1 / 20

Privacy and Security Tiger Team

Privacy and Security Tiger Team. Today’s Discussion: Query/Response Scenarios for Health Information Exchange March 12, 2013. Agenda. Continue discussion of query/response scenarios & policy recommendations to address each

catrin
Download Presentation

Privacy and Security Tiger Team

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Privacy and Security Tiger Team Today’s Discussion: Query/Response Scenarios for Health Information Exchange March 12, 2013

  2. Agenda • Continue discussion of query/response scenarios & policy recommendations to address each • To stay on schedule: 2 meetings (including today) to discuss these topics and wrap up the discussion

  3. Goals • Not attempting to alter the rules that vest providers with the responsibility to share patient information responsibly and consistent with applicable law • Goal is to reduce potential real or perceived barriers – such asthrough clarification regarding provider liability for responding to a query – to enable them to respond to queries consistent with their professional obligations and the law • Mapping out scenarios to achieve goals • Scenario 1 – Targeted Query for Direct Treatment (HIPAA controls) • Scenario 2 – Targeted Query for Direct Treatment, Data covered by more stringent privacy law • Scenario 3 – Non-targeted query

  4. Scenario 1: Targeted Query for Direct Treatment Purposes Among Covered Entities • HIPAA controls • Assumptions • Patient Z is being seen by Provider A • Provider A has knowledge that Patient Z has been seen by Provider B • Provider A queries Provider B for records (targeted query in a trusted environment for direct treatment purposes)

  5. Scenario 1: Existing Obligations • Data Holder (Provider B) • Needs some reasonable assurance as to the identity of the entity requesting the data. • Needs some reasonable assurance that querying entity has, or is establishing, a directtreatment relationship with the patient. • Makes decision about whether to release data, and if so, what data, consistent with law • If responding, needs to send back data for right patient, needs to properly address request, needs to send securely. • Requester (Provider A) • Needs to present identity credentials • Must demonstrate (in some way) the treatment relationship • Must send patient identifying information in a secure manner to enable data holder to locate the record

  6. Scenario 1 (Targeted Direct Treatment, HIPAA):Relevant Questions 1) What supports “reasonable” reliance, by the data holder, that the requester is who they say they are (identity)? Possible answers that support reasonable reliance: • Use of DIRECT certificate (when issued at entity level, expectation is that entities have id proofed & authenticated individual participants per HIPAA) • Membership in a network (HIO, vendor network, IDS, VPN) that the data holder trusts • Requester is known to data holder (such as through a pre-existing relationship)

  7. Scenario 1 (Targeted Direct Treatment, HIPAA): Relevant Questions (cont.) 2) What supports “reasonable” reliance, by the data holder, that the requester has (or will have) a direct treatment relationship with the patient -- and in this direct treatment scenario, therefore has legal authority and is otherwise authorized to obtain the data? • Data holders own knowledge/history with requester • Capability to confirm within network/IDS • Network that data holder trusts has rules providing accountability for false attestation • Some official communication of patient consent that does not conflict with expressions of patient wishes known to, or on file with, the data holder • Known existing treatment relationship with patient (e.g. there already exists prior requests for the patient from the external provider)

  8. Scenario 1 (Targeted Direct Treatment, HIPAA): Relevant Questions (cont.) 3) Does it matter if data holder makes the decision to disclose or if the data holder’s response is automated (set by data holder or automatic by participation (such as in a network)? Answer discussed at last TT meeting: Yes. Data holder may make decision to automate response and should adopt policies to govern when automatic response is appropriate. Such policies should be linked to the degree of assurance data holder has about Q1 (identity) or Q2 (legal authority to disclose data, which in this scenario is based on the existence of a direct treatment relationship).

  9. Scenario 1 (Targeted Direct Treatment, HIPAA): Relevant Questions (cont.) 3b) Additional concern (not discussed at last TT meeting): To what extent does automation trigger our previous recommendations on the need for meaningful choice by patients (see backup slides for reminder)? Straw response: If the data holder maintains the ability to make decisions on when to disclose a patient’s information, they can choose to automate their decisions. However, if data holders no longer have the capability to make decisions about whether or not to disclose a patient’s record to a particular requester, our previous recommendations requiring “meaningful choice” for the patient apply.

  10. Scenario 1 (Targeted Direct Treatment, HIPAA): Relevant Questions (cont.) • 4) Whatpatient identifying information should be presented as part of the query? • Ideally no more than is needed to accurately match. • Start with basic demographics – full name, date of birth, address (insurance ID?) • Data holder does matching: request more demographic data if insufficient to match. • Breach if wrong record is sent – however, per the final rule, notification to the patient and regulators may not be necessary if the risk is mitigated (through return or destruction of the wrong record) • Requester can search and match for the right patient? Does this risk exposing/breaching patient data (because requester could see information on patients with whom they do not have a direct treatment relationship)

  11. Scenario 1 (Targeted Direct Treatment, HIPAA): Relevant Questions (cont.) 5) Data holders should respond to queries consistent with their professional and legal obligations. (Note that even acknowledgement of the existence of a record is PHI.) • Recommend at least acknowledgement of receipt of query? • Data holder may send no records, or all or part of a patient’s record, consistent with ethical and legal obligations.

  12. Scenario 1 (Targeted Direct Treatment, HIPAA): Relevant Questions (cont.) 6) Requirement to account for and log query and/or disclosure, with capability to share with patient upon request? • Is this possible to do for targeted queries from EHR to EHR, or in federated HIO models?

  13. Scenario 2 (Targeted Direct Treatment, Sensitive Data) • Similar to Scenario 1 in terms of actors and transactions • Difference is that Targeted Query for Direct Treatment Purposes will fall under not only HIPAA, but other law or policy requiring consent before PHI disclosure • Assumptions • Data holder is responsible for obtaining and retaining evidence of patient’s consent (in light of most current laws)? • Data holder responsible for telling the requester what consent they need? • Requester responsible for obtaining consent for data holder to disclose data to requester? • Is consent transmitted to data holder? If so how?

  14. Scenario 3: Non-Targeted Query for Direct Treatment Purposes • Assumes previous providers are not specifically known. May require use of record locator (or data element access) service or master patient index to find possible sources of record. • Should patients have meaningful choice re: whether or not they are included in an RLS, DEAS or MPI that permits queries from external providers? • Should querying entities be required to limit queries (e.g. by geography, list of providers, etc.)?

  15. Query/Response Back-Up

  16. Background (HIPAA) • HIPAA and other laws (for example, state medical privacy laws and federal regulations regarding substance abuse treatment records) regulate the circumstances under which most health care providers are permitted to disclose identifiable (protected) health information (PHI), including disclosures of PHI in response to a query or request. • Except in circumstances where the law expressly requires disclosure, the rules permit but do not require providers to release PHI in a range of circumstances (treatment, payment, & operations, for example).

  17. Meaningful Choice • Providers give patients enough knowledge to understand how their information will be shared and with whom. Patient can make informed decision on the exchange of their health information. • Decision is made with advanced knowledge/time • Not used for discriminatory purposes or as condition for receiving treatment • Made with full transparency and education • Commensurate with circumstances for why PHI is exchanged • Consistent with patient expectations • Revocable at any time **Source: Sept 2010 HITPC Individual Choice Recommendations http://www.healthit.gov/sites/default/files/hitpc_transmittal_p_s_tt_9_1_10.pdf

  18. Meaningful Choice Triggers • Meaningful choice can be triggered in circumstances when the provider (or provider’s organized health care arrangement, or “OHCA”) does not have control of the decision to disclose or exchange the patient’s identifiable health information. • Examples: • A HIO operates as a centralized model, which retains identifiable patient data and makes that information available to other parties • A HIO operates as a federated model and exercises control over the ability to access individual patient data • Information is aggregated outside the auspices of the provider or OHCA and comingled with information about the patient from other sources. **Source: Sept 2010 HITPC Individual Choice Recommendations http://www.healthit.gov/sites/default/files/hitpc_transmittal_p_s_tt_9_1_10.pdf

  19. Privacy Rule: Permissible Use & Disclosure • The Privacy Rule permits, but does not require, many uses and disclosures without authorization* • HHS Rationale**: • For disclosures that are not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and ethical principles. • Rules are intended as a basic set of legal controls, but ethics and professional practice may dictate more guarded disclosure policies. • Nothing in this rule would provide authority for a covered entity to restrict or refuse to make a disclosure mandated by other law. *The only required disclosures are to the individual when they request access or an accounting of disclosures, and to the Secretary, HHS for compliance and enforcement purposes. **Source: 1999 NPRM for HIPAA Privacy Rule, p. 59926. See: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/1999nprm.pdf

  20. Privacy Rule: Minimum Necessary Standard • Disclosures for treatment purposes (including requests for disclosures) are specifically exempted from the minimum necessary standard. • HHS Rationale**: Exemption established in response to an “overwhelming majority” of comments (largely from the medical community) that expressed concern with applying the standard to treatment: • Contrary to sound medical practice, would increase medical errors, and lead to an increase in liability; • Caregivers need to be able to give and receive a complete picture of the patient’s health; • Complexity of medicine makes it unreasonable to think that anyone will know the exact parameters of the information another caregiver will need for proper diagnosis and treatment; • Existing ethical duty to limit the sharing of unnecessary medical information, and most already have well-developed guidelines and practice standards in place. **Source: 2000 Final HIPAA Privacy Rule, pp. 82713-4. See: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf

More Related