The information blocking regulations and the Trusted Exchange Framework and Common Agreement (TEFCA) are expanding opportunities for individuals to access their electronic health information directly from health information exchanges (HIEs). But as HIEs and large national networks prepare for individual access, they are asking how to ensure, to the extent possible, that they accurately match individuals with their health information, and what their potential liability under the HIPAA regulations is for sending an incorrect match.
In a July 20 letter to the Office for Civil Rights (OCR) at the Department of Health and Human Services, five major interoperability groups argue that certain interpretations of the breach notification rules are creating barriers to interoperability and to the sharing of electronic PHI (ePHI) with individuals.
Leaders from CARIN Alliance, DirectTrust, Commonwell Health Alliance, eHealth Exchange and Civitas Networks for Health requested a meeting with OCR staff to discuss ways to address this issue. “We want to strongly emphasize that without OCR providing formal guidance or enforcement discretion on this topic, there will be significant negative consequences for achieving statewide interoperability and patient access,” they wrote.
As the letter explains, HIEs primarily disclose, or facilitate the disclosure of, information for treatment purposes. Most HIE treatment disclosures are made in response to queries, and information is matched to the correct patient by comparing demographic variables such as full name, address, full date of birth, phone number and, in some cases, the last four digits of a Social Security number, using a variety of deterministic and probabilistic matching algorithms.
“In conversations with large national HIE networks, we have learned that these networks typically return only one patient’s data in response to a treatment query, or, if there is not enough data in the query to provide a unique match, no record will be returned. TEFCA standards similarly mandate that only unique matches be returned. Despite efforts to ensure that only the correct patient’s data is returned in response to a given query, the possibility exists that the wrong patient’s data may be returned. In such a case, HIEs and existing large network participants rely on the following exception to HIPAA’s breach definition: ‘Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted [by the Privacy Rule].’”
The exception was an important element of the regulatory framework, the letter explains, because it addressed the potential liability of Covered Entities and their Business Associates for benign PHI disclosures in circumstances beyond their control, and as such helped drive adoption of national exchange networks for treatment purposes.
The exception is just as important to the future success and adoption of individual access services as it is to the treatment use case, the organizations say. It reflects the reality that 100 percent matching accuracy is unattainable, despite ongoing efforts by ONC and industry to improve it. “However, it is not as clear that HIPAA’s breach notification rules are equally supportive of the responsible exchange of digital health information through HIEs when patients choose applications or services not covered by HIPAA. When a non-HIPAA application providing individual access services queries an HIE or national network for individual access using some of the same demographic data fields, the return of the data is not subject to an express exemption from breach liability. As a result, and based on discussions with national networks, we have been told that networks are looking to set an even higher threshold for matching a query to a unique patient in terms of the number of demographic data fields and the source of those data fields, a threshold for which there is no standard definition and which can be difficult to operationalize. The threat of potential penalties in the event of a breach, and the obligation to notify individuals and HHS (on an annual basis), is a barrier to facilitating individual access through HIEs and TEFCA using the same infrastructure used today to support treatment queries.”
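To make the matching behaviour the letter describes concrete (demographic scoring, deterministic versus probabilistic matching, the unique-match-only rule, and the stricter threshold networks are considering for non-HIPAA individual-access requests), here is an added example written for this page. It is not the letter's, TEFCA's, or any network's implementation: the field weights, the two policies, their thresholds and the sample patient registry are all constructed assumptions for illustration. The security-relevant property is that the matcher never returns a record unless exactly one candidate qualifies; zero and several qualifying candidates both yield nothing, because returning a guess is how one patient's PHI ends up with another.

```python
"""Demographic patient matching with a unique-match-only rule.

Added illustration. Weights, policies, thresholds and the registry below
are hypothetical; they are not TEFCA's or any network's actual rules.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Demographics:
    full_name: str = ""
    dob: str = ""        # ISO date, YYYY-MM-DD
    address: str = ""
    phone: str = ""
    ssn_last4: str = ""  # last four digits of SSN, if supplied


@dataclass(frozen=True)
class MatchPolicy:
    name: str
    min_fields: int      # query must supply at least this many fields
    min_score: float     # total weight a candidate must reach
    deterministic: bool  # True: every supplied field must also match exactly


# Hypothetical weights: how much an exact match on each field counts.
WEIGHTS = {"full_name": 3.0, "dob": 3.0, "address": 2.0, "phone": 2.0, "ssn_last4": 2.0}

# Hypothetical policies. The treatment policy tolerates near-matches; the
# individual-access policy demands more fields and exact agreement, i.e. the
# kind of "higher threshold" the letter says networks are considering.
TREATMENT = MatchPolicy("treatment", min_fields=3, min_score=7.0, deterministic=False)
INDIVIDUAL_ACCESS = MatchPolicy("individual-access", min_fields=4, min_score=9.0, deterministic=True)


def _norm(value: str) -> str:
    return re.sub(r"[^a-z0-9]", "", value.lower())


def field_score(field: str, q: str, c: str) -> float:
    """Weight earned by comparing query value q with candidate value c.
    Exact (normalised) agreement earns the full weight; name and phone earn
    half credit for a near-match, which is the probabilistic part."""
    w = WEIGHTS[field]
    if _norm(q) == _norm(c):
        return w
    if field == "full_name":
        qt, ct = q.lower().split(), c.lower().split()
        if qt and ct and qt[-1] == ct[-1] and qt[0][0] == ct[0][0]:
            return w / 2  # same surname and first initial
    if field == "phone":
        qd, cd = re.sub(r"\D", "", q), re.sub(r"\D", "", c)
        if len(qd) >= 7 and qd[-7:] == cd[-7:]:
            return w / 2  # same local number, different area code
    return 0.0


def score(query: Demographics, candidate: Demographics) -> tuple[float, int, bool]:
    """Return (total score, number of fields the query supplied, all supplied fields exact)."""
    total, supplied, all_exact = 0.0, 0, True
    for field, w in WEIGHTS.items():
        q = getattr(query, field)
        if not q.strip():
            continue  # field not supplied in the query; it neither helps nor hurts
        supplied += 1
        s = field_score(field, q, getattr(candidate, field))
        total += s
        if s < w:
            all_exact = False
    return total, supplied, all_exact


def find_unique_match(query: Demographics, registry: dict, policy: MatchPolicy) -> tuple:
    """Return (record_id, reason). record_id is None unless exactly one record
    satisfies the policy. Zero and several qualifying records both yield None:
    the network declines rather than guess which patient the requester meant."""
    supplied = sum(1 for f in WEIGHTS if getattr(query, f).strip())
    if supplied < policy.min_fields:
        return None, f"query supplies {supplied} fields, policy {policy.name} needs {policy.min_fields}"
    qualifying = []
    for rec_id, candidate in registry.items():
        total, _, all_exact = score(query, candidate)
        if total >= policy.min_score and (all_exact or not policy.deterministic):
            qualifying.append(rec_id)
    if len(qualifying) == 1:
        return qualifying[0], "unique match"
    if not qualifying:
        return None, "no record meets the threshold"
    return None, f"ambiguous: {len(qualifying)} records qualify, returning none"


# Constructed sample registry: a twin pair and a duplicate registration after a move.
REGISTRY = {
    "rec-001": Demographics("Maria Alvarez", "1984-03-12", "12 Elm St, Springfield", "555-010-2233", "4471"),
    "rec-002": Demographics("Marta Alvarez", "1984-03-12", "12 Elm St, Springfield", "555-010-2234", "9918"),
    "rec-003": Demographics("John Q Public", "1970-07-04", "9 Oak Ave, Shelbyville", "555-020-7788", "1234"),
    "rec-004": Demographics("Maria Alvarez", "1984-03-12", "40 Pine Rd, Capital City", "555-010-2233", ""),
}

if __name__ == "__main__":
    q = Demographics(full_name="Maria Alvarez", dob="1984-03-12", phone="555-010-2233", ssn_last4="4471")
    print(find_unique_match(q, REGISTRY, TREATMENT))          # ambiguous: rec-001 and rec-004 both score >= 7
    print(find_unique_match(q, REGISTRY, INDIVIDUAL_ACCESS))  # rec-001: only it matches all four fields exactly
```

The same four-field query is ambiguous under the looser treatment policy (the duplicate registration scores 8 without the SSN digits) and resolves to a single record under the deterministic policy, which is the trade-off the letter describes: a higher bar reduces mismatches, but it also means more legitimate queries return nothing, and the bar itself has no standard definition.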
Given the 21st Century Cures Act initiatives that support expanded patient access to data through the application of the patient's choice, the organizations suggest that further guidance from OCR would be welcome to address this compliance issue.
On Twitter, Ryan Howells of the CARIN Alliance explained that “this is a proposal for how we can reasonably implement patient access as a *necessary* response to a voluntary network while trying to protect patient rights/privacy and legal risk to health systems/payers who have made a good faith effort.”
Also on Twitter, Brandon Keeler, a senior product manager at startup Zus Health and previously a product manager at Redox and Epic, said he disagreed with the letter’s gist. “Continuous degradation of trust in networks is accelerated by giving providers with poor compliance. The right approach is to continue to strongly advance shared patient credentials as the next big step in Patient Demand,” he wrote. “I’m not against OCR smoothing things out here (obviously for him), but maybe after setting a bar for matching algorithm quality, extracting consumer credentials, and actually making sure that reciprocity happens for the existing use case.”
Kristen Valdes, founder and CEO of b.well Connected Health and a CARIN Alliance board member, responded on Twitter saying, “We need to start moving away from unique credentials (or portal links). If we want successful data access and use, we cannot continue to require consumers to maintain access to the approximately 70 countries where their data resides. One standard for identity – federated – is the way forward.”
The organizations copied both ONC and Sequoia on the letter because, they said, addressing this issue is essential to taking advantage of TEFCA, which applies the relevant HIPAA privacy and security provisions downstream to all participants, whether or not they are Covered Entities or Business Associates, when they facilitate individual access services nationwide.