Grantees of HIE Funds Get “PIN-ned” on Privacy, Security and Patient Consent
On March 22, 2012 HHS/ONC released a new Program Information Notice (PIN) called the “Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program” (P&S PIN). The P&S PIN applies to all State Health Information Exchange Cooperative Agreement Program Recipients, including State Designated Entities (SDEs), SDE sub-grantees, and other direct grantees of the federal HIE Cooperative program. Here is a link to the HHS/ONC PIN website.
The P&S PIN requires all SDEs to submit, as part of their 2012 annual SOP (Strategic and Operational Plan) update, an update of their privacy and security framework. That framework consists of all relevant statewide policies and practices adopted by recipients, together with the operational policies and practices for HIE services being implemented by recipients funded in whole or in part with federal cooperative agreement funds (HIE Grant Recipients).
Among other things, each HIE Grant Recipient will need to describe how its existing privacy and security policies align with each domain of the Fair Information Practices (FIPs), which ONC and ONC’s Privacy & Security Tiger Team have each previously pointed to as providing a privacy and security framework for networked HIE. The FIPs are:
1. Openness and Transparency
2. Collection, Use and Disclosure Limitation
3. Safeguards
4. Accountability
5. Individual Access
6. Correction
7. Individual Choice
8. Data Quality and Integrity
Specifically, point-to-point directed HIE exchange models will be required to demonstrate that their P&S policies address FIPs 1-4, and have the option of addressing FIPs 5-8. HIE models that aggregate data will be required to demonstrate that their P&S policies address FIPs 1-8. If any gap exists between a FIP and the HIE Grant Recipient’s current policies (i.e., a domain is not addressed), the gap must be identified, and a strategy, timeline and action plan for addressing it must be provided in the 2012 SOP update.
One of the most debated topics in networked HIE has been patient consent. Many HIEs and stakeholders have asked the federal government for guidance on when, and in what form, consent is required for networked HIE.
The P&S PIN addresses patient consent in HIE, and requires that aggregated HIE models offer individuals, at a minimum, a meaningful choice as to whether their individually identifiable health information (IIHI) may be exchanged through an HIO entity that aggregates data.
The P&S PIN goes on to define “meaningful choice” as a choice that is:
- Made with advance knowledge
- Not used for discriminatory purposes or as a condition for receiving treatment
- Made with full transparency and education
- Commensurate with circumstances for why IIHI is exchanged
- Consistent with patient expectations
- Revocable at any time
Notably, the P&S PIN confirms that both opt-in and opt-out are acceptable means of satisfying patient choice. On Wednesday, March 27th, I had the opportunity to speak at the HIPAA Summit in Washington, D.C., where an audience member asked whether a “no choice” HIE model is now no longer a viable option for HIE. Both Joy Pritts, ONC Privacy Officer, and Deven McGraw, Co-Chair of the ONC P&S Tiger Team, confirmed that, at least with respect to HIE Grant Recipients operating an aggregated HIE model, the P&S PIN must be followed and each patient must be afforded a meaningful choice to participate in networked HIE. It’s also important to note that while the P&S PIN requirement could potentially be satisfied by obtaining written consent from the patient, written consent is not required and, moreover, Ms. Pritts specifically pointed out that obtaining a written blanket consent without any supporting meaningful processes would not meet the FIP standard. Thus, whether an opt-in or opt-out model is used, HIOs must focus on ensuring that educational information about HIE is delivered to patients and that the patient’s decision-making process is meaningful.
The FIPs are nothing new: ONC actually issued its Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information back in December of 2008! Ever since then, I have been advising HIE initiatives to BUILD their HIE policies around the FIPs and this ONC guidance document. Here is an example of how I crosswalk the FIPs with my template set of HIE policies for HIOs that aggregate IIHI.
For a copy of a sample set of our HIE policies, email me at helen@oscislaw.com, or visit www.ohcsolutions.com, which is going live soon as a source for legal forms and templates.