Healthcare Information Security

Patient Privacy News

HL7 gives Tiger Team V/D/T privacy, security policy feedback

By Patrick Ouellette

- The HIT Policy Committee Privacy & Security Tiger Team continued to review patients’ family, friends and personal representative access to Certified EHR Technology “view/download/transmit” (V/D/T) features during its recent February meeting.

As part of the discussion, Health Level Seven International (HL7), an American National Standards Institute (ANSI) accredited standards developer, provided feedback on potential V/D/T privacy and security policy issues to Tiger Team chair Deven McGraw. Charles Jaffe, MD, HL7 CEO, and Donald T. Mon, PhD, Chair of the Board of Directors, offered these comments:

Policy Issue 1: Patients need to be informed and meaningfully consent to their personal representatives (PRs) having the extent of access that VDT affords

Patients may be comfortable in having a PR present during an encounter where the Patient can hear/see the PR’s interaction with the treating provider and has knowledge of what part of the patient’s medical history is being discussed.  However, in the VDT environment, an appointed PR at the beginning of a serious illness, for example, would now have access to the entirety of the patient’s PHI available via VDT.

Policy Issue 2: Similar to similar to a limited power of attorney, patients should have the ability to specify the extent of PR access to the portions of their VDT accessible medical history that the patient deems necessary for improved care coordination.

We…suggest that a practical consent model is established that can enable patients to manage their PHI appropriately and clearly identifies how consent is managed as data moves between providers, patients, and personal representatives, and clarifies the obligations of the PR to address the concerns of PHI becoming available beyond the immediate patient-provider relationship.  Furthermore this should clarify whether a PR is to be considered the same or different from the patient and if so how to enable health IT to help manage this as data is exchanged.

Policy Issue 3: Patients should be able to specify that policies for data access and use, such as a consent directive for disclosure, remain in place without the PR intervening.

Clarification is needed about the extent of discretion that covered entities have to designate a patient’s PRs.

Policy Issue 4: If covered entities do in fact have the right to select a patient’s PRs, then by policy, the PRs should only have access to the patient’s VDT records by virtue of explicit and granular patient control of what portions of those records may be accessed by the PRs. 

The risk that a PR could exercise the patient’s right to transmit the patient’s records to any entity without limit.

More HL7 pieces of advice included:

- If patient’s had VDT PR access consent directives, preferably using the HL7 Consent Directive CDA standard, then the patient can specify PR identifying information that the provider can use to verify the identity of the PR.  
The patients’ friends, family and other PR should be identified as IT users, identity proofed, provided an account ID separate from the patient, and all PR actions taken on behalf of the patient should be audited so that the patient can determine what actions have been taken on their behalf.
- The “all or nothing” option (as opposed to potentially more granular options) raises additional issues if HIPAA covered entities have discretion to designate PRs.  As stated above, this may force some patients to choose between maintaining privacy preferences and having PRs, or even mentioning any potential PR to covered entities.

Read through the rest of HL7′s comments here.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks