As a federal policy battle looms over the extent to which patients will exercise control over the movement of their electronic health records, one outstanding question is: Will electronic health-record systems be able to give practitioners and patients the level of consent management they'll need or want?
Behavioral health offers cues for privacy control
A possible answer might come from the not-for-profit Certification Commission for Health Information Technology, which has developed a new set of criteria against which EHRs can be tested for the special needs of behavioral health professionals, who have long dealt with patient-consent choices, laws and rules that the rest of the medical profession may soon face.
"I've lived in behavioral health all my life, so I'm more familiar with that," said Sharon Hicks, chief operating officer of Community Care Behavioral Health, part of the University of Pittsburgh Medical Center. "Once you live in it, you feel fine. We've had these rules in place for a long time and they don't create a problem."
Hicks serves as co-chairwoman of the CCHIT behavioral health work group, which labored for two years to develop a special set of test criteria for EHR systems used by behavioral-health professionals. On Tuesday, CCHIT announced the launch of the new specialized testing program along with niche EHRs in behavioral health, dermatology, and long-term and post-acute care.
Under a 2003 HHS modification to the privacy rule of the Health Insurance Portability and Accountability Act of 1996, physicians, hospitals, claims clearinghouses enjoy “regulatory permission” to exchange patient information without patient consent for treatment, payment and a broad, catch-all category of other healthcare operations.
Under another federal law, however, certain providers of mental health services and treatment of drug and alcohol abuse must obtain patient consent before exchanging their information.
In addition, Hicks said, "Almost every state, if not every state, has a similar law about drug and alcohol information." She added: "It's not just the federal government saying that drug and alcohol information has to be treated at this high level of privacy, and often the state rules are more strict than the federal rule, and when they (are), the state rule trumps the federal rule.”
Because federal policy remains as yet unresolved on the level of control patients will have over the exchange of their own information, the CCHIT work group had to write EHR test criteria for what likely will become a moving target regarding consent.
Hicks said the job of the CCHIT work group was made easier given that about 35 IT vendors are selling products into the niche market of behavioral health and have had to design EHR systems to meet the longstanding consent requirements of state and federal laws.
"There has been a behavioral health software market way before there was CCHIT or a sense that they'll have to be certified, so, those vendors have always had to deal with it," Hicks said.
"What we've put into the criteria, we've put the ability to go segregate types of record," Hicks said. EHR systems can be tested whether they can segregate data according to organizational policy, scope of practice or jurisdictional law, she said. In practice, it would require systems to be able to restrict records to be accessed by providers, say, restricting access only to physicians. The aim, at least, is that the jurisdictional test criteria should cover the patient consent requirements of state and federal laws, she said. "We hope there is enough flexibility in there that people would be able to be compliant."
CCHIT spokeswoman C. Sue Reber said the behavioral health system certification program will ensure that the EHR systems that are tested and pass meet the organization's own standards. For now, CCHIT has applied along with several other organizations to be recognized by HHS as a testing and certification body under new federal rules covering the stimulus law program that provides federal subsidy payments for providers to buy certified EHRs. Thus far, no testing and certification organization has received federal recognition, although an ONC official said Wednesday the first will be designated soon.
Hicks, who began her healthcare career as a social worker, said she developed an early interest in healthcare IT but has maintained a view of patient privacy shared by many who deal with such highly personal issues as mental health and substance abuse.
"My sense is the right solution is the thing the patient privacy groups are talking about," Hicks said. "It's more about a consumer having protection about what happens to their information. We have not given up our rights that certain people don't have permission to see my data.
"If we treat all health data as the property of the person and the person controls who gets to see it, then I see no reason for the rigorous rules," Hicks said. "So, can an insurance company have access to data that they don't need to do their business? The answer, whether it's physician health or behavioral health, is no.”
During Wednesday's meeting of the HIT Standards Committee, an advisory panel also created under the stimulus law, the privacy and security tiger team made a presentation that sparked lively discussion about patient consent and opt-in versus opt-out. A presentation by the tiger team before the HIT Policy Committee on July 21 sparked a similar debate, which also reflected differences of opinion within the tiger team itself.
At Wednesday's HIT Standards Committee meeting, committee member and medical researcher Christopher Chute, a physician and professor of medical informatics at the Mayo Clinic College of Medicine, Rochester, Minn., expressed concern about the "sobering prospects" for public health research if HHS uses its authority to create a "one size fits all" policy of opt-in on health information exchange.
Opt-in means the default position is that patient information will not be exchanged without a patient's affirmative consent. Opt-out means the default position is that the information will be exchanged unless the patient affirmatively requests that it not be.
Chute argued that allowing opt-in would distort data samples used for research.
Hicks, however, said that in her experience working at the Western Psychiatric Institute and Clinic, Oakland, Pa., now a part of UPMC, even before HIPAA, patient consent was required. "And even back in the 80s, we asked people if they were OK with having their data in aggregate form available to researcher, and most of the time they said yes," Hicks said. "I still believe that people should be asked and if you have a good argument, most people will agree with you."
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.