American Health Information Community
Confidentiality, Privacy, and Security Workgroup
Summary of the 11th Web Conference of This Workgroup
Friday, June 22, 2007
KEY TOPICS
1. Call to Order and Welcome
Judy Sparrow, AHIC Director, opened the meeting at 10:02 a.m. She reminded those present that this meeting is designed to meet the requirements of the Federal Advisory Committee Act. Workgroup members then introduced themselves.
2. Approval of Prior Meeting Summary/Opening Remarks
Kirk Nahra, Chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants. Workgroup members were asked to approve the summary from the Workgroup’s May meeting. Any questions or comments on this summary should be submitted to the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) staff so that it can be finalized. This summary and other meeting materials are available at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
3. June AHIC Meeting Summary
Steven Posnack, ONC, provided an update from the June 12 AHIC meeting. There was much discussion about the successor for the AHIC, and three contractors made presentations on possible models. John Loonsk, ONC Director, provided an update on Healthcare Information Technology Standards Panel (HITSP) activities. Recommendations from the Chronic Care Workgroup, Electronic Health Records Workgroup, and the CPS Workgroup were presented and approved. Finally, Robert Kolodner, National Coordinator for Health IT, presented a framework for privacy and security. This framework will be developed with public input over the next several months. Mr. Nahra added that the discussion on the CPS recommendations was very straightforward. There were a few questions about what kinds of entities would participate, particularly whether the transmission networks would be covered. Materials from this meeting are available on the Community’s Web site at http://www.hhs.gov/healthit/community/meetings.
4. National Health Information Network Update
Dr. Loonsk provided an update on the National Health Information Network (NHIN). A new Request for Proposals (RFP) is available for the NHIN trial implementations. He explained that this is a stepwise process: the first year focused on the architecture, this year is focusing on trial implementations, and next year will focus on larger scale implementation. The NHIN is building a “network of networks” to provide health information exchange (HIE), and the RFP describes a set of core services that need to be made available by HIE organizations. This presentation is available on the CPS Workgroup Web site listed above.
Alison Rein stated that some of the capabilities under consumer services do not have existing standards, and asked about the role of HITSP to establish standards for the NHIN trial implementations. Dr. Loonsk replied that the core services are correlated with the seven AHIC use cases. While standards will not be in place for the trial implementations, the expectation is that HITSP will actively participate in this process to ensure the direction of the NHIN trial implementation contractors is compatible with the standards synchronization process.
5. Panel 1A: “Relevant” HIPAA Requirements
Mr. Nahra introduced the first panel by stating the “level playing field” recommendation left the relevancy of some Health Insurance Portability and Accountability Act (HIPAA) requirements for particular entities or categories of entities open for discussion. This panel will explore areas of the entity’s operation for which the HIPAA framework does not apply, and where a “carve out” from the HIPAA standard should be created. Viki Prescott testified against the expansion of HIPAA to apply to HIE organizations unless the HIE organization deals directly with the patient. Cassi Birnbaum of CalRHIO stated that privacy and security protections should be applied to the health care information and not the entities handling the data. Also, HIPAA standards should be used as the floor to address the wide variation in disclosure practices and security protections. Lory Wood of Good Health Network, Inc. testified that a level playing field improves competitiveness by building trust and interoperability, and HITSP technical standards should be required as a minimum set of confidentiality, privacy, and security protections. These presentations are available at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
6. Panel 1B: “Relevant” HIPAA Requirements
This panel continued to explore categories of participants for which a “carve out” in the HIPAA framework should be considered. Jim Hansen, Healthe Mid America, stated that an accreditation body should be created to certify HIE organizations meeting a minimum set of standards, using HIPAA as a floor. Christopher B. Sullivan, Florida Center for Health Informationand Policy Analysis, testified that while HIPAA standards may serve as an acceptable minimum, HIPAA creates statutory barriers to multi-State HIEs that first need to be addressed. Rachel Nosowsky, University of Michigan Member, caBIG Data Sharing and Intellectual Capital Workspace, stated that HIE initiatives will succeed only if all participants are expected to meet “HIPAA-like” enforceable minimum standards. Certain HIPAA standards, however, will impede research collaborations unnecessarily without any corresponding benefit to patient privacy protections. These presentations are also available at the CPS Web site noted above.
Workgroup members had the following questions and comments for Panels 1A and 1B:
-
Regarding the creation of third-party entities to manage the multiplicity and complexity of queries to HIE organizations that would be required if the regulations were expanded, Ms. Prescott stated that it would increase complexity and costs. The process would not be as simple as farming it out to another organization, because the HIE organization does not own the data and would have to ensure the data from covered entities is protected. Mr. Nahra stated that this situation raises a few issues for the Workgroup to consider. First, business associates in general often do not own original data, and a query would be referred to the doctor or health insurer first. There could be a case, however, for individuals wanting to go to the Regional Health Information Organization (RHIO) first to prevent the need to obtain that original data from several different providers. Second, the accounting rule may require the HIE network to disclose information that the doctor or hospital would not, which increases the burden. Because this is not often requested by patients, expanding the accounting rule may not be advantageous.
-
Concerning the adoption of standard business associate agreements, Ms. Prescott stated that there are certain carve-outs placed on them from the providers of the data. For example, certain data could be used for treatment but not for research. Ms. Birnbaum added that the business associate agreement is widely accepted and offers assurances so that the providers who control the data will be comfortable releasing it. Ms. Nosowsky agreed, and commented that with a federated architecture, requiring a standard trust agreement is the “price of entry.” The agreements allows for both standardization and the option to add extra requirements. Mr. Hansen stated they also start with a standard agreement and then allow for nuances to be added, which is a real benefit because the negotiation process is time-consuming. He added that the “elephant in room” with these agreements concerns ownership of the data. His organization’s perspective is that the hospitals own the data, but consumers have the right to copy it from different providers and assemble it in one place.
-
For personal health records (PHRs) or consumer-oriented models, it was asked whether the HIPAA exception for treatment, payment, and health care operations could be reconciled with the concept of consumer control. Ms. Wood replied that their activities with HITSP are looking at this and other patient privacy issues, and that the PHR product offered by her group goes beyond many of the HIPAA requirements. Mr. Nahra added that one premise of the hypothesis is that PHRs may choose to have business practices that go beyond the standard, and that the standard would not mandate that they change these current business practices. Ms. Wood responded that the industry clearly is moving in the direction of consumer control, and this probably would not be changed by imposing the regulations on others. Ms. Birnbaum commented that extending the health care operations minimum necessity rule could be “opening a can of worms.”
-
Regarding whether any of the systems allow for family members to link records together, Ms. Wood replied that family accounts can be established as well as designating proxies.
-
Concerning the enforcement mechanism of business associate agreements, Ms. Nosowsky commented that there is some level of direct accountability through those contractual agreements. Beyond that, some participants will have direct liability such as sanctions through licensing boards. Ms. Prescott added that she is not convinced that there is a problem that even needs to be addressed. Because most HIE organizations are nonprofits with the goal to improve health care, it is necessary to consider financial sustainability. Few organizations will be interested in operating RHIOs if the potential exposure to financial penalties is layered onto the regulations that already exist.
-
Because many companies already are complying with HIPAA based on good business practices, the panelists were asked what the impact of a requirement would be. Ms. Prescott replied that there may be differences for business models that do not interact directly with consumers. Mr. Hansen stated that he would embrace the new level of regulations, because it will assist in conducting due diligence during business associate negations with the producers of data. Ms. Nosowsky emphasized that there is an appreciable difference between extending HIPAA as high-level standards versus detailed specifications. There already has been published evidence about the negative impact of HIPAA on research and on public health. She cautioned against superimposing the regulation across the industry rather than having all the players agree on minimum standards that follow the information rather than follower the players.
Mr. Nahra thanked the panelists, and encouraged follow-up input from the presenters on which specific pieces of the baseline are not relevant to their type of organization and should be carved out for those particular entities. Paul Uhrig added that another piece of information that would be helpful for the Workgroup’s deliberations is more commentary on the definitions of HIEs and RHIOs to add specificity to the list of participants.
Action Item #1: Panel presenters are invited to send additional comments to ONC staff on particular areas of HIPAA standards that are not relevant to their type of business organization, and that may not be relevant to their business model.
7. Panel 2: New Environment, New Perspectives
Mr. Nahra introduced this discussion by stating the level-playing field recommendation applies a standard at least equal to HIPAA to all participants. This panel will examine whether there is something different about the health care landscape today that would require a different set of standards other than HIPAA. Isaac Kohane, Harvard Medical School Center for Biomedical Informatics, testified on patient care issues regarding electronic genomic health information and commercially available testing services. Bradley Malin, Vanderbilt University, presented on privacy and patient care issues regarding the integration of genomic and electronic medical records. Joy Pritts, Georgetown University, stated that the HIPAA privacy rule is not applicable to new models of electronic health information sharing, specifically stand-alone PHRs. Mary Grealy, Healthcare Leadership Council, posited that a careful balance needs to be struck between the need for a universal privacy standard to facilitate multi-State electronic data exchange and the potential impediment to patient care and innovation caused by “hyper-compliance” with the HIPAA Privacy Rule. Bill Braithwaite, Health Information Policy Consulting, stated that while HIPAA privacy and security rules are based on solid principles, expanding HIPAA alone is not adequate to resolve the issues and challenges to multi-State HIE.
Workgroup member comments and questions for Panel 2 included:
-
Concerning the possibility of a Universal Commercial Code approach, Dr. Braithwaite commented that the environment has changed since the last attempt. In particular, the Health Information Security and Privacy Collaboration (HISPC) has increased awareness on the variations in regulations so that this type of approach may be more successful if it is tried again. Dr. Pritts added that State perspectives fall along a continuum, and while States may be willing to reduce the extent of variations, reaching a uniform code is unlikely. The model law approach accommodates this, because a limited menu of choices is provided for core concepts.
-
Regarding whether the adoption of more stringent protection standards would be an acceptable tradeoff to reach uniformity, Dr. Braithwaite responded that greater protection means something different to everyone. HIPAA requires patient authorization where it is appropriate. Consent is not required when it is implied that is, when implicit permission is given by presenting to the provider for care. He believes that any changes to require more signatures for consent are a useless burden. However, HIPAA approaches all health information as deserving the same level of sensitivity, whereas most States provide greater protection for some types of information than for others. Dr. Braithwaite stated that another approach would be providing special protection to information that the patient labels as sensitive rather than disease-specific regulations. Dr. Kohane agrees with this approach, because different types of information will be sensitive to different patients. This advocates for greater patient control rather than stricter consent procedures.
-
Regarding the ability to re-identify information that has been de-identified, Dr. Malin commented that the increased amount of information that is available electronically and publicly also has resulted in information that is easier to identify. In the environment of RHIOs, this situation calls for greater interoperability between systems to ensure adequate protections are in place. Dr. Braithwaite added that the term de-identified was invented when the HIPAA regulations were written to distinguish it from anonymous.
-
As to the ability of privacy regulations to keep pace with change, Dr. Malin responded that studies have shown that people in their teens and 20s are not very concerned about the privacy of their information and do not even recognize that privacy is a concern until a violation occurs. He stated there is a need for a public awareness campaign. Ms. Grealy agreed, stating that the “Facebook generation” needs to be educated about the ramifications of sharing information and that an education and outreach effort needs to coincide with HIE privacy protections. Dr. Kohane cautioned against underestimating the available resources for older populations and technologically disadvantaged groups. He sees ensuring that these groups are not disenfranchised as more of an implementation issue than a regulatory issue. Dr. Pritts added that a high-level statutory framework would be more adaptable than HIPAA to cover new entities as they emerge. Mr. Nahra commented that, for this reason, the Workgroup’s focus may be more on privacy than security issues. The security rule is adaptable to new kinds of information, whereas making the privacy rule “fit” might be more difficult.
Mr. Nahra summarized that the Workgroup has looked at two different issues: the level playing field and relevance. It may be that the new environment of HIE is different such that either “more than HIPAA” or “different from HIPAA” is needed. Given the confusion over HIPAA and the complexity of State versus Federal laws, Mr. Nahra asked the panelists to comment on the importance of implementing a single standard:
-
Ms. Grealy responded that it would depend on how the laws are simplified. For a single standard to work, it is necessary to educate consumers on why it is beneficial for health care providers and researchers to have their information and to have enforceable privacy protections. She added that what may be considered sensitive information today could be different tomorrow, and therefore a living document is needed that is able to evolve.
-
Dr. Pritts commented that the way to achieve simplicity is to follow the “opt-out” model adopted by other countries. In the United Kingdom and Canada, the assumption is that all information will be shared unless the patient opts out. This greatly simplifies the technical and legal requirements of protecting sensitive information, which can vary from State to State through preemption. The challenge in writing a unified law is where to set the standard. Since HIPAA, about 30 percent of the state access provisions have changed.
-
Asked to comment on the extent of patient control that is desirable and is still workable, Dr. Pritts replied that in British Colombia, the opt-out rate for the electronic prescription database is less than two percent. In general, consumers want the option to opt out even if they choose not to use it. Ms. Grealy added that opt-in systems have very different experiences than opt-outs and that participation is greatly reduced for opt-ins. One fear is that if patients are given too much control over withholding their information, it may lead to treatment and research data that are not useful. Dr. Malin agreed that if information is withheld or changed, the exchange system may not be viable, and that the extent that individuals should be able to withhold information needs to be evaluated. Increased transparency in the health care environment may be more useful and allow consumers knowledge about where their information is going.
-
Additionally, there are other laws that influence sharing health data besides HIPAA, including 42 CFR and the Family Education Rights and Privacy Act (FERPA), which may need to be considered.
8 . CE-CPS Subgroup Update
Mr. Posnack stated that the Consumer Empowerment (CE)-CPS subgroup has produced a draft document listing the essential privacy policy components, which was distributed in the meeting materials. The subgroup reached consensus on these components and now is seeking feedback from the two Workgroups. When the document is finalized, it will be forwarded by the CPS Workgroup as a recommendation to the AHIC. After getting AHIC approval, it would go to the Certification Commission for Healthcare Information Technology to begin development of certification criteria. Deven McGraw, Co-chair of the subgroup, stated that including the CE members in this conversation about privacy has been a positive experience. Mr. Nahra commented that the provisions will need to be examined in the context of HIPAA, to ensure that the Workgroup is not unintentionally recommending anything more stringent. Mr. Posnack asked Workgroup members to send any questions or comments to him prior to the next subgroup meeting.
Action Item #2: Workgroup members will e-mail questions and comments on the draft essential PHR privacy policy components to ONC staff.
9 . Planning for Next Meeting
Mr. Nahra summarized that today’s meeting established a sound beginning for focusing on the relevancy issue, and this conversation will continue over the next several months. He asked Workgroup members to send in suggestions for further testimony on the relevancy issue, especially categories, such as schools. Further, he asked ONC staff to review the written testimony to extract more information on the relevancy issue.
Action Item #3: Workgroup members will submit suggestions to ONC staff for further testimony on the relevancy issue. ONC staff will also synthesize information from today’s written testimony.
Mr. Nahra added that the Workgroup will continue discussions on whether to recommend a standard that is higher than HIPAA. The next meeting will be held on July 26 from 1:00 p.m. to 5:00 p.m.
10 . Public Comment
Vicki Hohner from Fox Systems, Incorporated commented that there does not seem to be as much consideration of public-sector concerns, specifically at the State and county levels. Local governments are already struggling to comply with HIPAA standards as a minimum, and raising the standards would be even more of a challenge.
11. Adjourn
Mr. Nahra thanked the participants, and the meeting was adjourned at 4:07 p.m.
SUMMARY OF ACTION ITEMS
Action Item #1: Panel presenters are invited to send additional comments to ONC staff on particular areas of HIPAA standards that are not relevant to their type of business organization, and that may not be relevant to their business model.
Action Item #2: Workgroup members will e-mail questions and comments on the draft essential PHR privacy policy components to ONC staff.
Action Item #3: Workgroup members will submit suggestions to ONC staff for further testimony on the relevancy issue. ONC staff also will synthesize information from today’s written testimony.
MEETING MATERIALS
Agenda
Essential Vendor Privacy Policy Components
John Loonsk - Nationwide Health Information Network Update
Mark Rothstein - NCVHS Written Testimony
Panel 1A: "Relevant" HIPAA Requirements:
Viki Prescott, Statement and Presentation
Cassi Birnbaum, CalRHIO, Statement and Presentation
Lory Wood, Good Health Network, Inc., Presentation
Panel 1B: "Relevant" HIPAA Requirements:
Jim Hansen, Healthe Mid-America, Statement
Christopher B. Sullivan, Florida Center for Health Information and Policy Analysis, Statement and Presentation
Rachel Nosowsky, University of Michigan Member, caBIG Data Sharing and Intellectual
Capital Workspace, Statement, Graphic, and Presentation
Panel 2: New Environment, New Perspectives:
Isaac Kohane, Harvard Medical School Center for Biomedical Informatics, Statement
Brad Malin, Vanderbilt University, Statement and Presentation
Mary Grealy, Healthcare Leadership Council, Statement
Bill Braithwaite, Health Information Policy Consulting, Statement and Presentation
June 2007 Public Comments:
American Medical Association
cancer Biomedical Informatics Grid - caBIG
John Cody
Florida Center for Health Information and Policy Analysis
Florida Hospital
GE Healthcare
Health Record Banking Alliance
Healthe Mid-America
Internet Business Logic
Lockheed Martin
Medical Imaging & Technology Alliance
Patient Command, Inc.
Tolven
WebMD Health
World Privacy Forum
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
|
Participants |
|
|
Sylvia Au |
Hawaii Department of Health |
|
Vicky Brennan (for Sam Jenkins) |
U.S. Department of Defense, Tricare Management Activity |
|
Steven Davis |
Oklahoma Department of Mental Health and Substance Abuse Services |
|
Jill Callahan Dennis |
American Health Information Management Association |
|
Elizabeth Holland (for Tony Trenkle) |
HHS/Centers for Medicare & Medicaid Services |
|
Susan McAndrew |
HHS/Office for Civil Rights |
|
David McDaniel |
VA/Veterans Health Administration |
|
Deven McGraw |
National Partnership for Women and Families |
|
Kirk Nahra |
Wiley Rein LLP |
|
Deborah Parris |
Family and Medical Counseling Service, Inc. |
|
Steven Posnack |
HHS/ Office of the National Coordinator |
|
Alison Rein |
AcademyHealth |
|
Paul Uhrig |
SureScripts, LLP |
|
Sarah Wattenberg |
HHS/Substance Abuse and Mental Health Services Administration |
|
Marilyn Zigmund-Luke (for Thomas Wilder) |
America’s Health Insurance Plans |
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.