Though there have been some structural changes to the Privacy and Security Tiger Team and it has moved on from its accounting of disclosures talks, the team hopes to touch upon a variety of topics in 2014. Micky Tripathi, Co-Chair of the Tiger Team and CEO of the Massachusetts eHealth Collaborative (MAeHC), discussed the Tiger Team’s prominent plans for this year with HealthITSecurity.com.
Check out Part 1: Micky Tripathi discusses accounting of disclosures wrap-up
Laughing as he said hopefully the Tiger Team won’t have to go back to accounting of disclosures in 2014, Tripathi offered an inside look into what the team would like to focus on this year. From patient data proxy access to dealing with minors’ privacy, there are a few key areas of concentration for the Tiger Team.
Could you talk about how Tiger Team and Health Information Exchange will now operate?
Tripathi: We’ve tried to link the Tiger Team and Health Information Exchange working group more than they were in the past. In 2013, their agendas often overlapped. We didn’t want any signal to the market that in merging groups we were placing any less significance in privacy and security. So what we ended up doing at the end of the day was having Deven McGraw as co-chair of the Information Exchange group and myself as co-chair of the Tiger Team. We each have our own separate agendas, but we’ll be coordinating and bouncing ideas off of each other when areas of focus overlap.
What are some highlights from the 2014 Tiger Team calendar?
Tripathi: Things change, but for the foreseeable future, one of the things that we’re going to be working on is the question of proxies and proxy access to data. For patients of multiple organizations in one area, such as Massachusetts where there are a lot of patient portals, how does their family access their data through the portals? While it’s often what happens in the market, the unsatisfactory solution would just to give the families their user names and passwords. Neither providers nor patients should share user names and passwords. So what would be the ground rules to giving proxy access to those portals? The easy answer would be to say “when the patient gives access.” But what about situations of abuse or birth control rights? Sometimes there may be information the minor may not be required to allow access to their parents. From an EHR perspective, those will be the kind of issues we’re addressing.
Were there any other focal points?
The second thing we’re going to look at business associate (BA) relationships in the EHR context in particular. It comes into play in a number of areas, such as accounting of disclosures, but we’ll be looking at EHRs as the BAs of HIPAA covered entities.
The third thing that we’ll look at is [privacy] issues related to minors. As I referenced before, there are problems with emancipated minors and statutorily-protected information, for example. We’ll try to figure out how those things should be worked out in the electronic world. And we’ll look at what happens in key transition points, as there’s a period between 12-18 years old where some of these laws kick in. Many organizations just “punt” the issue and don’t allow minors’ data from age 12-18 to be in the HIE because the rules are so tough to figure out. Because of the complexity of the rules, they feel as though that’s what they have to do. We’ll try to offer any guidance we can on these issues.