Healthcare Information Security

Tiger Team closes in on behavioral health privacy recommendations

By Patrick Ouellette

As Cris Ewell, Seattle Children’s CISO, noted in a recent interview, exchanging behavioral health data involves many layers of consent and technology issues. One layer the Health IT Policy Committee (HITPC) Tiger Team has focused on of late is the certification needed to enable exchange of behavioral health data.

The goal is to ensure this type of data remains private while also remaining usable in a clinical setting. The Tiger Team and the HITPC reviewed a number of follow-up questions after their last call; one of the vendor participants, Cerner, answered those questions in writing and also joined the call. According to the Tiger Team, the HITPC unanimously agreed that (1) a voluntary behavioral health certification process is something ONC should pursue, and (2) that certification should include the same privacy and security safeguards currently required for certified EHR technology (CEHRT). Below are a few of the Tiger Team’s questions for technology vendors, with the answers offered by Dan Levene, Director, Cerner Behavioral Health:

Some providers handle only sensitive information (e.g., information regulated by Part 2), while others handle both sensitive and non-sensitive information. In the paper world, it has been observed that some providers over-use this sensitive designation. Because sensitive documents sent using DS4P will end up sequestered, overuse of a sensitivity designation will mean that some documents are unnecessarily sequestered. What methods are available to prevent providers from overusing DS4P, or for generally dealing with this problem?

Clear and universal agreement on how much information within a disclosure should be marked as ultra-sensitive is not likely to be achieved given the number of local, state and federal policies or regulations governing various types of information related to substance abuse treatment, to HIV/AIDS treatment, sexual abuse treatment, sexually transmitted diseases or even simply, patient preference.

A concept we’ve labeled “rediscovery” holds much promise. The concept of rediscovery is that information restricted because it originated from an ultra-sensitive source can be removed from restriction if it is also received, or rediscovered, from a non-ultra-sensitive source.


An example:

- A primary care practice receives a disclosure from a substance abuse treatment program covered by 42 CFR part 2.

- The disclosure contains diagnoses for alcohol abuse and obesity, both legitimately diagnosed first hand by the SA program.

- Because the primary care practice had not previously documented the obesity, its only source of that knowledge is a 42 CFR Part 2 covered entity, so it must consider obesity to be ultra-sensitive private information.

- If the primary care practice also receives a disclosure from the patient’s cardiac specialist listing a diagnosis of obesity, the information can be downgraded to normal sensitivity, because its provenance does not necessarily link the patient to substance abuse treatment. Similarly, the primary care physician could make her own observational diagnosis of obesity independent of the ultra-sensitive disclosure.


- A “genie in the bottle” principle applies: once information has been legitimately discovered outside an ultra-sensitive context, it can be (re)classified for normal privacy sensitivity. In other words, secrets revealed cannot be untold. Of course, we must ensure that legitimately sensitive information is not released from obligation.

Another approach to addressing the difficulties of sensitivity sequestration would be, as a matter of policy, to raise the bar on privacy for all healthcare information to include the typical obligations associated with ultra-sensitive privacy laws like 42 CFR Part 2. If all information processing decisions adhered to that level, multiple workflows within local systems might be reduced or eliminated. This approach, however, is not likely to be any less costly, at least in the short run.
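The rediscovery rule described in the answer above is, at bottom, a provenance check: a fact stays sequestered while every copy of it in the record traces back to a Part 2 source, and is downgraded as soon as one copy arrives by an independent route. The following Python is an added illustration of that rule, not Cerner's or the Tiger Team's code; the data model (a `Source` flagged as Part 2 covered, an `Observation` carrying its upstream provenance) and the diagnosis labels are assumptions made for this example. It also covers the caveat implied by "its provenance does not necessarily link the patient to substance abuse treatment": a cardiologist who merely copied the obesity diagnosis out of the Part 2 disclosure is not an independent source, so the downgrade must follow the provenance chain rather than just the immediate sender.

```python
"""Provenance-based "rediscovery" of sensitivity.

Added example; the Source/Observation model and the sample diagnoses are
constructed for illustration and are not taken from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    NORMAL = "normal"
    RESTRICTED = "restricted"   # 42 CFR Part 2 / "ultra-sensitive"


@dataclass(frozen=True)
class Source:
    name: str
    part2_covered: bool = False   # assumption: flag set from the sender's identity


@dataclass(frozen=True)
class Observation:
    """One fact (e.g. a diagnosis) as received from one source."""
    fact: str                                   # normalised diagnosis label (constructed)
    source: Source
    derived_from: tuple[Observation, ...] = ()  # upstream provenance, if the sender copied it


def is_independent(obs: Observation) -> bool:
    """True only if nothing in the observation's provenance chain is Part 2 covered.

    A non-Part 2 sender that merely relayed a Part 2 disclosure does not count:
    the chain still links the patient to substance abuse treatment.
    """
    if obs.source.part2_covered:
        return False
    return all(is_independent(up) for up in obs.derived_from)


class PatientRecord:
    def __init__(self) -> None:
        self._obs: dict[str, list[Observation]] = {}   # fact -> every observation of it

    def receive(self, obs: Observation) -> None:
        self._obs.setdefault(obs.fact, []).append(obs)

    def sensitivity(self, fact: str) -> Sensitivity:
        observations = self._obs.get(fact)
        if not observations:
            raise KeyError(fact)
        # Rediscovery: one independent observation is enough to downgrade.
        # Otherwise the only provenance is a Part 2 source and the fact stays sequestered.
        if any(is_independent(o) for o in observations):
            return Sensitivity.NORMAL
        return Sensitivity.RESTRICTED

    def disclose(self, include_restricted: bool = False) -> list[str]:
        """Facts a normal disclosure may carry; restricted facts stay sequestered
        unless the caller explicitly asserts Part 2 consent."""
        return sorted(
            f for f in self._obs
            if include_restricted or self.sensitivity(f) is Sensitivity.NORMAL
        )


def walkthrough() -> dict:
    """Replays the worked example from the text and the copied-provenance caveat."""
    sa_program = Source("Substance abuse treatment program", part2_covered=True)
    cardiology = Source("Cardiac specialist")

    record = PatientRecord()
    # The Part 2 disclosure carries both diagnoses; both start out restricted.
    record.receive(Observation("alcohol abuse", sa_program))
    record.receive(Observation("obesity", sa_program))
    after_part2 = {f: record.sensitivity(f).value for f in ("alcohol abuse", "obesity")}

    # The cardiologist independently diagnoses obesity: rediscovery downgrades it,
    # while alcohol abuse remains restricted ("not released from obligation").
    record.receive(Observation("obesity", cardiology))
    after_cardiology = {f: record.sensitivity(f).value for f in ("alcohol abuse", "obesity")}

    # Caveat: a copy that traces back to the Part 2 disclosure is not a rediscovery.
    relayed = PatientRecord()
    part2_obesity = Observation("obesity", sa_program)
    relayed.receive(part2_obesity)
    relayed.receive(Observation("obesity", cardiology, derived_from=(part2_obesity,)))

    return {
        "after_part2": after_part2,
        "after_cardiology": after_cardiology,
        "normal_disclosure": record.disclose(),
        "with_consent": record.disclose(include_restricted=True),
        "relayed_copy": relayed.sensitivity("obesity").value,
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that sensitivity is never stored as a flag on the fact; it is recomputed from the set of observations each time, so a later independent observation (or the retraction of one) changes the answer without any "un-marking" step that could be forgotten.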

What is the perceived demand for data segmentation functionality? Do you feel that DS4P is ready for deployment?

Outside of the technical circles that discuss data segmentation, there is little call for the specific details of DS4P. However, there is a real and recognized need to respect and handle the varying levels of privacy required to comply with the sum of regulations and policies in any one local jurisdiction. As an approach to addressing this need, DS4P’s standardization of privacy-related data handling is in demand.

The Tiger Team also had Substance Abuse and Mental Health Services Administration (SAMHSA) representatives on the call to discuss policy questions. Specifically, the team was looking for guidance on how patient-sourced information is entered into the EHR in accordance with the law. The Tiger Team is also looking to SAMHSA to offer written expert best practices in these areas:


- How recipients are expected to handle a restricted Consolidated Clinical Document Architecture (C-CDA) document
- Clarifying the circumstances under which this information can subsequently be “sourced” from the patient in an informed way
- How SAMHSA should gather user feedback to ensure that new guidance does not impose workflow barriers that would substantially inhibit the existing or future flow of Part 2 information

There will be one more meeting in May that the Tiger Team will use to wrap up its policy recommendations. The goal is to have final recommendations ready to present to the Health IT Policy Committee at its June meeting.
