Channel: HealthITSecurity.com » HIE Security

Privacy and Security Tiger Team: New policy recommendations


The recent HIMSS Privacy and Security Forum in San Diego gave the ONC Privacy & Security Tiger Team an opportunity to present some of its work and recommendations over the past few months and discuss future ONC recommendation efforts as well.

Tiger Team Co-Chair, Micky Tripathi, President and CEO of the Massachusetts eHealth Collaborative, presented with Chair Deven McGraw, a partner at Manatt, Phelps & Phillips. Tripathi took some time to talk with HealthITSecurity.com about the Privacy and Security Forum, the topics the Tiger Team is focusing on and the importance of synergy with the Information Exchange Working Group.

The Tiger Team has concentrated on three main issues so far in 2014. First, it discussed patient personal representative access to medical records through patient portals. Next, it took up data segmentation policies as they relate to substance abuse, working with the Substance Abuse and Mental Health Services Administration (SAMHSA) on the topic. Lastly, the discussion that it just started revolves around minors’ access to their data and how health information exchanges (HIEs) have dealt with the complicated nature of access for minors from ages 12-18.

In reviewing personal representative access, Tripathi said the Tiger Team looked at how HIPAA allows a patient to designate a personal representative who would then be authorized to view the records, as well as family and friends as long as the patient doesn’t object. Those were static regulations, but the question was what, if any, implications there were for patient portals and view/download/transmit (VDT) requirements. Applying those HIPAA allowances to the electronic world can become challenging at times. But instead of coming back with a strong set of recommendations, Tripathi said the Tiger Team advised that there should be best practices and some education from ONC to providers.

Because the patient is the one allowing the access, there are no issues about authenticating or authorizing a person. The only issue we found was the fact that the easiest thing for a representative to do when logging into a patient portal is for the patient to give them their user name and password. This is obviously not a good thing from a security perspective. We advised that providers create a set of policies and work with their vendors to issue credentials to those other people that have access to a patient’s care.

Many vendors such as Epic or eClinicalWorks have those capabilities, he added, but the Tiger Team offered a set of guidelines for areas such as who has access to a prescription refill, for example. These recommendations have value in the sense that they can be a good starting point for providers working on new access policies.

Data segmentation work

Tripathi said he was very pleased with where the Tiger Team ended up in its work with data segmentation and SAMHSA. Any organization that is part of a federal substance abuse program must not share any information from that organization with anyone else without the patient’s permission. This includes even benign information that came from the program but wasn’t related to substance abuse, Tripathi said.

After years of delays and inability to make forward progress in this area, the Tiger Team was merely hoping to make small steps toward making solid recommendations to the ONC. Many have said to just change the laws around substance abuse data segmentation, but going to Congress to make law amendments is more convoluted than some realize.

We ended up coming up with a framework that had levels of sharing based on the maturity of the technology going forward. The Data Segmentation for Privacy (DS4P) is being developed right now in pilot form and has shown that in a clinical setting you can apply a set of metadata and encryption onto a clinical document. This would then allow a receiving system with the technology to be able to recognize that data is from a substance abuse program and segregate it. We used that to imagine that there are a few levels that could happen over time.

Minors’ access to patient data

The Tiger Team just began work on minors’ access rights and has found that there is little consistency across the country in terms of provider or HIE approaches.

With minors, for example, we’ve seen a lot of HIEs that are repository style and aggregate data look at the emancipated minors issue from 12-18 that allows them to have control of their information in some instances and take their data out of the HIE once they turn 12. They won’t accept any more information from that child until they turn 18 and their information has essentially disappeared during that time. It’s too hard to determine how to control access to information while staying out of compliance trouble.

A lot of the issues that we’re working on with minors right now are related to the idea that from a HIPAA perspective, a parent is seen as a personal representative that is granted automatic access. There are exceptions, including when the state has carved out specific areas where a parent doesn’t have that right. For example, Tripathi said, in Massachusetts parents don’t automatically have access to information regarding sexually transmitted diseases (STDs) or abortions. Further complicating matters for the Tiger Team is the fact that most states have different policies in place for different age groups.

