The tiger team recommended that in general, one provider should be allowed to share a patient's information directly with another provider without his or her consent for treatment purposes. To make health information exchange successful, providers would be obliged to maintain an atmosphere of trust among themselves and with patients within the exchange process. That would entail a responsibility on the part of providers to educate patients on the benefits and risks of health information exchange.
The sticking point for some committee members Thursday came with the tiger team recommendation that an exception be made when a provider exchanges a patient's information with a health information organization, or HIO. When a provider uses an HIO that retains data in its own central data repository, or when the HIO gives access to that patient's record to others via a “federated” model where access is no longer under the immediate control of the provider in charge of that patient's care, the patient should have a choice in whether his or her information can be sent to that HIO, according to the tiger team.
Health IT Policy Committee member Neil Calman, a physician and the president and CEO of the New York-based Institute for Family Health and a former member of the Privacy & Security Tiger Team, raised the first and strongest objection.
Calman said his and other practices were using a regional information exchange to provide "value-added" data analytics services as part of a diabetes control program.
Calman argued that if patients were allowed to opt out of sending their information to the exchange, they could either lose benefits or force HIOs or providers like himself "to have an alternative model" for providing those value-added services. "I am going to come to depend on those things that provide safety and quality," he said.
"We're signaling to HIOs you need to have two models," Calman said, adding, "I think they're having enough problems figuring out one way to do this, so I don't think that's realistic."
Calman said a practice should be able to establish its data handling policies and then it should be up to the patient to decide whether or not they want services from that practice. Calman said a provider should be obliged to tell the patient how his or her data is being handled, then it should be up to the patients “whether they want to use a practice or not.”
"If you come to my practice, this is the way we do business," Calman said. "I can do that with every other possible way I do business. I think we just need to rethink that one thing."
Health IT Policy Committee member Judith Faulkner, CEO of Epic Systems Corp., Verona, Wis., a developer of health IT systems, also suggested this specific tiger team recommendation might be premature and that more physicians should be consulted to determine their feelings about how the patient-consent provision might affect their work flows.
"Even if one patient opts out, it creates for the provider the responsibility to create a different way," Faulkner said. The underlying assumption is “that it's not a significant burden on the provider, and is it really true? My gut feel is we're taking a risk." And if compliance with the recommendation places a significant burden on providers, "We're in trouble with that phrase," Faulkner said.
Tiger team Co-chairwoman Deven McGraw and Co-chairman Paul Egerman, however, attempted to counter the objections.
As a core principle, the tiger team has included in its recommendations that health information policy should adhere to the principles of fair information practices, which include that patients be given control over the use of their information and that no patient should be denied healthcare services for exercising that control.
That sense of inclusiveness was "at the core of these recommendations," McGraw said. "People who are nervous about their privacy, which isn't everybody, we don't want to be left out of this system. We ought to give some people some choice, and if the choice is you've got to leave the doctor that you've been with, that's not a very good choice."
At any rate, Egerman added, the burden won't fall on providers. HIOs are able to segregate processes, allowing providers to have data transmitted but not stored.
Providers "do not have to have two ways of doing things in case a patient decides not to consent," Egerman said. "The regional HIOs can do this; they can offer whatever exchange services they offer without retaining the data. The HIO has to abide by that process. This is doable."
McGraw said that, under the tiger team's recommendations, quality-improvement services like those Calman pointed to could be performed under an “organized healthcare agreement” among participating providers.
According to Joy Pritts, chief privacy officer with the Office of the National Coordinator for Health Information Technology at HHS, such an agreement is defined under HIPAA as a provider-controlled arrangement. An organization operating under such an agreement cannot be an HIO if the HIO includes companies or groups that are not so-called covered entities under the Health Insurance Portability and Accountability Act of 1996. Still, the parties to such an agreement could contract with an HIO to provide data analytic services. Submitting data to those operating under an organized healthcare agreement for treatment, payment and other healthcare operations does not require patient consent.
Health IT Policy Committee member Charles Kennedy, vice president for health IT at WellPoint, asked whether the tiger team recommendation applied to claims data moving through claims clearinghouses. Egerman said it did not.
The explanations apparently satisfied Calman, Faulkner and Kennedy. The Health IT Policy Committee, which reports to the ONC, voted to accept the tiger team's recommendations without amendment, dissent or abstention.