American Health Information Community
Confidentiality, Privacy, and Security Workgroup
DRAFT
Summary of the 15th Web Conference of This Workgroup
Thursday, November 8, 2007
KEY TOPICS
1. Call to Order and Welcome
Judy Sparrow, AHIC Director, opened the meeting at 1:04 PM. She reminded those present that this meeting is designed to meet the requirements of the Federal Advisory Committee Act. Workgroup members then introduced themselves.
2. Approval of Prior Meeting Summary/Opening Remarks
Kirk Nahra, Co-Chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants. Workgroup members were asked to approve the summary from the Workgroup’s September meeting; any questions or comments on this summary should be submitted to Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) staff so that it can be finalized.
3. Health Information Exchange Panel Presentations and Discussion
Mr. Nahra introduced this panel with the goal of obtaining information about what can be done or what is being done in the HIE environment as it pertains to individual rights and uses and disclosures of information. These presentations are available on the CPS website at: http://hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
Amy Zimmerman, Rhode Island Department of Health, provided an overview of the development of the Rhode Island Health Information Exchange (RI HIE). A summary of important points covered during the question and answer period follows.
- While the RI HIE is now limited to laboratory and medication history, there are plans to rapidly expand the data set with funds from the Medicaid transformation grant.
- The HIE can continue to move forward with the authorization policies developed by the Health Department, regardless of the outcome of the proposed state legislation. Ms. Zimmerman said that they are approaching it from a stringent policy perspective that complies with current state mental health law. Moreover, policy may be preferable to legislation, because it provides more flexibility for future modification, while amending legislation is quite difficult.
- The Health Department is having discussions now about what the HIPAA status will be for the HIE. The Health Department is leading this project in the early stages; they likely will contract with a vendor and eventually transition to the RHIO. The sense now is that the Health Department will have Business Associate Agreements (BAAs) with the data submitting partners.
- Having a patient portal to view their own clinic data is in the future scope of work; however, the details of the level of granularity or physician approval have not yet been determined.
- Regarding the creation of a clinical data repository for public health, evaluation, and research use, there is a general sense that there should be a HIE policy advisory committee regardless of what happens with the proposed legislation. In order to get the project launched and to obtain community buy-in, the scope for data uses has been limited to treatment purposes.
- Regarding the “all or nothing” approach to the opt-in or opt-out disclosure policy, it was decided after much debate that providers needed to have access to the complete record to provide good treatment and to minimize patient risk.
Gregory Farnum and Anne Cramer, Vermont Information Technology Leaders, Inc. (VITL), presented on the pharmacy claims and medication history service being provided through a partnership with GE Healthcare. Comments and questions:
- The BAA with GE Healthcare contains provisions to handle possible security breaches, and GE’s subsequent contracts, such as RxHub, are harmonized to pass on the security requirements. In essence, the agreement between VITL and GE is a sub-BAA, because VITL serves as a business associate to the insurers and hospitals. For HIPAA purposes, then, the covered entities are the insurers and the hospitals.
- There are plans to develop a more comprehensive HIE. This money will come from a different “bucket” of funds. The chronic disease information service will be launched in the first part of next year.
- Patients are being queried for consent at every transaction, which allows for the inclusion of new types of data as the scope evolves.
- For this model, the information a patient receives regarding a breach would come from the individual institution’s privacy officers. Because Vermont is a small state with geographically distributed hospitals, it is not likely that a patient will go to more than two of the fourteen nonprofit hospitals. The hospital will contact the patient because that is where the relationship exists; there may be other issues related to the hospital record of which VITL would not be aware.
- To date, hospitals have not yet received any requests for an accounting. The accounting would cover only the particular data stream between the request for information processed through GE and the information being delivered; it would not cover who touched the data once it gets to the hospital. The patient would likely contact the provider for an accounting request, and the provider would contact VITL; however, if the patient knows to contact VITL directly, they have a mechanism for responding. The right to request an accounting of disclosures is included in the information provided at time of consent.
James Golden, Minnesota Department of Health, discussed the impact of changes in health privacy laws on the Minnesota Health Information Exchange (MN HIE). Comments and questions for Dr. Golden included:
- Regarding the consent requirements and the opt-out provision, Dr. Golden clarified that patient consent is obtained before the provider can access the record locator. This consent does not expire, but can be revoked. In addition, some consumers believe just creating a record locator might create a footprint of the care they have received, and as a result they would prefer to opt out.
- There are several data elements that could be used for unique identification: first name, last name, date of birth, gender, and address. The member ID number from the insurer could also be used. They have had good success with matching uniquely with those data elements.
Jac Davies, Inland Northwest Services, presented on a shared services model for leveraging resources. Questions and comments after this presentation included:
- It would be helpful for workgroup members to receive copies of the sample agreements and to develop a matrix to compare the elements, such as opt-in versus opt-out.
- It also was noted that each organization has developed very different models, which presents a range of possibilities for the developing HIE environment.
Vicki Estrin, Vanderbilt Center for Better Health, presented on the MidSouth eHealth Alliance in Memphis, Tennessee. Comments and questions for Ms. Estrin included:
- Because the accessed information is for treatment purposes only, Ms. Estrin said that many organizations that are paper based will keep that information segregated in the correspondence section of the paper chart. If a provider then adjusts the treatment plan based on that information, using it to justify the treatment to the insurance company may present a gray area; however, Ms. Estrin commented that providers could present to the operations committee to obtain permission for this use of the data. She also said that, at this point, most systems in the country are not interoperable. Ms. Zimmerman added that in Rhode Island, they created a “carve out” around secondary disclosure of the HIE data because of these challenges of keeping it separate in the medical record.
- Regarding the notion of case management, Ms. Estrin commented that they have begun discussions to better define this and will likely start out with a restrictive definition.
The discussion was then opened to general comments and questions for the whole panel:
- Regarding how opt-in and opt-out policies are operationalized, Ms. Estrin reported that the opt-out rate for urban areas ranges between 1-2% and in suburban areas it is less than 1%. They included this option not because of any legal requirements, but from an ethical perspective. Ms. Zimmerman agreed that it is an ethical issue; the consumer’s “angst” increases when information becomes available in an integrated, electronic forum and could possibly affect employment or insurance.
- Dr. Golden clarified that their data sharing agreement may or may not be a HIPAA BAA because there is still a question as to whether any data is actually being shared from the covered entity to the HIE. The determination may depend on the structure of the record locator, and whether the HIE is viewed as more of a conduit or pass-through for the data.
- Regarding the exclusion of substance abuse and mental health information, Ms. Estrin clarified that prescription drugs are included in the context of the medication history but not in connection to an encounter from a mental health clinic or inpatient unit. They also have determined that diagnostic codes can be disclosed from an emergency department visit if the patient was not referred or admitted to a mental health, behavioral health, or substance abuse site. She added that they have a specific psychiatric ED and information from that site will not come to the HIE.
- Concerning the granularity of consent policies, Ms. Zimmerman clarified that patients will be able to dictate which providers can see their data, but once that provider has access they can then see everything in the record. She added that this is not a technology issue but a policy issue: missing information can impact patient safety and quality of care. Ms. Estrin commented that they opted for an “all or nothing” approach because of the margin of error. While it would be technologically possible to screen out particular ICD-9 codes, there is still a chance that inappropriate information could get through on a radiology report, for example. Ms. Zimmerman also added that “sensitive” is different for different people.
- Regarding the provision of accounting disclosures or audit trails, Ms. Estrin commented that they have not been asked to provide an audit log, but would be able to produce this type of report. She added that printing out an audit log would probably not be understandable for the consumer, and that they would have to create a consumer version of that report that could document disclosures and data use. Dr. Golden added that they have discussed making changes in the privacy law to deal with disclosures at both the treating and disclosing providers. He does not anticipate many requests for accounting of disclosures, except during complaint investigations. Ms. Davies commented that their organization provides an audit tracking process through the software, which records every time the patient’s record is accessed. A hospital could then quickly pull up that record in response to a request.
Mr. Nahra then thanked the participants for a helpful and informative discussion.
4. Workgroup Discussion
Deven McGraw, Co-chair, commented that to the extent that the workgroup is developing recommendations regarding possible changes to HIPAA for an HIE environment, it may be helpful to discuss the common elements among the wide variety of models presented. Workgroup member comments included:
- One commonality among the approaches was not waiting for state legislation, but rather moving forward by developing business practices for good patient care. These practices displayed a balance between the patient’s rights and the needs of end-users.
- The variety of business arrangements and contractual entanglements through subcontractors dramatically reinforces the need for the workgroup’s previous “level playing field” recommendation.
- These organizations confirmed the workgroup’s notion that the interface with patients belongs with the provider and not at the HIE level. However, when these systems become more fully integrated in the future, there may be a need for flexibility to accommodate the capabilities of the HIE.
- While there may be some commonalities, it may be more useful to note the differences. The workgroup could develop a tool for thinking through challenging issues such as opt-in/opt-out, substance abuse and mental health concerns, and data uses beyond treatment. If more standard methods were selected by the regional organizations, it would facilitate linking together these systems to form the NHIN.
- The workgroup noted that NHIN’s vision is far ahead of what is really happening. These systems appear to be in their infancy. The systems were limited to just treatment purposes, exchanged a limited amount of information, and were limited to a regional geographic area. Also, none of these systems are currently linked to or provide a basis for data population of personal health records (PHRs).
- It may be that funding concerns on the state level are preventing the technological “bells and whistles.” In contrast, large technology companies are not concerned about funding cycles and may be the mechanism to move these HIEs to a more national scope.
- The timeframe for any recommendations will be important; the recommendations will need to specify whether they should be applied today or at some point in the future. For example, if the recommendation only has relevance for a wholly integrated NHIN and not the non-integrated regional HIEs, a timeframe for future implementation needs to be stated.
- In developing new recommendations, the workgroup could stay at a higher principle level to prevent the local HIEs from devoting a lot of time to reinventing the wheel and potentially going down the wrong path; at the same time, the recommendations should not be so prescriptive that the HIE cannot be innovative to meet the community’s needs. Furthermore, by suggesting at least similar ways of developing HIEs, the regional HIEs will be more able to link up with other systems as they mature.
- A matrix could be developed to compare the various approaches utilized by the presenters today; the matrix then can be used by the workgroup as they consider how to move HIEs beyond the current geographic boundaries.
Action Item #1: ONC staff will develop a matrix of approaches used by the HIE models, such as opt-in and opt-out policies, to be used during future workgroup discussions.
The workgroup then discussed how to use this information to advance the scenarios discussed at previous meetings. With the information at hand, they attempted to resolve those outstanding questions. Mr. Nahra summarized two outstanding issues:
- Permission to participate in the flow of information. Obtaining patient authorization for their information to be part of the HIE is not a current HIPAA requirement and is technically an authorization issue. Some models presented today developed a “per transaction” consent process, while others developed a “one-time” consent that does not expire.
- Individual rights for controlling access to information, secondary uses, and requesting an accounting of disclosures. The models today kept these issues at the provider level rather than elevating them to the HIE. None of the presenting entities reported activities that would not be permitted, and they are actually doing far less than what is permitted under current rules.
Mr. Nahra requested that workgroup members continue thinking about what the issues are and what information still is needed for the workgroup to deliberate the issue.
Action Item #2: WG will contact ONC if they have suggestions for testimony or other information sources for the next meeting.
5. Planning for Next Meeting
Mr. Nahra stated that the next meeting is scheduled for January 24th. The co-chairs will meet before this meeting to discuss the course of action for the workgroup.
6. Public Comment
None.
7. Adjourn
Mr. Nahra thanked the participants, and the meeting was adjourned at 4:49 p.m.
SUMMARY OF CONSENSUS AND ACTION ITEMS
Action Item #1: ONC staff will develop a matrix of approaches used by the HIE models, such as opt-in and opt-out policies, to be used during future workgroup discussions.
Action Item #2: WG members will contact ONC if they have suggestions for testimony or other information sources for the next meeting.
MEETING MATERIALS
Agenda
Presentations:
- Amy Zimmerman
- Greg Farnum and Anne Cramer
- James Golden
- Jac Davies
- Vicki Estrin
10/4/07 CPS Workgroup Meeting Summary
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
Co-chairs | |
Jodi Daniel | HHS / Office of the National Coordinator |
Steven Davis | Oklahoma Department of Mental Health and Substance Abuse Services |
Jill Callahan Dennis | American Health Information Management Association |
Don Detmer | American Medical Informatics Association |
Elizabeth Holland (for Tony Trenkle) | HHS / Centers for Medicare & Medicaid Services |
John Houston | University of Pittsburgh Medical Center and National Committee on Vital and Health Statistics |
Susan McAndrew | HHS/Office for Civil Rights |
David McDaniel | VA/Veterans Health Administration |
Deven McGraw | National Partnership for Women and Families |
Kirk Nahra | Wiley Rein LLP |
Deborah Parris (for Flora Terrell Hamilton) | Family & Medical Counseling Service |
Alison Rein | AcademyHealth |
Paul Uhrig | SureScripts |
Thomas Wilder | America’s Health Insurance Plans |
Presenters: | |
Amy Zimmerman | Rhode Island Department of Health |
Greg Farnum and Anne Cramer | Vermont Information Technology Leaders, Inc. |
James Golden | Minnesota Department of Health |
Jac Davies | Inland Northwest Health Services |
Vicki Estrin | Vanderbilt Center for Better Health |
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.