American Health Information Community
Confidentiality, Privacy, and Security Workgroup
Summary of the 12th Web Conference of This Workgroup
Thursday, July 26, 2007
KEY TOPICS
1. Call to Order and Welcome
Judy Sparrow, AHIC Director, opened the meeting at 1:05 p.m. She reminded those present that this meeting is designed to meet the requirements of the Federal Advisory Committee Act. Workgroup members then introduced themselves.
2. Approval of Prior Meeting Summary/Opening Remarks
Kirk Nahra, Chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants. Workgroup members were asked to approve the summary from the Workgroup’s June meeting. Any questions or comments on this summary should be submitted to U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) staff so that it can be finalized. This summary and other meeting materials are available at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.
Mr. Nahra provided an overview of the agenda for today’s meeting. The first topic is a further discussion of the Workgroup’s recommendation to establish a standard at least equivalent to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (the Privacy Rule) for all players in electronic health information exchange; the Workgroup now needs to deliberate whether the Privacy Rule is the appropriate standard, given advances in the health information technology landscape since it was written. The Workgroup has been calling this discussion the “differences” issue. The second topic on the agenda concerns the joint activities with the Consumer Empowerment (CE) Workgroup to develop personal health record (PHR) privacy policy components. The CPS Workgroup will now compare those components with the Privacy Rule to ensure that the group is not making any unintentional recommendations to change the Privacy Rule. The third topic, if time allows, will be a further discussion of what is being called the “relevancy” issue; that is, determining whether any components of the “level playing field” standard are not relevant to specific entities.
3. CPS “Differences” due to Electronic Health Information Exchange (HIE)
Mr. Nahra emphasized that it is not the charge of the Workgroup to critique the Privacy Rule, but rather to determine if it is the appropriate standard for the “level playing field” recommendation. This led to a conversation on whether the Workgroup needs to first better define what is meant by the “electronic HIE environment” before the Workgroup can discuss the differences in the environment since the Privacy Rule was written. There are several different models being advanced for electronic HIE. For some of these new technologies, the Privacy Rule can evolve as the health care industry evolves, but for others, the Privacy Rule may not be an adequate vehicle. To move the discussion forward, Mr. Nahra suggested organizing the conversation by looking at some of the Privacy Rule’s principles. For some principles, the group may quickly come to consensus that the Privacy Rule does or does not apply to the environment today. For other principles, the group may need to analyze the issue further by specific types of models or may need to solicit more information before a decision can be made.
Concept of Individual Rights
Mr. Nahra asked the Workgroup members to discuss whether there is interest in learning more about whether the new environment might require different rules regarding individual rights. Comments included the following:
- The process and complexity involved in amending information in a health record is different depending on whether it is a one-owner record or a copied and mobile record. Additionally, there may be different implications for amending information depending on the HIE model.
- The issue of audit trails, and how that relates to the accounting rule under the Privacy Rule, was discussed in terms of meeting the consumer’s need to track who has accessed his or her record. Newer models for HIE may facilitate the record-keeping requirements of the accounting rule. Further, the line between audit and accounting may become less distinct as data paradigms are shifting from system-centric to patient-centric models.
Consensus #1: The Workgroup agrees that the concept of individual rights should be further evaluated to determine whether recommendations are needed for a standard different than what is currently in place under the Privacy Rule.
Mr. Nahra then asked the Workgroup members to formulate questions on specific components of the concept of individual rights and to suggest the vehicles for obtaining the answers. For example, testimony and research reports have been used by the Workgroup as vehicles for further information. Comments included the following:
- Testimony could be solicited from consumers who have attempted to amend their information, especially after that information has become mobilized. This would help the Workgroup determine whether it is more difficult now, as is being speculated, or consumers are able to locate the original source and make the necessary change.
- It would be useful to survey how repository models receive patient requests for protected health information (PHI). Also, the Privacy Rule includes a “reasonable fee” for copying medical records. This rule may be scalable to allow for copying electronic versus paper files, or the electronic environment may require a change in the rule.
Action Item #1: Workgroup members will send to ONC staff specific additional questions about individual rights and suggested vehicles to answer those questions.
Concept of Uses and Disclosures
Mr. Nahra then moved to discuss the uses and disclosures principles, beginning with the Section 512 public policy exemptions. This section of the Privacy Rule allows for exceptions to the patient consent and authorization principles for reasons such as subpoenas and public health reporting. Comments included the following:
- More information may be needed on the allowable categories, especially research and biosurveillance activities.
- There may be differences between HIE models and PHRs for rules pertaining to subpoenas. For example, is information entered by the consumer in a PHR handled differently than information reported to a physician?
- In repository models, there may be the possibility for data mining for potential abuse and neglect information. This may require different patient notification procedures to facilitate the patient’s safety if information is being reported to law enforcement.
- A legal analysis conducted by experts on this issue may be necessary to determine if the new environment requires different rules.
Consensus #2: The Workgroup members agree that the new environment may require different rules concerning Section 512 public policy disclosures, but this is not a high-priority issue for the group’s workplan.
Mr. Nahra next asked the Workgroup members to discuss issues concerning the use and disclosure of PHI for purposes of treatment, payment or health care operations (TPO), which under the Privacy Rule can occur without an individual’s authorization.
Consensus #3: The Workgroup members agree that issues surrounding TPO disclosures should be further evaluated in the context of the new environment.
Mr. Nahra asked Workgroup members to identify specific issues that need to be examined further. Comments included the following:
- Through a “higher than HIPAA” scenario, the Workgroup may be pushing more types of uses and disclosures into an authorization requirement.
- There was discussion regarding the disclosure of a family member’s records as part of the treatment of a patient.
- The Personalized Healthcare Workgroup is addressing questions related to genetic information and asking similar questions about information sharing under HIPAA.
Action Item #2: Workgroup members will send to ONC staff specific additional questions about TPO disclosures and suggested vehicles to answer those questions.
4. PHR Privacy Policy Components Discussion
Steve Posnack, ONC, presented the latest draft of essential privacy policy components from the CE-CPS subgroup. The new version includes an introduction as well as a column on the table that provides a crosswalk between the privacy policy components and existing Privacy Rule requirements. Mr. Nahra added that the crosswalk will allow for a comparison between the “wish list” and what is currently in place, so that the Workgroup can discuss whether there is a need for changes to the Privacy Rule. Deven McGraw, CE-CPS Co-chair, clarified that these principles are not limited to the privacy notice, and include more general “best practices” that would pertain to any communication between the PHR service provider and the user about the privacy policy. Ms. McAndrew, a member of the CE-CPS subgroup, commented that the intention is to include the privacy policy components as part of a certification process for PHRs. As such, these policy components are directed towards PHRs and are not discussing the need for similar or different components for electronic health records or other electronic systems.
Ms. McAndrew then walked through the chart, pointing out differences between these privacy policy components and the Privacy Rule:
- Communication between PHR Service Provider and user about privacy policy
  - While the Privacy Rule does require contact information, it does not speak to timeframes for responding to consumer requests.
  - The effective date requirement is comparable to the Privacy Rule. However, there is currently no requirement to make available the historical policies and dates of any amendments.
  - The components addressing the notification of policy change go beyond what is currently required. Workgroup members discussed what types of changes this component would require, highlighting the potential need to define this document as a component of a privacy notice rather than a privacy policy.
  - The section on user options would allow the consumer the option to accept the changes or terminate the contract with the PHR vendor without penalty. There are no Privacy Rule counterparts to these policy components. It was noted that the technology to enable this provision is fairly simple.
- Accessibility and readability of policy
  - There are Privacy Rule requirements regarding the accessibility and readability of the policy. The language component is not covered by the Privacy Rule, but would be driven more by civil rights laws.
- Terminated accounts, change in company status, or discontinuation of service
  - These components cover the treatment of personal health information contained within terminated accounts. For the most part, the Privacy Rule addresses the underlying medical records or billing system information rather than information that is under the control of the individual in a PHR environment. The Privacy Rule also does not have record retention requirements. Moreover, these components allow the consumer to govern the information regardless of whether it is identifiable. The Privacy Rule clearly stops at the point of identifiability.
  - The Privacy Rule covers the sharing of information as part of a sale, acquisition, or merger of the business, but does not require public notification of the company’s policy in this regard.
- User data collection
  - The Privacy Rule does not address the tracking of user behavior and attributes. The “cookie” is peculiar to the computerized business world.
- Use and disclosure of user data
  - There is nothing in the Privacy Rule that would prevent giving the individual sole control of the information, but it is not a requirement.
  - Uses and disclosures are covered by the Privacy Rule.
  - The availability of audit trails may be more equivalent to an accounting trail under the Privacy Rule, but the Privacy Rule requirements now only cover specific types of disclosures. The Privacy Rule would not prevent this type of audit trail. However, it would be dramatically different than the current requirements.
- Definition of key terms
  - While most terms have Privacy Rule counterparts, these are regulatory definitions that are not required to be communicated to consumers.
Mr. Nahra asked about the types of PHR models (data import, export, and sharing) and how those models would apply to these principles. Ms. McGraw commented that consumer control does not follow the data if those data are shared with another entity. The consumer does, however, have control over that particular copy of the record and control over whether it is transferred to another entity.
5. Planning for Next Meeting
Mr. Nahra stated that the September meeting is scheduled as a half-day meeting and will focus on the concepts of individual rights and uses and disclosures. The determination will need to be made whether to continue this discussion or to hear testimony, based on Workgroup members’ feedback to ONC staff.
6. Public Comment
None.
7. Adjourn
Mr. Nahra thanked the participants, and the meeting was adjourned at 4:50 p.m.
SUMMARY OF CONSENSUS AND ACTION ITEMS
Consensus #1: The Workgroup agrees that the concept of individual rights should be further evaluated to determine whether recommendations are needed for a standard different than what is currently in place under the Privacy Rule.
Consensus #2: The Workgroup members agree that the new environment may require different rules concerning Section 512 public policy disclosures, but this is not a high-priority issue for the group’s workplan.
Consensus #3: The Workgroup members agree that issues surrounding TPO disclosures should be further evaluated in the context of the new environment.
Action Item #1: Workgroup members will send to ONC staff additional, specific questions about individual rights and suggested vehicles to answer those questions.
Action Item #2: Workgroup members will send to ONC staff additional, specific questions about uses and disclosures and suggested vehicles to answer those questions.
MEETING MATERIALS
Agenda
Essential PHR Vendor Privacy Policy Components
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
Participant | Organization
Sylvia Au | Hawaii Department of Health
Peter Basch | MedStar e-Health
Jill Callahan Dennis | American Health Information Management Association
Don Detmer | American Medical Informatics Association
Lorraine Doo (for Tony Trenkle) | HHS/Centers for Medicare & Medicaid Services
Flora Terrell Hamilton | Family & Medical Counseling Service
John Houston | University of Pittsburgh Medical Center, and National Committee on Vital and Health Statistics
Susan McAndrew | HHS/Office for Civil Rights
David McDaniel | VA/Veterans Health Administration
Deven McGraw | National Partnership for Women and Families
Kirk Nahra | Wiley Rein LLP
Steven Posnack | HHS/Office of the National Coordinator for Health Information Technology
Alison Rein | AcademyHealth
Paul Uhrig | SureScripts, LLC
Thomas Wilder | America’s Health Insurance Plans
Mazen Yacoub (for Sam Jenkins) | DoD/Tricare Management Activity
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.