
Privacy and Security Tiger Team rounds up HIE query talks


The Privacy and Security Tiger Team met yesterday to finalize its next round of query and response discussions for Health Information Exchange (HIE) and came away closer to having recommendations prepared for the April HIT Policy Committee meeting.

The team wanted to focus on Scenario #2 and potentially talk about Scenario #3, both of which the Tiger Team had laid out in previous meetings. It completed discussion of query/response scenarios and policy recommendations for Scenario #2, titled “Targeted Query for Direct Treatment, Data covered by more stringent privacy law.” The scenario is similar to Scenario 1 in terms of actors and transactions; the difference is that a targeted query for direct treatment purposes falls under not only HIPAA but also other law or policy requiring consent before protected health information (PHI) is disclosed.

Here were the initial straw recommendations:

- Data holders and requesters must comply with the laws that apply to each.  In some cases requesters must obtain the patient’s consent/authorization prior to a query; in some cases the data holder must have the patient’s consent/authorization prior to releasing PHI.

- The form of consent must comply with applicable law – i.e., the requester must have a form that satisfies their legal requirements (if applicable), and data holders must have the form that satisfies their legal requirements (if applicable).   These forms may not be the same.

- Parties to a query/response must have a technical way to transmit and record applicable consent/authorization.

- In circumstances where the law requires consent/authorization for subsequent disclosure (“redisclosure”) by the recipient, technical capabilities to transmit this requirement are needed.

- Entities may use a service to fulfill the above obligations.

After working through various considerations for the recommendations above, the Tiger Team agreed, according to Chair Deven McGraw, that it’s premature to decide on one particular technical capability for query response. “It does need technical capability standards, but this isn’t a one-size-fits-all circumstance,” McGraw said. The team still needs more time to complete the Scenario #2 discussion, but has inched closer to final recommendations.

Lastly, it spent a few minutes discussing Scenario #3, which differs because it is a non-targeted query. The scenario assumes that previous providers are not specifically known, so it may require use of a record locator (or data element access) service or a master patient index to find possible sources of records. The Tiger Team ended the meeting by agreeing that patients should have meaningful choice regarding whether or not they are included in a record locator service (RLS) or other product that permits queries from external providers. It left the question of whether querying entities should be required to limit queries (e.g., by geography or list of providers) unresolved because it needs more feedback from the policy committee.

