3 specific areas of data sharing to clarify and consider in 2023
While interoperability is a main focus for ONC this year, there are still areas that demonstrate the truism that the devil is in the details.
While no one argues that we still have work to do, the 21st Century Cures Act, the Trusted Exchange Framework and Common Agreement (TEFCA) and multiple other initiatives now serve as foundations and catalysts for the advancement of interoperability. As real strides are being made, this is an important aspect of my role on the board of directors for The Sequoia Project.
In December, The Sequoia Project released the final version of the “Data Usability Implementation Guide” created by its Interoperability Matters Data Usability workgroup. This guide improves the ability for patient data to flow so it’s more usable by clinicians as they treat patients. It also removes gaps in the continuum of care, enables data tagging for searchability and helps reduce duplicate records — all foundational components for effective and accurate interoperability.
And while healthcare industry stakeholders will certainly benefit from advancements in data sharing, so will patients.
The move to greater interoperability places more power over health data management into the hands of patients. This includes enabling them to opt out of sharing specific segments of data. This nuance of the interoperability rules shines a new light on the need for better data privacy, control, quality and management in healthcare overall. We must define EHI and properly segment patient data to fully protect patients amid expanded data sharing and exchange.
Here are three specific areas of data segmentation to clarify and consider in the year ahead, with an eye on balancing interoperability with patient privacy.
Substance abuse data definitions and sharing
On one hand, the proposed changes in substance abuse data sharing gives enhanced information exchange by allowing a one-time permission to be granted by the patient for their data to be shared. However, substance abuse data-sharing rules currently fall under HIPAA. This, in effect, offsets the interoperability of the new rule.
Additionally, some definitions of terms within the two rules do not match. This is an important issue that needs to be rectified. For example, the definition of “patient representative” in the old rule is a patient representative that can be an actual person or a company. In the new rule, the representative must be an actual person. Under the new rule, if the representative is a company, that entity may not be covered by HIPAA, and that can be a major privacy concern.
More work must be done to harmonize the two rules and eliminate any potential cause for confusion.
Reproductive health data protections
There are many issues around this topic. One, “reproductive health data” is not defined by most of the new rules and laws being enacted. Two, this type of data is threaded throughout a patient’s health record, making it nearly impossible to pull out and segment.
A possible workaround is to call out reproductive health data as a specific data point within a record for which the patient must specifically grant permission for release. The challenge is how to redact reproductive health data, because this issue must be decided on a state-by-state, or even facility-by-facility basis.
Prior authorization changes
On the surface, the proposed changes to prior authorization should streamline the process, thus relieving patient frustrations in trying to receive care. However, from a privacy perspective, the use of APIs in this process could be a problem.
If a patient grants access to an API without fully understanding how that information will be used by the API developer (for example, sold, used in marketing efforts or in other ways), that data could be compromised. This is especially concerning if the API is not governed by HIPAA. The Federal Trade Commission is supposed to have governance in this arena, but it has never been given full authority to enforce penalties. Future HIPAA changes should address this loophole in prior authorization rules.
Even with the progress in interoperability efforts, in many ways it seems that we’ve still just scratched the surface. This is an exciting time to be in health IT, privacy and health information management. Professionals across all three disciplines have a unique opportunity to work together for the common good — ubiquitous data sharing and exchange alongside patient privacy protections.
As Micky Tripathi, national coordinator for health IT, mentioned during his interview with editor Bazzoli, “It is real work to share information; it’s complex.” But Tripathi also pushes industry stakeholders to make interoperability a priority in 2023. “It’s now a standard of care, and what we are going to do.”
Rita Bowen is vice president of privacy and compliance and HIM policy for MRO She has more than 40 years of experience in Health Information Management, holding a variety of HIM director and consulting roles. She currently sits on The Sequoia Project Board of Directors and is an active member of the American Health Information Management Association (AHIMA).