Notifying Patients About Exchanging EHRs

Tiger Team Calls for Notices on Health Information Exchange
Notifying Patients About Exchanging EHRs
Organizations involved in exchanging electronic health records should provide patients with clear, brief notices about their data sharing policies, a privacy and security tiger team advising federal regulators says. In addition, they should make available a more detailed description of data exchange activities and privacy protections for those who want it.

The tiger team also called on hospitals and clinics to go beyond the notices to discuss their information exchange practices with patients.

The tiger team presented its preliminary recommendations on what it portrayed as "transparency and openness" issues to the Health IT Policy Committee Oct. 20. The committee did not take a vote on the proposals, but indicated the team was headed in the right direction.

The team eventually will make a long list of final recommendations dealing with the privacy and security of health information exchange. They'll be included in a "policy and technology framework for health information exchange."

Ultimately, the Department of Health and Human Services will determine whether to use the recommendations approved by the HIT Policy Committee in new rules and regulations.

The HITECH Act called for expanding data exchange at the regional, state and national levels. It provided grants to states to help fund statewide exchanges.

Establishing Credibility

The tiger team endorses a "core value" that states: "Transparency about information exchange practices is a necessary component of establishing credibility with patients. In achieving greater openness and transparency for patients, we need to balance the need to give patients complete information on how their information is shared while at the same time providing information in a form that is manageable for patients to read and understand."

As a result, the team recommends a "layered approach" to notifying patients about information exchange activity, says Deven McGraw, team co-chair and director of the health privacy project at the Center for Democracy & Technology.

The team recommends summary statements within the "Notice of Privacy Practices" already required under HIPAA. These statements should be "easily distinguishable," such as with a bold heading, the team recommends. And they should make it clear that a more detailed explanation is available, either in a booklet or on a website, says Paul Egerman, a software entrepreneur who co-chairs the team.

Some members of the HIT committee asked the team to consider making additions to the notices, such as requiring that the summary statement point out that patients can access an audit of who has accessed their information.

EHR Exchange Consent

Earlier, the HIT Policy Committee endorsed the tiger team's recommendations on obtaining patients' "meaningful consent" for the exchange of EHR data. Under the recommendations, patient consent generally would be required for the exchange of data that involves a third party, such as a health information exchange or an e-prescribing gateway.

In addition to the transparency and consent issues, the tiger team is studying other topics, including:

  • Addressing data quality and integrity, making sure that those involved in information exchange take reasonable steps to ensure that health data is complete, accurate and up-to-date;
  • Implementing safeguards to ensure the confidentiality, integrity and availability of patient information and to prevent unauthorized or inappropriate use or disclosure. This includes the issue of authentication of the sources of information;
  • Providing individuals with a simple and timely way to access and obtain their information in a readable format.

Governing Health Information Exchanges

The HIT Policy Committee also heard an update on the work of its governance workgroup. The workgroup will develop recommendations on how to offer some sort of a "seal of approval" that health information exchanges sharing data nationally are meeting standards, including those for privacy and security.

Next year, federal regulators plan to issue a proposed rule for governance of organizations that use the National Health Information Network standards, as required under the HITECH Act.

The governance workgroup will make final recommendations, which will be used to help craft that rule, at a Nov. 19 HIT Committee meeting, says John Lumpkin, M.D. workgroup chair. He's senior vice president and director of the healthcare group at the Robert Wood Johnson Foundation.

"It's necessary to assure that sufficient privacy protections and safeguards are in place to facilitate and promote ... interoperability and to remove barriers to nationwide exchange of health information," according to Lumpkin's presentation.

The workgroup will make recommendations on whether an existing organization, or a new one, should serve as a national governance body for health information exchanges.

NHIN, which will be renamed this fall to clarify its meaning, is not a national network. Rather, it's a set of standards, services and policies for promoting and facilitating secure national exchange of health information on the Internet to improve health and healthcare.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.