The federal Office of the National Coordinator (ONC) for healthcare IT receives advice from two committees: the HIT Policy Committee and the HIT Standards Committee. The Policy Committee has been developing a policy framework for development of a nationwide health IT infrastructure, including standards for the exchange of patient medical information. They have already made finalized recommendations to the ONC for defining Meaningful Use.
In their September 18, 2009, meeting, the HIT Policy Committee focused their attention on privacy and security, declaring these to be “foundational requirements for appropriate management and exchange of individuals’ health data.” The committee sought testimony and comments in four broad categories: (1) individual choice/control and data segmentation; (2) use, disclosure, secondary use, and data stewardship; (3) aggregate data use, de-identification/re-identification, and models for data storage; and (4) transparency, accountability and audit.
The overview that was presented reviewed how ARRA “changes the game,” extending privacy and security beyond what was previously covered by HIPAA. Custodians of personal health information (PHI), such as EHR vendors, or anyone involved in the collection and transmission of PHI, need a Business Associate (BA) agreement. Breach notification requirements now extend beyond EHRs, and include PHR vendors (which were not included under HIPAA previously). One principle highlighted was that an individual has the right to restrict disclosure of PHI, and to limit the use and request for PHI to the “minimum necessary” information for the purposes intended. This applies mainly to health plans and other third-party payors, restricting PHI disclosure to only what is needed for bill payment.
Testimony on the question of privacy showed consensus around individual control of one’s own PHI, rather than any rules that would govern all health care consumers in a one-size-fits-all fashion. At the same time, the Coalition for Patient Privacy recognizes that (1) most HIT systems today do not have patient privacy and control over access to PHI “wired in up-front”; (2) time will thus be needed to transition the technology; and (3) working together with industry and government to assure meaningful and comprehensive privacy protection in EHR systems is the best way to achieve progress and reap the benefits envisioned.
How does the issue of privacy apply to Practice Fusion’s cloud-based EHR, especially as we build our chart-sharing capabilities? Unlike legacy systems that were designed and built prior to the emergence of national health IT policy, Practice Fusion addresses the question of privacy and permission as part of its “up-front wiring.” The model is patterned on traditional workflows in paper-based physician offices, where a physician who refers a patient to another physician sends relevant clinical information (usually by fax) to the consultant. The Practice Fusion model would document patient permission and expose the physician’s clinical chart to the consultant so that the same chart can be shared by both physicians. This is a dramatic step forward from past technology – the achievement of “one patient, one chart” will have a very significant impact on coordination of care between practitioners. Individual patient permission is central to this technology, and the creation of a “permissions rules engine” represents the next step in the evolution of EHRs. It may well turn out that shared, web-based technologies like Practice Fusion’s cloud-based EHR will achieve exactly the kind of protected, privacy-assured health data exchange platform that is envisioned by the HIT policy process.
Robert Rowley, MD – Chief Medical Officer, Practice Fusion, Inc.
2 comments:
Robert,
I am very interested in the "permissions rule engine". Based on my background in web application access control a few thoughts come to mind:
1. Can the patient define permissions on their health record? Maybe she does not want her gynecology lab results visible by her ophthalmologist?
2. Does an IT admin maintaining the EHR system have visibility into patient health records? By his job definition he has superuser rights to the database to keep it going, but how do we prevent him from viewing confidential patient data?
3. Granularity of access: The pharmacist can view John's name and address for prescription verification but can he view the diagnosis?
regards...
You raise some interesting points. Briefly:
1. The permissions rules engine will continue to evolve in its sophistication, and allow for fairly detailed granularity. We will comment on this with more detail in upcoming blog pieces – stay tuned.
2. The security and privacy built in to the Practice Fusion system does not allow IT staff to look at PHI. We have in place layers of audit and security that protect against this, and we keep track of an audit log that shows who has opened which patient’s record.
3. Pharmacy does not share in an EHR. They receive prescriptions (paper or electronic), which (from a data standpoint) are the minimally-necessary exports of packets of information needed for the legal filling of a prescription.