American Health Information Community
Confidentiality, Privacy, and Security Workgroup
Summary of the 14th Web Conference of This Workgroup
Thursday, October 4, 2007
KEY TOPICS
1. Call to Order and Welcome
Judy Sparrow, AHIC Director, opened the meeting at 1:02 PM. She reminded those present that the meeting was designed to meet the requirements of the Federal Advisory Committee Act. Workgroup members then introduced themselves.
2. Approval of Prior Meeting Summary/Opening Remarks
Kirk Nahra, Co-chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants and announced that Deven McGraw agreed to serve as Co-chair. Workgroup members were asked to approve the summary from the Workgroup’s September meeting; any questions or comments on this summary should be submitted to Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) staff so the summary can be finalized.
3. AHIC Update
Steve Posnack, Office of the National Coordinator, provided an update from the September AHIC meeting. The Population Health and Clinical Care Connections Workgroup presented a comprehensive set of recommendations about response management. The AHIC recommended that the Workgroup come back in January with cost and timeline estimates. Governors Phil Bredesen (D-TN) and Jim Douglas (R-VT) presented an update on the State Alliance for e-Health activities. There was also continued conversation about the AHIC successor. The report on Recommended Requirements for Enhancing Data Quality in Electronic Health Records was presented; the CPS Workgroup has been asked to review and comment on one of the report’s recommendations that focuses on privacy and security issues.
Jodi Daniel, Office of the National Coordinator, provided an update on the National Committee on Vital and Health Statistics (NCVHS) subcommittee looking at secondary uses of data. The subcommittee is preparing a report, and a draft will be available for public comment on October 17th. The report contains about 15 recommendations on topics including: the commercialization of data, business associate contracts, issues between quality and research, and the notion of data de-identification. The CPS Workgroup could decide to submit comments on the report, or could use this report to inform their discussion. For example, a scenario could be developed to look at secondary uses of data under this “differences” approach.
Action Item #1: ONC staff will send interested Workgroup members the draft NCVHS subcommittee report to review.
4. HIPAA Differences Scenario Discussion
Scenario #1: Auditor Access
Mr. Nahra provided a synopsis of this scenario, including how the Privacy Rule currently deals with fraud investigations and audits. Development of the Privacy Rule focused significantly on health care fraud, so that these and other law enforcement activities would not be disrupted. The Privacy Rule was written to distinguish between investigations “inside the health care system” and investigations “outside the system,” such as canvassing hospitals for injuries that are inflicted during the course of a crime; the CPS Workgroup will focus on the former. Fraud and abuse disclosures are specifically cited in the following areas of the Privacy Rule:
- Section 506, perhaps the most critical component of the rule, states that covered entities can disclose information to another covered entity for their own treatment, payment, and health care operations (TPO) purposes, as well as for the receiving entities’ health care fraud and abuse detection or compliance purposes. This disclosure is permitted, but is not mandatory or required.
- The “health care operations” definition itself contains a specific provision for disclosure when the entity is conducting or arranging for medical review, legal services, and auditing functions. Auditing functions include fraud and abuse detection and compliance programs.
- Section 512, the “public policy” disclosures, contains a specific provision for uses and disclosures for health oversight activities. These activities are the “inside the health care system” set of regulatory reviews, audits, and fraud investigations.
Before discussing the “differences” section of this scenario, which attempts to identify what differences exist in how the HIPAA Privacy Rule operates in an electronic environment compared with the current environment, there was a general question regarding the description of repository versus non-repository models. While information that the record exists is available around the clock, it might not be possible to obtain the record itself; this may need to factor into the discussion of determining a reasonable timeframe. The Workgroup decided to delete “24/7 availability” from the definitions section of the scenario.
Mr. Nahra explained that this fraud-related scenario was primarily developed as a result of the Recommended Requirements for Enhancing Data Quality in Electronic Health Records (EHRs) Report that was presented at the September AHIC meeting. Reed Gelzer and Rebecca Busch, members of the Model Requirements Executive Team (MRET), then joined the call to discuss this report. This team identified and recommended requirements for EHRs that could be used to ensure data quality, as well as prevent or detect potential fraud within the health care system. The CPS Workgroup has been asked specifically to evaluate Requirement #8, Auditor Access to Patient Record.
Comments on this Recommendation included:
- This team did not try to map these recommendations to current rules. Rather, they looked at the capacity of EHR systems. They recommended that these systems include the functionality of role-based access for the auditor, for both internal and external auditing activities.
- Workgroup members debated current practices for auditors and discussed whether or not they are granted auditor-specific access or given administrator access. EHR systems currently available in the marketplace may have only basic functionality around role-based access because higher functionality is not being demanded. The Privacy Rule currently specifies that access should be role-based, and this discussion could lead to the conclusion that EHR systems are not meeting functions already required.
- The discussion of “single encounter” and “entire episode of care” in the rationale section may raise unintended privacy issues regarding payer access to other payers in the coordination of benefits.
In summary, Ms. McGraw stated that a response to AHIC will be drafted, containing the following points:
- The recommendations for EHR functionality to support various auditor activities are consistent with the existing HIPAA rule. There is no need for modifications to HIPAA as a result of this change in the health information technology (IT) environment.
- The rationale section should be deleted.
- Because MRET asserts that EHRs now available in the market are not meeting the functions listed in their report, and since those functions are arguably already required by current rule, there may be a role for education and better enforcement of the current rule.
Action Item #2: ONC staff will develop a draft response regarding MRET Requirement #8 for CPS Workgroup members to review.
Given this discussion of the recommendation, the Workgroup decided not to continue considering this scenario, but will return to it at a later time.
Action Item #3: ONC staff and CPS co-chairs will continue to develop the fraud scenario for a future Workgroup discussion.
Scenario #2: Accounting of Disclosures
Mr. Nahra provided the background for this scenario and the baseline rules for how the accounting right works today:
- Section 528 of the Privacy Rule gives individuals the ability to request an accounting of only certain disclosures; in fact, this section excludes most disclosures, including TPO and disclosures pursuant to authorizations. The language of this section states that a covered entity must account for everything “except for” and therefore entities have struggled to figure out what disclosures are not exempt.
- Section 512, disclosures for public policy purposes, would be included in an accounting request. This would cover disclosures for public health, law enforcement, research, and litigation. However, this is not an affirmative obligation; if a disclosure is made in connection with a fraud investigation, a patient would only be informed if that patient was part of that disclosure and made an accounting request within the right timeframe.
- Some State breach laws do require notification, and government health systems have to comply with the Privacy Act of 1974 as well as the HIPAA rules.
Workgroup members then discussed how the request for an accounting of disclosures would be different in an electronic health information exchange (HIE) environment. Comments included:
- The accounting right is being underutilized. Some companies, who invested heavily in building accounting systems, experienced a few requests right after the rule went into effect, but have not seen a return on this investment.
- Most disclosures are about TPO, which is exempt. It may be that people are not using this right because what they really want is an accounting of TPO disclosures.
- Business associates, as well as covered entities, are required to track disclosures that trigger the accounting rule. This means that if the covered entity receives an accounting request, that entity needs a vehicle for reaching out to its business associates. This becomes an enormous practical issue for RHIOs.
- Under the HIE, patients could have the ability to make one accounting request rather than numerous separate requests to each provider or hospital. Because the HIE is not involved in the operations of the hospital, health insurer, or doctor, it might not be able to report what disclosures one of the hospitals made in connection with litigation, fraud investigation, or public health reporting.
- There are three possible ways for an HIE to handle a request: (1) the patient identifies the relevant entities for the HIE to disseminate the request, (2) the HIE identifies what providers the patient has seen by tracking the creators of the records, and (3) the HIE has a mechanism to track access and disclosures that would trigger an accounting request, even for providers that the patient does not know. There was discussion of examples for the third possibility, such as a patient who is denied admittance to a skilled nursing facility or a specialist who is sent a record in advance, but the patient does not follow up with the appointment.
- While the majority of States do have laws regarding notification in the event of a security breach, this is a gap in HIPAA; however, the accounting right would not be an efficient mechanism for notification of a breach because the patient would have to initiate the accounting request, be a victim of that security breach, and be within the right timeframe.
- There was discussion regarding whether functionality exists to support an HIE doing a search of records as an aggregated dataset. This would require the various entities in the HIE to all use compatible accounting systems and potentially standard patient identifiers.
The Workgroup then began to discuss the HIE environment not as it is today, but how it could be envisioned to meet the goals of better access to information and transparency for all stakeholders. Comments included:
- Underutilization of the accounting rule is important to discuss further, and it could be that the way it is currently written is not useful. It was suggested that the Workgroup explore a real accounting mechanism, rather than limiting the conversation to the application of the HIPAA rule to an HIE environment. The challenge, however, would be to not create different standards for the electronic world and the paper world.
- Because tracking disclosures of an EHR is less burdensome than tracking a paper file, it would now be possible to expand the accounting rule. Some consumers have asked for this, and an expanded accounting of disclosures would help to build trust and increase buy-in.
- Under the HIE, data is being pulled from previously unconnected entities. The Workgroup discussed a new obligation to report when information is being exchanged, which could be expressed through an expansion of the accounting rule or through a new rule. Because a consumer who is participating in the HIE has already given some sort of global permission to allow those records to be pulled, the new reporting obligation would provide greater transparency rather than greater control over access.
- This discussion may be shifting from accounting for disclosures to tracking uses. More information would be needed from developing systems about their audit trail capability for a greater accounting functionality. The scope of the audit trail also would need to be defined; including all of TPO might impose a technical burden that is too great for these developing systems. More information also is needed on the extent of the data that the HIE would have access to for tracking disclosures, especially if disclosures are expanding to include health care operations, because this information is not part of the core medical records.
Consensus: Accounting for disclosures represents an area for future Workgroup activities.
5. Planning for Next Meeting
The next meeting is scheduled for November 8th, which likely will include testimony from HIEs in response to a notice in the Federal Register. Mr. Nahra posed two questions for which more information is needed in order to continue the discussion of the accounting right:
- What would be the scope of an expanded accounting right from covered entities?
- What would be the scope of accounting that an HIE could provide?
This topic will be pursued as a parallel track to testimony already planned for November.
Mr. Nahra then summarized the action items from today’s meeting:
- Interested Workgroup members will contact ONC regarding the NCVHS report.
- The Workgroup response to Recommendation 8 will be drafted.
- The Workgroup will return to the scenario on fraud, which will be fleshed out further, and the scenario on security breach, which also was included in today’s meeting materials.
6. Public Comment
None.
7. Adjourn
Mr. Nahra thanked the participants, and the meeting was adjourned at 4:53 PM.
SUMMARY OF CONSENSUS AND ACTION ITEMS
Action Item #1: ONC staff will send interested Workgroup members the draft NCVHS subcommittee report to review.
Action Item #2: ONC staff will develop a draft response regarding MRET Requirement #8 for CPS Workgroup members to review.
Action Item #3: ONC staff and CPS co-chairs will continue to develop the fraud scenario for a future Workgroup discussion.
Consensus: Accounting for disclosures represents an area for future Workgroup activities.
MEETING MATERIALS
Agenda
Accounting Scenario
Auditor Scenario
Breach Scenario
Confidentiality, Privacy, and Security Workgroup
Members and Designees Participating in the Web Conference
Member | Organization |
Sylvia Au | Hawaii Department of Health |
Peter Basch | MedStar e-Health |
Jodi Daniel | HHS / Office of the National Coordinator |
Jill Callahan Dennis | American Health Information Management Association |
Don Detmer | American Medical Informatics Association |
Elizabeth Holland (for Tony Trenkle) | HHS / Centers for Medicare & Medicaid Services |
Susan McAndrew | HHS/Office for Civil Rights |
David McDaniel | VA/Veterans Health Administration |
Deven McGraw | National Partnership for Women and Families |
Kirk Nahra | Wiley Rein LLP |
Alison Rein | AcademyHealth |
Leslie Shaffer | DoD/TRICARE Management Activity |
Thomas Wilder | America’s Health Insurance Plans |
Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.