State laws, patient preferences pose privacy challenges for HIEs

Tools

Dealing with myriad state privacy laws was just one of the concerns weighing on health information exchange executives at a hearing this week hosted by the Privacy and Security Tiger Team of the HIT Policy Committee.

The hearing, according to HealthcareInfoSecurity, focused on non-targeted queries--in which a provider asks an exchange for all records on a patient when the providers are not known. The Tiger Team in April submitted recommendations to the HIT Policy Committee, but asked for more study of non-targeted queries.

Some committee members were worried that patients who did not want sensitive information shared would opt out of health data exchange altogether. The Tiger Team is expected to submit recommendations about non-targeted queries in August.

"The lack of consistency between state and federal laws has been an ongoing challenge," Joanna Pardee-Walkingstick, director of member services at SMRTNet, an HIE in Oklahoma, said at the hearing, according to HealthcareInfoSecurity.

Also, because the HIPAA Omnibus Rule allows patients to not disclose information to their health insurer about services paid for out-of-pocket, data segmentation poses a problem.

The self-pay provision of HIPAA Omnibus "is very hard to implement ... it's very clunky," John Kransky, vice president of strategy and planning of the Indiana Health Information Exchange, said at the hearing.

While the new HIPAA rule requires a patient's record to be "flagged" so that inappropriate disclosure does not occur, EHR systems don't have the capability to segregate that data, making compliance with the rule especially tricky.

Robust user training and checklists to ensure exchanges are being used as planned are among ways organizations can mitigate the unintended effects of health data exchange, according to a paper published last month by the HIE Unintended Consequences Work Group in the Journal of General Internal Medicine.

To learn more:
- read the HealthcareInfoSecurity article

Related Articles:
Can patients cherry-pick health information to be exchanged?
Providers: Expect patients to start asserting their privacy rights
EHR users could have trouble with new HIPAA provision
How to mitigate unintended consequences of data exchange
Consumer groups step up pressure on HIE security