Last week, the Privacy and Security Tiger Team of the Health IT Policy Committee (a Federal Advisory Committee) provided its initial draft recommendations on the privacy and security topics and questions arising from electronic exchange of patient identifiable health information among known entities to meet Stage I of meaningful use — the requirements by which health care providers and hospitals will be eligible for financial incentives for using health information technology.
The findings of the Tiger Team are significant because many in the industry feel that it has been very difficult to implement technology without an overarching policy that is actionable for implementation purposes and reflects the concerns of the patient.
I recommend that readers of this blog read the letter provided by the Tiger Team, as it is fairly detailed and reflects its long conversations, careful study and considered deliberations regarding patient consent, sensitive data, and other topics critical to establishing and maintaining trust between the patient and the healthcare system in the Stage I – Meaningful Use exchange environment.
The Tiger Team’s report constitutes its recommendations, but the report does not formally establish law, regulation or policy. Nevertheless, the recommendations provide a fine starting point for discussing and evolving the privacy framework and policies needed for Stage I and additional exchange scenarios that will be reflected in Stage II and III.
Founded in Fair Information Practices – “a well-established rubric in law and policy.”
The Tiger Team report states that “Fair information practices, or FIPs, form the basis of information laws and policies in the United States and globally. This overarching set of principles, when taken together, constitute good data stewardship and form a foundation of public trust in the collection, access, use, and disclosure of personal information. We [the Tiger Team] used the formulation of FIPs endorsed by the HIT Policy Committee and adopted by ONC in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The principles in the Nationwide Framework are:”[1]
• Individual Access – Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
• Correction – Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
• Openness and Transparency – There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
• Individual Choice – Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information. (This is commonly referred to as the individual’s right to consent to identifiable health information exchange.)
• Collection, Use, and Disclosure Limitation – Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
• Data Quality and Integrity – Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner.
• Safeguards – Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
• Accountability – These principles should be implemented, and adherence assured, through appropriate monitoring and other means, and methods should be in place to report and mitigate non-adherence and breaches.
In its letter, the Tiger Team also provides a set of Core Values to guide ONC’s work to promote health information technology.
These Core Values reflect a fundamental understanding of the critical role of trust between patient and provider. I am not sure how we measure a patient’s level of “surprise,” but I think that perhaps they intend it as a notional measurement of how well the patient was informed a priori and whether trust is maintained over time. What are your thoughts?
• The relationship between the patient and his or her health care provider is the foundation for trust in health information exchange.
• As key agents of trust for patients, providers are responsible for maintaining the privacy and security of their patients’ records.
• We must consider patient needs and reasonable expectations. Patients should not be surprised about or harmed by collections, uses, or disclosures of their data.
• Ultimately, to be successful in the use of health information exchange to improve health and health care, we need to earn the trust of both consumers and physicians.
Finally, the Tiger Team provided specific recommendations in the following areas, as requested by ONC.
Here is where they get to the meat of the matter and discuss the issues, challenges and possible approaches to deal with some of these concerns. What do you think? Read it, weigh in here and let’s discuss it.
• Use of intermediaries or third party service providers in identifiable health information exchange;
• Trust framework to allow exchange among providers for the purpose of treating patients;
• Ability of the patient to consent to participation in identifiable health information exchange at a general level (i.e., yes or no), and how consent should be implemented;
• The ability of technology to support more granular patient consents (i.e., authorizing exchange of specific pieces of information while excluding other records); and
• Additional recommendations with respect to exchange for Stage I of Meaningful Use – treatment, quality reporting, and public health reporting.
[1] http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10731_848088_0_0_18/NationwidePS_Framework-5.pdf





The draft letter appears here: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2833&PageID=19477