The tiger team has been meeting as often as twice a week since June to try to quickly develop healthcare IT privacy and security policy recommendations in the run-up to the implementation of a massive federal subsidy program for health IT under the American Recovery and Reinvestment Act of 2009. The first "payment year" of the federal IT subsidy program starts Oct. 1 for hospitals and Jan. 1, 2011, for office-based physicians.
One of the subsidy program's eligibility requirements is that healthcare providers be able to demonstrate that they're successfully using health IT to exchange patient information. The tiger team has focused its deliberations on policies governing such "meaningful-use" information exchanges.
In 2000, in the waning days of the Clinton administration, HHS issued its first HIPAA privacy rule, which mandated that healthcare providers and other so-called covered entities obtain patient consent before exchanging protected healthcare information for treatment, payment and a specific list of "other" healthcare operations. In 2003, however, the Bush administration amended the HIPAA privacy rule and gave "regulatory permission" for covered entities to disclose the same sort of patient information for treatment, payment and other healthcare operations without a patient's consent. Consent, or the lack thereof, has remained a thorny issue in health IT ever since.
Previously, the tiger team reported to the Health IT Policy Committee a recommendation that patient consent not be required for what it called "directed exchange"—transactions limited to the exchange of information between providers for treatment of a specific patient. Based on this recommendation, patient consent would not be required in the event of a primary-care physician sharing patient information with a specialist as part of a referral, for example.
But the tiger team also suggested that there be six specific "trigger" conditions in which HHS might want to use its influence to require consent before patient information was exchanged. These trigger conditions were presented to the HIT Policy Committee in a progress report on the tiger team's activities during a committee meeting July 21.
According to the tiger team's original recommendations, one of the six specific conditions that should trigger a patient-consent requirement is the exchange of information "that is often perceived to be more sensitive than other types of information"—behavioral-health and substance-abuse information, for example, as the National Committee on Vital and Health Statistics defines these and other types of information as sensitive.
The tiger-team recommendations were accepted by the Health IT Policy Committee with the provision that they could be changed when a full set of recommendations is resubmitted to the committee by the tiger team in a month or so. Created under the American Recovery and Reinvestment Act of 2009, the Health IT Policy Committee makes recommendations to the Office of the National Coordinator for Health Information Technology at HHS.
It was the trigger for “more sensitive” information that was stepped back by the tiger team on Tuesday as members sought to answer this question: “For directed exchange, is the presence of sensitive data in the information being exchanged a trigger for requiring consent?”
The new answer they came up with is no.
Tiger team Co-chair Deven McGraw said members based their discussions and ultimate recommendation on a straw proposal (PowerPoint) that was not “word for word” but “close” to the content of an e-mail drafted last week by tiger team member Wes Rishel. McGraw is the director of the Health Privacy Project at the Center for Democracy and Technology, a Washington-based think tank. Rishel is a vice president and distinguished analyst in the healthcare provider research practice of Gartner, an IT market research firm.
According to the straw proposal:
- All health information is sensitive, and what patients deem to be sensitive is likely to be dependent on their own circumstances.
- However, some federal and state laws recognize some categories of data as being more sensitive than others.
- Unless otherwise required by law, with respect to direct exchange for treatment, the presence of sensitive data in the information being exchanged does not trigger a requirement to obtain the patient's consent in the course of treating a patient.
The straw proposal, however, carried its own caveat: that the policy recommendation "does not change the patient-provider relationship," which the tiger team suggests must provide a foundation of trust for the patient as a prerequisite for health information technology use to be successful.
"When information is transmitted by a provider as a direct exchange for a specific treatment purpose, clinicians should take into account and honor, to the extent possible, patients' expressed or likely concerns for privacy and also ensure the patient understands the information the receiving clinician will likely need in order to provide safe, effective care," according to the proposal.
Further, according to the proposal, "The use of directed exchange does not materially change the considerations that would be undertaken in exchanging such information by nonelectronic means. As always, clinicians should be prepared and willing to discuss with patients how their information is disclosed."
In other words, according to discussions by tiger team members, just because the mode of information exchange is switching from paper to electronic records, that doesn't mean providers should not discuss and take into consideration a patient's privacy concerns.
None of the above considerations negates compliance with federal and state laws that require consent for certain sensitive information, tiger team members made clear.
In Florida, for example, patient records involving sexually transmitted diseases, HIV status, abortions, mental health and substance abuse “by statute do require specific permission” from the patient before being exchanged, said Gayle Harrell, a member of both the tiger team and the Health IT Policy Committee and a former member of the Florida Legislature.
Even though the tiger team recommends that HHS not use its authority to try to require that patient consent be obtained with sensitive information, "I think we need to be very clear there is physician involvement in what sections of that record can be sent," Harrell said.
But tiger team and Health IT Policy Committee member Judith Faulkner, CEO of Epic Systems Corp., Verona, Wis., a developer of electronic health-record systems, warned that "very conservative" compliance officers and lawyers could interpret a written recommendation about providers consulting with patients in a way that would burden busy physicians.
"In this case, given the burdens there are on physicians' time, the benefit we expect to get from electronic health exchange will be circumscribed to the degree that that exchange is not computerized and requires an active review by physicians," he said.
McGraw summed up the tiger team's consensus.
The question was, McGraw said, “When you have directed exchange, and you have sensitive data in what's being exchanged, whether that's the whole record or just a lab result, does that require consent?”
"What we've got in the straw proposal is no, we're not suggesting that … the presence of sensitive data is a trigger in a direct exchange context where the provider already has control," McGraw answered.
"But it doesn't mean there is not some type of law that needs to be complied with which may require consent," she said; nor does it mean that patients shouldn't have the chance to discuss with their care team or doctor any concerns about the exchange of sensitive information.