HIT Policy Committee: Privacy and security for query, response discussed
The Privacy & Security Tiger Team presented its recommendations for patient record query and response to the HIT Policy Committee during its April 3 meeting.
Team co-chair, Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, said that while query and response already is happening in healthcare, “what are new are the challenges raised when you automate this process.”
While HIPAA and state and federal laws regulate when most providers can disclose identifiable health information, the rules permit but don’t require that this information be disclosed, she said. “As a result, if there are uncertainties with respect to liability, the path of least liability would be not to disclose.”
Using three scenarios, the team evaluated the challenges and issues that arise depending on whether the query is targeted, whether patient consent is needed, and whether the location of the information is unknown.
To respond to a query, an entity needs reasonable assurance that the requesting entity is treating the patient. A responder needs to send the right data, address it appropriately and send it securely, McGraw said. The data requester must have some way of presenting the treatment relationship and send enough information to the data holder to match the right record to the right patient.
The team discussed what supports “reasonable” reliance, by the data holder, that the requester is who they say they are, McGraw said. Possible ways to support reasonable reliance include use of a Direct certificate, membership in a network that the data holder trusts, and pre-existing relationships between data holders and requesters.
McGraw said the team also believes that the HIT Policy Committee’s previous recommendations on patient matching should be implemented, including the following:
- A standardized format for data matching fields;
- EHRs should be tested and certified for interoperability;
- Healthcare organizations/entities should evaluate the effectiveness of their matching strategies to internally improve matching accuracy;
- Matching accuracy should be enforced through governance;
- HIEs should be required to establish programs that ensure matching accuracy by participants and define how to respond when records are incorrectly matched; and
- The Office of the National Coordinator for Health Information Technology (ONC) should establish one or more programs to develop and disseminate best practices in improving data capture and matching accuracy.
“There is a role for the ONC to play in disseminating best practices about what types of algorithms work best in the matching context,” McGraw said. The team discussed use of a unique identifier but acknowledged that it is “not a panacea.”
This is a very complicated area, she said. “Providers are very concerned, and some patients too, about constraints in terms of sharing laws in the face of more stringent rules on certain types of data.”