ONC Privacy team: don't limit non-targeted query
The Office of the National Coordinator’s Health IT Policy Committee is still trying to sort out the complicated question of non-targeted data query, using a locator service to find the source of a patient’s records.
At a meeting Tuesday, HIT Policy Committee members asked the Privacy and Security Tiger Team to re-formulate recommendations on several data query scenarios — especially when a provider has to find a patient’s records from an unknown source for the purpose of direct treatment.
The open question is whether there should be limits beyond patient choice for data query “when a provider is not sure where a patient's records are,” said Deven McGraw, director of health privacy at the Center for Democracy & Technology and chair of the Policy Committee’s Privacy and Security Tiger Team.
“We don’t see a reason to place a limit on queries,” McGraw said, speaking for the rest of the Privacy and Security team.
Of course, she said, there would be limits for patients to choose — “giving patients a choice of who can query and for which purposes it can be queried.” Take someone who arrives in an ER comatose. Prior to that, the patient would hopefully have been able to delineate the circumstances under which his/her records could be located. Certain records or certain providers, such as substance abuse counseling, could be excluded.
But as for limits on provider querying, she said, “We worried about creating a limitation without a clear policy need that might end up limiting exchange, where we say you can only search in your state, or in a 500 mile radius.”
Although the question involves providers searching for other providers that would have the patient’s records and then asking for the records, not using an aggregator service to mine the records themselves, the discussion did end up being a bit “choppy,” as ONC head Farzad Mostashari, MD, put it, before asking McGraw to offer the Privacy and Security team’s suggestions on all scenarios at a later date.
Among some of the questions HIT Policy Committee members had, Judy Faulkner, founder and CEO of Epic Systems, asked: “Are aggregator services going to be required? I hope we’re not going to go down the path of saying, ‘we have to use aggregator services.’”
No, McGraw explained, they would not be required: “We sort of envision the model as a step to where you look for the records. There would then be a second step of querying these record holders, and that would be up to the record holder whether to release it or not.”
Mostashari added: “It’s not like it’s not happening today. There are record locator services and local trust communities.”
The HIT Policy Committee generally okayed the Privacy and Security team’s recommendations for data matching and query and disclosure logging in two other scenarios — targeted queries for direct treatment governed under HIPAA or under stricter privacy controls. But the Committee asked the Privacy and Security team to report back on all three scenarios with a package of recommendations.
While agreeing and being “amenable” to that, McGraw did highlight the importance of offering standards for the non-targeted scenario: “If we don’t answer this question: Status quo, which is not a good thing.”
In the area of privacy and security, the HIT Policy Committee also heard some updates to several pilot projects from Joy Pritts, the ONC’s chief privacy officer.
The Data Segmentation for Privacy Initiative includes several pilot programs testing different use cases and their scalability, Pritts said.
With the Department of Veterans Affairs and the Substance Abuse and Mental Health Services Administration, the ONC is piloting patient-directed segmentation on sickle cell anemia, HIV and substance abuse data in the contexts of Direct messaging, exchange and “break glass” emergency sharing. The capabilities are now being integrated into iEHR and the eHealth Exchange, intended to be offered as an enterprise access control service, Pritts said.
[Related: MU EHR incentives rocket past $13.7 billion.]
Another pilot, called NETSMART, is testing decisions on HIV status in Direct messaging and exchange contexts, with plans to work with the Illinois Health Information Exchange, the Kansas Health Network and the Tampa Bay Network.
Pritts’ Office of the Chief Privacy Officer is also working on mobile health security initiatives to help “integrate privacy and security” into health organization culture — after noticing that mobile IT use “was taking off at a disproportionate rate to the implementation of security measures,” Pritts said.
The office developed several informational resources for health organizations, trying to explain HIPAA’s privacy and security requirements in plain language with fact sheets, videos and even an interactive game. “We’re trying to move beyond PDFs,” Pritts said.