The HIT Policy Committee Privacy & Security Tiger Team had a lot on its agenda during Monday’s meeting, as it had to finalize view/download/transmit (V/D/T) recommendations and begin discussion on future work with the Data Segmentation for Privacy Initiative (DS4P).
The meeting began with Deven McGraw, Chair, introducing new VA participants and ex-officio members to the Tiger Team: Stephanie Griffin (primary member), Director, Information Access and Privacy Office, and Andrea Wilson (secondary member) – Veterans Health Administration (VHA) Privacy Office Manager, HIG/Information Access & Privacy. Griffin and Wilson were asked to discuss their DS4P experiences. “I think this will greatly enrich our level of experience on the call in our discussion,” McGraw said.
Next, Dixie Baker reviewed the HIT Standards Committee’s (HITSC) Privacy and Security Workgroup’s National Strategy for Trusted Identities in Cyberspace (NSTIC) public hearing, which will be held March 12, 2014, 10 a.m. to 2:45 p.m. “The purpose of this public hearing is to gain a realistic and objective view of what NSTIC is and what its agenda is. We hope to have a better understanding of its use in healthcare,” Baker said.
And McGraw had a chance to quickly run through some changes to the Tiger Team’s final presentation to the HITPC on adult patients’ V/D/T account by friends, family and “personal representatives.” The person must be authorized to access PHI through VDT, either due to authorization from the patient or due to legal status and there has to be a mechanism that ensures they are who they say they are. But, according to the Tiger Team, granting credentials to authorized friends, family and personal representatives should be “sufficiently easy to discourage shared access yet still be sufficient to satisfy the need to assure authorization and identification/authentication.”
McGraw added that there were two language recommendations that the Tiger Team implemented into the V/D/T presentation as well. Education of patients and providers on rights, responsibilities, and limitations is key. The focus on limitations was suggested by John Houston, the Vice President of Privacy and Information Security at University of Pittsburgh Medical Center. And Tiger Team made sure that it emphasized patient education as well. “Education of patients about why this is not advisable is important.”
Finally, Joy Pritts, Chief Privacy Officer, ONC, and Johnathan Coleman, Initiative Coordinator for DS4P at ONC reviewed the initiative, which Pritts explained is the policy for the technology that ties its effort to ensure that behavioral healthcare providers are included in patient data exchange. Coleman explained that the DS4P project has been going on for more than 2 years now and talked about some successes from pilot implementation in multiple venues, including the Interoperability showcase at HIMSS 2013 and the HL7 Plenary meeting in Baltimore, September 2013. And the VA has extended the DS4P capabilities to demonstrate utilization of FHIR for DS4P (demonstrated at HL7 in Jan 14, in real time, using resources from Australia, Canada and USA).
Coleman present two scenarios to explain how and where data segmentation standards come into play:
1.
A. The Patient receives care at their local hospitalfor a variety of conditions, including substance abuse as part of an Alcohol/Drug Abuse Treatment Program (ADATP).
B. Data requiring additional protection and consent directive are captured and recorded. The patient is advised that the protected information will not be shared without their consent.
2.
A. A clinical workflow event triggers additional data to be sent to Provider/Organization 2. This disclosure has been authorized by the patient, so the data requiring heightened protection is sent along with a prohibition on redisclosure.
B. Provider/ Organization 2 electronically receives and incorporates patient additionally protected data, data annotations, and prohibition on redisclosure.
Coleman explained that DS4P has standards that enable this data to flow in a seamless way: The HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1. The “Normative Ballot was completed in January 2014 and was successfully reconciled in February. Coleman said that HL7 approved the final standard for publication and are processing with ANSI. The guide contains three volumes: Content Specification, DS4P with Direct and DS4P with Exchange. The standard uses document level tagging to convey confidentiality levels and obligations, as well as vocabularies to convey specific meanings, such as “Do not re-disclose without consent” or “This document is restricted”. McGraw said that the Tiger Team will continue with DS4P discussion next call.