A new batch of proposed healthcare information transmission standards aimed at affording patients more privacy controls over the flow of their healthcare information is up for review, revision and possible approval by the healthcare standards development organization Health Level Seven (HL7).
The 30-day balloting period opened last week under the HL7 ballot process on what Olympia, Wash.-based consultant Kathleen Connor described as "e-consent standards."
"We'll have some energetic discussions about positions," Connor said. "Then, once people agree to disagree, you try to reach consensus, and if those changes are substantive, then you'll re-ballot. If not, then it will pass and then it will go to ANSI (the American National Standards Institute) and it will have the imprimatur of an ANSI-approved standard."
Reconciliation of comments is scheduled to take place during the HL7 meeting April 29-May 4 in Cologne, Germany, Connor said.
The next step would likely be consideration of the privacy control standards by the Healthcare Information Technology Standards Panel, which was created by ANSI under a 2005 contract with HHS to harmonize healthcare IT standards for specific healthcare IT "use cases." The use cases were created by HHS and adopted by the American Health Information Community, a federal advisory panel created by HHS Secretary Mike Leavitt in 2005 to promote healthcare IT adoption. They aim to facilitate movement of patient demographics, laboratory values and medication lists and in so doing promote consumer use of personal health records, encourage physician adoption of electronic medical-records systems and provide public health benefits from electronically enhanced biosurveillance tracking systems.
If HITSP approves a standard for a specific use case, and that approval is accepted and "recognized" by Leavitt, all federal healthcare organizations must adopt it under an executive order signed by President Bush last year.
The new batch of proposed standards is in HTML format and is accessible to HL7 members at the SDO's Web site. They are based on the work of Canadians Lloyd McKenzie, Garry Cruickshank and Stanley Ratajczak, "all of whom have contributed in different ways to the development of the (Canada Health) Infoway privacy architecture," Connor said. Canada Health Infoway is the name of the national healthcare IT network development effort in Canada.
Connor said the HL7 Web site postings include a set of diagrams that can be "serialized" into the standardized XML that "goes over the wire" between information systems, such as electronic health records and regional health information organizations, or RHIOs.
In an e-mail message Connor explained, "The consent directive messages would be recorded at the point of care and sent to a consent repository with an association to the consumer/patient. This tells the entities that publish a patient's records what the rules are for safeguarding privacy. The same message format can be used by a provider to override a patient's consent directives in case of an emergency, i.e., to 'break the glass.' In addition, the patient can give a provider a 'shared secret' key or password to unlock information that was 'masked' by a patient's consent directives."
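An illustration added here, not part of the original article and not the HL7 message format: a minimal Python model of the flow Connor describes, with a consent repository that holds a patient's directive, masks record categories, accepts a shared secret to unmask them, and logs a break-the-glass override. The class names, the role and category labels, the deny-by-default policy, the order of the checks and the PBKDF2 storage of the secret are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def derive_key(secret: str, salt: bytes) -> bytes:
    # Store only a salted, stretched hash of the patient's shared secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class ConsentDirective:            # hypothetical model, not the HL7 schema
    patient_id: str
    permitted_roles: set           # roles the patient has consented to
    masked_categories: set         # record categories the patient has masked
    salt: bytes = b""
    secret_hash: bytes = b""

    def set_shared_secret(self, secret: str) -> None:
        self.salt = os.urandom(16)
        self.secret_hash = derive_key(secret, self.salt)

@dataclass
class ConsentRepository:
    directives: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def record(self, directive: ConsentDirective) -> None:
        self.directives[directive.patient_id] = directive

    def decide(self, patient_id, role, category,
               shared_secret=None, break_glass_reason=None) -> str:
        d = self.directives.get(patient_id)
        if break_glass_reason:                 # emergency override of the directive
            decision = "permit:break-glass"
        elif d is None:                        # assumed default: no directive, no access
            decision = "deny:no-directive"
        elif role not in d.permitted_roles:
            decision = "deny:role"
        elif category not in d.masked_categories:
            decision = "permit"
        elif (shared_secret and d.secret_hash and hmac.compare_digest(
                derive_key(shared_secret, d.salt), d.secret_hash)):
            decision = "permit:unmasked"       # patient handed over the secret
        else:
            decision = "deny:masked"
        # Every decision is logged so overrides can be reviewed afterwards.
        self.audit_log.append((patient_id, role, category, decision, break_glass_reason))
        return decision
```

The audit log is what makes the override workable in practice: break-the-glass access is granted immediately, and the recorded reason is what a privacy officer reviews afterwards.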
As in the U.S., where privacy rules at the state level differ widely, Canadian privacy rules vary between its 10 provinces and three territories.
For example, while Minnesota requires patient consent for most episodes of treatment, as well as for payment and other healthcare operations, Indiana has few state-level constraints and relies on the Health Insurance Portability and Accountability Act and its privacy rule. The HIPAA privacy rule initially required patient consent for most sharing of information, but it was modified by the Bush administration in 2002 to allow the exchange of protected healthcare information between covered entities and their business associates without consent for treatment, payment and "other healthcare operations."
In Canada, Connor said, planners had to deal with similar provincial and territorial variances. Saskatchewan gives patients the right to either opt in or opt out of its information-sharing scheme, while Quebec requires explicit patient consent for specific instances of sharing, she said.
The Canadian approach to standards harmonization, she said, was that in areas where the intent of the various provincial and territorial privacy policies was basically the same, authorities tried to reduce the differences through modification of policies. Where the intent was markedly different, they used technology to enable transmission while maintaining each jurisdiction's unique privacy protections.
"They had a diversity of laws that were developed in silos just like in the U.S., but they were able to rationalize those, round off the corners and yet maintain respect for the differences in the provinces and territories," Connor said.
Connor, whose title is senior consultant with Fox Systems, said her role was as a "modeler" of the Canadian set of privacy standards, adapting it to U.S. care settings and preparing it for HL7 balloting.
"I inherited it and enhanced it so it would support the needs of the Substance Abuse and Mental Health Services Administration," the HHS agency that oversees drug and alcohol treatment programs and serves as a watchdog over the sensitive medical records of patients receiving treatment for drug or alcohol dependency. Connor was co-author with privacy lawyer Joy Pritts of a recently released report prepared for SAMHSA on the development of patient-centric privacy controls in IT systems being developed in the Netherlands, England and Canada.
Personal health records are one of the targets of Connor's adaptation of the Canadian privacy control standards, since many PHRs are being set up by employers or insurance companies that are not "covered entities" and therefore not afforded even the limited privacy protections of the HIPAA privacy rule.
"So I made this (standards set) robust enough for a person with a personal health record so that they can provide consents," Connor said. Her work will serve as a complement to work on consent standards also being done by the U.S.-based IT standards implementation consortium, Integrating the Healthcare Enterprise. The IHE's work is called the basic patient-privacy consent profile, Connor said.
Under the IHE model, a healthcare data exchange or RHIO would allow a requesting provider to pull down information and then seek to apply rules to its use based on existing patient consents, Connor said. "It would be up to the receiver to implement those rules," she said.
Connor said the e-consent standards she helped develop are more flexible and allow providers to climb the IT adoption curve, transitioning from paper-based to electronic systems.
They afford the user the ability to attach a scanned document or provide an electronic address for a document, Connor said.
"As they integrate this and their trading partners are able, they can move up to a fully electronic system that restricts at the point of access," she said. "We're in a transitional period. You're going to start at ground zero, which is all paper. Then some will be using a partial electronic environment and partial paper. When you go to the record locator service, all of your directives will be code-able and readable and it will say your role doesn't fit the roles that (the patient) has consented to, so you don't even get to see it.
"Right now, if they are envisioning anything at all, it is a lot of trust and support on a migration path that can scale up," Connor said.