The Privacy & Security Tiger Team met yesterday to continue its work toward finalizing recommendations on health information exchange (HIE) queries for its August presentation to the health IT policy committee (HITPC). The meeting was the second of its three meetings this month as it prepares to detail its findings and discussions on both targeted and non-targeted query/response.
The meeting began with the team reviewing existing query/response obligations:
Data Holder (Response)
- Needs some reasonable assurance as to the identity of the entity requesting the data.
- Needs some reasonable assurance that the querying entity has, or is establishing, a direct treatment relationship with the patient.
- Makes the decision about whether to release data and, if so, what data, consistent with law.
- If responding, needs to send back data for the right patient, needs to properly address the request, and needs to send it securely.
Requester (Query)
- Needs to present identity credentials.
- Must demonstrate (in some way) the treatment relationship.
- Must send patient identifying information in a secure manner to enable the data holder to locate the record.
Next, the team went over the previously discussed HIE query scenarios (all involving queries among disparate organizations):
Scenario 1: Query to one or more specific providers (“targeted”), HIPAA controls
Scenario 2: Query to one or more specific providers (“targeted”), data covered by additional law requiring patient consent or authorization prior to PHI disclosure
Scenario 3: Query based on patient demographics, using an aggregator to find the patient (“non-targeted”)
After reviewing the recommendations tied to these three scenarios, which it had discussed at length during previous meetings, the Tiger Team took up new recommendations:
- The previous recommendations, initially considered in the context of targeted query, also apply to non-targeted query.
- We considered whether additional policies were needed for non-targeted queries.
- We held a virtual hearing on June 24, where we heard from 8 operational models of non-targeted query.
- Based on this testimony, we affirm our recommendation that at this time, no additional policies are needed for non-targeted forms of query.
Points for Further Consideration
Toward the end of the meeting, the team analyzed some loose ends that required deeper discussion:
- Last month’s virtual hearing highlighted the state of the trust framework upon which current health information exchange occurs.
- HIEs are currently built upon numerous trust agreements with data holders, some across state lines.
- There is the concern that financial considerations may prevent data sharing with other providers. (The argument was that ultimately, the data should go where the patient goes.)
The Privacy & Security Tiger Team will next meet on July 29 at noon EST.