Being able to efficiently share patient information can help providers in numerous ways, including avoiding readmissions, avoiding medication errors, and even decreasing duplicate testing. With even more interoperability tools at the ready, covered entities cannot overlook potential dangers to patient data privacy.
The Fast Healthcare Interoperability Resources (FHIR) standard is a recent technology that is helping healthcare providers sift through large amounts of data.
It is a draft data standard developed and nurtured by HL7 International and aims to “define the information contents and structure for the core information set that is shared by most implementations,” HL7 states on its website.
As explained by HealthITAnalytics.com, FHIR lets developers create apps that transcend a document-based environment by using standardized application programming interfaces (APIs).
Applications can be plugged into a basic EHR operating system. Information can then be fed directly into the provider workflow, which can help organizations avoid document-based exchange shortcomings.
In terms of health data security and patient data privacy, APIs help data move between computer systems or programs. Healthcare stakeholders hope it can assist in the push toward interoperability and secure exchange of health data.
HL7 International Chief Technology Officer Wayne Kubick explained in an interview at HIMSS17 that social and regulatory barriers are often key concerns with data sharing and patient data privacy.
“We just got out of a meeting of the Argonaut Project,” he said. “Everyone’s worried and concerned about security and maintaining privacy and how difficult it is to share data. It’s not because of the technological barriers, but because of the social and regulatory barriers. It was very clear to everyone there that the 21st Century Cures Act includes a requirement that you are able to deliver all of the patient’s data to the patient upon request. That changes the model quite a bit.”
The House of Representatives passed the 21st Century Cures Act toward the end of 2016. The legislation called for a working group “to study and report on the uses and disclosures of protected health information for research purposes” under HIPAA regulation.
That working group must also consider the expectations and preferences on how an individual’s PHI is shared and used, as well as relevant Federal and State laws.
“The working group shall conduct a review and submit a report to the Secretary containing recommendations on whether the uses and disclosures of protected health information for research purposes should be modified to allow protected health information to be available, as appropriate, for research purposes, including studies to obtain generalizable knowledge, while protecting individuals’ privacy rights,” the bill read.
Furthermore, the potential uses of the PHI and potential impacts of disclosure and non-disclosure of PHI on access to health care services will need to be reviewed.
Kubick explained that informed consent from participants is necessary for clinical trials in the research world. However, that consent can go beyond a particular trial and can be saved for future applications.
“Within the FHIR infrastructure, there is a consent resource that has been developed so that patients can in fact define how they want to share their information prospectively, for what purposes, and with whom,” Kubick stated. “They’ll have ownership over that, which will free up a lot of the constraints that are currently inhibiting use of data for additional purposes.”
HL7 CEO Charles Jaffe, MD, PhD, noted that the notion of which HHS office is responsible for data privacy is also beginning to shift.
“CMS is charged with enabling this sort of information sharing, so the focus is less on data protection and more on data fluidity,” he explained. “That’s a significant policy shift. They realize that if they’re ever able to define what quality means, it’s going to require the kind of data that FHIR and open APIs can deliver.”
HIPAA regulations are still important to keep in mind as information sharing methods continue to develop, Kubick stressed. The way HIPAA is written is not necessarily a data sharing obstacle, but he suggested that each rule is potentially due for periodic review as things change.
“The underlying principles of HIPAA are still very important,” Kubick reiterated. “It’s not like there’s less concern over security. In fact, it’s the opposite.”
In terms of the 21st Century Cures Act, for example, healthcare providers have every bit as much responsibility to ensure the data doesn’t fall into the wrong hands as they do that it gets into the right ones, he said.
But if patients take the data, the providers can’t be responsible for what patients do once they have their own information.
Jaffe pointed out that an often-overlooked notion is that HIPAA always provided for the use of data for research.
“My guess is that it’s going to be even more liberally interpreted with consent issues,” he predicted. “The IOM had a discussion on this, and I think as patients become more aware that they’re responsible for their data, I think we’ll have a different focus.”