Navigating Access to Minors' Health DataFederal Advisers Tackle Complex Privacy, Security Issues
A federal advisory panel is gearing up to tackle a number of complex data security, privacy and legal issues involved when accessing and exchanging the electronic health information of patients who are minors.
Under Stage 2 of the HITECH Act financial incentive program for electronic health records, participating healthcare providers are required to provide patients with the ability to view, download and transmit their health information. Also, under HIPAA, patients have a right to access their health records. Many healthcare providers are rolling out patient Web portals to meet those regulatory requirements.
However, when dealing with providing access to the electronic health records of minors, many complex issues are involved. Those include: parental rights to their children's information; minors' right to provide their own consent for certain healthcare services and to control the information related to those services; and wide differences in state healthcare and privacy laws pertaining to minors.
"There are certain things that minors can consent to - what does that mean for patient portals and what technology need to be built into that?" asks Micky Tripathi, co-chair of the Privacy and Security Tiger Team, which advises the HIT Policy Committee of the Office of the National Coordinator for Health IT. For example, the re-disclosure of information when providers exchange certain pediatric patient records raises privacy concerns, Tripathi explained at the tiger team's June 23 meeting.
The tiger team is considering making recommendations that could, for example, eventually wind up as new requirements for the HITECH Act electronic health records incentive program. Among the issues it will review are laws that vary from state to state for the ages at which minors can obtain certain health services, such as reproductive health services or substance abuse treatment, without the consent of parents.
Often - but not always - a minor has legal authority to control health information pertaining to health services for which they can provide consent. A challenge, for instance, is how to block parents' electronic access to information regarding reproductive health services obtained by their minor child while also providing that parent access to the rest of their child's health information via a patient Web portal.
Another complicated matter is the sending of claims information to insurers pertaining to certain health services that a minor has legal authority to seek without a parent's consent. For instance, how does explanation of benefits information for those health services get processed by insurers without violating a minor's wishes for keeping those services confidential from parents when an EOB statement is issued? Those situations potentially could be handled differently by various healthcare providers and health insurers.
For instance, John Houston, CISO and privacy officer at the University of Pittsburgh Medical Center, told fellow tiger team members that UPMC's health plan "has a way to suppress" an EOB for substance abuse treatment for a minor from being sent to an individual's parents. "You have to decide whether to segregate two sets of information," he says.
Meanwhile, another related issue involving EOBs is the challenge of protecting the health information privacy of adult children who, under the Affordable Care Act, can remain on their parents' insurance plans until age 26.
Tiger team member David McCallie, vice president of medical informatics at software vendor Cerner Corp., noted that among potential design challenges for EHR vendors is dealing with diversity in state laws related to minors.
For instance, if EHR developers program software to comply with various state and other requirements, the industry will need to address how this will effect workflow for healthcare providers, he says. "If we could get all states to agree on all the same rules, it wouldn't be a problem," he says.
But the age for minors to seek certain healthcare treatments without parental consent can vary, even within a state. For instance, one state allows 12-year-olds to consent for treatment of a sexually transmitted disease, but the age of consent for substance abuse treatment is 14, one tiger team member noted.
Other complexities in providing access to minors' records revolve around family situations and related legal issues, such as divorces. For instance, how do healthcare providers manage giving portal access to a minor's records to one parent, but not the other parent, depending on custody issues when a divorce occurs?
Tripathi says the tiger team will begin diving deeper into the complexities at its next meeting on July 14. The discussions will likely last through several meetings, although a timeline hasn't been set.
The first subtopic likely to be discussed will concern the various issues involving view, download and transmittal of health records by minors, parents and other custodians. For instance, the team might examine whether patient portals should automatically shut off records access for parents when pediatric patients turn age 18, Tripathi notes.
Another subtopic that also will be discussed is the exchange of minors' health records. For instance, if a minor has received certain health services without a parent's consent, how does a healthcare provider prevent unauthorized disclosure to parents when those records are sent to a new clinicians who have their own patient portal?
In the meantime, some healthcare providers are finding that issues involving access and exchange of minor's health records are just too complicated, so they are strictly limiting access to minors' data via portals, Tripathi notes.
When it comes to the complexities of handling access to minors' digital health records, "there is no one-size-fits-all solution to how you're going to address that age group," notes privacy attorney Adam Greene, a partner at law firm David Wright Tremaine, in a recent interview with Information Security Media Group.
"Some healthcare providers, for example, might provide parents with access to the patient portal, but may be able to segregate certain information that is not accessible to the patient portal for that patient population, so that you know the parent is not going to be able to see certain services. Other healthcare providers may not have that ability, and they may have to completely exclude this age group," he says.
"We're still looking at different healthcare organizations finding what works best for them. This is a very tough situation."