HIT Policy Committee: Privacy and security for query, response discussed

The Privacy & Security Tiger Team presented its recommendations for patient record query and response to the HIT Policy Committee during its April 3 meeting.

Team co-chair, Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, said that while query and response already is happening in healthcare, “what are new are the challenges raised when you automate this process.”

While HIPAA and state and federal laws regulate when most providers can disclose identifiable health information, the rules permit but don’t require that this information be disclosed, she said. “As a result, if there are uncertainties with respect to liability, the path of least liability would be not to disclose.”

Using three scenarios, the team evaluated the challenges and issues that arise depending on whether the query is targeted, whether patient consent is needed, and what happens when the location of the information is unknown.

To respond to a query, an entity needs reasonable assurance that the requesting entity is treating the patient. A responder needs to send the right data, address it appropriately and send it securely, McGraw said. The data requester must have some way of presenting the treatment relationship and send enough information to the data holder to match the right record to the right patient.

The team discussed what supports “reasonable” reliance, by the data holder, that the requester is who they say they are, McGraw said. Possible ways to support reasonable reliance include use of a Direct certificate, membership in a network that the data holder trusts, and pre-existing relationships between data holders and requesters.

McGraw said the team also believes that the HIT Policy Committee’s previous recommendations on patient matching should be implemented including the following:

  • A standardized format for data matching fields;
  • EHRs should be tested and certified for interoperability;
  • Healthcare organizations/entities should evaluate the effectiveness of their matching strategies to internally improve matching accuracy;
  • Matching accuracy should be enforced through governance;
  • HIEs should be required to establish programs that ensure matching accuracy by participants and define how to respond when records are incorrectly matched; and
  • Office of the National Coordinator for Health Information Technology [ONC] should establish a program(s) to develop and disseminate best practices in improving data capture and matching accuracy.

“There is a role for the ONC to play in disseminating best practices about what types of algorithms work best in the matching context,” McGraw said. The team discussed use of a unique identifier but acknowledged that it is “not a panacea.”

This is a very complicated area, she said. “Providers are very concerned, and some patients too, about constraints in terms of sharing laws in the face of more stringent rules on certain types of data.”

Beth Walsh, Editor
