
American Health Information Community

Confidentiality, Privacy, and Security Workgroup

Summary of the 13th Web Conference of This Workgroup

Thursday, September 6, 2007

KEY TOPICS

1. Call to Order and Welcome

Judy Sparrow, AHIC Director, opened the meeting at 1:02 PM. She reminded those present that this meeting is designed to meet the requirements of the Federal Advisory Committee Act. Workgroup members then introduced themselves.

2. Approval of Prior Meeting Summary/Opening Remarks

Kirk Nahra, Chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants. Workgroup members were asked to approve the summary from the Workgroup’s July meeting; any questions or comments on this summary should be submitted to Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) staff so that it can be finalized.

3. AHIC Update

Steve Posnack, Office of the National Coordinator, stated that the Personalized Healthcare Workgroup presented a set of recommendations at the July 31st AHIC meeting and suggested initiating a joint effort with the CPS Workgroup on genomic information. Additionally, several meetings were convened regarding the AHIC successor, including a technical assistance meeting on the Notice of Funding Availability. Finally, Mr. Posnack reported that the six prototype use cases for 2008 have been published on the ONC Website and are open for comment; the process for 2009 is being primed and Workgroup members will have the opportunity to provide input.

4. HIPAA Differences Scenario Discussion

Mr. Nahra opened this continuing discussion by providing an overview of the questionnaire sent to Workgroup members following the July meeting. He underscored that the focus of this conversation is on differences in the electronic health information exchange environment that require different rules than what is currently provided by the HIPAA standard. Workgroup members previously recommended raising all direct participants in electronic health information exchange to the HIPAA level and eliminating the business associate model. For this discussion, Mr. Nahra asked the Workgroup members to include these recommendations as part of a “HIPAA-plus” standard. The Workgroup has also heard testimony on the applications of more stringent State laws, and these laws would need to be included as part of the current environment. As a vehicle for discussion today, scenarios were developed to consider the differences in the environment, and changes that may need to be recommended to the “HIPAA-plus” standard.

Workgroup members had the following comments on this approach:

  • The addition of more stringent State laws is a difficult and confusing component. It may be appropriate for the group to look more closely at the different State rules, as well as at the barriers presented by inconsistent State standards.

  • Several Workgroup members expressed support for recommending a single Federal standard. It was noted that the RTI International, Inc. contract activities and efforts by the National Governors Association are currently addressing the issue of variation in State privacy laws.

  • It was noted that a barrier to health IT adoption may be confusion over HIPAA. Clarifying this confusion is a mechanism not only for bettering privacy protections but also for bettering health care by advancing the adoption of health IT.

Scenario 1 - Treatment

Mr. Nahra provided a synopsis of this scenario, and how the current HIPAA standards, such as the privacy rule, minimum necessary, and access rights and restrictions, would impact this interaction. Under the baseline, the hospital should be able to get health history information from other providers to treat the patient in the emergency room, and the hospital is allowed to use that information, once obtained, for treatment, payment, and health care operations (TPO).

Workgroup members then discussed how this interaction would be different if the hospital were a participant in a Regional Health Information Organization (RHIO). Comments about the differences caused by the electronic health information exchange environment included:

  • Right of Restriction. Depending on the algorithm used by a RHIO, the hospital could electronically find out about providers that the patient chose not to disclose. If the RHIO were simply a more efficient way of finding the records that the patient disclosed, it would be no different than the current HIPAA environment. If the RHIO were also able to find records that the patient did not disclose, there could be a need for different rules. An additional factor for consideration is that some RHIOs have mechanisms to block or restrict access to sensitive information, such as mental health records; most masking mechanisms have a “break the glass” provision for emergency situations.

  • Ability to gather more information. Under HIPAA, the burden for gathering information is on the requestor; a provider is permitted to disclose but does not violate any rule by declining to disclose. In an electronic health information exchange environment, information can be gathered better and faster. Because information may be available that was not available before, the risk of privacy violations may become greater than in the paper world. Additionally, in the paper world, the patient has to be asked what other medical records exist; this could be seen as a “pseudo” consent even though consent is not required. In an electronic world, however, the patient would no longer need to be asked, and the patient could perceive this as a difference in consent requirements. Any recommendations for a more stringent privacy policy in an electronic health information exchange environment would need to be balanced against the potential increases in quality of care.

  • Minimum necessary. In the current paper world, a provider would filter and relay only the necessary information to a requesting provider, or possibly not disclose any information at all. In an electronic health information exchange environment, however, more than just the minimum necessary information could be disclosed in response to a query to an electronic database. “Minimum necessary” is already a concept that exists in both rule and practice, but the rule does not apply to treatment. Again, there is a need to balance the potential for better treatment with privacy concerns.

  • Trust. An increased sense of vulnerability may lead patients to choose not to share information or to resist efforts to move the providers in their community to a networked system. In HIE, information is more broadly available without the patient being able to identify its source. However, when HIPAA was first being written, there was concern that patients would withhold information or self-pay for care, and these fears did not come to full fruition.

  • Differences in models. There was discussion about the impacts of opt-in versus opt-out models, the granularity of these models to mask specific information, and the functionality to change these settings after the initial sign-up period. Also, most comments have been about compiling information about one patient from multiple records available through the networked system. Under a repository model, there is only one file per patient; this might have implications for rules regarding restrictions.

This discussion made progress toward identifying areas that could be potential differences. The challenge now for Workgroup members is to identify factual information sources to support the opinions expressed above. The factual information can then serve as a basis for generating recommendations. The National Committee on Vital and Health Statistics, the American College of Emergency Physicians, and the Massachusetts e-Health Collaborative RHIO were listed as possible sources for this information.

Action Item #1: Workgroup members will send to ONC staff further comments on the first scenario, as well as potential sources for testimony and factual information.

Scenario 2 - Request for Access

Mr. Nahra then led a discussion of the second scenario, which focuses more on access rights. The designated record set was defined as any medical, billing, or claims records containing protected health information that is used to make decisions about an individual. Under HIPAA, the rules are the same whether the record is paper or electronic. This scenario considered an electronic system that was not part of a health information exchange (HIE) as well as both repository and non-repository HIE models. As the baseline, it is assumed that the HIE would be operating under the “level playing field” recommendation, and the relevance of HIPAA privacy notice requirements to the HIE might need to be considered.

Comments about the differences caused by an electronic health information exchange environment included:

  • Differences in models. Under HIPAA, a patient would go to each individual doctor to obtain a copy of his record from that provider. In an electronic health information exchange environment, a patient could make a request directly to the HIE to obtain his records from multiple providers. However, there are three different models for a repository system: a system that produces one blended record from its sources, a system that compiles individual records in one place, or a locator system that does not actually have the records. The market has not yet determined which model is dominant, and the differences between the models could have implications for considering changes to HIPAA.

  • Convenience versus cost. The convenience factor is high for a patient to go directly to a HIE; however, the convenience of the patient must be balanced with other cost and administrative factors assumed by the HIE to provide this service. Under HIPAA, copying and postage fees are allowed, but fees for administrative elements like retrieving and re-filing are not allowed. Without these administrative fees, a HIE would not be able to make a business model work for record copying services. The personal health record (PHR) may play an important role in the business model for moving towards the network rather than individual providers.

  • Identity proofing. HIEs have the capability to identify providers, but because they might not interact directly with the patients, they do not have a means for patient identity proofing. The Workgroup struggled in earlier discussions about non-in-person identity proofing in situations where there is no prior relationship; however, the patients have been identity-proofed with the provider and the provider is known by the HIE. It is possible, then, that the HIE could find a technology solution to identify the patient, but the Workgroup would need to hear testimony.

  • Access. There was discussion as to whether the patient would contact the HIE directly at the exclusion of contacting providers, or the patient would contact one provider who could then pull records from other providers through the HIE. If the provider were required to pull other records through the HIE, there would be implications for privacy and restriction rights. Also, depending on the mechanism for restrictions, it could be possible for the patient to obtain more information by going to each provider individually rather than going through the HIE.

  • Amendment of information. Granting or denying a request to amend a record has to remain with the provider, because only the provider can determine whether that information is accurate. Under HIPAA, the provider has to make a reasonable effort to communicate the amendment to parties identified by the individual and to parties that have requested that information in the past. The HIE may be in a unique position to assist in disseminating amended information, because it would have audit trails to track where that information went in the past. There is a business opportunity for HIEs to offer dissemination of amended information as a value-added service.

On the basis of this discussion, the Workgroup reached the following agreements:

Consensus #1: The Workgroup should not recommend a change in the HIPAA rules to force HIEs to respond to requests for copies of the designated record set. The access right should continue to operate as it currently does.

Consensus #2: The Workgroup should not recommend a change in the HIPAA rules to designate the HIE as the responsible party to grant or deny a request to amend a designated record set. The amendment process should continue to operate as it currently does.

Consensus #3: Because the “level playing field” recommendation would include HIEs as an equivalent to a covered entity, the HIEs’ involvement with Request for Access and with Amendments will become part of the “relevance” discussion.

Consensus #4: More evidence needs to be gathered, possibly through HIE testimony, to reach consensus on whether or not the existing HIPAA privacy rule adequately addresses requirements for disclosures of patient information for treatment purposes in an electronic health information exchange environment.

Action Item #1: Workgroup members will send to ONC staff further comments on the treatment scenario, as well as potential sources for testimony and factual information.

5. Planning for Next Meeting

Mr. Nahra stated that the next meeting is scheduled for October 4th. Differences discussions will continue at the meeting along with discussions around new scenarios.

6. Public Comment

None.

7. Adjourn

Mr. Nahra thanked the participants, and the meeting was adjourned at 4:38 PM.

SUMMARY OF CONSENSUS AND ACTION ITEMS

Action Item #1: Workgroup members will send to ONC staff further comments on the treatment scenario, as well as potential sources for testimony and factual information.

Consensus #1: The Workgroup should not recommend a change in the HIPAA rules to force RHIOs to respond to requests for copies of the designated record set. The access right should continue to operate as it currently does.

Consensus #2: The Workgroup should not recommend a change in the HIPAA rules to designate the RHIO as the responsible party to grant or deny a request to amend a designated record set. The amendment process should continue to operate as it currently does.

Consensus #3: Because the “level playing field” recommendation would include RHIOs as an equivalent to a covered entity, the RHIOs’ involvement with Request for Access and with Amendments will become part of the “relevance” discussion.

Consensus #4: More evidence needs to be gathered, possibly through HIE testimony, to reach consensus on whether or not the existing HIPAA privacy rule adequately addresses requirements for disclosures of patient information for treatment purposes in an electronic health information exchange environment.

MEETING MATERIALS

Agenda

Treatment Scenario

Access Rights Scenario

7/26/07 CPS Workgroup Meeting Summary

Confidentiality, Privacy, and Security Workgroup

Members and Designees Participating in the Web Conference

Members

Sylvia Au

Hawaii Department of Health

Jodi Daniel

HHS / Office of the National Coordinator

Jill Callahan Dennis

American Health Information Management Association

Flora Terrell Hamilton

Family and Medical Counseling Service, Inc.

Elizabeth Holland (for Tony Trenkle)

HHS / Centers for Medicare & Medicaid Services

John Houston

University of Pittsburgh Medical Center, and National Committee on Vital and Health Statistics

Tracy Leeper (for Steven Davis)

Oklahoma Department of Mental Health and Substance Abuse Services

David McDaniel

VA/Veterans Health Administration

Deven McGraw

National Partnership for Women and Families

Kirk Nahra

Wiley Rein LLP

Paul Uhrig

SureScripts, LLC

Thomas Wilder

America’s Health Insurance Plans

Mazen Yacoub (for Leslie Shaffer)

DoD/TRICARE Management Activity

Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.