380 likes | 479 Views
BH07 - Protecting Privacy in an Interoperable World. John Leipold, DBA, MBA, COO Valley Hope Association, SATVA Board Member, Former Chair Frances Loshin-Turso , President and Co-Founder, Defran Systems, Inc., SATVA Board Member, Current Chair
E N D
BH07 - Protecting Privacy in an Interoperable World John Leipold, DBA, MBA, COO Valley Hope Association, SATVA Board Member, Former Chair Frances Loshin-Turso, President and Co-Founder, Defran Systems, Inc., SATVA Board Member, Current Chair Bryan Griffiths, Vice President of Sales, Anasazi Software
Software and Technology Vendors’ Association • The Software and Technology Vendors’ Association (SATVA) is a trade organization for vendors of behavioral health and human services software and information technology. Its members have a genuine concern for promoting the use of effective information technology in behavioral health and human services; helping to formulate and support quality improvement for the highest industry standards; and facilitating the delivery of more efficient and effective consumer services through use of information technology.
Healthcare Information Management Systems Interoperability • “Interoperability” means the ability to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks in various settings, and exchange data such that clinical or operational purpose and meaning of the data are preserved and unaltered. Source: The 2006 White House executive order (section 2 paragraph c)
Healthcare Information Management Systems Interoperability • Various types of Interoperability… • Technical Interoperability ensures that systems can send and receive data successfully. It defines the degree to which the information can be successfully “transported” between systems. • Semantic Interoperability ensures that the information sent and received between systems is unaltered in its meaning. It is understood in exactly the same way by both the sender and receiver.
Health Care Interoperability…INCENTIVES… • Interoperability incentives are focused on: • Primary medical care… • Eligible health care providers can receive incentive payments for implementing electronic health records and participating in electronic health information exchange (Interoperability). • Meaningful Use
Health Care Interoperability…INCENTIVES… • Interoperability incentives are focused • on: • Implementation of Regional Health Information Organizations(RHIOs)… • Point to Point data exchange using a mechanism called “DIRECT.” • http://wiki.directproject.org/
The Theory… • Public policy initiatives to implement an interoperable health record are fundamentally based on the assumptions that an interoperable health record can improve care and decrease costs. • The Software and Technology Vendors’ Association agrees with these assumptions…
Privacy in an Interoperable Health Care World… • Privacy and confidentiality of highly sensitive health information is complicated. • Integrating privacy in the beginning stages of interoperability may have paralyzed early development. • As a result, RHIOs typically use an “Opt-In/Out-Out” model and are currently typically unable to give patients DISCRETIONARY control over their own highly sensitive health information…
Privacy in an Interoperable Health Care World… • The “Opt-In/Opt-Out” problem is addressed by the DIRECT model which provides for DISCRETIONARY control over highly sensitive health information. • However, RHIOs are working on this problem…
The “Federated” RHIO Model… • Health data is stored at each individual provider location in the “federated” RHIO model. • Uses a record Locator Service (RLS) • Opt-In/Opt-Out privacy controls versus discretionary privacy controls. Source: Promoting Health Information Technology in California http://www.lao.ca.gov/2007/health_info_tech/health_info_tech_021307.pdf
The “Repository” RHIO Model… • The repository RHIO model stores patient data at a regional central authority. • Uses record Locator Service (RLS) • Patient information in the repository is OUTSIDE the provider’s EHR. • Implications for provider and patient control over personal health information.
Understanding Privacy Risks in an Interoperable Health Care World… • Both the letter and the spirit of the regulatory environment intend for patients to have control over their personal health information. • This is certainly true for the privacy and confidentiality of substance use treatment records. • Risks to patient control include: • Repository databases. • Record locator services.
42 CFR Part 2… • The federal regulations relating to the privacy and confidentiality of substance use treatment records are commonly known as 42 CFR Part 2. • Part 2 only regulates substance use treatment information disclosures for “covered” providers. • Generally speaking, a provider is a “covered” provider if the provider holds itself out as primarily providing substance use treatment and the provider receives federal money (e.g., Medicare or grant funding).
Why 42 CFR Part 2? • Stigma interferes with the willingness that alcohol/drug dependent persons may have to seek treatment. • The need to address stigma is so powerful that congress extended legal protection to anonymity through the law… 42 CFR Part 2
Specific Requirements… … Substantial Risks • 42 CFR Part 2 has specific requirements covering substance abuse treatment records and there are risks associated with failure to comply. • 42 CFR Part 2 protects any information (including referral and intake) about alcohol and drug abuse patients obtained by a covered program. • Sanctions include possible action against an offending provider by the U.S. Attorney General.
The Most Important Risk Factor… • Compliance with 42 CFR Part 2 makes sure that an alcohol or drug abuse patient is not made more vulnerable by reason of the availability of his or her patient record than an individual who has an alcohol or drug problem and who does not seek treatment. • The most important risk is the risk of undermining the confidence the recovery community has that substance use treatment providers can and will protect patient information. • Even providers not technically covered by Part 2 should consider following the regulations.
The Power of Part 2… • The power of 42 CFR Part 2 isn’t threat of legal action under Part 2 by patients against covered providers. • Patients cannot bring action under 42 CFR Part 2 against a covered provider for gratuitous release of substance use treatment information in violation of the Part 2 regulations. • Patients can take civil legal action for any harm that may come as a result of the violation.
The Power of Part 2… • The power of Part 2 is the authority the regulations give to covered providers to protect a substance use patient’s treatment information. • This includes: • Treatment inquiries. • Patient identity. • Everything in the patient’s record. • Without a properly executed court order, lawyers cannot get the record with a subpoena nor can law enforcement simply compel disclosure by showing up at the treatment facility.
Disclosure is Prohibited! • A covered program is permitted to disclose identifying information on learning of suspected child abuse or neglect. The regulations limit this exception to initial reports of child abuse or neglect (no other kinds of abuse or neglect). • A covered program is required to disclose information when a proper court order exists compelling the disclosure. There are specific court order requirements under 42 CFR Part 2. • Regulations under CFR 42 Part 2 prohibit the disclosure and use of patient records, with a few exceptions. Disclosure may occur if an exception exists but it does not require the disclosure unless a court order compels the disclosure. • The regulations permit disclosure when the patient provides written authorization in the form of a properly executed release of information form. • Employees within an organization bound to 42 CFR Part 2 (covered program) may exchange patient information on a need to know basis. • The regulations permit limited disclosures for medical emergencies; such disclosures are limited to medical personnel only. • Covered programs may disclose information to qualified service organizations (QSO) on execution of an appropriate Qualified Service Organization Agreement (QSOA). A proper QSOA will include language binding the QSO to 42 CFR Part 2 in the same way the organization itself is already bound to 42 CRF Part 2. (The QSO is then a “covered program.”) • There are limited disclosures permitted for program audit and evaluation and for research purposes if no patient identifying information is released. • A covered program is permitted to disclose identifying information if a crime or threat of a crime has occurred on program premises or against program personnel.
The Rules Apply… • The rules apply even if the person seeking the information already has it or has other ways to obtain it. It applies to law enforcement or other officials, even with a subpoena. Indeed, covered programs are compelled to resist information disclosure based on presentation of a subpoena. Disclosing even the presence of a patient at a facility or unit which is identified as a place where only drug/alcohol services are provided requires written authorization from the patient. Furthermore, the memories and impressions of program staff are considered “records” protected by the regulations even if they are never recorded in any form. A payer or funding source that maintains records of a recipient of drug/alcohol treatment becomes subject to 42 CFR Part 2 to the same extent as the program from which the information came. • When records are released, 42 CFR Part 2 requires that a statement prohibiting re-disclosure accompanies the disclosed patient information. If the entity receiving the disclosures wishes to re-disclose the information then the entity must comply with the requirements of 42 CFR Part 2 to do so. Generally this would result in the receiving entity obtaining another properly executed release of information from the patient. • For public health administration HIPAA permits disclosure to a public health authority for disease prevention or control or to a person who may have been exposed to or is at risk of spreading a disease or condition. However, 42 CFR Part 2 prohibits these disclosures unless there is an authorization, court order, or the disclosure is done without revealing patient identifying information. • In addition to the disclosure limitations already discussed, 42 CFR Part 2 also further limits permitted disclosures to the minimum information necessary. Covered programs must limit all disclosures to the specific information necessary to carry out the purpose of the disclosure. The exception to this rule is when the disclosure is made to the patient him/herself.
How Does 42 CFR Part 2 Relate to Interoperability? • 42 CFR Part 2 regulates releasing the information that a federated or repository RHIO is designed to exchange. • There is no language in the regulations under 42 CFR Part 2 that grants unique exceptions for a RHIO to the requirement for a properly executed release of information before disclosure is made.
Discretionary Privacy controls are difficult to implement in an Interoperable world… • With limited exceptions, 42 CFR Part 2 requires a release of information (consent). • Therefore, and with the same limited exceptions, once records are disclosed to an HIE (health information exchange) or RHIO then 42 CFR Part 2 constrains the HIE or RHIO from further releasing the records without a specific and properly executed consent. • At a practical level, this makes interoperability difficult and requires an HIE or RHIO to have additional privacy capabilities in addition to the capability of complying with HIPAA requirements.
The “Point-to-Point” Data Exchange… … The “DIRECT” Model… • The Direct Project develops specifications for a secure, scalable, standards-based way to establish universal health addressing and transport for participants (including providers, laboratories, hospitals, pharmacies and patients) to send encrypted health information directly to known, trusted recipients over the Internet.
The “Point-to-Point” Data Exchange… … The “DIRECT” Model… • Electronic point-to-point data exchange occurs between a data provider (e.g., addiction treatment facility) and a data consumer (e.g., hospital, continuing care provider, pharmacy, etc.). • This exchange is mutually agreed by both parties. • There is no shared database.
Virtual Information Exchange… • Virtual information exchange could enable the entire U.S. as an integrated HIO. • Good model for privacy and confidentiality. http://www.executivehm.com/article/Virtual-Information-Exchange-Healthcares-Present-and-Future-HIE-Solution/
Summary and Conclusions… (1) • First of all… There is a need to comply with all state and federal regulations (not just 42 CFR Part 2) relating to the electronic disclosure of highly sensitive health information (e.g., mental health, HIV, genetic information, etc.). • Part 2 is a well constructed regulatory example and provides a robust foundation for interoperability standards and methodologies. • Part 2 is a great place to start…
Summary and Conclusions… (2) • 42 CFR Part 2 covers the entire substance use treatment record including all data elements, even those data elements not directly related to substance use. • Treating the entire record as covered information greatly simplifies the standards and methodologies required for patients to retain control over their personal health information.
Summary and Conclusions… (3) • A few practices will simplify privacy and confidentiality in an Interoperable world… • Never “Re-disclose.” In an interoperable world information can always comes from the original source. • Do not use highly sensitive health information for uses other than treatment. • Following these two practices facilitates compliance with virtually all privacy law.
Summary and Conclusions… (4) • Patient information maintained external to the actual treatment provider makes it much more difficult to set standards and build methods that keep personal health information under the control of the patient. • Record locator services must respect the regulatory environment. • For substance use patients, that might mean “can neither confirm nor deny…”
Summary and Conclusions… (5) … A possible VISION for the future… • Evolving technology may eventually enable virtual health information exchange where… • Health information can reside only at the provider that created the information, and where… • A virtual health record will render in real-time when a composite EHR across multiple providers is needed. • A “virtual” health record won’t need to get stored on any external database… There won’t be any need to do so.
Summary and Conclusions… (6) • Regardless of what the mature Nationwide Health Information Network (NwHIN) looks like, solutions for privacy and confidentiality of highly sensitive health information cannot wait. • Opt-In/Opt-Out ONLY doesn’t work for substance use treatment information • Opt-In/Opt-Out asks SU patients to trade privacy for the benefits of Interoperability. • Substance use patients need discretionary control over their health information AND get the benefits of Interoperability.
Summary and Conclusions… (7) • SATVA has focused on the interoperable health record and the related regulatory environment for privacy and confidentiality of behavioral health information with specific emphasis on 42 CFR Part 2 since 2008. • Interoperability Work Group. • Collaboration with HHS through SAMHSA and ONC. • Collaboration with industry stakeholders through: • National Association of Addiction Treatment Providers (NAATP). • Mental Health Corporations of America (MHCA). • The National Council for Community Behavioral Healthcare.
Summary and Conclusions… (8) • SATVA has developed technology for exchanging highly sensitive health information. • Technology is based on point-to-point exchange from provider controlled patient information databases using the DIRECT model. • Technology provides patient control over any disclosure of patient information. • Technology addresses the requirements of 42 CFR Part 2.
Demonstration… • Several members of the Software and Technology Vendors’ Association will now demonstrate 42 CFR Part 2 compliant substance use information disclosure.