Channel: HealthITSecurity.com » HIE Security

Providers cite state HIE privacy hurdles in GAO report


The U.S. Government Accountability Office (GAO) has been busy producing reports of late, as it recently published its review of the cybersecurity troubles within the Department of Veterans Affairs (VA). The GAO also examined some of the key challenges, according to various stakeholders, to health information exchange (HIE) and the Department of Health and Human Services’ (HHS) ongoing efforts and plans to address them. One big barrier cited in the report is accounting for different HIE privacy policies in separate states.

GAO, according to the report, said that it reviewed HHS documentation, interviewed HHS officials and interviewed providers about their experiences. Among the specific provider issues were insufficient standards, concerns about how privacy rules can vary among states, difficulties in matching patients to their records and costs associated with HIE. One big sticking point for providers is the variation in privacy rules among states and the lack of clarity about individual requirements. Adding to the confusion is the prospect of exchanging data with providers that are located close to state borders and also serve patients from a neighboring state. HIPAA covered entities must adhere to both federal privacy rules and potentially stricter state privacy rules as well.

As for what the Office of the National Coordinator for Health Information Technology (ONC) is doing to aid providers with HIE privacy questions, the GAO referenced some of ONC’s recent work. This included high-level HIPAA and meaningful use guidance as well as suggestions to use state agencies, RECs and other professional associations to understand how state laws affect the sharing of patient health information. Further, the ONC’s Data Segmentation for Privacy Initiative (DS4P) was created to develop and pilot test standards for managing patient consents and data segmentation. Back in 2012, the ONC released (and is currently piloting) an implementation guide for consent management and data segmentation. Lastly, ONC expects to receive reports through its state HIE organization program on how different states are implementing their state’s privacy rules.

In spite of these programs and projects to increase understanding around HIE privacy and security, a few providers that the GAO spoke with are still unclear about other states’ HIE privacy and security laws.

They found it difficult to ensure they were compliant with state laws when exchanging certain personal health information with providers in another state. For example, some providers in Minnesota and Massachusetts noted that some state laws have stringent requirements related to sharing health information related to mental health, or human immunodeficiency virus or other sexually transmitted infections.

Moreover, some states have different perspectives on obtaining patient consent, such as whether consent is required only initially or for each transaction, when exchanging patient data. One suggestion that stakeholders have raised in the past is additional training for providers on varying state privacy laws. They also advised that HHS concentrate more on consent policies and work more on (1) electronically obtaining patient consent for disclosing health information, and (2) communicating that consent along with the related health information.

Though it didn’t criticize current work, GAO recommends that CMS and ONC:

(1) Develop and prioritize specific actions that HHS will take consistent with the principles in HHS’s strategy to advance health information exchange.
(2) Develop milestones with time frames for the actions to better gauge progress toward advancing exchange, with appropriate adjustments over time.

In commenting on the draft report, HHS, including CMS and ONC, concurred with these recommendations.

