August 6 , 2007

Patching Privacy Concerns
By Aggie Stewart
For The Record
Vol. 19 No. 16 P. 18

A public-private partnership has pinpointed 10 key issues that form roadblocks to secure electronic health information exchange.

In late February, Paul Feldman resigned as cochair of the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community, citing the group’s lack of “substantial progress towards the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network [NHIN]” as the reason.1

This dramatic step taken to protest Health and Human Services’ (HHS) apparent lack of urgency regarding privacy issues came on the heels of a Government Accountability Office (GAO) study, which found that HHS had yet to define and implement an overall approach to health information privacy that “identifies milestones for integrating the outcomes of its initiatives, ensures that key privacy principles are fully addressed, and addresses challenges associated with the nationwide exchange of health information.”

The GAO further asserted that until HHS “defines an integration approach and milestones for completing these steps, its overall approach for ensuring the privacy and protection of personal health information exchanged throughout a nationwide network will remain unclear.”2 Its principal recommendation to HHS was to define and implement an overall approach to protecting health information that identifies milestones and an entity responsible for integrating the outcomes of its privacy-related initiatives.

Not surprisingly, HHS disagreed with the GAO’s recommendation and insisted that setting milestones would hamper its processes and “preclude stakeholder dialogue on the direction of important policy matters.”3 Although the GAO acknowledges that HHS has made progress on its current privacy initiatives, HHS critics maintain that progress has been too slow and the agency’s efforts don’t give privacy issues the footing needed to put them on par with interoperability and other systems’ development issues.

Whether HHS’ position reflects political posturing and resistance to accountability or genuine commitment to taking a stakeholder-driven, public/private approach toward creating a national policy framework for protecting the privacy, security, and confidentiality of health information within a system of electronic health information exchange (eHIE) remains a matter for political pundits. Nonetheless, the pitched debate over the most appropriate and effective strategic approach to take—including whether to set milestones and the speed necessary to accomplish objectives—reflects the volatility of the privacy issue and the high stakes for all parties involved.

Perhaps more importantly, however, it belies the matted and gnarled knot of federal and state laws, business and cultural practices, and technology issues to be combed out and the public/private buy-in needed to allow the eHIE vision—with all the necessary privacy and security protections built in—to become reality.

Taking Stock
The first group of contracts HHS awarded to advance an interoperable NHIN included one aimed directly at developing privacy and security solutions for eHIE. Simply titled “Privacy and Security Solutions for Interoperable Health Information Exchange,” this contract recognized that HIPAA implementation varies from state to state, and some states have adopted laws and policies for protecting health information that go beyond the HIPAA requirements. It also recognized that significant variation exists in the way individual hospitals, physicians, and other healthcare organizations implement required privacy and security policies, and all these variations pose considerable challenges to eHIE.

HHS awarded the contract to North Carolina-based RTI International, a nonprofit research institute with considerable expertise in a wide array of health services industries. The HHS’ Office of the National Coordinator (ONC) for Health Information Technology and the Agency for Healthcare Research and Quality will comanage the 19-month contract. To carry out the contract, RTI formed the Health Information Security and Privacy Collaboration (HISPC), a public-private partnership that brings together a multidisciplinary team of experts from 33 states and Puerto Rico to work with the National Governors Association Center for Best Practices to assess and develop plans to address the state-to-state variation in privacy laws and business practices that create barriers, or potential barriers, to eHIE. HISPC participants include consumers, physicians, pharmacists, HIT vendors, laboratories, attorneys, and insurers.

Specifically, the contract outlined three primary tasks: assess variations in organization-level business practices, policies, and state laws that affect interoperable HIE; identify and propose practical ways to reduce the variation to a set of good practices that permit interoperability while preserving the privacy and security requirements in applicable federal and state laws; and develop detailed, actionable implementation plans to move the security and privacy work forward in each state.

Ten Key Issues
Ten key issues emerged from the assessment of variation in business practices that affect eHIE.4 Some issues relate to misunderstandings or differing interpretations of HIPAA regulations, some to conflicts between state and federal laws, and others to technology or cultural/business issues.

Consent and authorization. Not surprisingly, the most common privacy variation relates to practices concerning patient consent and authorization, particularly as it relates to using protected health information (PHI) for treatment, payment, and healthcare operations. Even when organizations understand the HIPAA provisions, they sometimes do not understand when and how their own state laws apply. Further variation results in states that have intentionally made their privacy laws more stringent than HIPAA to avoid incidental or accidental PHI disclosures.

Additional reasons for variation include confusion about when federal and state laws require patient consent; the absence of a standardized requirement for when to use patient consent; lack of standardized forms for patient consent and authorization; multiple accepted ways of obtaining consent and authorization; and nonexistent procedures for when and how to authenticate patient authorization or consent.

Security practices. Business practice variation related to the HIPAA security rule had several causes, ranging from confusion and misunderstanding about what constituted appropriate security practices to knowledge gaps around available and scalable technology for the healthcare industry and consumers.5 Also, there seemed to be a lack of clarity around HIPAA security rule requirements. For example, while HIPAA addresses administrative, technical, and physical security around PHI, many organizations have given more attention to needed technology than administrative or physical safeguards. Business practice variations related to these issues have led to trust problems among organizations regarding liability, especially when one organization believes it has a stronger security operation than another organization to whom it sends PHI.

Trust. Again not surprisingly, trust that PHI would remain secure and private emerged as a critical issue to HISPC participants, particularly among providers and consumers. Provider concerns cluster around various potential liability situations, such as consumer lawsuits over inappropriate disclosure or inappropriate disclosure resulting from the actions of other HIE participants. They also voiced concerns over the potential uses of patient information by payers and the government.

For consumers, the potential for unauthorized disclosures of their information to payers and employers remains a significant obstacle to eHIE participation. Distrust of new information technologies runs a strong second to their disclosure concerns, which have been fueled by recent high-profile breeches at the Veterans Administration and Providence Health System.

State laws. State laws also present barriers to eHIE, both with respect to laws on the books and the absence of laws perceived as necessary for eHIE, such as those addressing the activities of regional health information organizations (RHIOs). HISPC participants voiced a general misunderstanding not only about the relationship between state privacy laws and HIPAA but also about where to find any related state law and how to apply it. Moreover, a few states discovered that several stakeholders, particularly providers, were unaware of the need to comply with state law when it is more restrictive than HIPAA. In some cases, states found privacy laws on the books that were too outdated to make sense when applied to eHIE.

Intersecting state and federal laws. The interrelationship between state and federal laws becomes more complicated when other federal privacy-related regulations come into play. Among the more problematic sets of federal regulations noted were the Clinical Laboratory Improvement Act (CLIA) and regulations protecting the confidentiality of patients in substance abuse treatment programs, particularly 42 Code of Federal Regulations (CFR) part 2. The CLIA allows states to determine who is authorized to receive test results, and many states narrowly define the group with such authority. Nonetheless, a range of standards has emerged from state to state. Additionally, the CLIA doesn’t define certain terms, such as individual responsible for using test results, that are key to its provisions leading to ambiguity and resulting in policy and practice variation from state to state.

HISPC participants also noted differences in the way providers treat PHI when substance abuse treatment is involved. Variation exists in facilities’, providers’, and integrated delivery systems’ understanding of how 42 CFR part 2 relates to HIPAA and how each is applied. These various understandings are further complicated by the differences between the HIPAA provisions and those of 42 CFR part 2, which HISPC participants said creates ambiguity about which provisions apply when. Together, these factors exponentially multiply the variations in policy and practice around the PHI of patients receiving treatment for substance abuse.

Technology issues. Apart from law and regulations, a host of technology-related issues present barriers to eHIE. Three overarching deficiencies lead the pack: uneven establishment of regional eHIE networks, uneven or limited electronic health record (EHR) implementation, and lack of interoperability of existing EHRs. HISPC participants identified technology-related “capacity gaps”—the organizational resources, technical capabilities, and financial means—that lead to variation in HIE practices, which ultimately limit the ability of organizations to participate in HIE.

With respect to regional HIE efforts themselves, HISPC participants commented on the varying definitions of RHIOs, their functions, roles, organizational structures, and funding structures. They also expressed concern about the lack of well-defined, operational, and deployable RHIO models. Coupled with this were questions about the legal status of these organizations and other operational issues, such as their ability to store and maintain data.

Matching patients and their records. Duplicate patient records remain a problem in most organizations, whether the facility is wired or not. As HISPC participants underscored, eHIE requires a standard, reliable way of linking patients to their clinical and administrative information. Without this, the risk of potential inappropriate use or disclosure increases, as does the associated risks of clinical errors and privacy breeches. The HISPC also noted that this risk magnifies when information is shared across organizations that have different patient identification and record-matching systems. The HISPC further noted that the accelerated development of personal health records makes establishing a standard, reliable method of linking patients and their records more urgent.

Interstate challenges. Many HISPC participants find themselves in a state or territory in which either health information is shared across state lines or there are significant seasonal fluctuations of workers and tourists and residents make substantial use of out-of-state providers; or a number of interstate health systems and plans do business in the state/territory. A health information infrastructure would have to seamlessly accommodate these kinds of situations. A parallel situation exists in states with Native American Indian reservations.

PHI disclosure differences. HISPC participants consistently noted differences in business practices around PHI disclosure as the single most important set of factors affecting interorganizational eHIE. In addition to the PHI disclosure issues already identified, HISPC participants called attention to a number of others, such as the following:

• ownership and control of health information;

• the HIPAA minimum necessary requirement;

• rerelease or redisclosure of health information;

• health emergency situations and the need to exchange information fast, easily, and securely;

• public health reporting requirements;

• judicial proceedings and law enforcement;

• human judgment in determining disclosure; and

• digital signatures to support patient consent and authorization procedures.

Cultural and business issues. Concern about liability for incidental or inappropriate PHI disclosures has caused many stakeholders to take a conservative approach to developing business policy and practices related to eHIE. Another category of business issues identified by HISPC participants relates to unclear and inconsistent definition of terms, such as medical emergency, minimum necessary, and current treatment, in state and federal laws. In the absence of standard definitions, variations in business policy and practices have emerged from a desire to comply with laws and regulations in a way that protects the organization’s interests.

Cultural issues cited include resistance to change, a common occurrence in organizations whenever new business practices are introduced or existing practices are discontinued or modified. Such resistance is frequently experienced during the transition from paper-based information systems to electronic information systems. An assumption that security slows down information exchange underlies a pervading belief that current manual practices of information exchange are timely, effective, and accurate.

Another highlighted cultural issue involves tension among providers, hospitals, and patients over who controls or owns the health data. HISPC participants indicated that many providers didn’t believe patients should have full access to their records and expressed concern that physicians would not enter complete notes if patients had full access to their records. Related liability concerns also surfaced.

From Assessment to Implementation Planning
Following the assessment of eHIE roadblocks, the HISPC identified a number of feasible solutions for establishing reasonable precautions for eHIE. Solutions were grouped into one of four categories: legal or regulatory (involving changes to state law or regulatory practices); business practice or policy (best practices); technology (involving changes to existing technology or adopting new technology); and education or guidance to provide a better context and understanding of eHIE.

HISPC state/territory teams are currently finalizing plans for implementing identified solutions. According to National Coordinator for Health Information Technology Robert Kolodner, MD, these implementation plans “will not only inform health information exchange initiatives in the states and territories that created them but will serve as input to other ONC-coordinated efforts, such as the State Alliance for E-Health’s Health Information Protection taskforce.”6

More information about the Privacy and Security Solutions for Interoperable Health Information Exchange and other state privacy and security initiatives can be found on the ONC Web site here..

— Aggie Stewart is a freelance writer and editor specializing in HIM and HIT. She also serves as consulting editor of Health Information Management Manual, 2nd edition.

References

1. Goldman J, Feldman P. “HPP Resigns from Government Privacy Workgroup.” February 21, 2007. Available here.

2. U.S. Government Accountability Office. “Health Information Technology — Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy.” January 2007. Available here.

3. U.S. Government Accountability Office. “Health Information Technology — Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy.” January 2007. Available here.

4. Dimitropoulos L. “Privacy and Security Solutions for Interoperable Health Information Exchange — Interim Assessment of Variation Executive Summary.” December 29, 2006. Available here.

5. Dimitropoulos L. “Privacy and Security Solutions for Interoperable Health Information Exchange — Interim Assessment of Variation Executive Summary.” December 29, 2006. Available here.

6. Kolodner R. Private health records: Privacy implications of the federal government’s health information technology initiative. Testimony before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia. February 1, 2007.