HITPC talks exchange of behavioral health, sensitive data
New technologies to facilitate the exchange of behavioral health data while ensuring that privacy and security protections are maintained were explored during the Health IT Policy Committee on May 6.
Data Segmentation for Privacy (DS4P), an initiative of the Office of the National Coordinator for Health IT’s Standards & Interoperability Framework, piloted technologies for enabling the disclosure of sensitive behavioral health and substance abuse data covered under 42 CFR Part 2.
Currently six pilots are underway, which include Virginia Substance Abuse and Mental Health Services Administration pilot, SAVTA pilot, Netsmart pilot, Jericho/UT pilot, Greater New Orleans Health Information Exchange pilot and Teradact pilot, according to Deven McGraw, chair of the Certification & Adoption Workgroup who also serves as director of the health privacy project at the Center for Democracy & Technology.
“We sought to understand more about these pilots and actual implementation of DS4P, as well as an understanding of how Part 2 data is handled today by providers and some HIEs,” McGraw said at the meeting,
In the paper world, clinicians would manually redact sensitive data that a patient does not want disclosed. Electronically, exchange still begins with patient consent to authorize the sharing of behavioral health or other sensitive information. Using DS4P technology, a Consolidated Clinical Document Architecture (CCDA) or data element is tagged as coming from a behavioral health provider with an indication that the document is restricted and cannot be re-disclosed without further authorization of the patient, explained McGraw.
A recipient can view the restricted CCDA, or data element, but the technology prevents it from being automatically passed, consumed and interdigitated into the EHR.
Implementation to date has largely been “all in” or “all out” with respect to disclosure of information from behavioral health providers and programs, McGraw reported. She said granularity with respect to information shared by a behavioral health provider might be achieved by omitting information from the CCDA, but that raises the “Swiss cheese” problem when providers don’t know data are missing.
While the "view only" mode to access sensitive data is not ideal, it is better than nothing. “DS4P is not a perfect solution,” she said, but added, “docs appreciate the ability to have this data in advance so they can prepare. It enables them to share electronically in ways not possible before.”
The next steps for technology companies working on this include:
- Enabling query of behavioral health providers (transmittal of authorization)
- Enabling decision support without risking unauthorized re-disclosure
- Parsing
The question remains whether certification of both behavioral health EHRs and provider EHRs for the DS4P technical capacity be mandatory for certified EHR technology. McGraw said some other gray areas needing clarification include whether providers who confirm something in the protected records with a patient can add it to the EHR, such as medications.
The workgroup is scheduled to propose recommendations in June to determine whether this technology has been adequately piloted and ought to be in EHRs, and how it fits into Meaningful Use compliance.