Long-awaited recommendations on how to add digital privacy protections to health records, and particularly to sensitive behavioral health information, could emerge in June, a leader of a work group organized under the auspices of the Office of the National Coordinator for Health Information Technology's Health IT Policy Committee told its members Tuesday.
That won't be soon enough for some who have followed the issue for years and wonder why standards can't be agreed upon using existing technology that involves applying what are known as metatags to data to ensure privacy.
“We demonstrated these kinds of capabilities … in 2010. Four years later, we're still talking about can this stuff be done? Come on, it's just a lack of knowledge,” said veteran privacy programmer Duane DeCouteau, a senior software architect at Edmond Scientific Co., and an expert in metadata tagging for privacy.
Those familiar with pilot projects using existing technology point to functions, such as restricting data access by type of provider, that have yet to be implemented, however.
At issue are medical records that fall under the constraints of a federal privacy law, 42 CFR Part 2, known for its place in the Electronic Code of Federal Regulations, which governs providers of federally supported drug and alcohol abuse programs.
The Health Insurance Portability and Accountability Act, the chief federal healthcare information privacy law that regulates the movement of data among covered entities and their business partners, provides broad tolerance for the movement of patient records without patient consent.
Part 2, however, requires patient consent for most movement of patient data. That consent requirement also follows the data, from one provider to the next, sort of a “tag, you're it,” rubric.
The committee makes recommendations about meaningful use criteria to the ONC, a first step in the rulemaking process for developing meaningful use and EHR testing and certification criteria under the American Recovery and Reinvestment Act's EHR incentive payment program.
The Health IT Policy Committee is now considering recommendations on “voluntary” testing and certification criteria for systems developed to serve behavioral health providers.
The ONC at HHS authorized six pilot projects for health data protection technology under its Data Segmentation for Privacy, or DS4P, initiative.
The committee's Tiger Team Chairwoman, Deven McGraw, gave a status report on the workgroup's efforts so far, including evaluation of those six pilots. The Tiger Team was formed in 2010 and one of its first activities was to hold a public hearing to evaluate computer systems capable of segmenting highly sensitive elements of patient records for privacy.
So far, the technology has limits, McGraw said. A behavioral health organization can obtain the permission of a patient to share his or her information with an outside healthcare provider (an acute-care hospital, for example), and the systems are capable of “tagging” that record to inform the recipient that it contains sensitive information that will impart privacy obligations to the recipient under 42 CFR Part 2.
“It works, very well, I think, for the behavioral health entities that before couldn't share data,” McGraw said. “They get the ability to electronically send this data with the restriction communicated on it per the rules that apply directly to them and they've been able to help facilitate the coordination of care for a patient they have treated.”
On the recipient side, however, “if that provider is using the data segmentation for privacy standards they have the capability to view it.” But it's read only, she said.
“In other words, the data can't be picked apart and sent to decision support; it can't be picked apart and sent to the various elements of the EHR, because doing so would risk the possibility of being able to redisclose it without the opportunity to obtain the authorization for that to happen.”
ONC Chief Privacy Officer Joy Pritts said developers “have the ability to tag within the document,” that is, to mask only specific sensitive data elements, such as a diagnosis code for depression. The problem is, Pritts said, “Nobody has implemented it that way.”
Instead of incorporating the data from a behavioral health provider's transmission into a patient record kept by the acute-care provider, “The document, by design now, is put into a separate file,” Pritts said. “It is not, by design right now, incorporated into the EHR.”
Pritts also said that role-based access “is not one of the functionalities that has been associated with any of these pilots.” Such access constraints would, for example, give a hospital's psychiatrist access to a record transmitted from a behavioral health provider, but perhaps not another clinician.
DeCouteau said he is frustrated, not only with the slow pace of adoption of privacy protection technology, such as metadata tagging, but also the seeming inability of policy advisers to understand the technology and its capabilities and to take a regulatory stand supporting it.
“On the mental health side, you have 46% of all Americans will experience a mental health crisis at some point in their lives,” DeCouteau said. “That's a lot of people and a lot of data that needs to be protected. That should be the driving force behind it.”
“It's up to the Tiger Team (to say) these are the standards we're going to implement with meaningful use,” DeCouteau said. “Until they stand up and say that, the vendors are going to suffer from the 'not invented here syndrome.'”
Follow Joseph Conn on Twitter: @MHJConn