American Health Information Community
Confidentiality, Privacy, and Security Workgroup
Summary of the Ninth Web Conference of This Workgroup
Thursday, April 12, 2007
KEY TOPICS
1. Call to Order and Welcome
Judy Sparrow, AHIC Director, opened the Web conference at 1:05 p.m. She reminded those present that this meeting is designed to meet the requirements of the Federal Advisory Committee Act. Ms. Sparrow also presented a new CPS Workgroup Member, Sylvia Au. Ms. Au works for the State of Hawaii in the genetics field. Workgroup members then introduced themselves.
2. Approval of Prior Meeting Summaries/Opening Remarks
Kirk Nahra, Co-chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants. Workgroup members were asked to approve the summary from the Workgroup’s March meeting; any questions or comments on this summary should be submitted to Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) staff so that it can be finalized. This summary and other meeting materials are available at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
3. Panel 1: Personal Health Records (PHRs)
Mr. Nahra stated that the purpose of this panel is to provide information for the Workgroup’s “working hypothesis” regarding the extension of HIPAA coverage to cover non-covered entities participating in electronic health information exchange. The first panel is designed to give the PHR perspective on the “working hypothesis”. John DesMarteau from LAXOR, Inc. and Philip Marshall from WebMD Health presented on the privacy and security practices of their companies’ PHR products. These presentations are available at the Web site given above.
Workgroup members had the following questions and comments:
- Dr. DesMarteau clarified that the product offered by LAXOR is more than software; it actually provides a communications infrastructure that can be managed by either consumers themselves or by a personal health information manager.
- Mr. Marshall clarified that WebMD provides a network of public and private portals for a variety of stakeholders. For the PHR products that run through private portals, information that is obtained on other parts of the WebMD site can be stored in an individual’s PHR.
- Dr. DesMarteau was asked to discuss how to balance consumer control with provider access. At LAXOR, access is role-based. Once a doctor loads information into a PHR, that information is then always available to the doctor; however, if the consumer changes providers, the first doctor would not have access to the second doctor’s notes without patient approval. Also, a doctor can append but cannot change notes that have been entered into the system.
- LAXOR “volunteered” to apply HIPAA standards to their products, despite the fact that they are a non-covered entity, because it provides a universal standard. Also, the security rules in HIPAA are very rich and well presented.
- Dr. DesMarteau clarified that his comment on liability was referring to the need for implementing as many reasonable safeguards as possible to prevent breaches. In considering liability protection, there also needs to be a balance between access and interoperability. He stated furthermore that LAXOR’s philosophy is that data should revolve around the patient, not vice versa.
- Peter Basch commented that if the patient grants access to health care providers on selective components, what may appear to be a complete record actually would paint only a partial picture.
- Mr. Marshall commented that WebMD does not sell any personal health information, identifiable or not. Nevertheless, it does make the data available in an aggregated, de-identified form to sponsoring organizations. The published Terms of Use state that the aggregated data is made available for this use. For smaller companies, WebMD follows a conservative practice so that cell sizes for the sponsors’ reports do not go below a certain number.
  Mr. Marshall elaborated on his comment regarding how policies might restrict PHR activities unnecessarily. He stated that some rules or regulations might stifle the ability of consumers to increase efficiency and to address cost and quality concerns in the health care system. The spirit of HIPAA has allowed consumers to have more transparency, exercise more control over who receives information, and bring together data from a variety of sources. WebMD is evaluating ways in which that process could be facilitated or stifled by rules and regulations.
- WebMD has mechanisms to help an individual continue to have access to his or her data if he or she changes employers or health plans. It is a core belief of WebMD that consumers have access to their data for their life span. In the worst-case scenario, consumers could request that their information be deleted.
4. Panel 2: Health Information Exchanges
This panel provided information on privacy and security practices for health information exchanges. Paul Uhrig from SureScripts, LLC, and Ken Majkowski from RxHub, LLC, presented on security practices for electronic prescription transactions. Micky Tripathi and Stephen Bernstein from the Massachusetts e-Health Collaborative, Gina Perez from the Delaware Health Information Network, and Amy Zimmerman from the Rhode Island Department of Health presented on state information-sharing networks. These presentations are available on the Web site given above.
Mr. Nahra opened the discussion for both this panel and the previous panel. Workgroup members had the following questions and comments:
- The position of RxHub is that it is not a business associate; it does not perform any function other than to serve as the electronic network to transfer data between business associates or covered entities.
- Mr. Majkowski clarified that when a physician chooses to write a prescription, the pharmacy benefit management (PBM) company only finds out about that prescription if the patient uses his benefit to pay for it; no information passes from the doctor’s office through RxHub back to an insurer or PBM. The information that the drug has been prescribed will be transmitted to the PBM for coverage purposes at the pharmacy level through other networks. Mr. Nahra added that patients can ask the PBM to block their information.
- Dr. DesMarteau stated that every time a piece of data is entered into a record, the person who created it has an obligatory ownership of the data. He also commented that there is an audit trail for each of the different roles accessing a PHR.
- Regarding patients who receive care across state borders, the representatives from the state health information exchanges (HIEs) commented that while there is interest in sharing information across state lines, the initial focus is on in-state providers. Ms. Perez added that current providers are notified that this system is not totally comprehensive; it is not a full historical record and contains data only from participating providers.
- Other state representatives echoed that collaborative efforts are a desired outcome; however, beginning the dialogue at a local level requires time, and other communities might not be at the same point in their dialogue. Also, because funding often comes from the state or from the local health insurance market, sponsorship and state privacy laws could prevent cross-state collaboration. The feasibility and sustainability for these health information networks might be at the most local level.
- In Massachusetts, the fact that information at the entity level is being withheld is invisible to other providers; however, there is a general warning that this is not a complete record, and a majority of care records are not yet in the system.
- As to whether the opt-in option for the Massachusetts system is granular to the level of sharing specific laboratory results, Mr. Tripathi replied that the technology and physician practices are not in place to support that level of selectivity. Additionally, different vendors have different abilities to filter the data, but most are able to filter structured data such as ICD-9 codes. They would not be able, however, to flag related conditions or medications that could lead to the same conclusion as the blocked diagnostic code. A local group of Massachusetts physicians did review the structured fields to flag any data related to HIV results or genetic testing results, as mandated by state statute.
- Given the complexity of this issue, Ms. Zimmerman added that it is not enough to pass a rule or regulation; there have to be methods for implementing and then enforcing the regulation. Currently, the HIE is limited to data exchanges for care and treatment, because the entity overseeing the HIE has not made decisions about appropriate uses of data for research or other secondary uses. The sustainability model for HIEs, however, may require more usability of the data under appropriate terms and conditions.
- When asked whether information can be linked to other family members, Dr. DesMarteau replied that the LAXOR PHR does allow, on an opt-in basis, for a group structure to share family history or disseminate information to caregivers.
5. Working Hypothesis Discussion
Mr. Nahra reviewed that the working hypothesis is a method of focusing the Workgroup discussion. The hypothesis states that a level playing field should be established for all entities involved in the HIE system: HIPAA-covered entities, business associates, and entities that do not fall into either category. The working hypothesis was revised after the last meeting and now reads as follows:
Working Hypothesis: All persons and entities that participate in an electronic HIE network, at a local, state, regional, or nationwide level, through which individually identifiable electronic health information is stored, compiled, transmitted, or accessed, should be required to meet privacy and security criteria at least equivalent to relevant HIPAA requirements.
Mr. Nahra asked panel members to comment on using HIPAA as a baseline standard and lifting their business practices to at least the HIPAA standard:
- Dr. DesMarteau replied that LAXOR already is using HIPAA as a “floor” standard, except in situations where state law preempts HIPAA. Entities that can hold dialogs with state legislators are a part of an important enabling process.
- Mr. Majkowski added that RxHub also views HIPAA as a floor and that their infrastructure was developed at the same time as the HIPAA rules. However, RxHub does not have any data repositories, which might be a major difference between them and other entities.
- Mr. Uhrig stated that he supports the HIPAA standards as contemplated by the Working Hypothesis, with the caveat that not all of the provisions of HIPAA may make sense with respect to networks, depending on the functions and role they play.
- Ms. Zimmerman commented that her community feels HIPAA does not go far enough with privacy protections, and that the framework they are developing likely will go beyond HIPAA standards.
- Mr. Tripathi agreed and stated that Massachusetts also has gone above the level of HIPAA. He added, however, that the Massachusetts HIE is a business associate of covered entities to which it provides services.
- Dr. DesMarteau added that another difference between a PHR and an HIE is the level of control given to patients. A PHR is patient owned and controlled, whereas the HIE models discussed whether the patient is outside the circle of caregivers, part of the circle, or in the center of the circle.
Mr. Nahra summarized that the witnesses, as a sampling of the types of business that would be affected, seem generally supportive of this hypothesis. He commented that the business associate model was not really designed to cover the state HIEs and that the hypothesis suggests applying HIPAA standards for all players directly. Other Workgroup comments on the hypothesis included:
- Questions regarding liability and how to terminate relationships can be problematic when an entity has multiple business associate relationships.
- Raising all players in HIE networks to a HIPAA level is not the same as making all participants covered entities, because there are other portions of HIPAA that are not relevant to HIE.
- It might not be possible or desirable to move forward with a one-size-fits-all standard of meeting HIPAA requirements, due to the nuances in the way these exchange organizations are structured.
- It might be necessary to refine some of the terms in the working hypothesis. For instance, what does it mean to “participate” in the network? Also, more consideration may need to be given to whether there are categories of participants that are missing or, conversely, if the categories might extend to people who should not be included. This may involve the distinction between business associates and what was originally defined as a “trading partner” under HIPAA.
- The variety of entities in HIE networks extends beyond traditional health care entities, and reviewing which measures are applicable might be a worthwhile exercise.
6. Planning for Next Meeting
Mr. Nahra stated that the Workgroup will continue this discussion at the next meeting, and asked Workgroup members to submit comments on the revised hypothesis and sub-hypotheses to ONC staff as soon as possible.
Action item #1: Workgroup members will review the revised hypothesis and sub-hypotheses, and submit comments to ONC staff as soon as possible.
Ms. Daniel suggested reviewing the list of HIE participants for additional testimony and discussion. Several Workgroup members commented that it may be more helpful to solicit comments from entities that would not be considered participants, such as secondary users.
Action item #2: Workgroup members will review the list of participants and submit comments to ONC staff as soon as possible.
Mr. Nahra reminded Workgroup members that the next meeting is on May 17 and that the June 28 meeting may be rescheduled to June 19.
7. Public Comment
None.
8. Adjourn
Mr. Nahra thanked participants, and the meeting was adjourned at 4:58 p.m.
SUMMARY OF ACTION ITEMS
Action item #1: Workgroup members will review the revised hypothesis and sub-hypotheses, and submit comments to ONC staff as soon as possible.
Action item #2: Workgroup members will review the list of participants and submit comments to ONC staff as soon as possible.
MEETING MATERIALS
Agenda
Working Hypothesis
Panel 1: Personal Health Records
DesMarteau - LAXOR, Inc.
Marshall - WebMD Health
Panel 2: Health Information Exchanges
Uhrig - SureScripts LLC
Majkowski - RxHub LLC
Tripathi - Massachusetts e-Health Collaborative
Zimmerman - Rhode Island Department of Health
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
Member | Organization
Kirk Nahra | Wiley Rein LLP
Jodi Daniel | DHHS / Office of the National Coordinator
Sylvia Au | Hawaii Department of Health
Peter Basch | MedStar e-Health
Elizabeth Holland and Tony Trenkle | DHHS / Centers for Medicare & Medicaid Services
John Houston | University of Pittsburgh Medical Center and National Committee on Vital and Health Statistics
Sam Jenkins | U.S. Department of Defense / Tricare Management Activity
Susan McAndrew | DHHS / Office for Civil Rights
David McDaniel | Veterans Health Administration
Deven McGraw | National Partnership for Women and Families
Deborah Parris (for Flora Terrell Hamilton) | Family & Medical Counseling Service
Alison Rein | National Consumers League
Dan Rode | American Health Information Management Association
Paul Uhrig | SureScripts, LLP
Thomas Wilder | America’s Health Insurance Plans
David Wright (for Steven Davis) | Oklahoma Department of Mental Health and Substance Abuse Services
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.