Segmentation of Sensitive Data with Health Information Exchange

by | Nov 3, 2011 | HIE & HIN, Privacy & Consent

This article was originally published by the New Jersey Chapter of HIMSS and is reprinted here with minor modifiction.

Segmentation of Sensitive Data with Health Information Exchange

by Helen Oscislawski, Esq.

November 3, 2011

Patient consent is one of the most passionately debated, hot button issues with electronic health information exchange (HIE).  The crux of the tension lies, in part, between the need to make pertinent health information more readily accessible to the patient’s treating physicians, and the patient’s desire to control and keep such information private.  On the one hand, if technology is used to move information out of its “paper record-silo” and into the hands of the decision-making clinician wherever he or she may physically be located, this can increase efficiency, reduce costs, and ultimately result in overall better medical care delivered to the patient.  On the other hand, patients who seek medical treatment have certain expectations that their information will be kept confidential and may not want to have all of their health information available to all of their physicians.

The complex web of issues that patient consent and related privacy rights raises in the HIE context are intertwined with legal, technical and operational considerations.  This article discusses generally certain legal and other challenges that networked HIE presents, as well as the effort of one HIE initiative that is looking to implement a technical solution to “segment” sensitive data and place it behind additional technological safeguards.  Readers should consult with their own attorneys, however, before sharing patient information through any HIE network.

Consent Options for Health Information Exchange

A March 2010 whitepaper on patient consent options prepared by the Department of Health Policy, School of Public Health and Health Services at George Washington University Medical Center (the “GWU Consent Whitepaper”)[1] found that five (5) prevailing models have surfaced for HIE:  (1) “No Consent” (2) “Opt-Out” (3) “Opt-Out, with granularity of choice” (4) “Opt-In” and (5) “Opt-In, with granularity of choice”.  These five models are described in detail in the GWU Consent Whitepaper.

As between Opt-In and Opt-Out, the Opt-Out consent model has certain advantages.  First, it continues to protect patients’ privacy by giving patients the right to make a choice about whether to allow providers to access their health information electronically for certain pre-defined permitted purposes (i.e., treatment).  Thus, for example, if the patient does not want his/her physicians to have access their aggregated medical record, he/she can choose to Opt-Out of participating in networked HIE.  Second, the approach allows for a more complete clinical record to be created about the patient that the physician then has the opportunity to view before administering medical treatment.  Moreover, physicians have indicated that if significant components of the patient’s health information record are missing or incomplete, this makes the data found in an HIE network potentially less reliable and valuable to them from a clinical decision-making standpoint.  Finally, from an administrative perspective, the Opt-Out approach is to be somewhat less cumbersome to implement.

The Opt-Out approach is also well documented in research papers and environmental scans as an acceptable consent model for HIE. Of the nine (9) states evaluated in the GWU Consent Whitepaper, three (3) (Virginia, Tennessee, and Maryland) adopted an Opt-Out approach to patient participation for their respective state exchanges, and two (2) (Delaware and Indiana) adopted a “No Consent” approach, which affords patients with even less choice with regard to whether or not their information will be shared through an HIE.[2]   In addition, a recent legal scan of all fifty (50) states revealed that twenty-two (22) states have introduced and/or passed legislation that addresses patient consent specifically with regard to networked HIE.[3]  Of those twenty-two, sixteen (16) have introduced and/or enacted legislation that supports an Opt-Out approach.  Finally, in those states where specific HIE standards have not been legislated, many initiatives have nevertheless decided to proceed with an Opt-Out approach.

The Office of National Coordinator (ONC)’s Privacy and Security Tiger Team (“Privacy Tiger Team”) has recognized that both Opt-In and Opt-Out, and their more granular counterparts, are each a potentially acceptable consent approach for HIE, provided that the process implemented to effectuate the adopted approach complies with applicable law and affords the patient with an opportunity to exercise “meaningful choice”.  In order to better ensure that patients understand their options with regard to participating in or “opting out” of HIE, the Privacy Tiger Team recommended that participants engaging in HIE should prepare and disseminate a layered Notice of Privacy Practices (NPP) that includes at least a short summary of electronic HIE policies, and with a more detailed notice to be made available for interested patients.

In the end, a decision as whether to adopt an Opt-Out or Opt-In consent model (or any one of the other more granular counterparts) must take into consideration the circumstances and goals of the particular HIE network.  The consent model selected will subsequently affect what types of participants may join the HIE network without first having to obtain additional specific written consent from their patients to disclose/share health information to or through the HIE network.  Whether a particular type of participant will be allowed under applicable laws to share information with the HIE network may, in turn, be affected by the “permitted purposes” for which patients’ information can be accessed and used (e.g., treatment only, or will there be other uses?), and what type of information will be automatically included in and shared through the HIE network (i.e., demographic information only? sensitive information? de-identified information?).  Finally, if and how the selected HIE technology can (or cannot) support identification and segmentation of “sensitive” participants or “sensitive” data will also affect whether the particular consent approach can be implemented in compliance with the law.

Federal and State Law Considerations

As of the date of this article, there continues to be no federal law that specifically governs networked electronic HIE.  Therefore, most HIE consent models have been structured around the legal parameters set forth in the Health Insurance Portability and Accountability Act of 1996 and its related Privacy Rule and Security Rule (collectively, “HIPAA”), the Health Information Technology for Economic and Clinical Health Act and its related rules (collectively “HITECH”), and other applicable federal and state privacy laws governing patient information.

     With regard to sharing of information between health care providers for treatment purpoes, HIPAA and its related Privacy Rule do not require an individual’s prior written authorization.  The so-called “treatment exception” was carved out by HIPAA in order to prevent disruption of firmly established workflows and referral activities between providers. HITECH attempts, however, to provide additional protections and rights with regard to patient information.  For example, § 13424(d) requires:

“[N]ot later than one year after the date of the enactment of this title, the Comptroller General of the United States shall submit [….] a report on the best practices related to the disclosure among health care providers of protected health information of an individual for purposes of treatment of such individual. Such report shall include an examination of the best practices implemented by States and by other entities, such as health information exchanges and regional health information organizations, an examination of the extent to which such best practices are successful with respect to the quality of the resulting health care provided to the individual and with respect to the ability of the health care provider to manage such best practices, and an examination of the use of electronic informed consent for disclosing protected health information for treatment, payment, and health care operations.” (emphasis added).

In addition, § 13424(f) of HITECH requires the Secretary (of HHS) to study the definition of ‘‘psychotherapy notes’’ currently set forth in the HIPAA Privacy Rule and determine whether the same should be revised to include test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation, as determined by the mental health professional providing treatment or evaluation.  Based on such study, HHS is charged with also making a recommendation as to whether to issue regulations to revise such definition, presumably to broaden the type of mental health-related information that would be afforded additional protection (i.e., require prior written authorization from the patient before being disclosed from its source).

Last, §3002(2)(B) of the HITECH Act directs the HIT Policy Committee:

“[t]o make recommendations for . . . [t]echnologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns, in accordance with applicable law, and for the use and disclosure of limited data sets of such information.” (emphasis added).

The statutory provision also directs the HIT Policy Committee to make sure that the relevant and available recommendations and comments from the National Committee on Vital and Health Statistics (NCVHS) are considered in the development of its policies. See discussion further below.

New Jersey does not have a broad sweeping health information privacy law.  Instead, patients’ privacy rights are addressed through a patchwork of statutes, regulations, and some case law. Generally, with a few exceptions, these laws can be grouped or categorized as follows:

  • Facility-specific laws (e.g., hospitals; ambulatory care facilities; labs etc.)
  • Provider-specific laws (e.g., physicians; nurses; pharmacists; psychologists etc.)
  • Sensitive Information laws (e.g., HIV/AIDS; Genetic Information; STDs etc.)
  • Government Program-specific laws (e.g., Medicaid; Family Planning etc.)

For example, provisions that govern how health information can be used and disclosed varies between acute care hospitals and licensed medical practitioners. Rules governing New Jersey licensed acute care hospitals require “patient approval” before information in the patient’s records can be released, unless another healthcare care facility to which the patient was transferred requests the information, or the release of information is required and permitted by law, a third party payment contract, a medical peer review or the New Jersey State Department of Health. See N.J.A.C. 8:43G-4.1(a)21.  However, the Board of Medical Examiner rules governing New Jersey licensed medical practitioners and their medical practices contain a different standard that allows exceptions in confidentiality, even in the absence of the patient’s request, in cases where another licensed health care professional who is providing or has been asked to provide treatment to the patient.  See N.J.A.C. 13:35-6.5(d)3.

Thus, New Jersey law permits certain providers to participate in an HIE network and share information for treatment purposes (with certain restrictions on sharing sensitive information, as discussed in the next section) pursuant to an Opt-Out approach without having to obtain any specific prior written consent of the patient.  But, certain other providers are not permitted under New Jersey law to share patient information with other participants through an HIE network, even for treatment purposes, unless specific prior written consent from the patient is obtained.  Examples of such Restricted Providers include: mental health facilities, drug and alcohol rehabilitation facilities (including 42 CFR Part 2 providers), New Jersey Department of Health And Senior Services’ local health agency providers, psychologists, family therapists, and social workers.

Information that is subject to additional protections under federal and/or state law (“Sensitive Information”) almost always requires the patient’s prior written consent before being disclosed.  Certain federal or state law protections may also “attach to” such Sensitive Information and follow it downstream, so that prior written consent would need to be obtained by the subsequent “holder” of that information before it is re-disclosed again.  Therefore, if Sensitive Information appears anywhere in the data shared through the HIE nwork, it can only be disclosed and accessed after all requirements under applicable federal and state laws are met.

The following are examples of categories of Sensitive Information specifically protected by federal and New Jersey law and that must be protected from access or use, unless specific requirements have been met:

  • 42 CFR Part 2 Records;
  • Genetic Information and Nondisclosure Act;
  • Services paid for “out of pocket” (HITECH);
  • Psychotherapy Notes (HIPAA);
  • HIV/AIDS Information (N.J.S.A. 26:5C-8);
  • Venereal Diseases (N.J.S.A. 26:4-41);
  • Drug & Alcohol Rehabilitation Information (N.J.S.A. 26:2B-8);
  • Mental Health Rehabilitation (N.J.A.C 10:37-6.79);
  • Genetic Privacy Act of New Jersey (N.J.S.A. 10:5-43);
  • Minor’s Emancipated Treatment (N.J.S.A. 9:17B-1); and
  • Social Security Numbers.

In addition, federal policy may move to require certain additional categories of information be treated as Sensitive Information.  The NCVHS heard extensive testimony about the definitions of sensitive categories of health information beyond those that are currently recognized and protected under federal law.  On November 14, 2010, NCVHS issued its “Recommendations Regarding Sensitive Health Information” to the Department of Health and Human Services.  The NCVHS Recommendations suggest the following additional categories of information should potentially be treated as Sensitive Information in the HIE context:

  • The following specific Mental Health Information:
    • Psychiatric diagnoses
    • Descriptions by patients of traumatic events
    • Descriptions or analysis or reports by the patients of emotional, perceptual, behavioral, or cognitive states[4]
  • The following specific Sexuality and Reproductive Health Information:
    • Sexual activity
    • Sexual orientation
    • Gender dysphoria and sexual reassignment
    • Abortion, miscarriage, or past pregnancy
    • Infertility and use of assisted reproduction technologies
    • Sexual dysfunction
    • The fact of having adopted children

Segmenting Sensitive Information with an Opt-Out Model

After policy and legal considerations are vetted and implementation begins, new obstacles often surface.   If data is being contributed from a “restricted provider type” and must be kept confidential until a patient affirmatively consents to such provider disclosing the information to the HIE network, the provider can typically be flagged as a “opt-in” provider, and no data is ever automatically pulled, queried or accessed from such restricted provider until and unless the patient has specifically “opted-in” and consented to allowing such restricted provider to share the patient’s data with others.

Sensitive information, however, is not as easily handled, particularly when Opt-Out has been selected as a baseline approach. Where federal and state law permit patients’ general clinical data to be shared without specific prior consent of the patient, the information can be access by authorized providers in accordance with executed participation agreements and applicable laws.  However, where sensitive information is embedded in the general clinical data to be accessed, as is often the case with discharge summaries and other reports, the Opt-Out approach can present a problem because it is not possible to administratively identify such information and prevent access until the patient has given his or her consent.

In light of the forgoing implementation issue, certain HIE initiatives are testing “plug in” software that scans data residing in the HIE repository and “tags” it when certain terms are found that correspond to algorithms developed around state and federal laws restricting access to such Sensitive Information until certain conditions have been met, such as the patient giving prior written consent.  Once identified, the tagged data element, or document if it is not a discrete data segment, is removed from viewing, but a “flag” is left noting that certain information is incomplete and that additional requirements need to be met before it can be accessed i.e., the patient’s affirmative consent has to be obtained.

Segmentation of sensitive data through implementation and use of such a specialized technical application is an attempt to move HIE forward with a balanced approach.  The Opt-Out approach allows default sharing of general clinical information so that a longitudinal snapshot of a patient’s clinical medical and treatment history can be considered by his or her physicians.  It is this type of record that physicians have expressed are most valuable to their clinical decision-making. However, current laws continue to recognize that certain sensitive categories of information should be afforded specific protections. In the HIE context, this has remained a stumbling block to effective exchange of information, often resulting in less-optimal alternatives.

Data segmentation technology attempts to take a new approach to an old problem. The anticipated and hoped for end result will be a balanced approach that gives physicians access to valuable information that will improve the delivery of care to patients and at the same time giving patients ability to control access to certain sensitive information.

[1] Goldstein, M. and Rein, A., Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis (March 23, 2010). Prepared for Office of Policy and Planning, Office of National Coordinator for Health IT.

[2] See Goldstein & Rein. (Note that 4 states adopted Opt-In: Massachusetts, New York, Rhode Island, and Washington).

[3] Attorneys at Oscislawski LLC, 50-State Snapshot of HIE Legislation (September 2011).

[4] Important to note is that NCVHS excluded the following information from its definition of “sensitive” Mental Health Information:  medication lists; allergies and non-allergic drug interactions;  dangerous behavior within medical settings;  and information from medical notes, test, procedures, imaging or laboratory studies performed in a mental health facility that is not related to the mental health treatment but that would otherwise be considered medical information, such as cardiac studies to diagnose reported chest pain.

Share this:

If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.

Archives