
ONC Trusted Exchange Common Agreement Framework Comments Page

From HL7Wiki
Revision as of 15:33, 22 August 2017 by Kathleenconnor (talk | contribs)


Comment Area 3 - Cooperation and Non-Discrimination

  • During discussions on the Comment areas for the Trusted Exchange and Common Agreement, several use cases were raised around what constitutes "information blocking" that impedes cooperation and non-discrimination. It would be helpful to have examples of what is and is not "information blocking" that covers the following use cases:
    • Information blocking by not sending information is one side of the coin. Would choosing to avoid receiving or retrieving information also be considered information blocking, for example to avoid data overload, to avoid finding out about previous services so that more recent or immediate test results can be obtained, or to bill for redundant services?
    • Would requiring opt-in consent for health information exchange for purposes of treatment, payment, or operations be considered information blocking because ONC considers this unnecessary?
    • Would permitting opt-out consent directives for health information exchange for purposes of treatment, payment, or operations be considered information blocking because ONC considers this unnecessary?
    • Would data segmentation based on organizational policy or patient consent directive, which is not otherwise required by state or federal privacy law, be considered information blocking?
    • Would an HIO or provider segmentation of what they or patients deem sensitive health information e.g., by means of storing it in a separate data store with more stringent access controls, be considered information blocking if not otherwise required by state or federal privacy law?

Comment Area 4: Security and Patient Safety

  • HL7 is concerned that privacy is not included in Comment Area 4: Exchange electronic health information securely and in a manner that promotes patient safety and ensures data integrity.
  • In past ONC work in this area, in particular in the Connecting Health and Care for the Nation: A Ten Year Vision to Achieve Interoperable Health IT Infrastructure paper, privacy was explicitly included:

  • Protect privacy and security in all aspects of interoperability. It is essential to maintain public trust that health information is safe and secure. To better establish and maintain that trust, we will strive to ensure that appropriate, strong, and effective safeguards for health information are in place as interoperability increases across the industry. We will also support greater transparency for individuals regarding the business practices of entities that use their data, particularly those that are not covered by the HIPAA Privacy and Security Rules.

Connecting Health and Care for the Nation: A Ten Year Vision to Achieve Interoperable Health IT Infrastructure at page 5.

  • Achieving a Trusted Exchange Common Agreement seems unlikely unless such an agreement addresses issues related to preserving the originating discloser's privacy policy governance over information about their patients as that information travels through various health information exchange nodes. In addition, policy guidance and technical mechanisms to support the persistence and enforcement of the originator's privacy policy need to be specified. HL7 Privacy, Provenance, and Security standards are being used to effectively ensure this capability in behavioral health HIEs, including the ONC-funded Colorado Regional Health Information Organization (CORHIO) and the Prince George’s County Health Department Consent2Share implementation. HL7 Security Labeling related standards are in the process of being implemented in the Veterans Administration. These should be leveraged by the Common Agreement.

Comment Areas 1 and 2: Standardization and Transparency

  • It is critical to:
    • Adhere to industry and federally recognized technical standards, policies, best practices, and procedures (Comment Area 1);
    • Conduct all exchange openly and transparently (Comment Area 2).
  • These comments are in reference to the ONC assessment that "some have established a single set of permitted purposes that apply across all data exchanges while others align the permitted purposes by use case."

Comment Summary

  • Trust issues related to both permitted purposes and participants are at the heart of any effort to establish a workable Trusted Exchange Common Agreement. Attempting to harmonize different HIE-specific sets of permitted purposes with different HIE-supported use case permitted purposes seems difficult at best, given state and organizational policy differences even with respect to HIPAA treatment, payment, and operations purposes of use. Attempting to do so without establishing mechanisms for conveying the permitted purposes and participants intended by the discloser will likely result in a lowest common denominator set of permitted purposes to be used in a homogenized set of use cases.
  • The missing policy issue in this equation is that organizations are accountable for their purpose of use and minimum necessary policies. The HIPAA Privacy Rules in this area were written for a world of bilateral exchange, perhaps mediated by a clearinghouse for payment transactions. HITECH changes to the HIPAA Privacy Rule began to address issues related to exchanges within HIEs and across a single eHealth Exchange Network. Unaddressed is the complexity of the evolving exchanges among HIEs with much different trust frameworks and exchange policies, linked together across multiple nodes with vastly different infrastructure and exchange paradigms. This complexity and its impact on open and transparent exchange must be adequately addressed by the ONC Trusted Framework Common Agreement if the result is to be confident, willing partners in this exchange. See The Regional ADT Exchange Network Infrastructure Models Brief, HIE Bright Spots: Health Information Exchange as a Key Enabler of Care Coordination – Part 1, and ONC HIE Bright Spots: How ADT Messages Support Care Coordination – Part II.

Considerations and Concerns: HIPAA Privacy Rule – Purpose of Use and Minimum Necessary

  • Under the HIPAA Privacy Rule, organizations must develop their own minimum necessary policies for internal access and purposes of use, and for externally disclosed permitted purposes. These rules continue to serve the spirit of HIPAA despite the changing landscape since HIPAA’s enactment, and deserve to be fully respected despite the complexity of enforcement caused by a somewhat erratic evolution of sharing and exchange paradigms. If anything, these rules may be the driver for rationalizing that evolution into a more cogent approach for complying with them. Describing how that might be accomplished is the objective of the following comments.

Disclosure under HIPAA Privacy Rule

  • While it is clear that a request or disclosure to a provider for the purpose of treatment is exempt from the HIPAA Privacy Rule provisions on purpose of use and minimum necessary, and that a disclosing covered entity may reasonably rely on another covered entity’s disclosure request for the purposes of payment and operations, there are salient parameters to reliance on the latter.
  • With respect to disclosure for the payment purpose of use, the definition of payment at § 164.501 does not include activities that would extend PHI sharing beyond payment activities related to a period of coverage, or an encounter under that coverage, in which both the provider and the payer were involved with the same patient. The minimum necessary requirements apply, and failing to meet them may result in liability for breach.
  • With respect to disclosure for the operations purpose of use, the discloser is accountable for ensuring both that the recipient has or had a relationship with the patient who is the subject of the information being considered for disclosure and that only the minimum necessary is being disclosed; failing to do so may result in liability for breach: "A covered entity may disclose protected health information to another covered entity for certain health care operation activities of the entity that receives the information if: Each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship." HHS Uses and Disclosures for Treatment, Payment, and Health Care Operations