“What we've seen from the ONC and CMS—when we talk, they listen,” Smith said. So, when the federal research report is released, “If it makes sense to us, we can anoint it and champion it. And if it doesn't—failing to do things that we think should be done—then it will be incumbent on us to call that out as well.”
Alas, the deadline for release of a report “has been pushed back indefinitely,” due to the federal government shutdown, now in its second week.
Smith said CHIME hopes to leverage its StateNet healthcare policy development collaborative on both issues, but improvements on computerized consent management will likely only come at the state level.
“On consent, we just have to keep plugging away,” Smith said. “ONC has a data segmentation pilot. There are three or four pilots under data segmentation for privacy.” But it's unlikely the federal government will address a national patient identifier, the controversial potential alternative to patient matching, any time soon, Smith said.
CHIME member Kevin Rhode, director of information technology at Jewish Family & Children's Service, a not-for-profit community behavioral health and social services provider based in Phoenix, said his organization has been working to help launch the Behavioral Health Information Exchange of Arizona, or BHIEAZ, a statewide HIE for use by Arizona's behavioral health services providers.
The idea is for BHIEAZ members to work together on the challenges of patient consent management and exchange of highly sensitive patient information on mental health, drug and alcohol abuse treatment under state and federal laws. Then, they can come up with policies and procedures to make that information available, when authorized, to the broader state health information exchange, Rhode said.
Under a federal law—called 42 CFR Part 2, named for the section of the federal code where it is located—the privacy paradigm is different and restrictions are more stringent for most drug and alcohol abuse records than for other records under the Health Insurance Portability and Accountability Act, the general, federal electronic medical-records privacy law.
If a provider receives federal funds for drug and alcohol abuse treatment, 42 CFR Part 2 applies, and generally, that provider must obtain patient consent before sharing those records with another provider, and the consent requirement runs with the record. The law has a unique “tag you're it” principle, in that recipients of these records, if they want to disclose them to another provider, are similarly obliged to obtain patient consent as well. HIPAA, in contrast, under a 2002 HHS privacy rule modification, grants administrative authorization to providers to disclose patient information without patient consent for treatment, payment and other healthcare operations.
Rhode said the BHIEAZ is looking at third-party vendors of consent management technology to facilitate the creation, storage and management of patient authorizations for record exchanges.
Their findings could have nationwide implications, because similar consent management technologies are needed more broadly due to a recent revision of HIPAA. The revision requires that patient consent be obtained before a provider can disclose patient records to the patient's insurance company, if the patient pays for that visit or procedure out of pocket. The compliance deadline for the new rule was Sept. 23.
Follow Joseph Conn on Twitter: @MHJConn