The “information blocking” regulations and the Trusted Exchange Framework and Common Agreement (TEFCA) expand the possibilities for individuals to access their electronic health information directly through health information exchanges (HIEs). But as HIEs and large national networks prepare for individual access, they are asking how to ensure that they accurately match individuals with their health information, and how to reduce their potential liability under the HIPAA regulations if they return an inaccurate match.
In a July 20 letter to the Office for Civil Rights (OCR) in the Department of Health & Human Services, five leading interoperability groups argue that certain interpretations of the HIPAA breach notification rules create barriers to interoperability and to the sharing of electronic protected health information (ePHI) with individuals.
Executives from CARIN Alliance, DirectTrust, Commonwell Health Alliance, eHealth Exchange and Civitas Networks for Health requested a meeting with OCR staff to discuss ways to address this issue. “We would like to strongly emphasize that if OCR does not provide formal guidance or enforcement discretion on this issue, there will be significant adverse consequences for achieving nationwide interoperability and patient access,” they wrote.
As explained in the letter, HIEs primarily share information for treatment purposes, or facilitate such disclosures. Most HIE treatment disclosures are made in response to queries, and matching the information to the correct patient is done by attempting to match demographic variables such as full name, address, full date of birth, phone number and, in some cases, the last four digits of a Social Security number, using a variety of deterministic and probabilistic matching algorithms.
“In speaking with major national HIE networks, we’ve learned that these networks typically return a patient’s records only in response to a treatment request, and if the query does not contain enough data to produce an unequivocal match, no records are returned. TEFCA standards also dictate that only unambiguous matches are returned. Despite efforts to ensure that only the correct medical records are returned in response to a given request, there is a possibility that the incorrect medical records will be sent. In such a case, HIEs and participants in existing large networks rely on the following exception to the HIPAA definition of breach: “Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under [the Privacy Rule].”
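The gate the letter describes, in which a query is answered only when the demographic evidence points to exactly one record and nothing is returned otherwise, can be made concrete. The following is an added illustrative example and is not code from the letter, from any HIE network, or from TEFCA; the field weights, the score threshold, the separation margin, the purpose-based minimum number of supplied fields (stricter for individual-access queries, as the letter says networks are attempting), and the sample records are all constructed assumptions chosen to show the behaviour, not any network’s actual parameters.

```python
"""Illustrative patient-matching gate: return a record only on an unambiguous match.

Added example; the weights, thresholds, purpose policy and records below are
assumptions made for the demonstration, not parameters of any real network.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Demographics:
    full_name: str
    dob: str             # ISO date, YYYY-MM-DD
    address: str = ""
    phone: str = ""
    ssn_last4: str = ""


# Constructed, fictional records: two near-duplicates plus one unrelated person.
RECORDS: Dict[str, Demographics] = {
    "mrn-001": Demographics("Maria Gonzalez", "1980-04-12", "12 Elm St, Springfield", "555-0101", "1234"),
    "mrn-002": Demographics("Maria Gonzales", "1980-04-12", "12 Elm Street, Springfield", "555-0101", "5678"),
    "mrn-003": Demographics("John Smith", "1975-09-30", "9 Oak Ave, Shelbyville", "555-0199", ""),
}

# Assumed evidence weights per field; a mismatch on a supplied field counts
# against the record by the same weight (conflicting evidence is not ignored).
FIELD_WEIGHTS = {"full_name": 3.0, "dob": 3.0, "address": 2.0, "phone": 2.0, "ssn_last4": 3.0}
MIN_SCORE = 6.0      # assumed: best candidate must carry at least this much support
MARGIN = 3.0         # assumed: best must beat the runner-up by at least this much
# Assumed policy: individual-access (non-HIPAA app) queries must supply more fields.
MIN_FIELDS = {"treatment": 3, "individual_access": 4}


def normalize(field: str, value: str) -> str:
    """Canonicalise a field so trivial formatting differences do not defeat a match."""
    v = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    v = v.lower().strip()
    if field in ("phone", "ssn_last4"):
        return re.sub(r"\D", "", v)            # digits only
    v = re.sub(r"[^\w\s]", " ", v)             # drop punctuation
    v = re.sub(r"\s+", " ", v).strip()
    if field == "address":                     # a couple of common street-type aliases
        v = re.sub(r"\bstreet\b", "st", v)
        v = re.sub(r"\bavenue\b", "ave", v)
    return v


def score(query: Dict[str, str], rec: Demographics) -> float:
    """Weighted agreement/disagreement over the fields present in both query and record."""
    s = 0.0
    for field, w in FIELD_WEIGHTS.items():
        q, r = query.get(field), getattr(rec, field)
        if not q or not r:
            continue                           # absent evidence neither helps nor hurts
        s += w if normalize(field, q) == normalize(field, r) else -w
    return s


def match_patient(query: Dict[str, str], purpose: str = "treatment") -> Tuple[Optional[str], str]:
    """Return (record id, reason). The id is None unless exactly one record clearly wins."""
    supplied = [f for f in FIELD_WEIGHTS if query.get(f)]
    if len(supplied) < MIN_FIELDS[purpose]:
        return None, "insufficient_fields"
    ranked = sorted(((score(query, r), mrn) for mrn, r in RECORDS.items()), reverse=True)
    best_score, best_mrn = ranked[0]
    second_score = ranked[1][0] if len(ranked) > 1 else float("-inf")
    if best_score < MIN_SCORE:
        return None, "below_threshold"
    if best_score - second_score < MARGIN:
        return None, "ambiguous"               # two records fit; release nothing
    return best_mrn, "matched"


if __name__ == "__main__":
    # Treatment query with three fields: the spelling of the surname separates the twins.
    print(match_patient({"full_name": "Maria Gonzalez", "dob": "1980-04-12", "phone": "(555) 0101"}))
    # Same DOB/phone/address fit both Gonzalez and Gonzales equally: no records returned.
    print(match_patient({"dob": "1980-04-12", "phone": "555-0101", "address": "12 Elm St Springfield"}))
    # Individual-access query with only three fields is refused under the stricter policy.
    print(match_patient({"full_name": "Maria Gonzalez", "dob": "1980-04-12", "phone": "555-0101"}, "individual_access"))
```

The reason string is the part a practitioner would actually log: an HIE that declines to answer can later show that it did so because the query was ambiguous or under-specified, which is the good-faith record the exception in the letter turns on. Note that the purpose-based field count is a stand-in for the "higher threshold" the letter says networks are improvising; the point of the example is that such a threshold is a policy knob separate from the match scoring itself.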
The exception has been an important element of the regulatory framework, the letter explains, because it addresses the potential liability of covered entities and their business associates for good-faith disclosures of PHI under circumstances beyond their control, and as such it was essential to the establishment of national exchange networks for treatment purposes.
Like the treatment use case, the organizations say, the exception is just as important to the future success and acceptance of individual access services. It reflects the reality that 100% match accuracy is difficult to achieve, despite ongoing efforts by ONC and the industry to improve match accuracy. “However, it is not as clear that the HIPAA breach notification rules support the responsible sharing of digital health information by HIEs when patients choose apps or services that are not covered by HIPAA. If a non-HIPAA app offering individual access services queries an HIE or national individual access network using some of the same demographic data fields, the return of records is not subject to a clear exception from breach liability. As a result, and based on discussions with national networks, we have been informed that the networks are attempting to set an even higher threshold for associating a query with a unique patient in terms of the number of demographic data fields and the source of those data fields, a threshold for which there is no standard definition and which may be difficult to operationalize. The threat of potential penalties in the event of a breach, and the need to notify individuals and HHS (on an annual basis), is a barrier to HIEs and TEFCA facilitating individual access using the same infrastructure used today to support treatment requests.”
Given the 21st Century Cures Act initiatives supporting expanded data access for patients through their chosen application, the organizations suggest that further guidance from OCR to address this matching issue would be welcome.
Speaking on Twitter, CARIN Alliance’s Ryan Howells stated: “This is a proposal on how we might reasonably implement patient access as a *necessary* response in a voluntary network while trying to protect patient rights/privacy and the legal risk to health systems/payers who have made a good faith effort.”
Also on Twitter, Brandon Keeler, a senior product manager at startup Zus Health and previously a product manager at Redox and Epic, said he disagreed with the gist of the letter. “The continual loss of trust in the networks is being accelerated by letting in providers with poor matching. The right approach is to push shared patient data further as the next big step in patient query,” he wrote. “I’m not opposed to loosening things up here through OCR (clearly in favor), but probably after setting a bar on the quality of matching algorithms, introducing consumer credentials and making sure there’s reciprocity for the existing use case.”
Kristen Valdes, Founder and CEO of b.well Connected Health and board member of the CARIN Alliance, responded on Twitter by saying, “We need to start moving away from unique credentials (or portal tethering). If we want successful access to and use of data, we can no longer ask consumers to log in to the 70 or so places where their data resides. One identity standard – federated – is the way forward.”
The organizations copied both ONC and the Sequoia Project on the letter because, they said, addressing this issue is essential to using TEFCA to enable nationwide individual access services: TEFCA applies the applicable HIPAA privacy and security requirements to all participants, whether or not they are covered entities or business associates.