How healthcare providers and vendors that are part of a health information exchange (HIE) should be segmenting and securing sensitive information, such as mental health data, sexually transmitted disease (STD) information or drug/alcohol abuse history, remains somewhat ambiguous for many stakeholders.
The Privacy and Security Tiger Team has been working for a few months on the nuances and granular details of HIE query exchange and the health IT (HIT) policy committee on its efforts at last week’s meeting. In trying to remove perceived policy barriers or gray areas of HIE Direct exchange, there is still a lack of clarity regarding a patient with tagged sensitive metadata consenting to an HIE query.
Last Thursday, the Office of the National Coordinator for Health Information Technology (ONC) awarded DirectTrust.org and NYeC, each Exemplar HIE Government Program Cooperative Agreements. During the announcement, a question was posed to DirectTrust President and CEO David Kibbe about sensitive data segmentation and Kibbe explained that for now, DirectTrust would be hands-off in dividing patient content.
I as a family physician, for example, am communicating with a psychiatrist or social worker with Directed exchange. We have to be cognizant of the privacy laws, but Directed exchange is neutral to content. What we’ve been working on at DirectTrust is make the exchange A. Private and secure and B. identity validated in a way that can be validated and maintained. We’ve left those responsibilities to the providers who are doing the exchange.
State law confusion
Discerning between state, federal and updated HIPAA laws can further complicate the situation both providers and vendors when it comes to transmitting and securing this sensitive data as well. For example, there was a recent state of New York Court of Appeals case that highlighted how responsibility for this type of information can become muddled even in a non-HIE. The plaintiff in the case, John Doe, had his STD information breached in bizarre fashion when his girlfriend’s sister-in-law, who’s a nurse at the clinic, learned of the condition and updated his girlfriend with the information via text message.
According to blogs.findlaw.com, Doe ended up suing the clinic for “common law breach of fiduciary duty to maintain the confidentiality of personal health information, breach of contract, negligent hiring, negligent infliction of emotion distress, intentional infliction of emotional distress, and breach of duty to maintain the confidentiality of personal health information under three New York laws: Civil Practice Law § 4504, Public Health Law § 4410, and Public Health Law § 2803-c.” The court ended up dismissing all eight claims, but the case is being appealed at the New York Court of Appeals at the moment.
What’s next for HHS and VA?
It’s not as though the government has turned a blind eye to this situation, as the Department of Health and Human Services (HHS) and the Department of Veterans Affairs (VA) said back in September that they were collaborating on how best to transport sensitive data in an HIE. Part of the answer may be the organizations’ Data Segmentation for Privacy (DS4P) Initiative, which was formed to create standards for patient data disclosure and authorization. As EHRIntelligence.com explained, HHS Substance Abuse and Mental Health Services Administration (SAMHSA) and VA have worked these standards into the initiative to tag private data so that the patient has to authorize the data being sent to a healthcare provider. But updates since it announced DS4P Jericho-UT Austin Pilot have been scarce and there hasn’t been discussion of progress during these monthly privacy and security policy meetings.
On one hand, you have DirectTrust leaving it up to healthcare organizations to figure out the sensitive data question on their own, and then there’s DS4P working toward a metadata tagging framework. Hopefully there will be collaboration on sensitive data security best practices among these government organizations.