ONC Trusted Exchange Common Agreement Framework Comments Page
- Links for ONC Trusted Exchange Common Agreement Kick Off
- 21st Century Cures Act Trusted Exchange Framework and Common Agreement Public Comment Submission site
- Comments due Aug. 25
Comment 1: Adhere to industry and federally recognized technical standards, policies, best practices, and procedures.
- This comment is in reference to the ONC Trusted Exchange Common Agreement Kick-off Meeting discussion about Permitted Purposes for Data Exchange and Permitted Participants. In particular, with respect to the ONC assessment that "Some have established a single set of permitted purposes that apply across all data exchanged, while others align the permitted purposes by use case."
Trust issues related to permitted purposes and participants are at the heart of any effort to establish a workable Trusted Exchange Common Agreement. Attempting to harmonize the different HIE-specific sets of permitted purposes with the different permitted purposes of the use cases each HIE supports seems difficult at best, given state and organizational policy differences even with respect to HIPAA treatment, payment, and operations purposes of use.
To attempt to do so without establishing mechanisms for conveying the permitted purposes and participants intended by the discloser will likely result in a lowest-common-denominator set of permitted purposes that could be used in a homogenized set of use cases.
The missing policy issue in this equation is that organizations are accountable for minimum use requirements. With respect to payment and operations purposes of use, the discloser is accountable for ensuring both that the recipient has or had a relationship with the patient who is the subject of the information being considered for disclosure, and that only the minimum necessary has been disclosed, and failing to do so may result in liability for breach.
Under the HIPAA Privacy Rule, organizations must develop their own minimum necessary policies for disclosure. In addition, "A covered entity may disclose protected health information to another covered entity for certain health care operation activities of the entity that receives the information if: Each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship." (HHS, Uses and Disclosures for Treatment, Payment, and Health Care Operations)
There are marked differences in how these organizations, in particular HIEs, determine whether the recipient has or had a relationship with the patient, and in the criteria used to determine that relationship, especially where patients are not afforded a choice about having their information sent to the HIE and are not given an opportunity to specify the relationships they have or have had with HIE participants. With respect to transparency under this regime, patients must request an accounting of disclosures to be made aware of the parties with which their information is shared, or choose to opt out of the exchange altogether, assuming they know that their information is being shared.
For example, the fact that a Visiting HIE has a patient home address in the zip code of another "home" HIE does not indicate that any covered entity in the home HIE actually has a relationship with the patient, yet this is a commonly used approach for determining the HIEs to which the patient's information should be pushed using HL7 Admission, Discharge, Transfer (ADT) messages to notify unknown end users about a patient's health status. Where there are multiple connected HIEs with different governance, a provider operating under an opt-in, treatment-only purpose of use may be very uncomfortable with the breadth of the multiple Beacon Community Data Use Agreement (DUA) provisions about permitted purposes and participants. In particular, the Beacon Community DUA indicates that any of the HIEs may be permitted to collect the patient's information for their "purpose of health care operations including quality assessment and improvement activities of the Covered Entities" and to share it with any intermediating HIE's participants based on vague notions of whether any of those participants has or had a relationship with the patient. (Improving Hospital Transitions and Care Coordination Using Automated Admission, Discharge and Transfer (ADT) Alerts, Appendix C: Beacon Sample Data Use Agreement, p. 52.)
One of the concerns raised by legal analysts of the 21st Century Cures Act is that disclosing providers may find themselves between a "rock and a hard place" by what seems to be a mandate to eliminate any barriers to universal access to patient records, whether through lowest-common-denominator rules for what counts as a permissible purpose or permissible participant, or through the notion of "information blocking":
- Information Blocking: The Cures Act also escalates existing tension between government initiatives intended to promote the efficient exchange of health information (such as the Meaningful Use program) and legal restrictions on disclosing PHI, including those proscribed by HIPAA. In most cases, HIPAA permits but does not require disclosures of PHI. In contrast, the Cures Act prohibits or restricts "information blocking" by providers, HIT developers, health information exchanges (HIEs) or networks. For healthcare providers, "information blocking" involves conduct known by the provider to be unreasonable and "likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."
- The Cures Act authorizes the Inspector General of the U.S. Department of Health and Human Services (OIG) to investigate and penalize providers, HIT developers, HIEs or networks for information blocking. Providers may be faced with choosing between (1) disclosing PHI with the risk of enforcement by OCR if the provider is viewed after the fact as having disclosed the PHI to the wrong recipient or without appropriately verifying the recipient's authority to receive the PHI and (2) declining to make a disclosure but being second-guessed as unreasonable with the risk of enforcement by the OIG. The Cures Act authorizes the OIG to refer providers found to have engaged in information blocking to the appropriate agency for "appropriate disincentives" and allows the OIG to "consult" with OCR regarding HIPAA to resolve an information blocking claim. In contrast, developers, exchanges and networks may face penalties of up to $1,000,000 per violation. Time will tell how this provision will be enforced. (21st Century Cures Act - HIPAA & Other Privacy Considerations)
Even where a sender can rely on the waiver of minimum necessary, the receiver remains accountable for limiting internal access and use to the minimum necessary for treatment, payment, and operations, as well as for other types of permitted purposes. It would be extremely difficult to align the different interpretations of what constitutes the minimum necessary with respect to any of these activities, given that the law puts the onus of accountability on both senders and receivers. Although HITECH instructed HHS to provide more guidance in this area, that guidance is still outstanding, as the NCVHS Subcommittee on Privacy, Confidentiality and Security has repeatedly pointed out.
To attempt to do so without establishing mechanisms for conveying the permitted purposes and participants intended by the discloser will likely result in a National Trusted Exchange Common Agreement with a lowest-common-denominator set of permitted purposes that could be used in a homogenized set of use cases, which will likely not be well received by privacy-protective patients and covered entities.
It would be best if permitted purposes were determined by the applicable jurisdictional, organizational, and patient consent policies, as the basis for determining which purposes apply to a given exchange. If the HIE limits disclosure to participants based on their permitted purposes for collection, access, use or re-disclosure by policy, then there would be more uniform sets of purposes permitted by participant type and by supported use cases.
This approach would make permitted purpose policy bridging possible, but only if a standardized interoperable set of "purpose of use" codes from the HL7 Privacy and Security Classification System (HCS) is adopted.
The use of simple privacy tagging to inform downstream users about the minimum necessary and purpose of use requirements with which a discloser intends them to comply has been demonstrated repeatedly by ONC, SAMHSA, VA, and HL7.
All of the HL7 product families either already leverage, or could readily leverage, these codes as privacy tags in their respective "security label" syntax. Security labels conveying confidentiality, purpose of use, the HIPAA minimum necessary obligations, and prohibitions on redisclosure without consent (in particular where a patient has not opted in to a downstream HIE's "opt-out" scheme) would assure disclosers that downstream end users are informed about the sharing agreement under which they received this information, and would provide at least some liability relief to the disclosers for operating under the minimum necessary policies they have adopted for different permitted purposes and participants.
For an ADT message, these privacy tags are simply codes in the MSH Security element, which should be easily read by any HIE's access control system to indicate the permissible purposes and participants. For C-CDA, the Data Segmentation for Privacy Implementation Guide provides the means for assigning these privacy tags at the header or at a granular level. FHIR Resources have had security labels from the beginning and can carry privacy tags at a granular level or as a high water mark in a bundle.
Given that the technology is readily available, there is no need to devolve to the lowest common denominator. Protected sharing is possible at the highest common denominator. The impact to HIEs is that they would need to evaluate the permissible purposes and participants with which they are allowed to share this information based on the privacy tags. If this isn't possible, then upstream HIEs may refuse to enter into DUAs with them based on their requirement to comply with their participants' minimum use policies. Or, these HIEs may face "information blocking" charges for failing to align with the lowest common denominator.
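The following is an added example, not code from this comment page or from HL7, of the evaluation an HIE's access control would perform on the privacy tags described above before releasing a FHIR bundle (or an ADT message) to a downstream participant. The confidentiality, purpose-of-use, obligation and refrain codes follow the HL7 v3 code systems as the author understands them (v3-Confidentiality U through V, v3-ActReason purpose-of-use codes such as TREAT, HOPERAT and HPAYMT, and v3-ActCode MINEC for minimum necessary and NORDSCLCD for no redisclosure without a consent directive). The participant policy records, the bundle, the MSH segment and the assumption that MSH-8 carries "~"-separated codes are all constructed for this example.

```python
"""Evaluating HL7 security labels (privacy tags) before an HIE releases data.

Added example, not code from the ONC comment page or from HL7.  Code system
URIs and codes follow the HL7 v3 terminology as the author understands it;
the participant policy structure, the MSH-8 encoding and all sample data are
constructed for illustration.
"""
import copy

CONF_SYS = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
POU_SYS = "http://terminology.hl7.org/CodeSystem/v3-ActReason"   # purpose of use
ACT_SYS = "http://terminology.hl7.org/CodeSystem/v3-ActCode"      # obligations / refrains

# Ordering of confidentiality codes: a higher rank is more sensitive.
CONF_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


def label_codes(resource, system):
    """Codes from one code system in resource.meta.security (empty set if none)."""
    return {c["code"] for c in resource.get("meta", {}).get("security", [])
            if c.get("system") == system}


def entry_confidentiality(bundle, entry):
    """An entry keeps its own granular tag (DS4P style) or inherits the bundle's."""
    codes = label_codes(entry["resource"], CONF_SYS) or label_codes(bundle, CONF_SYS)
    return max(codes, key=CONF_RANK.__getitem__, default="N")


def high_water_mark(bundle):
    """Most sensitive confidentiality code anywhere in the bundle."""
    codes = label_codes(bundle, CONF_SYS) | {
        entry_confidentiality(bundle, e) for e in bundle.get("entry", [])}
    return max(codes, key=CONF_RANK.__getitem__, default="N")


def release_decision(bundle, recipient):
    """Decide what a recipient may receive, based only on the discloser's tags.

    recipient is a constructed policy record describing what the participant's
    DUA permits: purposes of use, the highest confidentiality it is cleared for,
    and the handling codes (obligations/refrains) it has committed to honour.
    Returns {"decision": "permit" | "permit-segmented" | "deny", ...}.
    """
    reasons = []
    pou = label_codes(bundle, POU_SYS)
    if pou and not pou & recipient["permitted_purposes"]:
        reasons.append(f"purpose of use {sorted(pou)} is outside the recipient's permitted purposes")
    unmet = label_codes(bundle, ACT_SYS) - recipient["honours_handling"]
    if unmet:
        reasons.append(f"recipient has not committed to handling codes {sorted(unmet)}")
    if reasons:
        return {"decision": "deny", "reasons": reasons}
    # Confidentiality: drop entries above the recipient's clearance (granular
    # segmentation, i.e. minimum necessary) rather than refusing the whole bundle.
    clearance = CONF_RANK[recipient["max_confidentiality"]]
    entries = bundle.get("entry", [])
    kept = [e for e in entries if CONF_RANK[entry_confidentiality(bundle, e)] <= clearance]
    if len(kept) == len(entries):
        return {"decision": "permit", "bundle": bundle}
    released = copy.deepcopy(bundle)
    released["entry"] = kept
    return {"decision": "permit-segmented", "bundle": released}


def msh_security_codes(msh_segment):
    """Privacy tags carried in MSH-8 (Security) of an HL7 v2 message.

    Assumed encoding for this example: codes separated by the repetition
    separator '~'.  MSH-1 is the field separator itself, so after splitting on
    '|' field MSH-n sits at index n-1.
    """
    fields = msh_segment.split("|")
    return set(filter(None, fields[7].split("~"))) if len(fields) > 7 else set()


# Constructed sample: disclosed for treatment only, bundle marked N, one entry
# carrying a granular R tag, with MINEC and NORDSCLCD handling requirements.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "meta": {"security": [
        {"system": CONF_SYS, "code": "N"}, {"system": POU_SYS, "code": "TREAT"},
        {"system": ACT_SYS, "code": "MINEC"}, {"system": ACT_SYS, "code": "NORDSCLCD"}]},
    "entry": [
        {"resource": {"resourceType": "Observation", "id": "obs-1",
                      "meta": {"security": [{"system": CONF_SYS, "code": "R"}]}}},
        {"resource": {"resourceType": "Encounter", "id": "enc-1"}}]}

# Constructed participant policies (hypothetical names).
RECIPIENTS = {
    "treating_clinic": {"permitted_purposes": {"TREAT"}, "max_confidentiality": "R",
                        "honours_handling": {"MINEC", "NORDSCLCD"}},
    "home_hie_opt_out": {"permitted_purposes": {"TREAT", "HOPERAT"}, "max_confidentiality": "N",
                         "honours_handling": {"MINEC"}},      # will not honour NORDSCLCD
    "coordination_network": {"permitted_purposes": {"TREAT"}, "max_confidentiality": "N",
                             "honours_handling": {"MINEC", "NORDSCLCD"}},
}

# Constructed ADT^A01 MSH segment with TREAT and N in MSH-8.
SAMPLE_MSH = "MSH|^~\\&|VISITHIE|FAC1|HOMEHIE|FAC2|20170801120000|TREAT~N|ADT^A01|MSG0001|P|2.5.1"

if __name__ == "__main__":
    for name, policy in RECIPIENTS.items():
        print(name, release_decision(SAMPLE_BUNDLE, policy)["decision"])
    print("MSH-8 codes:", sorted(msh_security_codes(SAMPLE_MSH)))
```

Run as a script, the three constructed recipients produce "permit" (the treating clinic is cleared for R and honours both handling codes), "deny" (the opt-out HIE has not committed to the no-redisclosure-without-consent refrain, which is exactly the downstream situation the comment warns about) and "permit-segmented" (the coordination network receives only the N-marked encounter, the R-marked observation being withheld as not minimum necessary for its clearance). The decision is driven entirely by the discloser's tags and the recipient's DUA commitments, so the discloser's minimum necessary policy travels with the data instead of being renegotiated per HIE.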