360 likes | 506 Views
HIT Policy Committee Privacy and Security Tiger Team. Deven McGraw, Chair Paul Egerman, Co-Chair July 21, 2010. Charge. The Tiger Team’s purpose and objective is to: Address privacy and security issues raised by ONC Provide practical guidance on health information exchange
E N D
HIT Policy CommitteePrivacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair July 21, 2010
Charge • The Tiger Team’s purpose and objective is to: • Address privacy and security issues raised by ONC • Provide practical guidance on health information exchange • Evaluate the topic within a specified context • Reach a consensus in developing policy recommendations at an appropriate level • Document decisions and conclusions
List of Members CHAIRS: • Paul Egerman, Co-Chair, • Deven McGraw, Co-Chair, Center for Democracy & Technology MEMBERS: • Dixie Baker, SAIC • Christine Bechtel, National Partnership for Women & Families • Rachel Block, NYS Department of Health • Carol Diamond, Markle Foundation • Judy Faulkner, EPIC Systems Corp. • Gayle Harrell, Consumer Representative/Florida • John Houston, University of Pittsburgh Medical Center; NCVHS • David Lansky, Pacific Business Group on Health • David McCallie, Cerner Corp. • Wes Rishel, Gartner • Latanya Sweeney, Carnegie Mellon University • Micky Tripathi, Massachusetts eHealth Collaborative
Presentation Summary • Recommendations: on Fair Information Practices in Health Information Exchange, focusing in particular on collection, use and disclosure limits (including data re-use and retention) (Deven) • Recommendations: on Consent (at a general level) (Paul)
Framing: Scope Tiger Team focused their discussions on the purposes for proposed Stage 1 Meaningful Use (MU) Note: Patient Access, Research and Claims and Payment Processing are not in scope for this initial discussion.
Health Information Exchange: Fair Information Practices Recommendations for Fair Information Practices in Health Information Exchange With a particular focus on Collection, Use and Disclosure Limits (Data Reuse and Retention)
Fair Information Practices – Recommended Principles and Expectations Policy Recommendations - Overarching Principles and Expectations: 1. The relationship between the patient and his or her health care provider is the foundation for trust in health information exchange. Thus, providers “hold the trust” and are ultimately responsible for maintaining the privacy and security of their patients’ records. Providers may delegate certain decisions related to exchange to others if such delegation is done in a way that maintains that trust.
Fair Information Practices – Recommended Principles and Expectations (cont.) 2. Entities involved in health information exchange – including providers and third party service providers like HIOs and intermediaries – should follow the full complement of fair information practices when handling patient information. 3. These include transparency, data integrity and quality, purpose specification, collection and use limitations, data minimization, security safeguards, individual access and control, and oversight and accountability. (ONC has articulated these in the Nationwide Framework for Electronic Health Information Exchange, which was incorporated by the Policy Committee into the Strategic Framework document.)
Fair Information Practices - Specific Applications 4. We used these principles – and particularly those related to purpose specification, collection and use limitation and data minimization (see definitions below) – to answer some specific exchange questions: Purpose specification: Specify the purposes for which personal data are acquired, exchanged, retained, and/or used. Collection limitation and data minimization: Acquire information only by fair and lawful means, and acquire, exchange, retain, and/or use only that information necessary to fulfill the specified purposes. Use Limitation: Personal data should not be disclosed, exchanged, retained, made available, or otherwise used for purposes other than those specified. Those questions follow on the next slides…
Questions 1. Should the exchange of IIHI for “treatment” be limited to treatment of the individual who is the subject of the health information (not other patients)? 2. In order to facilitate an IIHI request, how should the relationship between provider and patient be confirmed? 3. Will Providers who are not covered by HIPAA be permitted to access IIHI through an HIO? If so, what, if any, additional requirements should be placed on these Providers? Should data exchange with non-HIPAA covered entities be permitted?
Questions (cont.) 4. How should public health reporting be handled? 5. How should quality reporting be handled? 6. What limits, if any, should apply to 3rd Party Service Providers regarding data reuse? 7. What limits, if any, should be applied to retention periods?
Questions (cont.) 8. Should 3rd party service Providers disclose to their customers how they use and disclose information, and their privacy and security and retention policies and procedures? 9. Are business associate agreements sufficient for ensuring accountability? *** The answers offered by the Tiger Team can be found in the appendix.***
Consent • The Tiger Team moved to a discussion of the role that one of the fair information practices - individual choice – should play in health information exchange • This discussion assumed the adoption of the foregoing recommendation – that participants in health information exchange would adopt and be held accountable to the full spectrum of fair information practices • Discussion also assumed application of current law (federal and state) on consent.
Fundamental Principles-Patient/Provider Relationship • The relationship between the patient and his or her heath care provider is the foundation for trust in health information exchange. • Providers “hold the trust” and are ultimately responsible for maintaining the privacy and security of their patients’ records • Providers may delegate certain decisions related to exchange to others if such delegation is done in a way that maintains that trust.
Fundamental Principles—Patient Expectations • Patient expectations must be considered. Patients should not be surprised to learn what happens to their data. • Decisions about patient choice should flow from (and be consistent with) these fundamental principles.
Framing of Consent Discussion • We are reviewing consent from the standpoint of a patient’s participation in exchange generally (yes/no), and we are viewing exchange from the standpoint of Stage One of Meaningful Use. • We are not discussing more granular consent issues – i.e., consent by type of information. (On deck for after July HIT Policy Committee meeting.).
Previous Workgroup Recommendation • No additional patient choice needed (beyond what current law requires) in direct exchange from one provider to another for treatment • Provider maintains control of his/her record and makes decision about disclosure (to whom, what information, etc.) • Maintains the trust of provider-patient relationship
Patient Choice to Participate in Exchanges • What factors trigger the need for patient consent to participate in information exchange? • What approach should ONC take to a national policy on choice? • Should providers have a choice as to whether they participate in models of exchange? • Who should educate patients about choice? • How and by whom should consent be obtained & managed? • Consent durability
1. Recommendations on Trigger Factors for Consent • What factors trigger the need by a provider to obtain the patient’s consent for health information exchange with other providers? • Patient’s health information is no longer under control of either the patient or the patient’s provider • Patient’s health information is retained for future use by a third party/ intermediary • Patient’s health information is exposed to persons or entities for reasons not related to ongoing treatment (or payment for care) • Patient’s information is aggregated outside of a provider’s record or record of integrated delivery system/ACO with information about the patient from other, external medical records. • The exchange is used to transmit information that is often perceived to be more sensitive than other types of information (e.g. behavioral health, substance abuse, and other areas defined by NCVHS) **[parking lot for sensitive data discussion] • Significant change in the circumstances supporting an original patient consent
2 . Recommendations for Choice Model • What approach should ONC take to a national policy on choice? • Choice should be required if any of the factors in the previous slide are present, and ONC should promote this policy through all of its policy levers
2 . Recommendations for Choice Model (cont.) • Must be meaningful choice • advanced knowledge/time to make choice; • ability to make outside of urgent need for care; • not compelled or used for discriminatory purposes; • full transparency and education; • choice is proportional to/commensurate with the exchange circumstances • must be consistent with patient expectations for privacy, health, and safety; • must address break the glass scenarios
2 . Recommendations for Choice Model (cont.) • What approach should ONC take to a national policy on choice? (Opt-in or Opt out)? Two views were presented ***Details descriptions of these two views are found in he appendix*** • The form of choice should be based upon the Meaningful Choice rules and left to decisions to be made by providers and HIOs. • Other members of the team felt very strongly that, for the issues listed on Question #1, Opt-In should be required.
3. Recommendation on Provider Choice • Should providers have a choice about participating in exchange models? • Yes!
Summary Comment Ultimately, to be successful, we need to earn the trust of both consumers and physicians.
Appendix 25
Fair Information Practices – Questions / Recommendations Consistent with the four overarching principles and expectations for fair information practices, we addressed the following nine specific questions: 1. Should exchange of individually identifiable health information (IIHI) for “treatment” be limited to treatment of the individual who is the subject of the health information (not other patients)? (Recommendation) The exchange of PHI for treatment should be limited to treatment of the individual who is the subject of the information, unless the provider has the consent of the subject individual to access, use, exchange or disclose his or her information to treat others. [Note: need to explore possible exception for maternal/infant care]
Fair Information Practices – Questions / Recommendations 2. In order to facilitate an IIHI request, how should the relationship between provider and patient be confirmed? (Recommendation) The requesting provider, at a minimum, should provide attestation of their treatment relationship with the individual. This policy recommendation assumes that the requesting provider is covered by HIPAA and state health privacy and security laws. Requesting providers who are not covered should disclose this to the disclosing provider before patient information is exchanged
Fair Information Practices – Questions / Recommendations 3. Will Providers who are not covered by HIPAA be permitted to access IIHI through an HIO? If so, what, if any, additional requirements should be placed on these Providers? Should data exchange with non-HIPAA covered entities be permitted? (Recommendations) Providers who exchange individually identifiable health information (IIHI) should be required to comply with applicable state and federal privacy and security rules. If a provider is not a HIPAA covered entity or business associate, mechanisms to secure enforcement and accountability may include: Meaningful user criteria that require agreement to comply with the HIPAA Privacy and Security Rules NHIN conditions of participation Federal funding conditions for other ONC programs Contracts/BA agreements that hold all participants to HIPAA, state laws, and any HIO policy requirements
Fair Information Practices – Questions / Recommendations 4. How should public health reporting be handled? (Recommendations) Public health reporting by providers (or HIOs acting on their behalf) should take place using the least amount of identifiable data necessary to fulfill the lawful public health purpose for which the information is being sought. Providers should account for disclosure per existing law. More sensitive identifiable data should be subject to higher levels of protection. In cases where the law requires the reporting of identifiable data (or where identifiable data is needed to accomplish the lawful public health purpose for which the information is sought), identifiable data may be sent. Techniques that avoid identification, including pseudonymization, should be considered, as appropriate. The provider is responsible for disclosures from his or her records, but may delegate lawful public health reporting to an HIO (pursuant to a business associate agreement) to perform on his or her behalf; such delegation may be on a "per request" basis or may be a more general delegation to respond to all lawful public health requests. The HIO may not unnecessarily retain data. When the HIO is acting on behalf of the provider, the HIO should retain data only as needed to fulfill the services specified in its BA/service agreement with that provider, and supporting administrative functions.
Fair Information Practices – Questions / Recommendations 5. How should quality reporting be handled? (Recommendations) Quality data reporting by providers (or HIOs acting on their behalf) should take place using the least amount of identifiable data necessary to fulfill the purpose for which the information is being sought. Providers should account for disclosure. More sensitive identifiable data should be subject to higher levels of protection. The provider is responsible for disclosures from his or her records, but may delegate lawful quality reporting to an HIO (pursuant to a business associate agreement) to perform on his or her behalf; such delegation may be on a "per request" basis or may be a more general delegation to respond to all lawful requests. The HIO may not unnecessarily retain data. When the HIO is acting on behalf of the provider, the HIO should retain data only as needed to fulfill the services specified in its BA/service agreement with that provider, and supporting administrative functions.
Fair Information Practices – Questions / Recommendations 6. What limits, if any, should apply to 3rd Party Service Providers regarding data reuse? (Recommendation) The principles of collection limitation, purpose specification and use limitation should apply to Provider/3rd Party Service Provider uses of IIHI. A third party service provider may not retain, use and disclose for any purpose other than to provide the services specified in the BA/service agreement with the data provider, and supporting administrative functions, or as required by law.
Fair Information Practices – Questions / Recommendations 7. What limits, if any, should be applied to retention periods? (Recommendation) 3rd party service providers may retain data only for as long as reasonably necessary to perform the functions specified in the BA/service agreement with the data provider, and supporting administrative functions. Retention policies, must be established and disclosed and overseen; and data must be securely returned or destroyed at the end of the retention period, per NIST standards and conditions set forth in the BA/service agreement.
Fair Information Practices – Questions / Recommendations 8. Should 3rd party service providers disclose to their customers how they use and disclose information, and their privacy and security and retention policies and procedures? (Recommendation) 3rd party service providers should be obligated to disclose in their BA/service agreements with their customers how they use and disclose information, including without limitation use and disclosure of de-identified data, and their retention policies and procedures
Fair Information Practices – Questions / Recommendations 9. Are business associate agreements sufficient for ensuring accountability? (Recommendation) While significant strides have been made, business associate agreements, by themselves, are not sufficient to address the full complement of governance issues, including oversight, accountability and enforcement.
Consent Option – Opinion Summary OPT - IN “The fundamental right of privacy should determine the architecture of the system. Technology should preserve our values, and be determined by them – not the other way around. In order to gain the confidence of the public and achieve the promised benefits from the adoption of health information technology both providers and patients must be given true choice about whether to trust that technology and patients must have real choice about what happens to their PHI. The only option that truly provides that real choice is the use the ‘Opt In” methodology. It is the only choice that can make a real difference in how an individual’s information is used, shared, and protected. “Opt out” is a choice too late; it relegates the patient’s choice to a secondary consideration (after the horse is out of the barn) and undoubtedly will feed into suspicion and distrust.”
Consent Option – Opinion Summary ALTERNATIVE TO OPT- IN “When consent is needed, patients need to be given a Meaningful Choice. Among other attributes, Meaningful Choice needs to be proportionate with exchange circumstances and must provide adequate time and knowledge to make decisions. It is more important that we agree on these basic principles and on the situations where choice is required, instead of trying to make specific recommendations on the form of consent. The actual form of consent that is chosen will be determined by the Meaningful Choice principles and by the details of how the exchange operates.”