Tiger Team: No New Policies NeededGroup to Resubmit Privacy, Security Recommendations
After going back to the drawing board, federal advisers have returned to their original conclusion: No special privacy or security policies are recommended at this time for non-targeted health data queries.
Non-targeted queries include clinicians sending requests via a health information exchange network to locate all records about a patient from the individual's previous healthcare providers.
At a meeting on July 15, the Privacy and Security Tiger Team, a federal workgroup that advises the HIT Policy Committee, concluded that it will resubmit in August essentially the same recommendations it made to the committee earlier this year.
The tiger team decided to stick with its original recommendations after discussing a variety of privacy and security policy-related matters with leaders from several health information exchanges across the country. In a June 24 virtual hearing hosted by the tiger team, the HIE leaders described the various ways they are currently handling issues ranging from patient consent to disclosures of sensitive health data.
"Based on this testimony, we affirm our recommendation that at this time, no additional policies are needed for non-targeted forms of query," says tiger team chair Deven McGraw. The HIE leaders who testified "were very affirming in how careful they were" in their respective privacy and security policies for handling non-targeted queries, she says. '[They] have crafted policies that work for their communities."
Additionally, some testifiers expressed concern about having federal policy potentially disrupting the arrangements they had carefully implemented in their regions, according to supporting material the tiger team plans to submit to further explain its recommendations to the HIT Policy Committee at the committee's next meeting on Aug. 7.
The gist of those recommendations: Security and privacy policies used to protect patient data in directed queries - in which a clinician sends an electronic request for patient information to a specific, known data holder - should also apply to non-targeted queries. The tiger team will also again recommend against creating new policies that limit queries based on the geography of a patient or provider, the type of provider that holds patient records, or other factors.
Additional Work Requested
When the tiger team back in May first presented these same non-targeted query recommendations to the HIT Policy Committee, some committee members expressed concern that the proposals might not be robust enough to protect certain patient data, such as information related to substance abuse treatment.
The HIT Policy Committee - which advises the Office of the National Coordinator of Health IT - on May 7 instructed the tiger team to take a closer look at some possible policy issues involved with non-targeted queries (see: HIE Queries: Protecting Patient Privacy).
Subsequently, the Tiger Team hosted a June virtual hearing in which leaders of eight health information exchange organizations described their various policies regarding issues such as patient opt-in or opt-out forms of consent; disclosures of sensitive health data; geographic limitations in data sharing; and participant trust agreements (see: HIE Leaders Share Privacy Concerns).
Ultimately, those discussions led the tiger team right back to the same conclusions it previously reached.
The query proposals could be included in criteria for Stage 3 of the HITECH Act electronic health record incentive program, slated to begin in 2016.
In the supporting material the tiger team plans to submit with its recommendations to the HIT Policy Committee, the workgroup will describe why it decided to reaffirm its original recommendations, based in large part on the testimony of HIE leaders at the virtual hearing.