Following opening remarks from National Coordinator Karen DeSalvo, the Privacy and Security Tiger Team virtually presented its family, friends and personal representative update to the HIT Policy Committee April 8, 2014.
The Tiger Team had wrapped up its view, download and transmit (VDT) discussion back in March, but this meeting represented its final recommendations on VDT access to the HIT Policy Committee. The committee approved the Tiger Team’s recommendations.
Deven McGraw, chair, Tiger Team, told the HIT Policy Committee that the Tiger Team doesn’t see a need for additional policy, per se, but it does think this is an area where best practice recommendations would help, and that is what it presented on the subject. McGraw explained that current view, download and transmit (VDT) regulatory requirements for family, friends and personal representatives (these designations are determined by state law) include: patients being able to expressly authorize the sharing of their PHI with others; legal personal representatives, who may have a legal right to directly access a patient’s PHI; and, under HIPAA, personal representatives standing in the shoes of the patient with respect to accessing PHI.
McGraw also offered a reminder that the Privacy Rule permits (but does not require) covered entities to share PHI with family members or other persons who are involved in the individual’s health care or payment for care. And though individuals have the right to object to such disclosures, patients may accomplish such VDT access on their own by sharing user names and passwords.
Although providers cannot control whether patients grant VDT access on their own by sharing user names and passwords, doing so is not advisable: once credentials are shared, there is less ability to determine who has actually taken an action in VDT. Educating patients about why this is not advisable is important because, McGraw said, there’s no way to know who has taken action in VDT. To counter this tendency, McGraw said the process for granting credentials to authorized friends, family and personal representatives should be easy enough to discourage shared access, yet still sufficient to satisfy the need to assure authorization and identification/authentication. McGraw also explained what the Tiger Team is advising ONC to accomplish with VDT:
We urge ONC to develop and disseminate the following best practices for assuring that access to adult patient VDT be extended to friends and family authorized by the patient, and, where appropriate, legal personal representatives.
McGraw listed five VDT best practices for ONC to consider and divided the first best practice, Authorization of Friends/Family, into two segments: an easy hypothetical and a hard one:
Easiest case: patient makes request for VDT access for friend or family member
– Can be done in person or remotely (for example, over the phone, through VDT if that functionality is provided, via e-mail, etc.)
– Providers should document the request; capability to store electronically would be helpful
– Out of band notification can be used to notify/confirm
This is particularly important, McGraw said, when patient request for proxy access is made remotely, or through software acting on the patient’s behalf.
Harder case: friend or family member makes the request
– Such access must be confirmed with patient, such as through out-of-band confirmation
– If the patient is incapacitated:
• HIPAA permits sharing of treatment-related information with friends or family, but limited to only information relevant to treatment
• Provider will need to consider whether providing access to relevant treatment information through VDT is an appropriate vehicle
The next best practice was the authorization of personal representatives and McGraw offered a reminder that whether someone qualifies as a “personal representative” depends on state law, which varies so much that it’s hard to form uniform national policy/best practice recommendations. She added that providers should consider how they can adapt the processes they currently use for VDT to grant personal representative access to records. And a helpful capability would be the ability to store documentation of personal representative status (as well as patient authorizations of access by friends/family).
These were the best practices for identity proofing and authentication:
• Patient can provide credentials or directly authorize the access (for example, through VDT or by separate communication of contact information)
• Previous best practices re: identity proofing and authentication also apply here. (see backup slides)
• Also need to develop process and capability to cut off VDT access by friends, family and personal representatives due to patient change in preferences or changes in personal representative legal status.
The Tiger Team offered these best practices around the scope of VDT access:
• VDT accounts may offer more than “all or nothing” access for proxies, with respect to both data content and the functions that can be performed
• It is important to educate patients on whatever options are available, so they can make informed decisions about the scope of proxy access to be granted to friends/family. (In all or nothing contexts, it is particularly important to educate patients on the scope of data that will be accessible by anyone granted proxy access.)
• For personal representatives, providers need to determine whether VDT access is limited to what the personal representative can legally access. (If this is not possible, VDT access to personal representatives may not be grantable.)
Lastly, there must be continuing education of providers and patients:
• ONC should disseminate best practices to providers, to enable them to establish (and turn off) proxy access to VDT accounts consistent with law and patient needs.
• Providers also should educate their patients on the risks and benefits of VDT, consistent with the HITPC’s prior recommendations; such education should include risks/benefits of proxy access.
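The best practices above describe a workflow rather than a system: proxies get their own credentials instead of the patient’s password (so actions in VDT are attributable), a proxy-initiated request is confirmed with the patient out of band, a personal representative’s access is documented and limited to what that person may legally see, access can be scoped by data category and by function, and access can be cut off when the patient’s preferences or the representative’s legal status change. The following Python model is an added example written for this article; it is not code from the Tiger Team, ONC or any portal vendor. The data categories, the rule that an in-person patient request needs no further confirmation while remote and proxy-initiated requests do, and the `legal_scope` parameter for representatives are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed portal vocabulary (assumed for this example, not from the HITPC recommendations).
DATA_CATEGORIES = {"medications", "lab_results", "visit_notes", "billing"}
FUNCTIONS = {"view", "download", "transmit"}


@dataclass
class ProxyGrant:
    grant_id: str
    patient_id: str
    proxy_id: str
    role: str                     # "friend_family" or "personal_representative"
    data_scope: Set[str]          # record categories the proxy may reach
    function_scope: Set[str]      # which of view/download/transmit the proxy may use
    requested_by: str             # user id that initiated the request
    channel: str                  # "in_person" or "remote"
    documentation: Optional[str]  # stored authorization or legal-status record
    confirmed: bool = False       # has the patient confirmed the grant?
    active: bool = True           # cleared by revoke()


class ProxyAccessRegistry:
    """Toy model of friend/family/personal-representative access to a VDT portal."""

    def __init__(self) -> None:
        self.grants: Dict[str, ProxyGrant] = {}
        self.pending: Dict[str, str] = {}   # out-of-band confirmation token -> grant_id
        self.audit: List[dict] = []         # every action attributed to the actor's own identity

    def request_grant(self, patient_id, proxy_id, role, data_scope, function_scope,
                      requested_by, channel, documentation=None, legal_scope=None):
        unknown = (set(data_scope) - DATA_CATEGORIES) | (set(function_scope) - FUNCTIONS)
        if unknown:
            raise ValueError(f"unknown scope items: {sorted(unknown)}")
        if role == "personal_representative":
            # Representative status must be documented, and the VDT scope must not exceed
            # what the representative may legally access; otherwise the grant is refused.
            if documentation is None:
                raise ValueError("personal representative status must be documented")
            if legal_scope is None or not set(data_scope) <= set(legal_scope):
                raise ValueError("requested scope exceeds legally permitted scope; not grantable")
        grant = ProxyGrant(secrets.token_hex(8), patient_id, proxy_id, role, set(data_scope),
                           set(function_scope), requested_by, channel, documentation)
        self.grants[grant.grant_id] = grant
        # Assumed policy: a patient asking in person needs no further confirmation; remote
        # patient requests and any proxy-initiated request are confirmed out of band.
        if requested_by == patient_id and channel == "in_person":
            grant.confirmed = True
            self._log(patient_id, "grant_created", grant.grant_id)
            return grant.grant_id, None
        token = secrets.token_urlsafe(16)   # delivered to the patient over a separate channel
        self.pending[token] = grant.grant_id
        self._log(requested_by, "grant_requested_pending_confirmation", grant.grant_id)
        return grant.grant_id, token

    def confirm(self, token: str, confirming_user: str) -> bool:
        """Only the patient named on the grant can confirm it."""
        grant_id = self.pending.get(token)
        if grant_id is None or confirming_user != self.grants[grant_id].patient_id:
            return False
        del self.pending[token]
        self.grants[grant_id].confirmed = True
        self._log(confirming_user, "grant_confirmed", grant_id)
        return True

    def revoke(self, grant_id: str, by_user: str, reason: str) -> None:
        self.grants[grant_id].active = False
        self._log(by_user, f"grant_revoked:{reason}", grant_id)

    def check_access(self, actor_id, patient_id, category, function) -> bool:
        """Authorize one proxy action under the proxy's own identity and record it."""
        allowed = any(
            g.active and g.confirmed and g.proxy_id == actor_id and g.patient_id == patient_id
            and category in g.data_scope and function in g.function_scope
            for g in self.grants.values()
        )
        self._log(actor_id, f"{function}:{category}:{'allowed' if allowed else 'denied'}", patient_id)
        return allowed

    def _log(self, actor, action, subject):
        self.audit.append({"actor": actor, "action": action, "subject": subject})


def demo() -> dict:
    reg = ProxyAccessRegistry()
    # Easiest case: patient asks in person for a family member to see medications and labs.
    g1, _ = reg.request_grant("pat-1", "son-1", "friend_family", {"medications", "lab_results"},
                              {"view", "download"}, requested_by="pat-1", channel="in_person")
    # Harder case: the friend asks; the grant stays inert until the patient confirms it.
    _, token = reg.request_grant("pat-1", "friend-2", "friend_family", {"visit_notes"}, {"view"},
                                 requested_by="friend-2", channel="remote")
    before = reg.check_access("friend-2", "pat-1", "visit_notes", "view")
    reg.confirm(token, "pat-1")
    after = reg.check_access("friend-2", "pat-1", "visit_notes", "view")
    out_of_scope = reg.check_access("son-1", "pat-1", "billing", "view")
    reg.revoke(g1, "pat-1", "patient changed preferences")
    revoked = reg.check_access("son-1", "pat-1", "medications", "view")
    return {"before_confirm": before, "after_confirm": after, "out_of_scope": out_of_scope,
            "after_revoke": revoked,
            "actors": [e["actor"] for e in reg.audit if e["action"].startswith("view")]}
```

The point the audit list makes is the one McGraw raised about shared passwords: because each proxy acts under its own credential, every view is attributed to `son-1` or `friend-2`, never to the patient. The scope check and the `revoke()` call show the "more than all or nothing" and cut-off capabilities the Tiger Team asked providers to build, and the representative branch refuses a grant whose scope cannot be held within what the representative may legally access.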