Monday’s Privacy & Security Tiger Team virtual hearing on non-targeted query among healthcare information exchanges (HIEs) showcased the various ways in which these organizations use non-targeted query and what policies they have in place to communicate patient data in a compliant manner.
Two panels of HIE organizations focused on HIE policy (not security methodologies or identity management issues). Panel 1 included Deb Bass, Sara Juster and Connie Pratt of the Nebraska Health Information Initiative, Mariann Yeager and Martin Prahl of HealtheWay, Ted Kremer of the Rochester (NY) Regional Health Information Organization and John P. Kansky of the Indiana Health Information Exchange. Panel 2 was composed of Laura Adams and Charlie Hewitt of Rhode Island Quality Institute’s CurrentCare, Paul Uhrig of Surescripts, Christian Carmody and Tracy Crawford of ClinicalConnect and Joanna Pardee-Walkingstick of SMRTNet.
Carmody explained that who can query ClinicalConnect, located in Pennsylvania (an opt-out state), is controlled at the participant level, based on a user having the appropriate access rights to view that patient's record within the participant's EHR. The specific purpose and scope are defined in the ClinicalConnect Data Exchange Agreement as limited to treatment, payment and operations, public health activities and reporting as permitted by HIPAA, and reporting on quality measures as defined by "meaningful use" under ARRA and HIPAA.
Regarding meaningful choice and how consent works, ClinicalConnect requires that each of its participants, for which ClinicalConnect is a business associate, make a standard "Notice of Privacy Practices Addendum" available to patients that details how patient information will be managed and exchanged. Lastly, Carmody said that ClinicalConnect instructs its participants not to send sensitive information to ClinicalConnect, specifically information whose disclosure is subject to additional legal restrictions.
Next, Yeager, Executive Director of Healtheway, the non-profit, public/private collaborative chartered to support the eHealth Exchange (eHEX), said that Healtheway’s targeted and non-targeted queries are operationalized using a common technical and trust framework.
Query-based exchange participants must comply with the organization's technical and testing requirements, covering security, transport, discovery of patient records, and query and retrieval of documents. Furthermore, Yeager said non-targeted query participants who query data for treatment purposes also have a duty to respond to authorized requests for data for treatment purposes, either with a copy of the data or with a standardized response that the data are not available.
As for additional limits placed on non-targeted queries, she stated that the eHEX has "robust functionality" to support policies related to who can query, such as the purpose and scope of the query. Participants include policy statements (assertions) that accompany the message (i.e. the query). These statements provide important information and enable a responder to determine whether and how to respond to a request. These policy assertions are sent using an international OASIS standard, the Security Assertion Markup Language (SAML).
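To make the responder-side mechanism in the two paragraphs above concrete, here is an added example (not code from Healtheway, the eHealth Exchange, or any panelist) of a responder that reads the purpose-of-use and role assertions carried with a query, checks them against a local policy table, and answers either with documents or with a standardized "not available" response as the duty-to-respond rule describes. The attribute names are assumptions modeled on the OASIS XSPA SAML profile, and the sample assertion, policy table, and patient index are constructed for the example; a production responder would also verify the assertion's XML signature before trusting any attribute.

```python
"""Responder-side evaluation of SAML policy assertions accompanying a query.

Everything below is constructed for illustration: the attribute URNs are
modeled on the OASIS XSPA profile (an assumption, not the eHealth Exchange's
published schema), and the sample assertion and patient index are made up.
Signature verification of the assertion is deliberately out of scope here.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Assumed attribute names (XSPA-style); adjust to the trust framework in use.
ATTR_PURPOSE = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
ATTR_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ATTR_ORG = "urn:oasis:names:tc:xspa:1.0:subject:organization"
REQUIRED = (ATTR_PURPOSE, ATTR_ROLE, ATTR_ORG)

# Constructed local policy: purposes this participant will honor.
ALLOWED_PURPOSES = {"TREATMENT", "PAYMENT", "OPERATIONS", "PUBLICHEALTH"}

# Constructed patient index keyed by a local patient id.
PATIENT_INDEX = {"pt-1001": ["ccd-2013-06-01.xml", "labs-2013-06-20.xml"]}

# Standardized refusal: the same shape whether the policy check failed or no
# records exist, so a requester cannot infer patient presence from the reply.
NOT_AVAILABLE = {"status": "not-available", "documents": []}


def make_assertion(purpose: str, role: str = "Physician",
                   org: str = "Example Clinic", include_org: bool = True) -> str:
    """Build a constructed SAML assertion carrying the policy attributes."""
    org_attr = (f'<saml:Attribute Name="{ATTR_ORG}">'
                f'<saml:AttributeValue>{org}</saml:AttributeValue></saml:Attribute>'
                if include_org else "")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_constructed-1">'
            f'<saml:Issuer>https://hie.example/idp</saml:Issuer>'
            f'<saml:Subject><saml:NameID>dr.example</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>'
            f'<saml:Attribute Name="{ATTR_PURPOSE}">'
            f'<saml:AttributeValue>{purpose}</saml:AttributeValue></saml:Attribute>'
            f'<saml:Attribute Name="{ATTR_ROLE}">'
            f'<saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>'
            f'{org_attr}'
            f'</saml:AttributeStatement></saml:Assertion>')


def extract_assertions(saml_xml: str) -> dict:
    """Return {attribute name: value} from the assertion's AttributeStatement."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if attr.get("Name") and value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def decide(saml_xml: str) -> dict:
    """Policy decision: may this query be answered with data, and why or why not?"""
    try:
        attrs = extract_assertions(saml_xml)
    except ET.ParseError:
        return {"respond": False, "reason": "malformed assertion"}
    missing = [name for name in REQUIRED if name not in attrs]
    if missing:
        return {"respond": False, "reason": "missing required assertions",
                "missing": missing}
    purpose = attrs[ATTR_PURPOSE].upper()
    if purpose not in ALLOWED_PURPOSES:
        return {"respond": False, "reason": "purpose not permitted", "purpose": purpose}
    return {"respond": True, "purpose": purpose, "organization": attrs[ATTR_ORG]}


def respond(saml_xml: str, patient_id: str) -> dict:
    """Return documents when policy allows and records exist; else the
    standardized not-available response. The decision is logged separately so
    the refusal reason is available to the responder's auditors, not the requester."""
    decision = decide(saml_xml)
    audit = {"patient_id": patient_id, "decision": decision}
    if not decision["respond"] or patient_id not in PATIENT_INDEX:
        return {**NOT_AVAILABLE, "audit": audit}
    return {"status": "documents", "documents": list(PATIENT_INDEX[patient_id]),
            "audit": audit}


if __name__ == "__main__":
    print(respond(make_assertion("TREATMENT"), "pt-1001"))
    print(respond(make_assertion("MARKETING"), "pt-1001"))
```

The point of the single `NOT_AVAILABLE` shape is that a denied purpose and a genuinely absent record look identical on the wire, while the audit record kept on the responder side still distinguishes them for review.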
Unlike ClinicalConnect's practice of excluding sensitive data, the eHEX allows sensitive information to be included with other data in an EHR, though participants remain bound by the laws that establish additional protections for it. In this scenario, eHEX participants, as a matter of standard practice, obtain an individual's express consent or authorization prior to the release of any information to other eHEX participants.
The next Tiger Team meeting will be held on July 10 from 1 p.m. to 2:30 p.m. EST to discuss the testimony received from panelists and the need for policy recommendations on non-targeted query.