American Health Information Community

Confidentiality, Privacy, and Security Workgroup

Summary of the Seventh Web Conference of This Workgroup

Thursday, March 15, 2007

KEY TOPICS

1. Call to Order and Welcome

Judy Sparrow, AHIC Director, opened the Web conference at 10:55 a.m. She reminded those present that this meeting is designed to meet the requirements of the Federal Advisory Committee Act. Workgroup members then introduced themselves.

2. Approval of Prior Meeting Summaries/Opening Remarks

Kirk Nahra, Co-chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants. A motion was passed to approve the summary from the Workgroup’s February meeting. This summary and other meeting materials are available at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.

3. Summary of March AHIC Meeting and RTI/HISPC Conference

Jodi Daniel reported on the presentation of the Workgroup’s Recommendation 5 at the AHIC meeting earlier in the week. Community members did not raise further concerns on the revised language, and it was unanimously approved.

Ms. Daniel also stated that the AHIC approved the Consumer Empowerment (CE) Workgroup’s recommendation for the certification of personal health records (PHRs) on privacy, security, and interoperability criteria. Along with the recommendation, dissenting Workgroup members provided a statement. Other recommendations were also presented by the Quality Workgroup and the newly named Population Health and Clinical Care Connections (formerly Biosurveillance) Workgroup. Additionally, Ms. Daniel and Susan McAndrew participated in a privacy and security panel presentation, which provided an overview of Federal activities.

Ms. Daniel also reported on the national meeting of the Privacy and Security Solutions for Interoperable Health Information Exchange contract, which is supported by the Health Information Security and Privacy Collaboration (HISPC) initiative. This initiative is examining organization-level privacy and security business policies and practices, and the underlying State laws, across 34 states and territories, and the meeting provided a forum for a dynamic discussion of their progress. Issues discussed included consent, data security and quality, and legal and regulatory questions, particularly regarding the implementation of the Health Insurance Portability and Accountability Act (HIPAA) across State lines. Final reports are due in June.

4. Consumer Empowerment Workgroup Coordination

Ms. Daniel summarized the work to date on the collaboration with the CE Workgroup on PHR privacy and security protections. The Co-chairs of the two workgroups have begun discussions on how this collaboration will proceed. Mr. Nahra stated that the CE Workgroup will use its expertise to identify privacy and security issues relating to PHRs, and the CPS Workgroup will then use its expertise to ensure that there are no unintended implications in terms of existing privacy protection laws.

Ms. McAndrew added that the CE Workgroup conducted a market scan of privacy policies, and found that PHR vendors are largely free-standing and therefore non-covered entities under HIPAA. There was also large variation in the policies currently being used in the market. John Houston recommended circulating the National Committee on Vital and Health Statistics (NCVHS) letter regarding PHRs to inform this collaborative. Jill Dennis added that the E-health Web site principles regarding personal health information might be helpful.

Identity-proofing Research on Techniques Where No Prior Relationship Exists and the Changing Landscape Since HIPAA Was Enacted

Ms. Daniel presented on Yuriy Dzambasow’s follow-up research on value-added service providers. Mr. Dzambasow’s results are based on three PHR service providers, and the Workgroup was asked whether it would be useful to continue this research. Mr. Nahra commented that these difficulties underscore the challenges of the unregulated marketplace and that, pending the outcome of the group’s discussion of the working hypothesis, it would be useful to obtain more information. Mr. Dzambasow also reviewed changes in the healthcare landscape since HIPAA was enacted. His findings are available on the Web site noted above.

Workgroup members had the following comments on the presentation:

  • While HIPAA was passed in 1996, the privacy rules were not implemented until 2001. Therefore, 1996 may not be the appropriate starting point for the analysis.

  • In drafting the legislation, Congress started from the perspective of standardizing electronic transactions, rather than from the perspective that privacy rules are needed. From the outset there were carve-outs for providers who do not exchange data electronically. The rationale for carving out entities should be considered as the Workgroup weighs whether the non-covered entities now need to be included in an all-encompassing privacy rule.

  • In addition to stealing information, there is another facet to identity theft: if an individual uses an assumed name to obtain care, that information then becomes part of the medical record for the individual whose name was being used. When this record becomes part of the Nationwide Health Information Network (NHIN), the likelihood of an unintended outcome becomes much greater.

  • The legislative objective behind HIPAA was to simplify administrative burdens.

  • HIPAA is currently very United States-centric, and activities in the rest of the developed world need to be taken into consideration.

  • More information is needed about the health information exchange organizations that are not under the scope of HIPAA.

  • Mr. Dzambasow’s conclusions are not mutually exclusive and do not need to be considered as an “either/or” scenario. HIPAA is a set of standards that can be built upon to accommodate new types of exchanges, but there are also gaps that HIPAA does not address at all.

  • Changes in health care service access and delivery also require reconsideration under HIPAA. In a network environment, information exchanges between PHRs and electronic health records (EHRs) and between PHRs and other interfaces raise questions about the ownership of the data, accountability over the release of the information, and responsibilities for record retention.

NCVHS Recommendations Requiring Further Discussion

Mr. Nahra referred Workgroup members to the chart of NCVHS recommendations. He suggested considering these recommendations while planning for CPS activities, so that this Workgroup does not duplicate their efforts. The highlighted items were marked as areas where further investigations are needed. Ms. Daniel clarified that these recommendations were presented by NCVHS to the Secretary. In terms of the recommendations in which a clear conclusion was drawn, the U.S. Department of Health and Human Services (HHS) is looking into incorporating the conclusions into the trial phases of NHIN. Mr. Nahra asked members to review the recommendations and to send any questions or comments to him or the ONC staff.

Action Item #1: Workgroup members will review the NCVHS recommendations, and send questions or comments to Mr. Nahra or the ONC staff.

Working Hypothesis Discussion and Refinement

Mr. Nahra introduced this topic by stating he formulated this working hypothesis as a way to focus the Workgroup’s discussion about entities that are playing a growing role in the health care system and are not covered by the existing HIPAA privacy and security rules. By discussing this hypothesis, the Workgroup could develop a consensus statement, a workplan for next steps, or a decision that this is not the right direction for the group. He stated that the premise behind the hypothesis is that non-covered entities should be lifted to the same level of HIPAA-covered entities; if HIPAA is the baseline, then non-covered entities are currently below the baseline in terms of legal requirements. The scenario leaves open the possibility that the whole standard should be raised higher.

Working Hypothesis: Entities that create, store, or transmit individually identifiable electronic health information for purposes of clinical care or consumer management of such information should be required to meet enforceable privacy and security requirements at least equivalent to the relevant HIPAA principles, even if they are not “covered entities” under HIPAA today.

Workgroup members had the following comments on the working hypothesis:

  • More information is needed to understand what non-covered entities exist and whether there are entities beyond the scope of “for purposes of clinical care or consumer management.” Mr. Nahra responded that this language is not intended to be limiting or to create another carve-out, but rather to focus on players in the NHIN.

  • NCVHS is finalizing a new set of recommendations which may be close to this hypothesis. However, the scope of the NCVHS recommendations may, either implicitly or explicitly, go beyond NHIN players to entities such as athletic trainers or medical spas.

  • Current standards define entities as one of three types: a covered entity, a business associate of a covered entity, or neither. Members commented that it would be helpful to know more about the entities that fall in the “neither” bucket. Moreover, if all NHIN players are either covered entities or business associates, the scope of the discussion may have to change. Others questioned whether the business associate model is adequate.

  • Selecting a few specific non-covered entities could provide a method for narrowing the focus for developing recommendations.

  • Another way to provide a clear scope for this discussion could be to state explicitly that it applies only to NHIN players, and avoid the language of “clinical care or consumer management.” Privacy rules could be considered as the “price of admission” to the NHIN. Ms. Daniel agreed that this would be a good way of scoping the issue and avoiding duplication; it also would fit within the Workgroup’s charge.

  • Focusing the discussion on entities that want to participate in the NHIN may avoid the need for statutory rules; an entity can choose not to participate if it does not want to follow the rules. There does need to be a mechanism, however, for enforcing the rules. Mr. Nahra clarified that “enforceable privacy and security requirements” refers to standards for which there is an outside enforcer, such as government rules or industry-based certification.

  • Because the NHIN can be a place to mine for data, there needs to be an understanding of who is a participant and who is a third party extracting data.

  • There was discussion about whether it is a better approach to work through one hypothesis at a time, or to develop a set of hypotheses from which to choose the priority issue. Mr. Nahra responded that he is trying this approach as a way to come to consensus around one issue and to make progress in a relatively short period.

From this discussion, Mr. Nahra concluded that the Workgroup will move forward with the working hypothesis, and he summarized the possible next steps. Based on the discussion today, the language will be revised to explicitly refer to the NHIN. Also, a list will be generated of potential participants in the NHIN. The list will be used as a starting point for analyzing the working hypothesis.

Action Item #2: Mr. Nahra and the ONC staff will revise the working hypothesis language based on the above discussion.

Action Item #3: ONC staff will develop a list of potential non-covered entities participating in the NHIN. This list will be circulated to the Workgroup for comment. The list will be used as a starting point for analyzing the working hypothesis.

Application of Working Hypothesis to the Personal Health Record Environment

Covered Entity Perspective

Jeanette Thornton, America’s Health Insurance Plans (AHIP), presented on health plan-sponsored PHRs, which are operated as part of the HIPAA-covered entity or by a business associate of the covered entity. Health plans populate the PHR with information collected through processing claims and administrative data, as well as information entered by consumers. AHIP believes HIPAA requirements apply to information from both sources, and that PHRs should be owned and controlled by the consumer. Additionally, AHIP feels that all PHRs need to have a method to amend incorrect data and have specific record retention guidelines.

While HIPAA is important in terms of PHRs, health plans actually are more affected by variations in State law. Most PHRs either exclude or allow the consumer to exclude certain sensitive information. Spousal access and children’s information also can be handled in many ways. The variations are due in part to laws that are not written specifically for PHRs, but rather about personal health information in general.

AHIP worked with the Blue Cross/Blue Shield Association to develop a standard set of about 100 data elements that consumers should see in health plan-sponsored PHRs. They also developed a standard for portability if a consumer changes plans, which involved forming a working group of legal and technical experts to develop operating rules. While AHIP supports the working hypothesis to create a more level playing field under HIPAA, the working hypothesis does not address interoperability or variations in State laws.

Comments and questions included the following:

  • Plans may be acting very conservatively in excluding sensitive information. Many consumers like being able to control what information they take with them to specialists, and therefore would want to enter all their information into their PHRs. Ms. Thornton responded that this approach may be a “stop gap” measure until the market catches up with selective functionality. Mr. Nahra added that this is a “legally reasonable” conservative approach, because there is no national standard that would cover all the State laws.

  • As to whether giving the patient too much control over the information in a PHR could create a medical “novel” rather than factual record of health condition, Ms. Thornton emphasized that a PHR is not a clinical record of care and should not replace an EHR. Rather, it is a starting point for the conversation with a provider. Others commented that providers may then have a new burden of entering the PHR data into the clinical record, which introduces PHR-EHR interface issues.

  • When using claims data for prepopulating PHRs, an audit trail of all corrections is also needed to maintain the integrity of the information.

  • Employer-sponsored PHRs can be offered through an employer-sponsored health plan, or they can be offered directly by the employer. PHRs offered directly by the employer or by a third-party vendor would not be considered HIPAA business associates. Also, many health plan-sponsored PHRs roll out their product in phases, beginning with the large employer groups, which can cloud the distinctions further.

  • Employer incentives to participate in PHRs may border on compulsion; however, compulsory participation would be a ripe situation for stricter privacy rules. Employers are also very conscious of potential liability issues regarding rights to access information. For PHRs sponsored directly by employers, it is unclear if there is a consent process regarding the prepopulation of data.

Planning for Next Workgroup Meeting

Mr. Nahra summarized the Workgroup’s three current activities: (1) identity proofing where no prior relationship exists, (2) the working hypothesis on non-covered entities, and (3) coordinated efforts with CE and NCVHS. Mr. Nahra asked the group to begin thinking about other areas where the working hypothesis model could be used to further define an issue for the Workgroup to address. Suggestions included:

  • “Opt-in” versus “opt-out” participation

  • Differences between HIPAA and state laws regarding consent for the release of information

  • Identifying levels of NHIN participants and the applicability of privacy rules to the different levels

Action Item #4: Workgroup members will submit ideas to ONC staff for the next working hypothesis.

Public Comment

None.

Adjourn

Ms. Daniel reminded participants that the next meeting will be held on April 12. Mr. Nahra thanked participants, and the meeting was adjourned at 2:44 p.m.

SUMMARY OF ACTION ITEMS

Action Item #1: Workgroup members will review the NCVHS recommendations, and send questions or comments to Mr. Nahra or the ONC staff.

Action Item #2: Mr. Nahra and the ONC staff will revise the working hypothesis language.

Action Item #3: ONC staff will develop a list of potential non-covered entities participating in the NHIN. This list will be circulated to the Workgroup for comment. The list will be used as a starting point for analyzing the working hypothesis.

Action Item #4: Workgroup members will submit ideas to ONC staff for the next working hypothesis.

Meeting materials

Agenda

Healthcare's Changing Landscape

NCVHS June 22, 2006 recommendations

CPS Working Hypothesis

Confidentiality, Privacy, and Security Workgroup

Members and Designees Participating in the Web Conference

Members

  • Kirk Nahra, Wiley & Rein LLP

  • Jodi Daniel, DHHS/Office of the National Coordinator for Health Information Technology

  • Jill Callahan Dennis, Health Risk Advantage

  • Don Detmer, American Medical Informatics Association

  • Elizabeth Holland (for Tony Trenkle), DHHS/Centers for Medicare & Medicaid Services

  • John Houston, University of Pittsburgh Medical Center and National Committee on Vital and Health Statistics

  • Tracy Leeper (for Steven Davis), Oklahoma Department of Mental Health and Substance Abuse Services

  • Susan McAndrew, HHS/Office for Civil Rights

  • Deven McGraw, National Partnership for Women and Families

  • Jeanette Thornton (for Thomas Wilder), America’s Health Insurance Plans

  • Paul Uhrig, SureScripts, LLC

  • Mazen Yacoub (for Sam Jenkins), Tricare Management Activity, Department of Defense

Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.