Federal Advisers Tackle Secure HIECommittee Approves Data Sharing Proposals
A federal advisory panel is outlining how to address privacy and security issues involved in the exchange of patient information among healthcare providers using the query and response method.
The HIT Policy Committee on April 3 approved recommendations from its Privacy and Security Tiger Team (see: Keeping Data Queries, Responses Secure).
The recommendations address how to assure the identity and authority of healthcare providers when they electronically request data about a patient from another healthcare provider. They also address the issues involved when the data holder responds to those queries.
The proposals could potentially be included in criteria for Stage 3 of the HITECH Act EHR incentive program, slated to begin in 2016, notes Deven McGraw, chair of the tiger team and a member of the HIT Policy Committee.
But they could be applied by the Office of the National Coordinator for Health IT in other ways, she says. ONC is preparing a series of voluntary guidelines for secure health information exchange (see: Farzad Mostashari: HIE Security Vital). And on April 4, ONC will announce grants to two groups - DirectTrust and the EHR/HIE Interoperability Workgroup - to collaborate on development and adoption of data exchange policies, interoperability requirements and business practices.
The recommendations approved by the HIT Policy Committee, which advises ONC, deal with two query/response scenarios. Those are:
- A HIPAA-compliant targeted data query by a healthcare provider to another provider for information needed when directly treating a patient;
- A targeted query by a healthcare provider to another provider for patient information for treatment in a situation where more stringent state privacy laws than HIPAA are in effect.
The tiger team will continue to develop recommendations for a third scenario, involving a non-targeted query, such as a provider sending a query via a health information exchange for all records about a patient from their previous healthcare providers, who are not known (see: Keeping Data Queries, Responses Secure).
Query and response actions among providers - such as a request for a patient's lab results or medical images for treatment - are a frequent occurrence in healthcare. The committee's recommendations address the privacy and security challenges raised when automating the process, McGraw explains. That includes adhering to HIPAA and various state privacylaws that regulate when healthcare providers are permitted to disclose protected health information.
The tiger team's goal is to reduce potential real or perceived barriers - such as through clarification regarding provider liability for responding to a query - to enable providers to respond to external queries consistent with their ethical obligations and the law, McGraw says.
For either of the targeted query/response scenarios, when a healthcare provider requests patient data from another provider via electronic query, the data holder should have assurances that the requester is authorized to receive the information, McGraw explains.
The tiger team recommended a number of ways of providing "reasonable reliance" to the data holder that someone requesting patient information is who they say they are. For example, the requester could use a digital identity certificate as a credential. Or the data holder could simply verify that the requester is an authorized member of a network, such as health information organization, that the data holder trusts.
The team also identified ways of providing reasonable reliance to the data holder that a data requester has or will have a direct treatment relationship with the patient - and therefore has legal authority and authorization to obtain the data. That might include confirming, using a trusted network, that the patient has an existing relationship with the requesting provider.
Patient identifying information presented as part of a query should ideally include "no more but no less" information than what is needed to accurately match the individual to the correct record, the team recommended.
Another recommendation accepted by the committee is that data holders should respond to queries consistent with their professional and legal obligations and do so in a timely way. That could include providing some or all of the requested content or a providing a standardized response indicating the content requested is not available or cannot be exchanged. "We do not think silence is an appropriate response," McGraw says.
The data holder and the requester should log both the query from an outside organization and the response, regardless of its content, under the recommendations the committee endorsed. Plus, this information from the query and response logs should be available to the patient upon request.
The HIT Policy Committee also accepted additional recommendations for the second scenario involving a targeted query in situations where more stringent state privacy laws than HIPAA are in effect. Those include:
- As a best practice, those involved in a query/response transaction should have a technical way to communicate applicable consent/authorization needs or requirements and maintain a record of such transactions. For example, data holders may need to communicate with a querying entity that a particular patient authorization is required before data can be shared.
- The HIT Standards Committee should come up with recommendations for technical methods for giving providers the capacity to comply with applicable state patient authorization requirements or policies. However, the tiger team acknowledged that those technical methods to deal with specific patient consents "may be an area where 'one size fits' all is neither possible nor desirable given current technologies."