A new case study published by the Commonwealth Fund demonstrates how the Colorado Beacon Consortium (CBC), one of the 17 communities selected by the Office of the National Coordinator for Health Information Technology (ONC) through its Beacon Community Program, handles integrating behavioral into its work with the health information exchange (HIE) operator Quality Health Network (QHN).
Protecting sensitive data such as mental health information from unauthorized access within a comprehensive electronic health record has become a hot-button issue of late. As HealthITSecurity reported earlier this month, the Privacy and Security Tiger Team, a workgroup that reports health IT-related privacy and security considerations to the HIT Policy Committee, has debated how sensitive data should be handled when dealing with HIE query exchange.
The authors of the case study highlight what exactly is at stake when EHRs containing sensitive data are accessed via HIEs. “Electronically integrating mental/behavioral and physical health care information can improve the overall quality of patient care,” write Douglas McCarthy, MBA, and Alexander Cohen, MPH., MSW. “Yet, many factors complicate efforts to do so. Among these are elevated privacy concerns and legal protections for mental and behavioral health information, as well as the involvement of nonmedical providers in mental health care.”
Currently, QHN has established rules for health data segregation governing who can access what information:
QHN’s operating rules permit only licensed medical providers to query the personal health information of patients for treatment purposes—an approach intended to ensure professional accountability for patient privacy. Behavioral health information cannot be viewed by QHN participants. Consequently, psychiatrists can view only non–behavioral health medication histories from QHN, and non–behavioral health providers cannot view confidential behavioral health information.
As an appendix to the case study reveals, the non-profit organization operating the HIE “uses components of a federated, real-time electronic distribution model to identify, collect, and distribute clinical data from across the community to medical providers of record.” This approach enables the HIE to providers to view a virtual health record, which is a securely compiled “virtually aggregated view of the data that remains segregated and under the control of each provider in accordance with federal privacy regulations.” Providers using the QHN HIE securely access the resource via a browser-based interface although the organization has developed EHR interfaces to streamline connectivity.
Source: QHN via Commonwealth Fund
Data segregation, however, still poses a problem for the QHN and CBC and it’s an area the two organizations are working on to mitigate. “This data segregation may impede timely coordination of care throughout a medical neighborhood,” McCarthy and Cohen explain. “ To help overcome this barrier, the CBC and QHN are collaborating with medical practices to evaluate a process for transmitting authorization forms through QHN that will enable more timely patient consent for sharing medical records among a patient’s care team members.”
There are many layers to safeguarding sensitive data such as mental or behavioral health information contained within a comprehensive EHR. While metadata tagging or user restrictions present ad-hoc approaches to protected sensitive health data, they seem incapable of being scalable and likely precluding them from being viable long term.