HIE Leaders Share Privacy ConcernsDealing With State Laws, Omnibus Rule
Some of the trickiest policy-related issues that health information exchanges face include how best to safeguard the most sensitive patient data, how to deal with a mish-mash of state privacy laws and how to segregate patients' self-pay treatment data in compliance with the HIPAA Omnibus Rule.
Executives from eight HIEs shared these insights at a June 24 hearing hosted by the Privacy and Security Tiger Team of the HIT Policy Committee, which advises federal regulators. The hearing was held to learn more about HIEs' policies related to non-targeted queries - electronic requests for patient data by a healthcare provider when the other record-holding healthcare providers are not known.
To get around the thorny issue of inadvertently disclosing particularly sensitive patient information - such as mental health or substance abuse treatment details - against an individual's wishes when a non-targeted query is made, some HIEs simply, as a matter of policy, don't provide access to that data.
"A lot of data sources are not confident [about] data segmentation," says Ted Kremer, executive director of the Rochester (N.Y.) Regional Health Information Organization. So rather than try to segment sensitive data in health information exchanges, that data is often excluded, he says.
For instance, the Rochester exchange doesn't allow substance abuse treatment centers to transmit patient data.
"We only have one or two facilities in our area that do [substance abuse testing], so they don't send information," Kremer says.
Some other HIEs require sensitive information to be filtered out by providers before patient data is sent to the exchanges.
Among the biggest challenges faced by many HIEs, especially those with members who serve patients in more than one state, is navigating a patchwork of state privacy laws when accommodating non-targeted inquiries.
"The lack of consistency between state and federal laws has been an ongoing challenge," says Joanna Pardee-Walkingstick, director of member services at SMRTNet, an HIE in Oklahoma. The state-by-state differences in privacy requirements are stumbling blocks, she says.
Chris Carmody, who oversees ClinicalConnect, an HIE in Pennsylvania, says differing laws in states regarding whether patients must "opt in" to give permission for health data exchange - or be automatically included unless they "opt out" - also create challenges. "Picking one as a nationwide [standard], either opt in or opt out, would simplify things," he says.
Protecting Self-Pay Patient Data
Under the HIPAA Omnibus rule, organizations are required to accommodate patients' requests to not disclose to their health insurer information about a product or service that they paid for out of their own pockets. Because the Nebraska Health Information Initiative allows payers to participate, the HIE needs to examine how it will comply with this provision.
For now, the HIE doesn't segregate data; instead, it advises patients to opt out if there's data they don't want disclosed through the exchange, says Sara Juster, vice president of compliance at Nebraska Methodist Health, a participant in the Nebraska HIE.
The self-pay provision of HIPAA Omnibus "is very hard to implement ... it's very clunky," says John Kransky, vice president of strategy and planning of the Indiana Health Information Exchange.
The June 24 hearing was held to examine how established HIE organizations deal with complicated policy issues in non-targeted queries involving clinicians who are not part of the same integrated health delivery organization.
"These providers are not known in advance ... and an aggregator such as a health information exchange or record locator service, is involved," says Deven McGraw, tiger team chair and director of the health privacy project of the Center for Democracy and Technology, a consumer advocacy group.
The services provided by HIEs can help improve the quality of care as well as patient safety. "Non-targeted queries enable clinicians to discover information at the point of [patient] care," says Kransky.
The tiger team plans to resubmit recommendations to the HIT Policy Committee in August for policies related to non-targeted health data queries. Those recommendations might potentially be included in requirements for Stage 3 of the HITECH Act electronic health record incentive program, or perhaps used by the Office of the National Coordinator for Health IT for other purposes related to national health information exchange.
The workgroup in May had submitted to the HIT Policy Committee a number of recommendations about non-targeted queries, but the committee instructed the team to re-examine its suggestions.
Some committee members were worried that the possibility that sensitive information could be disclosed by non-targeted queries might dissuade some patients from allowing any of their health data from being exchanged. So the committee instructed its tiger team to take a closer look at privacy issues involved.
The tiger team plans to continue discussions about non-targeted queries at its July 10 meeting, with the aim of presenting the HIT Policy Committee refreshed recommendations in August, McGraw says.