Advisory panel submits recommendations to HIT Policy Committee regarding health data exchanges

Posted on August 20, 2010 by Steve Fox and Vadim Schick

On August 19, 2010, the "tiger team" advisory panel submitted a letter to the HIT Policy Committee, established pursuant to the HITECH Act, proposing new safeguards for personally identifiable information on health information exchanges.  Via Bloomberg Business Week:

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

<...> One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

HIT Policy Committee will have to review and approve the proposed safeguards.  You can read more about the proposed standards after the jump, and can read the letter in full by clicking here.

 

Bloomberg Business Week described some of the proposed safeguards:

However, any data exchange that involves a third-party does require specific and "meaningful" patient consent, the letter noted. Any such consent also needs to be transparently and easily revocable by the patient at any time, the panel said.

The letter also recommended further exploration of technologies that allow individuals to exercise more granular control over the data for instance permitting the exchange of certain kinds of health data, but not all.

Third-party service organizations should also not be allowed to collect, use or share personal health data for any purposes other what's specified in their service agreements, the panel recommended.

Third parties should also be required to retain personal health data only for as long as it is reasonably needed and should then be required to destroy the data, the panel said.

All third parties having access to patient health information also need to comply with the privacy and security requirements of HIPAA.

"Panel drafts privacy recommendations for health data exchanges," Bloomberg Business Week (August 19, 2010).
Tags: , , , , , , , , , , , ,

In the news: patient privacy edition

Posted on April 28, 2010 by Steve Fox and Vadim Schick
  • HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners.  Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site.  At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice."  However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to HealthLeaders Media, the rule will become effective after the comment period closes (about May 23, 2010).
  • Government Health IT reports that OCR will issue more privacy and security rules mandated by the HITECH Act in May 2010, including rules regarding business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  According to HHS, "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."
  • On April 23, 2010 HIT Policy Committee's privacy and security workgroup revealed a draft  technical framework for patient consent requirements, titled Basic Patient Privacy Consent (BPPC).  According to Federal Computer Week, the draft framework includes "at least 12 types of patient consents, including implicit and explicit opt-out and opt-in, authorizations for specific research projects and authorizations for use of the document but not for republishing."
     

 
Tags: , , , , , , , , , ,

ONC publishes white paper on consent options

Posted on April 1, 2010 by Vadim Schick

The Office of National Coordinator for Health IT (ONC) published on its web site a white paper analyzing the policies behind obtaining consent for the purposes of electronic health information exchange.  The paper examined the concept of patient control of their health information, focusing on "the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making."  While the paper was written by researchers at the George Washington University, under contract with ONC, ONC clearly stated in the preamble that this white paper does not actually represent the views of the ONC or HHS.

You can find the full paper (and the attachments) by clicking here.  You can view the executive summary by clicking here.

Tags: , , , , , , , , , , ,