Dealing with myriad state privacy laws was just one of the concerns weighing on health information exchange executives at a hearing this week hosted by the Privacy and Security Tiger Team of the HIT Policy Committee.
The hearing, according to HealthcareInfoSecurity, focused on non-targeted queries, in which a provider asks an exchange for all records on a patient when the providers are not known. The Tiger Team in April submitted recommendations to the HIT Policy Committee, but asked for more study of non-targeted queries.
Some committee members were worried that patients who did not want sensitive information shared would opt out of health data exchange altogether. The Tiger Team is expected to submit recommendations about non-targeted queries in August.
"The lack of consistency between state and federal laws has been an ongoing challenge," Joanna Pardee-Walkingstick, director of member services at SMRTNet, an HIE in Oklahoma, said at the hearing, according to HealthcareInfoSecurity.
Also, because the HIPAA Omnibus Rule allows patients to not disclose information to their health insurer about services paid for out-of-pocket, data segmentation poses a problem.
The self-pay provision of HIPAA Omnibus "is very hard to implement ... it's very clunky," John Kransky, vice president of strategy and planning of the Indiana Health Information Exchange, said at the hearing.
While the new HIPAA rule requires a patient's record to be "flagged" so that inappropriate disclosure does not occur, EHR systems don't have the capability to segregate that data, making compliance with the rule especially tricky.
Robust user training and checklists to ensure exchanges are being used as planned are among ways organizations can mitigate the unintended effects of health data exchange, according to a paper published last month by the HIE Unintended Consequences Work Group in the Journal of General Internal Medicine.