American Health Information Community
Confidentiality, Privacy, and Security Workgroup
Summary of the 17th Web Conference of this Workgroup
Tuesday, February 5, 2008
PURPOSE OF MEETING
The meeting was convened to discuss “higher than HIPAA” issues related to consumer choice for participating in electronic health information exchanges (HIEs). Meeting materials and documents referenced below are available at http://hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
KEY TOPICS
1. Revised Relevancy Recommendation Letter
Steve Posnack, Office of the National Coordinator for Health IT, stated there were a few changes made to clarify the differences between direct and independent relationships. These changes were made in response to the dissenting vote made during the last meeting. If there are no further comments, this letter will be presented during the next Community meeting on February 26th.
2. Higher than HIPAA Issues Discussion
Kirk Nahra, Workgroup Co-chair, stated the goal for this discussion is to address whether higher standards than what are currently provided by the Health Insurance Portability and Accountability Act (HIPAA) are needed for the HIE environment. This will build on the prior recommendation that all players should be required to meet standards at least at the HIPAA level.
The first piece for this discussion will focus on consumer choice for participating in HIEs. At the last meeting, several workgroup members commented that their views on this issue are dependent on other “higher than HIPAA” provisions. Therefore, a chart was developed to assist workgroup members in identifying HIPAA provisions that would be contingent for a decision on consumer choice. Workgroup members will walk through the chart and identify the provisions as contingent or non-contingent for consumer choice. Mr. Nahra stressed that “non-contingent” does not mean “unimportant;” the workgroup will return to these elements in future discussions.
Because the goal for the contingent/non-contingent exercise is to reach a recommendation on consumer choice, a working hypothesis could be formulated to further guide the process. Most concerns raised by workgroup members are related to non-treatment use and disclosures that are permitted by HIPAA. Therefore, Mr. Nahra posited the following proposed working hypothesis:
Proposed Working Hypothesis: Protected Health Information (PHI) can be retrieved from a network only for purposes of (a) treatment and (b) payment. Once the information is obtained and made part of a record, it is subject to HIPAA rules.
Mr. Nahra emphasized that this proposed working hypothesis focuses on retrieving the information, and not on how it is used. Additionally, while de-identified data may be a topic for future discussion, the focus now is on identifiable information.
Workgroup members then walked through the chart and had the following comments:
- The provision on agreed-upon restrictions was debated as to whether it is de facto part of the choice decision. That is, a consumer will have to take into account the agreed-upon restrictions in making their choice to participate or not participate in the network.
- A disclosure to a business associate (BA) was marked as a non-contingent element, but may need to be revisited. The workgroup will first look at activities for covered entities, and then separately look at BAs. It was noted that there could be an increased risk with more players in contact with the data. Also, workgroup members were reminded of the previous “level playing field” recommendation.
- It was noted that the facility directory component of §164.510 may be comparable to an index or patient locator. Because this is an analogous issue not directly addressed by HIPAA, it was added to the chart as a non-contingent element.
- The §164.512 uses and disclosures have been the subject of much workgroup discussion; however, not all elements are contingent to the choice decision. Law enforcement, in particular, was discussed as to which category it belongs; while the proposed working hypothesis might restrict data searching, the workgroup determined law enforcement disclosures should be marked contingent until a consensus is reached on the working hypothesis. Judicial and administrative proceedings would be handled in a similar fashion.
- The minimum necessary standard was marked as contingent to be consistent with §164.502(b).
- It was suggested to add §164.530(f), the obligation to mitigate any harmful effect of the use and disclosure of information, as a placeholder in the discussion. HIPAA does not require notifications when a breach occurs. It was noted that for this discussion “HIPAA standards” also includes more stringent state laws, which include affirmative breach notice rules. Due to recent media coverage of “stolen laptop” stories, these security issues might play a significant role in consumer fears.
After this exercise, the workgroup returned to the proposed working hypothesis as a possible direction for the discussion of consumer choice. The premise behind the proposed working hypothesis is that there are beneficial uses for sharing information over a network, such as treatment and payment; other uses, such as health care operations and public policy purposes, raise more questions. Therefore, the hypothesis focuses on treatment and payment uses. Additionally, the hypothesis is “front-ended,” meaning that it focuses on reaching out and gathering information from the network for these purposes. Once the information is obtained, it is treated consistent with HIPAA standards and does not have to be held separately from other information on that patient.
Workgroup members had the following comments and reactions to the proposed working hypothesis:
- Including healthcare operations. Workgroup members discussed including healthcare operations in the proposed working hypothesis, along with treatment and payment, to better reflect the HIPAA structure. However, HIPAA primarily deals with how covered entities use and disclose information, but does not address how they gather information. The provisions of §164.506(c) have a very limited scope for use and disclosure operations; the workgroup agreed to add this to the proposed hypothesis.
Modified Proposed Working Hypothesis: PHI can be retrieved from a network only for purposes of (a) treatment and (b) payment, and (c) limited health care operations as set forth in §164.506(c). Once the information is obtained and made part of a record, it is subject to HIPAA rules.
- Including public policy and research uses. After discussing the addition of limited healthcare operations, workgroup members raised the question of including other provisions, such as public policy and research. These issues would require more information-gathering.
- Control over information flow. Workgroup members discussed data sharing for payment, particularly cases like coordination of benefits where health plans can request information from another health plan. While that type of disclosure is allowed under HIPAA today, health plans do not generally share this information. It was noted, however, that an HIE system could allow a participant to pull data on a patient without other system players knowing about it; this scenario would not change the rule but would change the dynamic of the current environment. This point may be the distinction in how these networks differ from the current HIPAA environment; that is, changing the control of information flow from the holder of the information to the requester of the information.
- Data use by HIEs. The use of data by the network itself is another issue that is not addressed by the working hypothesis. It was suggested that various data activities, such as pre-packaging de-identified data, could be part of the business sustainability model for these networks, and not much is known about this. The possibility was also raised that, as an implication of the “level playing field” recommendation, defining them as a covered entity under HIPAA may broaden the range of their activities.
- Workgroup process. Several months ago, the workgroup began discussing the differences in a network environment to determine if “higher than HIPAA” standards were needed; this much broader topic has evolved to focus on how the network itself operates and how participants interact with that network. The working hypothesis then proposes a focal point for this aspect of the broader discussion. However, concerns were raised as to whether adopting this working hypothesis is short-circuiting the workgroup process and will not address the totality of topics that need to be better understood before reaching a decision on consumer choice to participate in HIEs.
4. Planning for Next Meeting
The next meeting is scheduled for Monday March 3rd. Deven McGraw, Workgroup Co-chair, led a discussion of topics for additional information needed to ascertain whether the scope of the proposed working hypothesis is broad enough. Research and public health were identified as additional purposes for “reaching in” to the network to obtain data. Suggested topics and sources of information included:
- Some public health agencies have agreements with hospitals to electronically transmit reportable cases; it is unclear whether the agency could then “reach in” to the system. Contacts were suggested from New York City Public Health Department, the Centers for Disease Control and Prevention, and Indiana Health Department.
- To discuss issues around defining research and quality assessment, it was suggested to contact the National Quality Forum and the Ambulatory Quality Alliance, and the National Association of Health Data Organizations.
- The Personalized Healthcare Workgroup has discussed and gathered testimony on issues surrounding de-identified data and the possibilities of re-identifying de-identified data.
Action item #1: ONC staff will follow up on workgroup member suggestions for additional information and testimony on public health and research issues that would influence the discussion of consumer choice.
SUMMARY OF CONSENSUS AND ACTION ITEMS
Action item #1: ONC staff will follow up on workgroup member suggestions for additional information and testimony on public health and research issues that would influence the discussion of consumer choice.
MEETING MATERIALS
Agenda
Draft HIPAA Relevancy Recommendations Letter
11/08/07 CPS Workgroup DRAFT Meeting Summary
1/24/08 CPS Workgroup DRAFT Meeting Summary
Chart of HIPAA Privacy Rule Standards
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
Co-chairs
Kirk Nahra | Wiley Rein LLP
Deven McGraw | National Partnership for Women and Families
ONC
Jodi Daniel | HHS/Office of the National Coordinator
Steve Posnack | HHS/Office of the National Coordinator
Members and Designees
Steven Davis | Oklahoma Department of Mental Health and Substance Abuse Services
Jill Callahan Dennis and Dan Rode | American Health Information Management Association
Don Detmer | American Medical Informatics Association
Elizabeth Holland and Mike Pagels (for Tony Trenkle) | HHS/Centers for Medicare and Medicaid Services
John Houston | University of Pittsburgh Medical Center and National Committee on Vital and Health Statistics
Susan McAndrew | HHS/Office for Civil Rights
David McDaniel | VA/Veterans Health Administration
Alison Rein | AcademyHealth
Mazen Yacoub and Vicky Brennan (for Leslie Shaffer) | DoD/TRICARE Management Activity
Thomas Wilder | America’s Health Insurance Plans
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.