The HIT Policy Committee Privacy & Security Tiger Team explained the purpose and scope of its June 24 non-targeted query/response virtual hearing during yesterday’s meeting. In concentrating on policy and not security methodologies or identity management issues, the group wants to understand which policies are deployed to ensure that a “non-targeted query” for a patient record in a health information exchange (HIE) is appropriate, legal and authorized.
The policies that the Tiger Team wants to home in on include query limitations such as who conducts a query, as well as geographic or other limits and parameters intended to help assure proper access and to help demonstrate that the requester is authorized to access a patient’s records. The group cited examples during the meeting of limitations placed on access to the record through queries. They include partial access to the record, geographic limits and purpose, such as limiting queries to those for direct treatment. The Tiger Team said it wants to better understand the thought processes behind the development of these policies.
The Tiger Team has these questions for HIE participants:
1. How have you operationalized non-targeted queries? Please describe the process.
2. How long have you been operational with your approach and how many patients are involved?
3. Is there an inherent scope limitation associated with your entity that affects providers’ ability to perform non-targeted queries (e.g. geography)?
4. What additional limits are placed on non-targeted queries (e.g., who can query, for what purpose and scope of query)?
5. What roles do patients have in limiting queries? Are there circumstances in which patient preferences are overridden? If so, how does that process work and have there been any problems?
6. How do patients exercise “meaningful choice” as to whether their records are included in your “aggregator service”? Does this extend to the release of the data or does that require additional consent?
7. How do you address exchange of sensitive information in a non-targeted query model?
8. What information is returned to a requester as a result of a non-targeted query?
   A. If you exchange sensitive information, is there a difference in what is returned when such information is involved?
9. In what environment and for what providers have non-targeted queries proven to be the most effective? Please provide appropriate metrics if available.
10. What challenges/problems have been created by your approach? What adjustments have you or do you plan to make to your approach?
11. Would having widely applicable policy (or guidance) on providers’ ability to perform non-targeted queries be helpful? If so, what should those policies be?
These are the proposed HIEs and stakeholders that have been invited to the event and their status. Each will look at different questions from separate perspectives and explain their experiences on the subject.
- HealthBridge (OH, KY, IN) (Invited)
- Nebraska Health Information Initiative (NeHII) (Invited)
- HealtheWay (Confirmed)
- New York, Rochester RHIO (Confirmed)
- Indiana Health Information Exchange (Invited)
- Rhode Island, Rhode Island Quality Initiative’s (RIQI) CurrentCare (Federated Model) (Invited)
- Maine, HealthInfoNet (Centralized Architecture) (Invited)
- Colorado, Colorado Regional Health Information Organization (CORHIO) (Invited)
- Surescripts (Confirmed)
- ClinicalConnect (Pittsburgh) (Invited)
The Tiger Team will go over who is answering what before the 1 p.m. start on June 24.