A standard to address the legal and technical complexities of electronically exchanging behavioral health data has gained some traction with its inclusion in the 2015 Edition Health IT Certification Criteria final rule released last month. However, critics say the Data Segmentation for Privacy (DS4P) standard is not ready for prime time.
Behavioral health data requires additional protections beyond HIPAA, including adherence to federal law 42 CFR Part 2, which limits disclosure of identifiable information by a federally-assisted substance abuse treatment program to any entity, even for treatment, without signed consent from the patient, with limited exceptions. It also restricts re-disclosure of data by the receiving entity for any purpose without consent.
DS4P seeks to overcome barriers to secure electronic exchange of behavioral health data by applying a set of metadata and encryption onto a clinical document, enabling a provider to send it to a receiving system with technology to recognize the data is from a behavioral health or substance abuse program and to segregate it.
But, John Halamka, M.D., chief information officer of Boston’s Beth Israel Deaconess Medical Center and co-chair of the Health IT Standards Committee, argues that the DS4P send and receive technology is not mature enough to be included in the 2015 Edition Health IT Certification Criteria final rule.
“The Health IT Standards Committee has recommended that no standard ever be included in regulations until it has a level of maturity, adoption, and validation in the real world,” says Halamka. “We said ‘do not include DS4P because it doesn’t meet any of those criteria.’”
Halamka appreciates that the Office of the National Coordinator for Health IT and the Substance Abuse and Mental Health Services Administration have specific policy goals that require certain functions provided by DS4P. However, he argues that “the only problem is that the technology doesn’t exist” yet to fully enable those capabilities. He also criticizes SAMHSA’s recent DS4P pilot programs for being “not real world, not scaled” and merely “early demonstrations of concepts.”
Likewise, the Health IT Policy Committee’s Privacy and Security Workgroup earlier this year reported to the federal advisory body that it had some concerns with DS4P, including:
* Limitations of document level sequestration, with a read-only capability (information cannot be consumed/integrated in the EHR, including decision support software);
* Uncertainty about the extent to which the DS4P technology would enable compliance with 42 CFR Part 2 requirements after receipt of the segmented document;
* Policy uncertainties about whether a provider can manually enter similar data received directly from a patient, and whether that data, if subject to Part 2, would then be protected against subsequent re-disclosure without authorization (and the paradox of regulating this information differently based on its source);
* Uncertainty about whether DS4P is appropriate to enable compliance with other sensitive data laws that may not include prohibitions on re-disclosure; and
* Discomfort among providers about “swiss cheese” electronic health records (records that are incomplete when patients withhold information) in a digital environment where there are greater expectations for the completeness of EHRs.
“We agree as a workgroup that the proposed criteria are a good initial step,” said Deven McGraw, then-chair of the workgroup, who is now deputy director for health information privacy in the HHS Office for Civil Rights. “We also think that this type of technology should certainly be available to those who seek to implement it. But, we are not sure that the criteria are necessarily ready for certification.”
In the end, the Privacy and Security Workgroup deferred to the Standards Committee to determine whether DS4P send/receive technology was mature enough to be included in the 2015 Edition rule, to which Halamka says his committee answered with a resounding no—advice that was apparently not taken by ONC.
Although the 2015 Edition establishes capabilities and related standards and implementation specifications that certified EHR technology would need to support the achievement of Meaningful Use by providers, Halamka says what is unusual about ONC’s final rule is that it “includes many things unrelated to certification for Meaningful Use” such as DS4P. Consequently, many vendors are unlikely to implement it.
“It has nothing to do with Meaningful Use. There’s not a single provision in the CMS final rule that requires this construct,” concludes Halamka. “But, at the same time, because it’s in the ONC rule I just know some customer is nonetheless going to demand that their vendor implement some standards that are not ready for prime time.”
ONC and SAMHSA officials were not immediately available for comment.