American Health Information Community
Confidentiality, Privacy, and Security Workgroup
DRAFT
Summary of the 16th Web Conference of this Workgroup
Thursday, January 24, 2008
PURPOSE OF MEETING
The meeting was convened to finalize the recommendation letter on the relevancy of Health Insurance Portability and Accountability Act (HIPAA) requirements to electronic health information exchanges (HIEs) and to discuss whether “higher than HIPAA” standards are needed in an electronic health information exchange environment. Meeting materials and documents referenced below are available at http://hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
KEY TOPICS
1. AHIC Update
Jodi Daniel, Office of the National Coordinator (ONC), stated that the Community met on January 22nd. At this meeting, an announcement was made that the team of LMI and the Brookings Institution will design and implement AHIC 2.0. This award will consist of two phases with a full transition expected by late 2008.
The Healthcare Information Technology Standards Panel (HITSP) presented their latest harmonization standards, including a security and privacy technical note. Ms. Daniel stated the intention of this note was to advance requirements for use cases. The scope of the note included: secured communications channel, security audit trail, identity assertion, non-repudiation of origin, access control, date stamping, document integrity, and managed consent directives. While the intention was to be “policy neutral,” many of the technical issues can be intertwined with policy. Therefore, it may be worthwhile to have a future discussion of these standards, especially in light of the workgroup’s efforts on issues such as identity proofing and authentication.
Ms. Daniel also stated that there was a heartfelt conversation at the meeting about ensuring patient access to electronic information. Under HIPAA, patients have the right to this information, but the conversion to electronic records may raise new issues, such as the format of the information, copying fees, and the time to grant a request. For this workgroup, these issues may be of interest to address as either a clarification of what is now covered by HIPAA or to recommend new standards as part of the “higher than HIPAA” discussion. Workgroup members noted that recommendations about speed and formatting might not be controversial on principle; however, based on the testimony from regional health information organizations (RHIOs), it may be a practical issue.
Additionally, Deven McGraw, Workgroup Co-chair, presented a response to the Model Requirements Executive Team (MRET) recommendations. In summary, the Workgroup’s response was that Requirement 8 is consistent with HIPAA requirements, but would benefit from further specificity regarding auditor roles.
The next AHIC meeting will be held on February 26th, in coordination with the Healthcare Information and Management Systems Society (HIMSS) meeting in Orlando.
2. HIPAA Relevancy Recommendations Discussion
Kirk Nahra, Workgroup Co-chair, stated that the goal for this discussion is to finalize the current working draft of the recommendations letter. He noted that the workgroup has already discussed this issue a great deal, and the draft has gone through several revisions. The precedent for these recommendations is the HIPAA clearinghouse exemption: just as clearinghouses that have no direct relationship with consumers are exempt from the HIPAA privacy notice requirements, HIEs and RHIOs that have no direct relationship with consumers should be exempted from those requirements. However, HIEs that do have direct relationships with consumers should follow requirements at least equivalent to the current HIPAA standards.
Workgroup member comments included:
- A concern was raised by an alternate workgroup member about the impact that exempting HIEs from certain HIPAA requirements would have on consumers.
- Another member responded that they had raised similar concerns about earlier drafts and now feel the current draft does not dilute individual rights; obligations for privacy notices continue to fall on the health care provider.
- Because this field is rapidly changing, the letter leaves open the possibility that if these relationships change over time, the exemption would no longer hold.
- The letter also notes the workgroup’s intention to look at “higher than HIPAA” standards for HIEs, so that consumer protection may actually be enhanced by future recommendations.
From this discussion, the majority were in agreement to forward the letter to the Community. Concerning the dissenting vote, clarification is needed as to whether the Workgroup member agrees with his alternate, and if so, what process he will follow to express this dissenting view.
Consensus #1: By majority, workgroup members approved the relevancy recommendation letter, which will be presented to the AHIC.
3. “Higher than HIPAA”
As stated in the relevancy letter, the next topic for the workgroup to address is whether higher standards than what is currently provided by HIPAA are needed for the HIE environment. Ms. McGraw and Mr. Nahra suggested narrowing down a broad topic by starting with choice options for patient participation, and they developed discussion scenarios. The goal for this discussion today is to better determine what the next steps will be for the Workgroup. If Workgroup members find during the course of this discussion that they are able to determine their position, the Workgroup could move forward in developing recommendations. If not, the next step will be to identify what is needed to move forward, such as obtaining factual information, hearing testimony, or having more discussion.
The scenarios represent a spectrum of three possible policy approaches, building on levels of consumer control and assuming the personal health record (PHR) can connect with an HIE:
- Option 1: Consumers can choose whether their information is disclosed from their PHR to an HIE; once the information is part of a network, all HIPAA rules apply.
- Option 2: In addition to choosing whether to disclose information from their PHR, consumers can choose whether information in their provider’s electronic health record (EHR) can be exchanged as part of the HIE. Once the information is part of a network, all HIPAA rules apply.
- Option 3: In addition to choosing whether to disclose information from their PHR and their provider’s EHR, consumers have a level of granularity in their choice with respect to the EHR. The granularity could include choices per transaction, by provider, or by condition. Once the information is part of a network, some HIPAA rules would apply in addition to others that may be higher.
Workgroup members had a robust discussion about these options, which included the following comments:
Workgroup Process
- An alternative structure to these options would be to apply different rules to the information depending on its source. However, if a patient discloses information to a provider, that information may then become part of the provider’s EHR, which would blur the origins of the information. Therefore, these scenarios offer choices as to whether to disclose the information, but once the information is in the network, it follows the same rules regardless of its source.
- Because these scenarios are based on HIPAA as it stands today, more clarity on the direction of the “higher than HIPAA” discussion may be needed before decisions are made. For example, the parameters for health care operations disclosures in the new HIE environment become unclear. Additionally, research that is not conducted for traditional publication purposes could also become a gray area in the new HIE environment.
- It was clarified that “all HIPAA rules apply” would include more stringent state laws. A “higher than HIPAA” standard could then bring all states up to the highest state law, or even set a new, higher standard. The work being done by the State Alliance for e-Health and the Health Information Security and Privacy Collaboration (HISPC) may inform this discussion.
Levels of Control in the PHR vs. EHR
- There was discussion as to whether Options 1 and 2 should be reversed in terms of increasing levels of control. Starting with sharing information in the EHR through a network could be seen as the most basic level of control, because any information the patient communicates to the provider, verbally or electronically, is integrated into the EHR. Adding the PHR to that network would be an additional layer of choice for the consumer.
- The framework for the “higher than HIPAA” discussion is to focus on differences in the environment such that different rules are needed. Within this framework, the difference is that purely consumer-driven information is considered outside the health care system and not under HIPAA today. Therefore, the first choice is whether to exchange data that is currently seen as unregulated.
- When data does come out of the PHR and the physician uses it, that data becomes part of the EHR, and the scenario shifts to Option 2. Therefore, it was suggested that the line of choice between Options 1 and 2 be redrawn to distinguish between different levels of disclosure once that information is part of an EHR.
Levels of Granularity
- The level of granularity was discussed as to whether it covers both PHRs and EHRs, or whether it could apply to just one or the other. It was noted that individuals can exercise granularity by choosing what to enter into the PHR. However, this choice could be complicated by the technical capabilities of the PHR or by incentives from the PHR sponsor.
- The issue of data being used for research purposes, in addition to or instead of treatment, was raised. This may itself specify a level of granularity.
- Because PHRs are based on the premise of consumer control, the concern was raised that an “all or nothing” approach to disclosing that information may eliminate the concept of a PHR.
- Because many of the available systems do not have the capacity for fine levels of granularity, this option may not be practical to implement. Additionally, there is little uniformity across state laws, which adds to the complexity introduced by granular choices.
- An argument could be made against high levels of granularity, because offering more choices as to what information is included undercuts the value of completeness in a medical record.
Based on this discussion, Ms. McGraw suggested determining if a consensus has been reached on the threshold choice, that consumers have the right to choose whether information is disclosed from their PHR. If agreement is reached on that element, the workgroup can then discuss the consumer’s choice over whether, and at what level of granularity, the data in their provider’s EHR becomes part of the network.
Consensus #2: Consumer choice is inherent in the concept of a PHR, and consumers have the right to choose whether information in a PHR is disclosed.
From this consensus point, Ms. McGraw and Mr. Nahra then outlined three levels of consumer choice pertaining to how data is used and disclosed from EHRs, slightly modified from the scenarios discussed above:
- Consumers have only the rights currently held under HIPAA and state laws.
- Consumers have an “all in or all out” choice.
- Consumers have granular choices in participation.
The workgroup then identified what elements would help move forward the discussion of the opt-in/opt-out scenarios:
- The “higher than HIPAA” discussion of uses and disclosures may influence opt-in/opt-out decisions. The list of topics under consideration for “higher than HIPAA” standards will be reviewed to determine which others are contingent elements for the opt-in/opt-out discussion.
- Because granularity by definition can be seen as “higher than HIPAA”, it was noted that the National Committee on Vital and Health Statistics (NCVHS) is finalizing a letter on sensitive data types for which additional protections would be needed.
- The operating premise of the “higher than HIPAA” conversation is that the previous workgroup recommendation brings all players, including business associates, up to at least the existing HIPAA level.
- If available, reviewing research on factors that affect consumer opt-in/opt-out choices would help inform the discussion.
Action item #1: ONC staff will circulate the historical list of topics for discussion to Workgroup members so they can identify higher than HIPAA issues.
Action item #2: ONC staff will circulate a list of “higher than HIPAA” topics. The topics will be categorized as contingent or not contingent in relationship to the choice issue.
4. Planning for Next Meeting
The next meeting is scheduled for February 5th. Because of the short turn-around time, Mr. Nahra suggested discussing “higher than HIPAA” issues not related to the opt-in/opt-out, such as individual rights. At a previous meeting, the Workgroup began discussing scenarios on individual rights, and it might be fruitful to now return to that discussion.
Action item #3: ONC will circulate to the Workgroup the meeting notes from the last discussion of individual rights scenarios.
The goal for this discussion will be to determine if the Workgroup is close enough to a consensus to formulate a working hypothesis, and if not, to identify what other information is needed to come to consensus.
SUMMARY OF CONSENSUS AND ACTION ITEMS
Consensus #1: By majority, workgroup members approved the relevancy recommendation letter, which will be presented to the AHIC.
Consensus #2: Consumer choice is inherent in the concept of a PHR, and consumers have the right to choose whether information in a PHR is disclosed.
Action item #1: ONC staff will circulate the historical list of topics for discussion to Workgroup members so they can identify higher than HIPAA issues.
Action item #2: ONC staff will circulate a list of “higher than HIPAA” topics. The topics will be categorized as contingent or not contingent in relationship to the choice issue.
Action item #3: ONC will circulate to the Workgroup the meeting notes from the last discussion of individual rights scenarios.
MEETING MATERIALS
Agenda
Draft HIPAA Relevancy Recommendations Letter
11/08/07 CPS Workgroup DRAFT Meeting Summary
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
Co-chairs
Kirk Nahra | Wiley Rein LLP
Deven McGraw | National Partnership for Women and Families
Members and Designees
Jodi Daniel | HHS/Office of the National Coordinator
Sylvia Au | Hawaii Department of Health
Steven Davis | Oklahoma Department of Mental Health and Substance Abuse Services
Jill Callahan Dennis | American Health Information Management Association
Don Detmer | American Medical Informatics Association
Elizabeth Holland (for Tony Trenkle) | HHS/Centers for Medicare & Medicaid Services
John Houston | University of Pittsburgh Medical Center and National Committee on Vital and Health Statistics
Marilyn Zigmund-Luke (for Thomas Wilder) | America’s Health Insurance Plans
Susan McAndrew | HHS/Office for Civil Rights
David McDaniel | VA/Veterans Health Administration
Alison Rein | AcademyHealth
Leslie Shaffer | DOD/Tricare Management Activity
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.