WASHINGTON – The federal Health IT Policy Committee has endorsed a set of recommendations on when healthcare providers must obtain consent before exchanging patient heath records electronically with other clinicians, testing labs or health information exchange (HIE) networks.
The Committee will submit the recommendations, the product of several weeks' work by a special privacy and security "tiger team," to the Office of the National Coordinator for Health Information Technology. ONC must decide whether to set the recommendations in policy in time for the start of its health IT adoption campaign next year.
The recommendations answer questions that ONC raised about patient consent policies for point-to-point exchanges among providers and between providers and testing labs.
Clinical practices and hospitals must be able to perform such simple or "directed" exchanges in order to qualify for incentive payments in the first stage of the meaningful use project beginning in 2011.
"We laid down a foundation with these recommendations," said Deven McGraw, chair of the tiger team at the Aug. 20 meeting. "But only a systemic and comprehensive approach to privacy and security can achieve public confidence."
Paul Tang, MD, vice chair of the policy committee, said the tiger team's guidelines are critical to advancing health information exchange throughout the healthcare industry.
"If we deal with it like we were dealing with data in the past in silos, we will completely undermine the privacy and the trust that patients have in providers to improve their care and their health," he said. Tang is also chief medical information officer at the Palo Alto Medical Foundation in Palo Alto, Calif.
Underlying the recommendations is the promise that a patient should not be surprised by what happens to his or her information, said Paul Egerman, a software entrepreneur and the tiger team co-chair. "Ultimately, to be successful we need to earn the trust of both patients and providers," he said.
The direct exchange of patient data between two providers generally does not require patient consent beyond what is already covered in HIPAA, state laws and fair information practices, unless circumstances arise to trigger a consent decision.
Consent might be necessary, for example, when a physician gives up complete control of a patient's health information after sending it through an HIE to another doctor's office or testing lab. If the HIE adds the record to its database for future distribution to members of its network, consent would be triggered.
At that point, patients must be given the opportunity to give consent, "before any of the patient's information is made available to a third-party information organization," Egerman said.
Technology that would enable a provider to filter sensitive information from the clinical record before it is transmitted through an HIE is promising, but only in the early stages of development, according to Egerman.
A role exists for ONC to develop and test approaches that would offer patients and providers more granular control over such exchanges. Until those features are available, "patient education is paramount," Egerman said. "Patients must understand the implications of their decisions and the extent to which their requests can be honored."
The Health IT Policy Committee will need to wrestle with other challenges in the next stages of meaningful use and more complex health information exchanges, including provider credentialing assurance, the need to establish individual access to information, correction and additional safeguards, McGraw said.
