Tiger Team Recommendation 1: Policies Regarding the Use of Intermediaries / third-party service organizations:
- Third party service organizations may not collect, use or disclose personally identifiable health information for any purpose other than to provide the services specified in the business associate or service agreement with the data provider, and necessary administrative functions, or as required by law.
- Third party service organizations may retain personally identifiable health information only for as long as reasonably necessary to perform the functions specified in the business associate or service agreement with the data provider, and necessary administrative functions.
- Retention policies for personally identifiable health information must be established, clearly disclosed, and overseen. Such data must be securely returned or destroyed at the end of the specified retention period, according to established NIST standards and conditions set forth in the business associate or service agreement.
- Third party service organizations should be obligated to disclose in their business associate or service agreements with their customers how they use and disclose information, including without limitation their use and disclosure of de-identified data, their retention policies and procedures, and their data security practices.
- Where such third party service organizations have access to personally identifiable health information, they must execute and be bound by business associate agreements under the Health Insurance Portability and Accountability Act regulations (HIPAA).
Tiger Team Recommendation 2.1: Trust Framework For Exchange Among Providers for Treatment
- The responsibility for maintaining the privacy and security of a patient’s record rests with the patient’s providers, who may delegate functions such as issuing digital credentials or verifying provider identity, as long as such delegation maintains this trust.
- To provide physicians, hospitals, and the public with an acceptable level of accuracy and assurance that this credentialing responsibility is being delegated to a “trustworthy” organization, the federal government (ONC) has a role in establishing and enforcing clear requirements about the credentialing process, which must include a requirement to validate the identity of the organization or individual requesting a credential.
- State governments can, at their option, also provide additional rules for credentialing service providers so long as they meet minimum federal requirements.
- The requesting provider, at a minimum, should provide attestation of his or her treatment relationship with the individual who is subject of the health information exchange.
- Providers who exchange personally identifiable health information should be required to comply with applicable state and federal privacy and security rules. If a provider is not a HIPAA-covered entity or business associate, mechanisms to secure enforcement and accountability may include:
- Meaningful user criteria that require agreement to comply with the HIPAA Privacy and Security Rules;
- NHIN conditions of participation;
- Federal funding conditions for other ONC programs
- Contracts/Business Associate agreements that hold all participants to HIPAA, state laws, and any other policy requirements (such as those that might be established as the terms of participation).
- Requesting providers who are not covered by HIPAA should disclose this to the disclosing provider before patient information is exchanged.
- Assuming FIPs are followed, directed exchange for treatment does not require additional patient consent beyond what is required in current law or what has been customary practice.
- If the following circumstances are present, patients should be able to exercise meaningful consent to their participation. ONC should promote this policy through all of its levers.
- When the decision to disclose or exchange the patient’s identifiable health information from the provider’s record is not in the control of the provider or that provider’s organized health care arrangement (“OHCA”). Examples of this include:
- A health information organization operates as a centralized model, which retains identifiable patient data and makes that information available to providers.
- A health information organization operates as a federated model and exercises control over the ability to access individual patient data.
- Information is aggregated outside the auspices of the provider or OHCA and comingled with information about the patient from other, external medical records.
A patient’s consent must be meaningful in that it:
- Allows the individual advanced knowledge/time to make a decision. (E.g., outside of the urgent need for care.)
- Is not compelled or used for discriminatory purposes. (E.g., consent is not a condition of receiving medical services or benefits.)
- Provides full transparency and education. (I.e., the individual gets a clear explanation of the choice and its consequences, in consumer-friendly language that is conspicuous at the decision-making moment.)
- Is proportional to the circumstances. (I.e., the more sensitive, personally exposing, or inscrutable the activity, the more specific the consent mechanism. Activities that depart significantly from patient reasonable expectations require greater degree of education, time to make decision, etc.
- Must be consistent with reasonable patient expectations for privacy, health, and safety; and
- Must be revocable. (I.e., patients should have the ability to change their consent preferences at any time. It should be clearly explained whether such changes can apply retroactively to data copies already exchanged, or whether they apply only "going forward.")
- The policies described above should not be construed to override laws that permit or compel providers to share patient data including, but not limited to HIPAA and legal requirements to participate in disease registries or research databases. We hope, however, they will be considered more fully in the future.
- Based on our core values, the person who has the direct, treating relationship with the individual, in most cases the patient’s provider, holds the trust relationship and is responsible for educating the patients about how information is shared and with whom.
- Such education should include the elements required for meaningful choice, as well as understanding of the “trigger” for consent (i.e., how information is being accessed, used and disclosed).
- The federal government has a significant role to play and a responsibility to educate providers and the public (exercised through policy levers).
- ONC, regional extension centers, and health information organizations should provide resources to providers, model consent language, and educational materials to demonstrate and implement meaningful choice. HIOs should also be transparent about their functions/operations to both providers and patients.
- The provider/provider entity is responsible for obtaining and keeping track of patient consent (with respect to contribution of information from their records.) However, the provider may delegate the management/administrative functions to a third party (such as an HIO).
Based on the context of Stage I Meaningful Use, which is a voluntary program, ONC is not requiring providers to participate in any particular health information exchange. Whether a doctor’s employer requires such participation is not a matter for government policy.
Tiger Team Recommendation 4 : Granular Consent
- The technology for supporting more granular patient consent is promising but is still in the early stages of development and adoption. Furthering experience and stimulating innovation for granular consent is needed.
- This is an area that should be a priority for ONC to explore further, with a wide vision for possible approaches to providing patients more granular control over the exchange and use of their information
- The goal in any related endeavor that ONC undertakes should not be a search for possible or theoretical solutions but rather to find evidence for models that have been implemented successfully and in ways that can be demonstrated to be used by patients and fulfill their expectations. ONC and its policy advising bodies should be tracking this issue in an ongoing way and seeking lessons learned from the field as health information exchange matures.
- In the interim, and in situations where these technical capabilities are being developed and not uniformly applied, patient education is paramount: Patients must understand the extent to which their requests can be honored and we encourage setting realistic expectations. This education has implications for providers but also for HIOs and government.
- The exchange of individually identifiable health information (IIHI) for “treatment” should be limited to treatment of the individual who is the subject of the information, unless the provider has the consent of the subject individual to access, use, exchange or disclose his or her information to treat others. (We note that this recommendation may need to be further refined to ensure the appropriate care of infants or children when a parent’s or other family members information is needed to provide treatment and it is not possible or practical to obtain even a general oral assent to use a parent’s information.)
- Public health reporting by providers (or HIOs acting on their behalf) should take place using the least amount of identifiable data necessary to fulfill the lawful public health purpose for which the information is being sought. Providers should account for disclosure per existing law. More sensitive identifiable data should be subject to higher levels of protection.
- In cases where the law requires the reporting of identifiable data (or where identifiable data is needed to accomplish the lawful public health purpose for which the information is sought), identifiable data may be sent. Techniques that avoid identification, including pseudonymization, should be considered, as appropriate.
- Quality data reporting by providers (or HIOs acting on their behalf) should take place using the least amount of identifiable data necessary to fulfill the purpose for which the information is being sought. Providers should account for disclosure. More sensitive identifiable data should be subject to higher levels of protection.
- The provider is responsible for disclosures from his or her records, but may delegate lawful quality or public health reporting to an HIO (pursuant to a business associate agreement) to perform on his or her behalf; such delegation may be on a "per request" basis or may be a more general delegation to respond to all lawful requests.
- "The relationship between the patient and his or her health care provider is the foundation for trust in health information exchange.
- As key agents of trust for patients, providers are responsible for maintaining the privacy and security of their patients’ records.
- We must consider patient needs and reasonable expectations. Patients should not be surprised about or harmed by collections, uses, or disclosures of their data.
- Ultimately, to be successful in the use of health information exchange to improve health and health care, we need to earn the trust of both consumers and physicians."