A federal advisory group backtracked on its recommendation that the government embrace technology that helps providers share highly sensitive patient information, including data from behavioral health organizations that are key to accountable care organizations and other value-based payment models.
Instead, the panel suggested that even a modest proposal for voluntary testing and certification of so-called Data Segmentation for Privacy, or DS4P, technology in electronic health-record systems “may create confusion among providers.”
HHS endorsed the technology in a proposed rule in March. Metadata tags would warn receiving providers of their heightened privacy obligations, and the tags would remain attached to the electronic documents, reminding them that patient consent is again required if the records are to be sent elsewhere.
The technology “has saved some hospitals millions of dollars associated with the cost of care,” HHS' Office of the National Coordinator for Health Information Technology said in the rule, citing a Florida organization using DS4P. That's because “the patients they treat with substance abuse or behavioral health issues were able to send an electronic referral and get a discharge performed earlier in the process,” the ONC said.
Such data-sharing would be particularly useful for ACOs, which receive compensation for keeping such potentially high-risk, high-cost patients out of the hospital.
On Tuesday the privacy and security work group of the federally chartered Health IT Policy Committee recommended that the ONC merely educate providers and EHR software developers “about the features and limits of DS4P technology.” And it recommended the ONC conduct more pilot programs to refine technologies “that enable the sharing of sensitive data in compliance with the law.”
The work group invited its sister organization, the Health IT Standards Committee, to consider whether the DS4P standard had sufficient “maturity” for inclusion in the government's EHR testing and certification scheme, part of the $30 billion federal EHR incentive payment program.
Both committees advise the ONC, which writes the rules for the technology that providers must use to qualify for federal EHR incentives.
The position the privacy and security panel took this week was a turnaround from last June.
In June, its recommendation was that the ONC add a voluntary program to test certain privacy-protecting features under its regime for certifying EHR systems. The technology could be used by behavioral health and some general health providers. Testing, it argued, could assure buyers that a certified EHR was capable of affixing metadata tags to electronic documents to better handle this ultra-sensitive medical information.
Those documents would include the electronic medical records of patients treated by federally funded drug and alcohol treatment programs. Their medical records are protected by a series of federal privacy laws, passed by Congress in the 1970s and known collectively as 42 CFR Part 2. They require that a patient's consent be obtained each time such sensitive information is shared with another provider.
The aim of the statute was to guard patients from potential stigma or criminal prosecution, which might serve as barriers to them seeking care. It's a more stringent privacy standard than the HIPAA privacy rule, the federal law that covers most other patient information. Under HIPAA, providers can, in most instances, disclose and exchange patient records without patient consent.
The difference between the two privacy laws has formed a barrier to interoperability of health information technology systems between behavioral health and general health organizations. Penalties for violating 42 CFR Part 2 are $500 for a first instance and $5,000 for each thereafter.
The metadata tags envisioned by the ONC would comport with DS4P data standards already voted on and accepted by an internationally recognized standards development organization, Health Level Seven.
The ONC sponsored six pilot tests of the technology in 2012 and 2013. The pilots focused on moving behavioral health patients' records to general health providers.
At the urging of the privacy and security work group's predecessor organization, the ONC included a DS4P testing initiative in its March proposed rule.
The ONC's proposed rule is open for public comment through May. Most provisions of the rule won't go into effect until 2018. The full Health IT Policy Committee did not vote to accept or reject its privacy work group's latest recommendations. That vote could come at a follow-up meeting May 22.
Deven McGraw, a lawyer with Manatt, Phelps & Phillips who serves as chairwoman of the work group—previously known as the tiger team—said new appointees decided not to support their earlier counterparts' recommendation on DS4P.
The turnaround prompted a rebuke from Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, an Austin, Texas-based not-for-profit patient-privacy advocacy group, which has endorsed the VHA's DS4P approach.
“I find it completely insupportable them saying nothing works and it can't be trusted,” Peel said, citing early success with it by the Veterans Health Administration and others. “It's not a technology problem,” she said, “It's an 'I don't want to do it' problem.”