The Office of the National Coordinator for Health Information Technology’s (ONC) Privacy & Security Tiger Team had a few lingering health data exchange security recommendations and comments to discuss heading into today’s meeting and was able to come to a few consensus opinions.
In wrapping up the question of what should be represented in a query and what type of responsibility a record holder has to release patient data, the Tiger Team came to a few determinations. For background, a query model puts entities into a position of collecting information—HIPAA does not establish rules around collection and instead focuses on permitted uses and disclosures once the information has been collected. “HIPAA doesn’t guide queries, but does control release of query by end user,” said Deven McGraw, co-chair of the Privacy and Security Tiger Team.
The questions for the Tiger Team included whether any revisions are needed to previous recommendations on consent and whether it needs to make any comment around the intersection of the IEWG recommendations and the previous recommendations on consent. In discussing the responsibility of the data holder to release data and respond to all queries, the Team debated the question of mandatory vs. voluntary actions for healthcare providers and whether this would deter providers from participating in data exchange. Seeing as there are technically few mechanisms where providers are required to release data, the team agreed that providers should, at bare minimum, respond to a query request, which could simply be an acknowledgement.
Of course, this does not include queries for records on minors, personal representatives, and proxies, which will be handled in a separate discussion. Additionally, highly sensitive health information, such as genetic, HIV, reproductive health, mental health, etc. would not be part of the consensus. The team notes that indirect treatment relationships, in which the provider does not interact directly with the patient and only reviews records, should be considered in finalizing these recommendations.
Trusted environment queries
Queries will take place in a trusted environment in which there is some mechanism in place to vet providers. Ways of establishing that this trust exists include:
– Use of the DIRECT protocol to transmit information (participants have been identity proofed and issued a certificate).
– Membership in a trusted network (participants have been identity proofed and authentication measures are in place).
There are others, but the Tiger Team chose to focus on DIRECT and membership in a trusted network.
The Tiger team also came to a preliminary consensus on these topics:
* Providers making a query for patient information for treatment purposes must provide at least one of the following:
– An attestation that the requesting provider has established (or is in the process of establishing) a treatment relationship with the subject patient or
– An authorization from the patient.
* Record holders should be provided a “safe harbor,” insulating them from legal liability from wrongful disclosure if the above conditions are met.
* Providers are responsible for knowing and complying with the legal requirements governing these exchanges in their own jurisdictions.
The team expects to wrap up this discussion during Q1 of 2013, which gives it six meetings (including today’s) to discuss the topics.