Channel: HealthITSecurity.com » HIE Security

Privacy & Security Tiger Team reviews HIE query scenarios


The Privacy & Security Tiger Team met yesterday to further discuss query and response scenarios for Health Information Exchange (HIE).

The Tiger Team made it clear that it does not plan to alter the rules that vest providers with the responsibility to share patient information responsibly and consistent with applicable law, such as HIPAA, state and other federal laws. Its goal instead will be to remove potential real or perceived barriers – through clarification regarding provider liability for responding to a query – to enable them to respond to queries and disclose information consistent with their professional obligations and the law.

The team discussed several HIE security use cases that demonstrate recommended methods for executing and implementing query and response scenarios. It wants to have final recommendations set by the end of March, in time for the April HIT Policy Committee meeting. In all, it discussed three scenarios:

Scenario 1: Targeted Query for Direct Treatment Purposes (HIPAA controls)

Assumes:

- Patient Z is being seen by a provider (Provider A)

- Patient advises provider that the patient has recently been seen at another provider or that another provider maintains his/her medical records (Provider B)

- Provider A queries Provider B: “Do you have any records for Patient Z?” (this is a “targeted query”, one that is sent to a specific provider for a specific patient)

- Provider A (or staff) will resolve patient ID (i.e., confirm that any records returned belong to Patient Z)

Obligations:

Data holder: HIPAA permits release of PHI for treatment purposes.

- Needs some reasonable assurance as to the identity of the entity requesting the data.

- Since disclosure is permitted for treatment, needs some reasonable assurance that querying entity has, or is in the process of establishing, a treatment relationship with the patient.

- Makes decision about whether to release data, and if so, what data, consistent with law

- If responding, needs to send back data for right patient, needs to properly address request, needs to send securely.

Requester:

- Needs to present identity credentials

- Must demonstrate (in some way) the treatment relationship

Questions:

What constitutes sufficient identity credentials to justify reliance?

Possible answers:

- Use of a DIRECT certificate (when issued at the entity level, the expectation is that entities have identity-proofed and authenticated individual participants per HIPAA)
  * But are DIRECT certificates designed to be used for authentication purposes? Does it matter if the request is made by an organization or by an individual within an organization?

- Membership in a trusted network (HIO, vendor network, IDS)

What constitutes sufficient assurance of a treatment relationship to justify reliance?

- Data holder’s own knowledge of, and history with, the requester

- Capability to confirm within network/IDS

- Network rules provide accountability for false attestations

- Mere attestation from provider absent network accountability?

- Some indication of patient consent (that does not conflict with expressions of patient wishes known to, or on file with, the data holder)?

- Known existing treatment relationship with patient?

Does it matter if the data holder makes the decision to disclose, or if the data holder’s response is automated (set by the data holder, or automatic by virtue of participation, such as in a network)?

What information about the patient should be presented as part of the query? Ideally no more than is needed to accurately match.

- Start with basic demographics – full name, date of birth, address (insurance ID?)

- Data holder does matching: if the data holder wishes to respond but the request matches more than one patient, it requests more demographic data until the two entities are able to agree on the probable record

- Note that if the wrong record is sent, it is a breach; however, per the final rule, notification to the patient and regulators may not be necessary if the risk is mitigated (through return or destruction of the wrong record)

- Requester can search and match for the right patient.

- Data holders should respond to queries consistent with their professional and legal obligations. (Note that even acknowledgement of the existence of a record is PHI.)
  * Recommend at least acknowledgement of receipt of the query?
  * Data holder may send no records, or all or part of a patient’s record, consistent with ethical and legal obligations.

Requirement to account for and log the query and/or disclosure, with the capability to share the log with the patient upon request?
  * Is this possible to do for targeted queries from EHR to EHR, or in federated HIO models?
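As an added illustration (not code from the article or from the Tiger Team), the following toy data-holder handler for Scenario 1 applies the obligations above in order: check the requester’s identity credential against a trust roster, check the treatment-relationship attestation, match on the supplied demographics only, ask for more demographics when more than one record matches rather than risk sending the wrong record, and log every query and disclosure for later accounting. The trust roster, record set, field names and `Query` structure are constructed assumptions, not any real Direct, HIO or EHR interface.

```python
# Added example: toy Provider B (data holder) query handler for Scenario 1.
# Trust roster, records, field names and Query shape are all constructed assumptions.
from dataclasses import dataclass

TRUSTED_NETWORK = {"provider-a.example"}  # assumed roster of trusted network members

@dataclass
class Query:
    requester: str            # identity credential, e.g. entity-level certificate subject
    treatment_attested: bool  # requester attests a treatment relationship with the patient
    demographics: dict        # minimum necessary: name and dob first, then address etc.

# Constructed sample records held by Provider B; two patients share name and dob.
RECORDS = [
    {"name": "pat z", "dob": "1980-01-01", "address": "1 main st", "record": "Z-1"},
    {"name": "pat z", "dob": "1980-01-01", "address": "9 oak ave", "record": "Z-2"},
    {"name": "ann q", "dob": "1975-05-05", "address": "2 elm st", "record": "Q-1"},
]
AUDIT_LOG = []  # accounting of queries and disclosures, shareable with the patient

def handle_query(q: Query, records=RECORDS, trusted=TRUSTED_NETWORK) -> dict:
    """Return the data holder's response and append one audit entry for it."""
    # Reasonable assurance of requester identity: credential maps to a trusted member.
    if q.requester not in trusted:
        return _log(q, "denied", "untrusted requester identity")
    # Reasonable assurance of a treatment relationship (here: network attestation).
    if not q.treatment_attested:
        return _log(q, "denied", "no treatment relationship asserted")
    # Match only on what the requester supplied; nothing on file is echoed back.
    matches = [r for r in records
               if all(r.get(k) == v for k, v in q.demographics.items())]
    if len(matches) == 0:
        # Even "no record" is PHI-relevant; still acknowledge receipt and log it.
        return _log(q, "ack", "query received; no matching record")
    if len(matches) > 1:
        # Ambiguous match: ask for more demographics instead of guessing
        # (sending the wrong record would be a breach).
        missing = sorted({k for r in matches for k in r if k != "record"}
                         - set(q.demographics))
        return _log(q, "need_more", f"multiple matches; supply {missing}")
    return _log(q, "disclosed", "sent record", matches[0]["record"])

def _log(q: Query, status: str, reason: str, record=None) -> dict:
    entry = {"requester": q.requester, "status": status,
             "reason": reason, "record": record}
    AUDIT_LOG.append(entry)  # every query and every disclosure is accounted for
    return entry
```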

Scenario 2: Targeted Query for Direct Treatment Purposes (HIPAA plus some other law or policy that requires consent before disclosing PHI)

- Assume the data holder is responsible for obtaining and retaining evidence of the patient’s consent (in light of the most current laws)?

- Data holder responsible for telling the requester what consent they need?

- Requester responsible for obtaining consent for data holder to disclose data to requester?

- Is consent transmitted to data holder, if so how?

Scenario 3: Non-Targeted Query for Direct Treatment Purposes

Assumes previous providers are not specifically known; may require use of record locator (or data element access) service or master patient index to find possible sources of patient record.

Relevant Questions Unique to Scenario 2:

- Should patients have meaningful choice re: whether or not they are included in an RLS, DEAS or MPI that permits queries from external providers?

- Should querying entities be required to limit queries (for example, by geography, by list of possible providers, etc.)?

