Keeping Data Queries, Responses SecureTiger Team Examines Health Data Exchange Issues
The Privacy and Security Tiger Team, which advises federal regulators, is tackling the issues involved in the exchange of patient information among healthcare providers using the query and response method.
The tiger team plans to make recommendations to the HIT Policy Committee in April that address several query/response scenarios. Those scenarios include: A HIPAA-compliant targeted data query by a healthcare provider to another provider for information needed when treating a patient; a targeted query by a healthcare provider to another provider for patient information in a situation where more stringent state privacy laws than HIPAA are in effect; and a non-targeted query, such as a provider sending a query via a health information exchange for all records about a patient from their previous healthcare providers, who are not known.
"We took up these query policy issues in response to a recommendation from the [HIT Policy Committee] information exchange workgroup that query/response capabilities be required for EHR certification in Stage 3" of the HITECH Act electronic health record incentive program, says Deven McGraw, who chairs the tiger team. "But any recommendations we craft can be used for Office of National Coordinator for Health IT in any way it sees fit."
In addition to beginning its work on the requirements for Stage 3 of the "meaningful use" incentive program, which starts in 2016, ONC is preparing a series of voluntary guidelines for secure health information exchange (see: Farzad Mostashari: HIE Security Vital).
In making its query/response policy recommendations, the tiger team's goals are to:
- Not alter the rules that give providers the responsibility to share patient information responsibly and consistent with applicable law;
- Reduce potential real or perceived barriers to exchange, such as through clarification regarding provider liability for responding to a query.
At its March 12 meeting, tiger team members discussed a number of fine points regarding scenarios involving HIPAA-compliant query/response.
For instance, some of the discussion focused on whether a healthcare provider sending a query for patient information and a provider receiving the query should be required to keep logs of those queries and the responses so that the information can be presented to patients upon request.
Other issues discussed included whether data queries should include specific patient identifying information, such as an individual's key demographic information, to help ensure the right patient's information is provided.
The tiger team will meet again on March 18 before making its final recommendations to the HIT Policy Committee, which advises ONC.