MU4: Some federal and state health information privacy and confidentiality laws, including but not limited to 42 CFR Part 2 (for substance abuse), establish detailed requirements for obtaining patient consent for sharing certain sensitive health information, including restricting the recipient’s further disclosure of such information.

·  How can EHRs and HIEs manage information that requires patient consent to disclose so that populations receiving care covered by these laws are not excluded from health information exchange?

·  How can MU help improve the capacity of EHR infrastructure to record consent, limit the disclosure of this information to those providers and organizations specified on a consent form, manage consent expiration and consent revocation, and communicate the limitations on use and restrictions on re-disclosure to receiving providers?

·  Are there existing standards, such as those identified by the Data Segmentation for Privacy Initiative Implementation Guide, that are mature enough to facilitate the exchange of this type of consent information in today’s EHRs and HIEs?

# / Comment ID / Location in submission (page/cell) / Name of Respondent / Organization / Comments
1 / HHS-OS-2012-0007-DRAFT-0006 / 1 / Delaware Health Net, Inc / ·  No comment.
2 / HHS-OS-2012-0007-DRAFT-0008 / 4 documents, in folder / NORC at the University of Chicago / ·  Noted that 42 CFR Part 2 applies only when that information is contained in a record held by a federally assisted “program.” Addiction treatment information given in a general hospital, ER, physician office, Federally Qualified Health Center (FQHC), or rural clinic generally would not be protected.
·  Commented that 42 CFR Part 2 differs sharply from newer laws because it provides no non-discrimination prohibitions or protection against insurance discrimination, disability and life insurance discrimination, and employment discrimination.
·  Commented that the Secretary of HHS has broad authority to prescribe regulations to “carry out the purposes” of the statute and should modify the 42 CFR Part 2 regulations to permit an explicit and limited exclusion allowing disclosures of substance use disorder treatment information to healthcare providers and health plans for purposes of treatment, coordination of care, recovery support, quality improvement, disease management, and payment. The only items that could be disclosed without authorization under the limited exceptions would be demographic information, diagnosis, medications, laboratory results, and identification of past or current treatment providers.
·  Commented that the Secretary should promulgate regulatory interpretations that would prohibit discrimination based on information in substance use disorder program records; limit use in criminal and civil investigations or proceedings; and strengthen civil and criminal sanctions against unauthorized disclosures.
3 / HHS-OS-2012-0007-0507 / cell F71 / Sunti Ponkshe / Accenture / ·  Stated that this is a very important issue.
·  Recommended discussion with the American Health Information Management Association (AHIMA), the Health Information Management experts and harmonization of other similar efforts in this area to avoid duplication.
4 / HHS-OS-2012-0007-0376 / p. 11 / Sarah Cottingham / Telligen Iowa HIT Regional Extension Center / ·  Suggested that ONC standardize these types of regulations to be consistent across the states so that Electronic Health Record (EHR) vendors can successfully build to these standards.
·  Recommended that ONC work with the states to see if conformity can be agreed upon.
·  Recommended that ONC work with the states to establish consistency, and that the states work with each other.
·  Commented that the Data Segmentation for Privacy (DS4P) pilot was very interesting and that it should be published in Stage 3; recommended that ONC publish the results of the pilot and any proposal for Stage 3.
·  Commented that the system has to be able to sequester data by encounter or admission as well as by the other categories that are typically segmented.
5 / HHS-OS-2012-0007-0412 / p. 12, 13 / John Travis / Cerner Corp. / ·  Suggested consideration of some manner of classifying the sensitive data such that disclosure can be effectively managed based on privacy policies applied at the time of disclosure.
·  Commented that the Standards and Interoperability (S&I) Framework's DS4P WG has examined leveraging medical code sets that may already codify what is to be disclosed, together with Health Level 7 (HL7) confidentiality and sensitivity code sets, for this classification purpose: codifying the structured data about to be disclosed in a clinical document so that clinical documents and data are semantically tagged in a way that conveys the privacy protection attributable to what is to be disclosed.
·  Commented that this may support the use of policy decision point business rule engines to examine the content of structured clinical documents, based on this semantic tagging of sensitive data, at the time of disclosure, and to relate that to policy enforcement point capabilities integrated into disclosure management functions to determine whether patient authorization exists for the disclosure. This kind of approach may be workable but is not yet in widespread use.
·  Commented that there are multiple areas of requirement here, which suggests that an iterative approach should be used: ONC should consider iterating requirements for consent administration and capture, privacy policy definition and application, authorization capture, semantic tagging of sensitive data, policy decision point abilities and policy enforcement point abilities.
·  Suggested that HL7 Sensitivity and Confidentiality code sets and purpose of use kinds of code sets may be a good start.
6 / HHS-OS-2012-0007-0409 / p. 14 / William Zoghbi / American College of Cardiology (ACC) / ·  Commented that reductions in the use of tobacco have contributed significantly to the decrease in morbidity and mortality rates from heart disease. Given the differing requirements for coverage of smoking cessation support across insurance plans and states, the ACC is concerned by the proposed recommendation that health IT be used to generate referrals for patients who need to stop smoking or using tobacco.
7 / HHS-OS-2012-0007-0425 / p. 17 / Willa Fields, Stephen Lieber / HIMSS / ·  Suggested that patient information can be tagged with metadata including special category information and even patient privacy preference information (as previously captured from the patient) using HL7 sensitivity codes. Tagging would be accomplished by the originator of the electronic patient information and would necessarily need to comply with all relevant federal and state laws and regulations.
·  Commented that management of patient consent and/or privacy preferences is not something that could easily be captured and maintained in an individual EHR, but rather might require a separate infrastructure or ecosystem that is accessible by providers through an EHR or Health Information Exchange (HIE) and patients alike.
·  Commented that the full implementation of such a service or ecosystem would be complex and the interaction with the patient will require a complete set of tools, including training, resources and education regarding the implications of their privacy preference choices. The entirety of this service/ecosystem creation and deployment is likely outside of the scope of the Meaningful Use (MU) program.
·  Commented that until such a service or ecosystem is present, it will be difficult to specify a specific MU measure for providers. This approach could simplify the consent process for patients, and also would make it much easier for them to keep track of the permissions they had selected. It also could reduce cost and risk for providers.
o  Patient records their privacy preferences through a portal or service instead of having to fill out a form each time he/she receives care from a provider.
o  The portal manages each patient’s preferences, allowing changes by the patient and providing notification to the patient when their permissions need to be renewed.
o  Whenever a data holder received a request for an individual’s health information, his/her EHR or the HIE could query the service to determine whether the patient had authorized the requested use or access.
o  Before any holder of a patient’s information could make it available to another party, the holder would need to query the portal for the permissions currently in effect.
·  Suggested that the portal would be responsible for managing permissions, and the holder of information would be responsible for managing data in compliance with the permissions in force at any given time. The service could be accessed using a secure Representational State Transfer (REST) protocol or the eHealth Exchange protocol. Permissions could be exchanged using the Extensible Access Control Markup Language (XACML) standard.
8 / HHS-OS-2012-0007-0382 / p. 25 / Cheryl Peterson/Karen Daley/Marla Weston / American Nurses Association / ·  Recommended working directly with the enforcement bodies (e.g., OCR) to gain their input on disclosure and consent. Seek input from consumer groups and interested consumers directly.
·  Suggested evaluating the practicality of developing regional or state-level Certified EHR Technology (CEHRT) criteria for EHR modules that might be regulated at those levels.
·  Suggested inviting testimony from large health care systems that have successfully managed consent criteria and variations among those criteria.
·  Commented that the ANA supports the ANI’s response to this question.
9 / HHS-OS-2012-0007-0395 / p. 26 / Paula Bussard / The Hospital & Health System Association of Pennsylvania / ·  Commented that many studies and reports have identified variation in privacy laws across states as a key barrier to information exchange.
·  Recommended that HHS work toward a single set of federal privacy laws to facilitate information exchange and improve efficiency, while still protecting privacy.
10 / HHS-OS-2012-0007-0419 / p. 47 / James Kaufman / Children's Hospital Association / ·  Noted that there are adolescent privacy issues that need to be considered along with these questions.
11 / HHS-OS-2012-0007-0413 / p. 7 / John Gilligan / Human Service Center / ·  Suggested recognizing Sensitive Health Information through meta tags, leveraging pilots, and developing a method that complies with patient consents.
·  Commented that preservation of trust should be a top priority; record patient consent, communicate limitations on use of PHI; communicate restrictions on disclosure and re-disclosure of PHI.
·  Commented that the regulations promulgated at 42 CFR Part 2 do not contemplate the electronic exchange of health information enabled by EHR systems and need to be revised. Uniform Privacy Compliance Safe Harbor should be established that would trump any State laws. Standardize approach to regulatory guidance.
·  Commented that sensitive data is often mixed with general patient data. Patients should have resources that would make it easier for them to understand how they can use data protections available to them.
12 / HHS-OS-2012-0007-0393 / p. 9 / Jennifer Covich Bordenick / eHealth Initiative / ·  Noted that in 2007, eHI developed the “eHealth Initiative Blueprint: Building Consensus for Common Action” which is a shared vision and a set of common principles, strategies and actions for improving health and healthcare through Health IT and health information exchange. Believes that there continues to be room for progress in these areas: Transparency, Collection and Use of Personal Health Information; Individual Control; Security; Audit; Accountability and Oversight.
13 / G:\Meaningful Use\HITPC\Stage_3_RFC\Submission / p.1 / VA / ·  Invalid link. Cannot view document.
14 / HHS-OS-2012-0007-0557 / p.1 / Heather Roe Day / WY e-Health Partnership / ·  Suggested using the work already done by the HIEs to manage consent for the distribution of sensitive data across data silos. This will happen faster if the work already done is applied.
15 / HHS-OS-2012-0007-0234 / p.1 / Aileen Wehren / Porter-Starke Services Inc / ·  Commented that all of these suggestions avoid the need for the HIE to manage authorizations and consents; however, they do slow down information flow because of the added requirement to contact the behavioral health care provider to confirm whether a given piece of data can or cannot be sent.
·  Suggested ONC consider four options:
o  Option 1: Requests for behavioral health information are submitted to the HIE; the provider that submitted those data would need to approve the transmission of those data, thus guarding against any change in authorization for disclosures.
o  Option 2: Assign responsibility for determining the data to be sent to the health care provider. They could filter data by various criteria based upon patient consent. This would still require that Option 1 above be implemented if addictions data are included in the HIE.
o  Option 3: Restrict the data to be included, not allowing diagnoses, medications and laboratory results that disclose information subject to 42 CFR Part 2, thus limiting the amount and type of information in the HIE. Providers would secure consent to include data in the HIE.
o  Option 4: Stratify data in the HIE so that addictions data are “held separately”. Then implement the processes at the HIE for the data to be released only when the provider/owner of the data approves the release.
16 / HHS-OS-2012-0007-0236 / p.1 / Meika DiPietro / Vermont Department of Health / ·  Supported the inclusion of a statement on the patient consent form in which the patient will agree to the prescriber/pharmacist having the right to look up controlled prescription information for the patient.
·  Supported capacity building for primary care EHR systems to better manage the consents and control the re-disclosure of select types of information.
17 / HHS-OS-2012-0007-0238 / p.1 / Kathleen Connor / Edmond Scientific Company / ·  Commented that three DS4P pilot teams have already demonstrated the ability to use standard terminologies to "tag" a Meaningful Use (MU) compliant C32 and CCDA in accordance with the HL7 Consent Directive Clinical Document Architecture (CDA).
·  Commented that the standards-based semantic labeling (tagging) of clinical facts, which are the discrete elements used to construct a CCDA, with clinical terminologies and provenance is already a required MU EHR capability.
·  Commented that the DS4P pilots demonstrate how these "tagged" clinical facts are consumed by the security labeling services or Access Control System Policy Information Point (PIP).
·  Commented that the PIP also invokes the governing privacy policies and patient consent directive to control enterprise user access and to construct a CCDA for disclosure, which either redacts, masks, or tags a clinical fact (at the CDA header, section, and entry level) with security labels that tell the receiver how to comply with the policies that govern the disclosure.
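The labeling-and-enforcement pattern sketched in the Cerner (row 5), HIMSS (row 7) and Edmond Scientific (row 17) comments, shown as an added Python illustration; this is not code from any respondent, from ONC, or from the DS4P pilots. Code values loosely follow HL7 vocabularies (confidentiality N/R/V, sensitivity ETH/PSY/HIV, purpose of use TREAT/HPAYMT, obligation NOREDISCLOSE), but the mapping from sensitivity tag to confidentiality level, the consent and request structures, and all sample facts and organizations are assumptions made for the example. Entries tagged by the originator are labeled, a policy decision point checks each restricted entry against the patient's consent directive (recipient, purpose, effective window, revocation), and the enforcement point assembles the outbound document with a header label and re-disclosure obligation.

```python
"""Toy DS4P-style labeling and consent-gated disclosure (added illustration, not from any respondent)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

CONF_RANK = {"N": 0, "R": 1, "V": 2}  # HL7 v3 Confidentiality codes, normal < restricted < very restricted
# Assumed local policy: which sensitivity tag (HL7 ActCode style: ETH substance abuse,
# PSY psychiatric, HIV) implies which confidentiality level. Not an HL7 rule.
SENSITIVITY_CONF = {"ETH": "R", "PSY": "R", "HIV": "V"}

@dataclass(frozen=True)
class ClinicalFact:
    """One discrete entry of a clinical document, tagged by the originator."""
    entry_id: str
    section: str
    text: str
    sensitivity: frozenset = frozenset()

@dataclass(frozen=True)
class ConsentDirective:
    """Simplified consent: who may receive which sensitive categories, for what purpose, and when."""
    patient_id: str
    recipients: frozenset
    purposes: frozenset        # purpose-of-use codes such as "TREAT"
    sensitivities: frozenset   # sensitive categories the patient has released
    effective: datetime
    expires: datetime
    revoked_at: Optional[datetime] = None

@dataclass(frozen=True)
class DisclosureRequest:
    patient_id: str
    recipient: str
    purpose: str
    at: datetime

def confidentiality_label(fact: ClinicalFact) -> str:
    """Security labeling service: highest confidentiality implied by the fact's sensitivity tags."""
    return max((SENSITIVITY_CONF.get(s, "N") for s in fact.sensitivity), key=CONF_RANK.get, default="N")

def consent_is_active(cd: ConsentDirective, at: datetime) -> bool:
    """Expiry and revocation are both checked at decision time, not at consent capture."""
    if cd.revoked_at is not None and cd.revoked_at <= at:
        return False
    return cd.effective <= at < cd.expires

def decide(fact, request, consents) -> str:
    """Policy decision point: PERMIT or REDACT one fact for one request. Default is deny."""
    if confidentiality_label(fact) == "N":
        return "PERMIT"
    for cd in consents:
        if (cd.patient_id == request.patient_id and consent_is_active(cd, request.at)
                and request.recipient in cd.recipients and request.purpose in cd.purposes
                and fact.sensitivity <= cd.sensitivities):
            return "PERMIT"
    return "REDACT"

def build_disclosure(facts, request, consents):
    """Policy enforcement point: returns (outbound document, sender-side audit record)."""
    entries, redacted = [], []
    for fact in facts:
        if decide(fact, request, consents) == "PERMIT":
            entries.append({"id": fact.entry_id, "section": fact.section, "text": fact.text,
                            "confidentiality": confidentiality_label(fact),
                            "sensitivity": sorted(fact.sensitivity)})
        else:
            redacted.append(fact.entry_id)
    highest = max((e["confidentiality"] for e in entries), key=CONF_RANK.get, default="N")
    # Header label for the receiver; NOREDISCLOSE (HL7 obligation code) carries the
    # 42 CFR Part 2 style restriction on re-disclosure whenever restricted content is present.
    header = {"patient": request.patient_id, "recipient": request.recipient, "purpose": request.purpose,
              "confidentiality": highest, "obligations": ["NOREDISCLOSE"] if highest != "N" else []}
    # Redacted entry ids stay with the sender: listing them in the outbound document
    # would itself reveal that a Part 2 record exists.
    return {"header": header, "entries": entries}, {"request": request, "redacted_entry_ids": redacted}

# Constructed sample data (not real patients, organizations or records).
FACTS = [
    ClinicalFact("F1", "Problems", "Essential hypertension"),
    ClinicalFact("F2", "Medications", "Buprenorphine/naloxone 8 mg/2 mg daily", frozenset({"ETH"})),
    ClinicalFact("F3", "Problems", "Opioid use disorder, in treatment", frozenset({"ETH"})),
    ClinicalFact("F4", "Problems", "Major depressive disorder", frozenset({"PSY"})),
]
CONSENT = ConsentDirective("P-001", frozenset({"org:cardiology-clinic"}), frozenset({"TREAT"}),
                           frozenset({"ETH"}), datetime(2013, 1, 1, tzinfo=timezone.utc),
                           datetime(2014, 1, 1, tzinfo=timezone.utc))

def run_scenarios():
    """Returns {scenario: (entry ids actually sent, document header)} for the sample data."""
    def req(purpose="TREAT", at=datetime(2013, 6, 1, tzinfo=timezone.utc)):
        return DisclosureRequest("P-001", "org:cardiology-clinic", purpose, at)
    revoked = replace(CONSENT, revoked_at=datetime(2013, 3, 1, tzinfo=timezone.utc))
    scenarios = {
        "treatment_in_window": (req(), [CONSENT]),
        "payment_purpose": (req(purpose="HPAYMT"), [CONSENT]),
        "after_expiry": (req(at=datetime(2014, 3, 1, tzinfo=timezone.utc)), [CONSENT]),
        "after_revocation": (req(), [revoked]),
    }
    results = {}
    for name, (request, consents) in scenarios.items():
        document, _audit = build_disclosure(FACTS, request, consents)
        results[name] = ([e["id"] for e in document["entries"]], document["header"])
    return results

if __name__ == "__main__":
    for name, (ids, header) in run_scenarios().items():
        print(f"{name}: sent {ids}, label {header['confidentiality']}, obligations {header['obligations']}")
```

Two design points a practitioner would check: the decision is default-deny, so a restricted entry with no matching, active consent is dropped rather than masked, because even a masked placeholder in a Part 2 disclosure can reveal that treatment occurred; and the NOREDISCLOSE header label is only advisory to the receiving system, which is the HIMSS comment's point that the holder of the data, not the consent service, remains responsible for compliance.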