American Health Information Community
Confidentiality, Privacy, and Security Workgroup
Summary of the 18th Web Conference of this Workgroup
Thursday, April 17, 2008
PURPOSE OF MEETING
The meeting was convened to discuss factors for policy development and hear testimony on public health and electronic health information exchanges (HIEs). Meeting materials and documents referenced below are available at http://hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
KEY TOPICS
1. Draft Policy Factors
Deven McGraw, Workgroup Co-chair, summarized that the Co-chairs have drafted a list of elements for future policy development efforts. Given the difficulties the Workgroup experienced deliberating recommendations on consumer choice, as well as the shortened timeframe for advancing recommendations to the Community, this new approach will raise a landscape of policy issues. Kirk Nahra, Workgroup Co-chair, added that the previous “drilling down” approach seemed to be opening more issues rather than closing them. In fact, it was noted that one outcome of this Workgroup is that the issues are so intertwined that looking at one issue in isolation is not feasible. The policy factors approach is being proposed as a more productive direction for the remaining time of the Workgroup; these factors can then be the basis for other policy-making bodies going forward.
John Loonsk, Office of the National Coordinator for Health IT, raised the issue of defining an HIE. He stated that the definitions workgroup is scoping an HIE as an action, rather than an entity who conducts the action. Mr. Nahra commented that, in past recommendation letters, the Workgroup did not provide a conclusive definition, due to the evolutionary nature of the market. The intention for the draft policy factors was to develop generally applicable principles, regardless of the specific model of HIE; however, the group may need to be cognizant of the various models as they discuss each factor. Additionally, for each factor, the Workgroup will need to address whether a rule already exists, and if so, whether that rule is sufficient or if the new environment creates a policy gap.
The Workgroup then discussed each draft policy factor. It was noted that for all policy factors, the working assumption is that prior recommendations, including the “level playing field” recommendation, are applicable.
Factor 1: The ability of a participant in an electronic HIE network to view, access, or request health information without the prior knowledge of the source of that information creates new challenges to protecting privacy.
Workgroup member comments on Factor 1 included:
- One item to highlight in discussing this factor is the notion of a limitation on the collection of data. In a paper environment, a hospital or provider would have to ask a patient what other care they have received, so that there is an inherent consent built into the disclosure of that information. However, in the networked environment, there is more of an opportunity to obtain data without prior consent of the patient.
- While a networked environment may facilitate or provide more opportunity to access information, challenges to protecting privacy are not a new issue.
- The concern was raised that the language of the draft document may be inflammatory. Although the scale and opportunity for obtaining information without consent increase with HIEs, the language does a disservice to those who have been very thoughtful in designing and using these systems.
- Given that HIPAA is the policy “floor,” mirroring the syntax of use and disclosure may be another approach for this factor. It was also noted that the language included in HIE participant agreements regarding viewing and requesting information may differ from HIPAA.
Factor 2: Confidentiality, privacy, and security protections should be established to both prevent access to an electronic HIE network for unauthorized purposes and to limit the purposes a network can use health information itself.
Workgroup member comments on Factor 2 included:
- A concern was raised about allowing networks to access information for their own health care operations. Depending on the nature of the network, they may be able to access information that was previously not available to them. For repository models, they would not have treatment or payment purposes but they would have health care purposes.
- One possible recommendation is to have another group further explore the issue of the extent to which HIEs can use data for health care operations, and whether that varies depending on the model.
- There is a distinction between participants in a network using that network for their own health care operations versus health care operations of the network itself.
Factor 3: Once health information has been accessed via a network and recorded into a provider or other entity’s record about an individual, such health information should be treated as it is today under HIPAA and State Law. Two sets of rules, one governing information obtained from a network and one governing information obtained from other sources, would be impractical.
Workgroup member comments on Factor 3 included:
- The necessity of outlining this factor as a separate factor was questioned. Mr. Nahra explained that it was included in the draft due to prior Workgroup discussions about whether there would be different restrictions for information obtained through an HIE.
- It was noted that this issue may depend on the particular structure of the HIE. However, this policy factor is suggesting that, even if the information obtained through an HIE is able to be kept separate from information obtained through other means, that information should not be regulated differently.
- This concept builds on Factor 1, as well as the “level playing field” recommendation pertaining to HIPAA-covered entities. Patients would not be regulated in any of these policy factors.
- This factor does not address the possibility that HIEs may create opportunities to obtain information that is currently not permitted under HIPAA. Rather, it is focusing on establishing only one set of rules for use and disclosure of the information once it has been obtained, regardless of the method for obtaining it.
- The Workgroup previously discussed limiting the gathering of data from networks to treatment, payment, and selected health care operations, but was not able to reach a consensus. An objection to this scope of activities is that it may prevent potential uses for networks or access to data for organizations which do not now have that ability, such as public health agencies.
Factor 4: In determining the types of choices consumers should be able to make with respect to the exchange of their health information via a network, steps should be taken to incorporate the rights of consumers with the legitimate needs that providers and other entities have to access, use, and disclose health information.
Workgroup member comments on Factor 4 included:
- It was clarified that the intention is not to suggest that providers need to second guess the appropriateness of disclosed information.
- It was noted that the word “balance” was deliberately not used in this statement, because it tends to imply that consumers have to give up some of their rights.
- Additionally, when these factors are incorporated into a recommendations letter, there will be a background statement that focusing only on consent is not enough; consumers need to know to what they are consenting for it to be meaningful.
Factor 5: Policy should promote privacy and security but not add such complexity that it creates a significant impediment to the development and benefits of health information exchange networks.
Factor 6: The protections established for health information exchanged via a network should take into account the potential benefits to health care delivery, transparency, quality improvement, and population health.
- For factors 4, 5, and 6, it was suggested that these broad statements could be folded into a background section of a recommendations letter, rather than having them as distinct policy factors.
Ms. McGraw commented that this discussion of the policy factors was the initial step in developing a more fulsome recommendation letter. The Co-chairs and ONC staff will follow up on comments made today to produce the next draft for discussion. They will also identify HIPAA analogies for these factors for the next draft.
Action item #1: The Co-chairs and ONC staff will follow up on Workgroup member comments on the draft policy factors and begin drafting a letter of recommendation to be forwarded to the AHIC.
2. Public Health and Health Information Exchange
Ms. McGraw introduced this panel by explaining that the group is interested in hearing about how HIEs are facilitating public health improvement. David N. Sundwall, Utah State Department of Health, presented on core public health functions and the value for public health to participate in clinical information exchange. Marc Overhage, Indiana Health Information Exchange, presented on the engagement of public health in HIE.
Workgroup members had the following questions and comments:
- Dr. Overhage clarified that his HIE operates by having data flow in real time from sources like laboratory systems and hospitals. This allows for the monitoring of results as they are being generated; various algorithms are chosen by the participating entities. These results are then delivered to the entity in a standardized format. The HIE has offered to provide reporting on how the entity’s results compare with others in the exchange but there has been no interest in this. Dr. Sundwall stated that their epidemiology surveillance system is separate from the HIE.
- While the Indiana HIE hosts the data in one common location, the Utah model is an exchange only without any repository. Dr. Sundwall noted that this feature was key for the state legislature, who did not want to fund a centralized data repository that could raise privacy concerns.
- Dr. Overhage stated that the Indiana HIE has no state funding. The public health activities of the HIE are a marginal cost with considerable benefit; therefore the public health department does not fund it. They did, however, help to fund interface-building for hospital syndromic surveillance systems. They also receive Federal funding to participate in ONC nationwide demonstrations. The HIE also receives a fee per transaction for results delivery and fees for quality improvement activities.
- Regarding patient authorization, Dr. Sundwall commented that the clinical HIE is a new authority and they are in the process of developing patient consent. Consent is not needed for the mandatory reportable data. Dr. Overhage added that laboratory reporting for reportable disease is a state law. For syndromic surveillance, this information is deidentified before being aggregated; that is, the direct identifiers are removed, but some HIPAA identifiers are needed for public health purposes.
- Looking to the future, Dr. Sundwall commented that opportunities for chronic disease management will present themselves as the clinical record exchange matures; they have been addressing this as much as possible through population health surveillance to focus on areas of higher concentration. However, their primary responsibility is to protect the public health through traditional disease surveillance, and the clinical exchange will not replace their disease monitoring activities. Dr. Overhage reported on a forward-thinking geographic information base initiated by an Indiana mayor. This community database will link with the HIE to anonymously query about proximity to power lines or income based on census block, for example. For chronic disease management, they have focused initially on primary care physicians and are running quality measures across market areas on issues such as insurance barriers to health care screening tests.
In summary, Mr. Nahra stated the presenters raised four main categories of activities that, in his opinion, do not raise new biosurveillance security issues. The four areas were:
- Provider licensing
- Using the network as a channel for disseminating public health information
- Improving the vehicle for information that is already communicated between providers and public health agencies
- Providing treatment services
Workgroup members then commented on this summary:
- Depending on how the mandatory reporting laws are written, the networks may provide a broader collection method than what is found today. This could lead to the ability to data mine. Because the data is deidentified for syndromic surveillance, it was noted that the ability to data mine is not necessarily concerning, but it is a change in the environment.
- Given that much of the utility from an HIE for public health is yet to be explored, it is important that any recommendation from this Workgroup does not stifle innovation. A concern was raised that, in phrasing a recommendation that appears to suggest these current activities are within the scope of what is allowable, a dichotomy may be established that could make future activities more difficult.
3. Planning for Next Meeting
The next meeting is scheduled for Tuesday, May 27th. The Co-chairs and ONC will develop a revised draft of the policy factors to discuss at this meeting.
SUMMARY OF CONSENSUS AND ACTION ITEMS
Action item #1: The Co-chairs and ONC staff will follow up on Workgroup member comments on the draft policy factors and begin drafting a letter of recommendation to be forwarded to the AHIC.
MEETING MATERIALS
Agenda
2/5/08 CPS Workgroup DRAFT Meeting Summary
Sundwall: Public Health and HIE
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
Co-chairs
- Kirk Nahra, Wiley Rein LLP
- Deven McGraw, Center for Democracy and Technology
ONC
- Jodi Daniel, HHS/Office of the National Coordinator
- Steve Posnack, HHS/Office of the National Coordinator
Members and Designees
- Steven Davis, Oklahoma Department of Mental Health and Substance Abuse Services
- Jill Callahan Dennis, Health Risk Advantage
- Christine Heide (for Susan McAndrew), HHS/Office for Civil Rights
- Elizabeth Holland (for Tony Trenkle), HHS/Centers for Medicare and Medicaid Services
- John Houston, University of Pittsburgh Medical Center and National Committee on Vital and Health Statistics
- David McDaniel, VA/Veterans Health Administration
- Deborah Parris (for Flora Terrell Hamilton), Family & Medical Counseling Service
- Alison Rein, AcademyHealth
- Leslie Shaffer, DoD/TRICARE Management Activity
- Thomas Wilder, America’s Health Insurance Plans
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.