Patient Control of EHR Access
ONC to Create Standards for 'Granular Consent' for EHRs
Federal law requires obtaining a patient's permission to share information related to substance abuse and alcohol abuse treatment, Joy Pritts points out. And many states have similar laws about obtaining patient consent for providing access to sensitive health information, such as data about mental health treatment and HIV test results, she adds. "So the challenge has been, how are we going to be able to follow these laws in an electronic environment?"
A Privacy and Security Tiger Team already has made recommendations on obtaining patient consent to exchange any information in their electronic health records, but it stopped short of making recommendations for more "granular consent" for specific portions of a record, saying more study was needed. ONC has yet to include the team's consent recommendations in any proposed regulations or guidelines.
In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, following her presentation at the recent National HIPAA Summit, Pritts:
- Described ONC's intention to commission a study that would yield recommendations for standards to enable patients to grant granular consent, such as to permit certain clinicians to access all their records except those dealing with mental health treatment.
- Confirmed that criteria for stage 2 of the HITECH Act electronic health record incentive program, due by year's end, will include new privacy and security requirements, but says it's too soon to predict the specific details.
- Revealed that ONC and the Federal Trade Commission have prepared a draft of a study on the issue of privacy and security requirements for personal health records. She hopes that the overdue report to Congress on the issue, as mandated under the HITECH Act, will be submitted this year.
- Advised organizations implementing EHRs to conduct a risk assessment and train staff on how to comply with privacy and security policies.
Before joining ONC, a unit of the Department of Health and Human Services, Pritts was on the faculty at Georgetown University, where she held a joint appointment as a senior scholar with the O'Neill Institute for National and Global Health Law and as a research associate professor with the Health Policy Institute.
HOWARD ANDERSON: In your presentation at the National HIPAA Summit, you revealed the launching of a new study on standards for offering patients more granular consent, so that a patient could give consent for sharing some, but not all, of their patient record via a health information exchange. Why are you doing that study?
JOY PRITTS: Currently, federal law requires a patient's permission to share information that is related to substance and alcohol abuse treatment. The information, once it flows, cannot be shared again with another healthcare provider unless they get the patient's permission again. That is called the Substance Abuse Confidentiality Regulation. Many states have similar laws that deal with what we would usually classify as sensitive health information, like information on mental health treatment or information related to HIV test results.
So the challenge has been, how are we going to be able to follow these laws in an electronic environment? ... The Health IT Policy Committee recommended that we do some research into that. There was an all-day hearing last year that looked at cutting-edge technology for facilitating patient consent. There were a number of issues that were identified at the end of the hearing as next steps, like developing ontology or looking at standards for sharing the health information. So we're interested in following up on those recommendations to take the next steps to allow people who use electronic health records and who transmit their information electronically to comply with the law.
Consent Standards Development
ANDERSON: So the end result will be a report that describes the feasibility of enabling a patient to deny consent for the exchange of portions of their records?
PRITTS: No, we're not really looking for a report. We are hoping that we can develop or we can identify some standards that would be useful in this area. ... I think that we're a little bit beyond the report stage and we're really looking to see some action forward.
EHR Security Standards
ANDERSON: Will Stage 2 criteria for the HITECH electronic health record incentive program include some new requirements regarding privacy and security, such as the Tiger Team recommendations?
PRITTS: I cannot imagine that meaningful use Stage 2 will not include some privacy and security requirements.
ANDERSON: Is it too soon to tell what those will be, or any of the specifics?
PRITTS: Yes, it's way too soon. The process here is that the Tiger Team has made some recommendations, but there will be an entire package of recommendations that will come to ONC for meaningful use criteria from the whole HIT Policy Committee. So we'll have to wait and see what that whole package looks like.
Personal Health Records
ANDERSON: What is the status of the joint ONC/Federal Trade Commission report to Congress on privacy and security requirements for personal health records?
PRITTS: It's progressing. We had a roundtable last December on PHRs and related technology, which gave us a lot of information. We have a draft of a study that incorporates that as well as other external information, including work that the National Committee on Vital and Health Statistics has done and some work that FTC has done, and we continue to work with FTC to explore these issues and to finalize it. We're hoping - and I always hesitate to give a date because it puts a lot of pressure on us - but I'm hoping that we will be able to get a report to Congress this year.
ANDERSON: Finally, what advice would you give to folks who are adopting electronic health records in hopes of gaining incentives about the most important steps they can take to protect that digitized information?
PRITTS: First, they really should conduct a risk assessment and see where their vulnerabilities are. Even if you are a very small organization, it doesn't have to be that complicated, but there are certain basic things that people should not be doing, like writing passwords on yellow sticky notes and leaving them on the computer. They should do training of their personnel, because the only way people will know what they are supposed to do is if you train them. This is not something that necessarily comes naturally to people. They do not practice security on their home computers. So to do this in the office will be something new for them.
Looking at the list of breaches that HHS has compiled over the last year, it's pretty clear that you need to protect your software and your hardware from theft and loss, and the easiest way to do that is to encrypt it.
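The interview describes two requirements a granular-consent standard would have to support: withholding specific sensitive categories (mental health, substance abuse, HIV results) from particular recipients while releasing the rest of the record, and blocking onward sharing of substance abuse treatment data until the patient consents again. The following is an added, constructed illustration of how an exchange gateway could enforce both rules at the record-segment level; it is not ONC code and not a standard the interview describes. The category names, the default-deny rule for recipients with no directive on file, and the data model are all assumptions of this example.

```python
"""Segment-level ("granular") consent filtering over an EHR: a constructed example."""
from dataclasses import dataclass, field

# Categories the interview names as requiring explicit patient permission under
# federal or state law. The exact set is an assumption of this example.
SENSITIVE = {"substance_abuse", "mental_health", "hiv"}

# Categories that may not be re-shared downstream without renewed consent
# (the substance abuse confidentiality rule described in the interview).
NO_REDISCLOSURE = {"substance_abuse"}


@dataclass(frozen=True)
class Segment:
    """One tagged portion of a patient record (hypothetical structure)."""
    segment_id: str
    category: str
    text: str


@dataclass
class ConsentDirective:
    """A patient's per-recipient consent choices (hypothetical structure)."""
    patient_id: str
    # recipient -> categories the patient has excluded for that recipient
    excluded: dict
    # recipient -> True once the patient has authorized that recipient to re-share
    redisclosure_ok: dict = field(default_factory=dict)


def filter_for_recipient(segments, directive, recipient):
    """Split a record into (released, withheld) for one recipient.

    Default-deny: a recipient with no directive on file gets only non-sensitive
    segments, so a missing consent record never leaks sensitive categories.
    """
    if recipient in directive.excluded:
        blocked = set(directive.excluded[recipient])
    else:
        blocked = set(SENSITIVE)
    released, withheld = [], []
    for seg in segments:
        (withheld if seg.category in blocked else released).append(seg)
    return released, withheld


def may_redisclose(segment, directive, original_recipient):
    """Decide whether a recipient may forward a segment it already received.

    Segments in NO_REDISCLOSURE need fresh, recipient-specific consent; all
    other categories follow the ordinary release rules.
    """
    if segment.category not in NO_REDISCLOSURE:
        return True
    return directive.redisclosure_ok.get(original_recipient, False)


# Constructed sample record and directive for demonstration.
RECORD = [
    Segment("s1", "general", "Annual physical: BP 120/80"),
    Segment("s2", "mental_health", "Counseling visit note"),
    Segment("s3", "substance_abuse", "Treatment program intake"),
    Segment("s4", "hiv", "HIV antibody test result"),
]

DIRECTIVE = ConsentDirective(
    patient_id="patient-0001",
    excluded={
        "dr_primary": {"mental_health"},   # everything except mental health
        "dr_specialist": set(),            # full record
    },
    redisclosure_ok={"dr_specialist": True},
)


def released_ids(recipient):
    """Convenience view of which segment ids a recipient would receive."""
    released, _ = filter_for_recipient(RECORD, DIRECTIVE, recipient)
    return [s.segment_id for s in released]


if __name__ == "__main__":
    for who in ("dr_primary", "dr_specialist", "unknown_clinic"):
        print(who, "receives", released_ids(who))
    seg = RECORD[2]  # substance abuse segment
    print("dr_primary may re-share s3:", may_redisclose(seg, DIRECTIVE, "dr_primary"))
    print("dr_specialist may re-share s3:", may_redisclose(seg, DIRECTIVE, "dr_specialist"))
```

The design point is that consent is evaluated per segment and per recipient at the point of exchange, and that the absence of a directive is treated as denial for sensitive categories rather than as permission; the redisclosure check runs again on every downstream hop instead of trusting the first release.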