
Tiger Team analyzes HIE participation agreements


Following last week’s non-targeted query/response virtual hearing, the Privacy & Security Tiger Team began discussion of potential policy recommendations yesterday and raised some key themes for healthcare information exchange (HIE) query/response in general.

Chair Devin McGraw said that these themes were not conclusions or recommendations, only thoughts to spark conversation. But two conversation points will be particularly impactful for healthcare organizations participating in HIEs: HIE participation agreements and how best to deal with sensitive data:

- Access to each network is controlled to members who have executed some sort of participation agreement (binding them to abide by any query limitations or other network policies).  (For Surescripts, these agreements are executed with the dataholders and with the prescriber’s EHR vendors.) McGraw brought up the question of whether these agreements are worth it.

When a healthcare organization received a query for data from another organization outside its network, it was reluctant to share the data, or did not share it, because that entity had not signed a participation agreement. Is there reason to pursue some type of common agreement, for example?

Another question is how to scale the agreements. Dixie Baker, Senior Partner with Martin, Blanck & Associates, said that there should be a way for organizations to come to agreements in some form.

Surescripts works well because everyone has knowledge of agreement and each participant has the same agreement. Although I’m not fond of forcing regulations that require everyone to have some common agreement, a trust fabric can’t exist unless there’s something that people presume to be there. In the cases we heard [last week] and the HIEs today, that doesn’t exist. I think there should be at least some small form of common agreement.

Other members, such as David Holtzman from the Office for Civil Rights, said that these agreements would be reasonable in theory, but how do you put them into practice?

- For sensitive data, most depend on the data partner to withhold data requiring additional consent, or other types of sensitive data.  RI seemed to have the only model where Part 2 (substance abuse treatment data) was made available in the HIE (but only to providers who specifically request it, subject to a second consent from the patient, and subject to a second attestation of a treatment relationship; also reminder provided about redisclosure limits). In many networks, patients who have concerns about access to sensitive data in the HIE are counseled to opt-out (or not to opt-in). Said McGraw:

The other issue that continues to be vexing for a lot of entities is the sensitive data issue. We’re still waiting to get some results from the data segmentation pilots that might give us some clue as to how we would deal with a lot of these networks not including sensitive data because of additional constraints around sharing and added sensitivity. I’m not sure how far we can go with this because the pilots are still pending.

These were other key themes that the group discussed:

- Each network provides patients with some choice; most are opt-out but some are opt-in.  Many adopt a model where the data is held by the network but is accessible only for those patients who have either opted-in or have not opted out.  Rhode Island is the only network where data does not move into the HIE without opt-in consent.

- Many of the networks do have role-based access levels for participants.

- All networks do audits of access/disclosures, but only some make them directly available to patients.

- None do an override of patient consent – some have emergency "break the glass" access in circumstances where the patient has not yet provided any form of consent.

- All networks limit access to certain purposes — treatment is common to all; many others also allow for operations and public health reporting purposes; a couple allow for payor/payment access.

- All but Surescripts have either inherent or express geographic limits.

- Testifiers expressed some concern about having federal policy potentially disrupting the arrangements they had carefully implemented; however, most expressed a desire for some guidance/common agreement terms that would help facilitate network to network (or HIE to HIE) exchange, and additional guidance on how to handle sensitive data.

