HITPC moves basic BH data exchange forward

The Health IT Policy Committee voted to move forward recommendations regarding sending and receiving capabilities for behavioral health data during its June 10 meeting.

Considering the restrictions on behavioral health data and the high level of sensitivity, the Privacy and Security Tiger Team recommends both required certification criterion for behavioral health providers and voluntary certification criterion for general providers.

Behavioral health information is considered Part 2 data and is protected by federal statute. “Behavioral health providers, particularly the ones governed by the federal substance abuse program rules, have some very specific requirements they need to abide by, a good portion of which are in statutes, not just in regulations,” explained Deven McGraw, chair of the Privacy and Security Tiger Team. “These are consents that apply even for treatment, unlike with HIPAA. These rules apply to any provider who receives that data in terms of requiring protection.”

Before any exchange of information, these providers must get the consent of patients before they can share any data that potentially identifies them as having been in a substance abuse program or having a history of substance abuse. If a patient provides consent, the sending provider must pass along the fact that the data are subject to restrictions. The recipient also is required to not disclose the information without the consent of the patient.

The Privacy and Security Tiger Team describes the current state of behavioral health information exchange as Level 0—Part 2-covered data are not provided electronically to general healthcare providers. Part 2-covered data is shared only via paper.

In Level 1, the recipient EHR can receive and automatically recognize documents from Part 2 providers, but the document is sequestered from other EHR data. Document-level tagging can help prevent re-disclosure.

The Tiger Team recommends that Meaningful Use Stage 3 requirements include Level 1 send and receive functionality in the voluntary certification program for behavioral health providers. Behavioral health EHRs must be able to control which recipients can be sent Part 2-covered electronic documents.  Only recipient providers interested in being at Level 1 would request the capability from vendors. “It’s far from ideal,” said McGraw but the provider can see what’s going on with the patient and treat accordingly.

The voluntary recommendation is “because we recognize a lot of providers might not be comfortable with a technical functionality that enables them to receive data that they then can’t fully utilize in their EHR,” said McGraw. “Other providers believe that receiving in view only mode is better than nothing and voluntary criterion enables them to do that. It might even enable them to get some field experience with how much uptake and how well it’s working.”

Moving beyond Level 1 is beyond Meaningful Use, said the Tiger Team. “However, progression is less likely to occur if we don’t lay the foundation for moving from Level 0 to Level 1 for both behavioral health and general provider EHRs.”

The Tiger Team referred to senders and receivers moving along the scale as “glide paths.” The sender side is “much simpler” because it assumes senders are covered by Part 2 substance abuse and treatment privacy rules, McGraw said. The recipient side is more complicated, she said, because “by and large recipients are not covered by Part 2. Even if they are, recipients have a much bigger load to carry.” In the current state, they don’t have the capability to receive Part 2-covered data.

Level 1 technology has been piloted and the Tiger Team suggests more. “We recommend continued pilots of this technology, particularly with respect to how recipients can handle data when they get it,” she said.

The Tiger Team acknowledges that this is “a baby step from a technical standpoint, at least as it moves from the status quo of zero digital exchange to this very initial level. To get there, you really do need catchers to be empowered to at least receive and view the data.”