Tiger team clarifies consent rules for HIEs
By Mary Mosquera
Tuesday, August 17, 2010
The federal privacy and security tiger team said health information exchanges cannot share sensitive patient information beyond a simple point-to-point exchange without first obtaining a patient’s consent.
The panel, which advises the Health Policy Committee, clarified the matter at an Aug. 16 meeting of the team. Its previous guidance was unclear about the privacy obligations of health information exchange organizations, according to panel members.
More specific language was required because some health information exchanges (HIEs) provide multipoint exchange services among a provider community but also handle direct point-to-point exchange services.
These simpler exchanges do not require patient consent beyond what is covered in existing law, such as the Health Insurance Portability and Accountability Act and state laws, and fair information practices.
However, the panel said HIEs must obtain a patient’s consent if they make personal health information collected during a direct exchange available to a third party.
“Providers have to offer the option to the patient whether or not they’re going to participate in health information organizations,” said Paul Egerman, a software entrepreneur and co-chair of the tiger team, at an Aug. 16 meeting of the team.
The tiger team published a 19-page letter with this and several other draft recommendations around privacy and security in simple exchanges and will present it to the Health IT Policy Committee Aug. 19.
Some patients may not want their provider to use a HIE to share their information if the HIE retains some control over their data in a simple exchange, the panelists said.
In such cases, a provider can use a different organization to conduct the exchange. Or it can use the same HIE, “as long as provider maintains the control over the decision to exchange,” according to the panel’s draft recommendations.
A case in point was offered by panel member Wes Rishel, a vice president with Gartner’s health care practice.
In the scenario, a physician orders and receives lab results through an HIE, which captures the results and begins to build a database with them. “If the patient does not consent to using the HIE, the physician has to go through a dual track,” said Rishel.
The provider still needs to use the HIE services to obtain the lab results. But if the HIE performs both community and point-to-point exchange services, “it is precluded from using info under directed exchange without consent,” he said.
The policy committee will offer its final recommendations to the Office of the National Coordinator in time for healthcare providers to meet upcoming deadlines for meaningful use, the panel member said.
As the tiger team winds down its work, some of its privacy and security work will also feed into a new policy committee work group being set up on NHIN governance, according to Joy Pritts, ONC chief privacy officer.
In creating the new panel, ONC wants to host discussions on what to include in a formal rulemaking that would establish rules of the road – including principles on consent and privacy – for organizations that participate in the nationwide health information network.