Securing Behavioral Health Data

Federal Panel Recommends Voluntary EHR Standards

Today, to share sensitive mental health information, behavioral health professionals largely depend on getting patient consent and then sending confidential paper records to the patient's other clinicians, with strict rules about re-disclosure. But privacy and security experts envision a day when that data can be securely transmitted electronically.


To inch that along, a federal panel has endorsed a preliminary plan to establish voluntary electronic health records software certification requirements related to behavioral health for Stage 3 of the HITECH Act EHR incentive program.

Another federal committee - focused on IT standards - will review the recommendations, and ultimately the Office of the National Coordinator for Health IT will decide whether to include the voluntary requirements as part of Stage 3 software certification criteria.

Baby Steps

At its June 10 meeting, the HIT Policy Committee approved recommendations from its Privacy and Security Tiger Team aimed at helping healthcare providers take "baby steps" in electronically sending and receiving sensitive behavioral health information.

"This is a very complex area," says Micky Tripathi, tiger team co-chair. "Taking baby steps is in recognition of these complexities."

Outside of a few pilot programs, most behavioral health information is sent and received by clinicians via paper records due to strict legal restrictions and a lack of technical capabilities in current electronic health records, says Deven McGraw, tiger team chair.

Certain federal laws, especially so-called "Part 2" regulations pertaining to healthcare providers participating in federal programs for the treatment of substance abuse patients, are even stricter than HIPAA when it comes to consent, disclosure and re-disclosure of sensitive patient information, McGraw explains.

That means, for instance, that substance abuse information that's electronically sent by a behavioral health provider to another clinician cannot be incorporated into an EHR without risk that the sensitive data might be later viewed by an unauthorized user. So those legal restrictions, combined with a lack of technical capability to securely handle sensitive data in most EHR systems today, end up producing incomplete patient records that exclude confidential, but perhaps pertinent, health information. In fact, because of all the complexity and legal restrictions involved, often behavioral health providers don't share the information at all with other clinicians, even with paper records.

Defining a Glide Path

The tiger team's recommendations to the HIT Policy Committee aim to promote some basic technical functionality in EHRs that would begin to allow sensitive information to be securely transmitted by behavioral health professionals and received by other clinicians without danger that the restricted data is inappropriately used or re-disclosed.

Before making its recommendations to the HIT Policy Committee, the tiger team spent several months studying these and other related issues. That included conducting public hearings and gathering input from the recently concluded two-year Data Segmentation for Privacy, or DS4P, initiative, coordinated by the Office of the National Coordinator for Health IT. The DS4P initiative included six pilot programs that demonstrated how sensitive patient data, such as mental health and substance abuse information, can be securely shared among clinicians with the electronic consent of patients (see: What's The Role Of Data Segmentation?).

In its recommendations, the tiger team described a four-level "glide path" for sending and receiving sensitive health information. Most providers today are at level zero. A goal of the recommendations is to bring healthcare providers to "level one" of the glide path through the help of voluntary certification requirements in Stage 3 of the HITECH Act EHR program, which is slated to begin in 2017.

The tiger team proposed that at level one of the glide path, with authorization from the patient, a "sender EHR" used by a behavioral health professional would send a consolidated clinical document "tagged" as restricted and subject to Part 2 restrictions on re-disclosure.

The team also described a level one "recipient EHR" as one that can receive and automatically recognize documents from Part 2 providers. However, the document would be sequestered from other EHR data. A recipient provider using DS4P functionality, for example, would have the capability to view the restricted clinical document - or data element - but the document or data would not be automatically integrated into the EHR. Document-level tagging can help prevent re-disclosure, McGraw says.

The tiger team recommended, and the HIT Policy Committee approved, that:

  • For HITECH Stage 3, "level-one" send and receive functionality should be part of a voluntary certification program for behavioral health EHR software. This includes the software being able to control which recipient healthcare providers can be sent Part 2-covered electronic documents.
  • For HITECH Stage 3, "level-one" receiver functionality would also be a voluntary certification criterion for "general" EHRs under the HITECH software certification program. This voluntary criterion would allow only those recipient providers - who are generally not behavioral health professionals - interested in being at level one to request this capability from their vendors.
  • Additional technology pilots and guidance are needed by ONC and others to test, for instance, workflow issues related to sending and receiving restricted, sensitive EHR data.
  • Education of healthcare providers and patients is key. For instance, obligations that come with Part 2 data, especially around re-disclosure, are not yet fully understood, McGraw notes. ONC, Substance Abuse and Mental Health Services Administration and others can assist in providing needed educational materials and guidance.

The tiger team recommendations also push for ONC's HIT Standards Committee to study the various technology issues involved. For instance, that committee should evaluate if DS4P or any other standards are mature or feasible enough for voluntary EHR software certification.

The HIT policy and standards committees advise ONC on issues related to the HITECH Act EHR incentive program. ONC ultimately decides what's included in the final HITECH requirements.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



