To address legal and technical complexities of electronically exchanging behavioral health data, the Health IT Policy Committees Privacy and Security Workgroup believes an emerging standard called Data Segmentation for Privacy (DS4P) has value.
The workgroup, however, is not sure whether the standard is mature enough to be included in the 2015 certification criteria for electronic health records, as proposed in a new rule from the Office of the National Coordinator for HIT.
The workgroup, chaired by Deven McGraw, partner in the healthcare practice of Washington, D.C. law firm Manatt, Phelps & Phillips, made the recommendation during last weeks HIT Policy Committee meeting.
We agree as a workgroup that the proposed criteria are a good initial step, said McGraw. We also think that this type of technology should certainly be available to those who seek to implement it. But, we are not sure that the criteria are necessarily ready for certification.
As a result, the Privacy and Security Workgroup is asking the HIT Standards Committee to determine whether DS4P send/receive standards are mature enough to be included in the voluntary 2015 certification program.
DS4P applies a set of metadata and encryption onto a clinical document, enabling a provider to send it to a receiving system with compatible technology to recognize that the data is from a behavioral health or substance abuse program and to segregate it. Behavioral health data requires additional protections beyond HIPAA, including adherence to 42 CFR Part 2, a portion of federal law that limits the disclosure of identifiable information by a federally-assisted substance abuse treatment program to any entity, even for treatment, without signed consent from the patient to authorize the disclosure, with limited exceptions. It also restricts the re-disclosure of that data by the receiving entity for any purpose without consent.
While McGraw agreed that the electronic exchange of sensitive information is critically important for the future of health IT and DS4P send-receive lays an initial foundation for enabling those data flows, she said that in evaluating the proposed DS4P criteria for the next phase of certification the workgroup had some concerns:
*The limitations of document level sequestration, with a read-only capability (information cannot be consumed/interdigitated in the EHR, including decision support software);
*Uncertainty about the extent to which the DS4P technology would enable compliance with Part 2 requirements after receipt of the segmented document;
*Policy uncertainties about whether a provider can manually enter similar data received directly from a patient, and whether that data, if subject to Part 2, would then be protected by DS4P Receive against subsequent re-disclosure without authorization (and the paradox of regulating this information differently based on its source);
*Uncertainty regarding whether DS4P Send and Receive is appropriate to enable compliance with other sensitive data laws that may not include prohibitions on re-disclosure; and
*Discomfort among providers about swiss cheese electronic medical records (records that are incomplete when patients withhold information) in a digital environment where there are greater expectations for the completeness of electronic medical records.
The technology is a good step forward but it doesnt necessarily get you completely over the goal line, concluded McGraw.
On May 22, the Health IT Policy committee will hold a virtual meeting to hear final comments on the proposed certification rule, at which time the committee will vote on the recommendations.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access