Health information exchanges (HIEs), a cornerstone for interoperability and data sharing in Stage 2 of Meaningful Use, are just as subject to HIPAA's privacy and security concepts as providers, according to attorney Helen Oscislawski, speaking at the 20th National HIPAA Summit in Washington, D.C., this week.
The Office of the National Coordinator for Health IT's privacy and security guiding principles for HIEs aren't identical to HIPAA's requirements, but they "crosswalk" and cover the same ground, such as patient access rights, limits on use and disclosure, role-based access and auditing, Oscislawski noted.
One of the biggest issues regarding HIEs is whether and how a patient consents to his or her health information being shared in an exchange. Most HIEs use varying degrees of opt-in or opt-out models: opt-out is a baseline model for hospitals and other basic providers, while opt-in generally is used for sensitive information, such as HIV status or genetic testing. But these are not perfect solutions.
"If there are no restrictions on sharing, even sensitive information, it concerns patient trust," Oscislawski said. "If consent is 'one for all' and covers everything, it doesn't offer confidentiality and consent isn't meaningful. But granular, item-by-item restriction is difficult administratively, and not in line with current electronic health record workflows where data is already exchanged."
One way to handle the dilemma is to allow for data segmentation, as recommended by the National Committee for Vital Health Statistics (NCVHS), which would sequester sensitive categories of information, such as psychotherapy information. NCVHS frequently advises the U.S. Department of Health & Human Services regarding health IT issues. Sequestering is an improvement, albeit with limitations.
"EHRs don't have segments yet," Oscislawski said. "So if sensitive data is in the record, the whole document is hidden."