ADVERTISEMENT
Projects aim to segment data for privacy
Because people with behavioral health diagnoses have higher rates of other medical conditions, better integration of primary and behavioral healthcare has become a priority for federal agencies and provider organizations.
However, the necessary patient consent protocols for information sharing and the associated technology infrastructure are two issues seriously hampering the flow of patient records between behavioral and other medical providers. Progress has been slow.
Information exchange
Despite the billions spent on the establishment of regional and statewide health information exchanges (HIEs) over the past dozen years or so, few organizations that provide substance use treatment are participating in HIEs. Even for those with EHR systems, the hesitation to exchange patient data with other providers is largely due to concern about federal privacy laws.
The basic problem is that federal confidentiality regulations drafted in the early 1970s—commonly referred to as 42 CFR Part 2—state that without written authorization from the patient, clinicians cannot access patients’ substance use history and treatment regimens, except in cases of emergency. The regulation’s prohibition on unauthorized redisclosure has been a challenge for provider-to-provider information exchanges.
Rather than wholesale data flow in big batches, tight controls at the individual patient level are needed to make sure the patient’s consent travels with the data to control access. Further complicating matters, some state regulations conflict with federal regulations or pose even more stringent guidelines about protecting sensitive health information.
Progress is possible, though. At the state level, some HIEs are making small steps toward exchange within the framework of existing regulations.
For instance, the HIE in Maine recently started connecting with behavioral providers. One public provider with residential and community services for mental health is now sharing patient registration information, diagnoses, patient demographics, allergies and medications in the HIE. Per Maine law, information is only shared if the patient “opts in” or access is needed to respond to a medical emergency.
In Arizona, the Behavioral Health Information Network of Arizona (BHINAZ)—itself an HIE with seven behavioral organizations participating—is working with the existing statewide HIE used by physical health providers to advance the long-term goal of bidirectional exchange between them. But working through the consent issues has been a daunting task, according to organization officials. Teams have spent 18 months doing legal and technical work on consent.
Federal projects
At the federal level, the Office of the National Coordinator for Health IT (ONC) and SAMHSA have renewed efforts to pilot technology solutions that would allow patients to segment their data in online consent forms. ONC’s Data Segmentation for Privacy (DS4P) initiative, based on a new HL7 standard, developed guidelines for enabling data segmentation and management of patient consent preferences. In 2013, ONC funded six pilot projects that sought to develop data models and workflows that support centralized storage and retrieval of patient consent directives from a repository consistent with the DS4P guidelines, and more projects using the segmentation are in the works through SAMHSA.
In 2014, the health department of Prince Georges County, Md., worked with SAMHSA to develop an open source tool called Consent2Share (C2S), which is based on DS4P and allows patients of multiple providers to create consent directives specifying who is authorized to access their data. Kate Wetherby, a public health advisor to SAMHSA, says the five-month pilot with Prince Georges County was successful in establishing an electronic workflow for consent involving the HIE.
“When a patient goes into Consent2Share, they actually select each provider they want to share information with, and what information they want to share with that provider,” she says.
The software also lets patients choose information they do not want to share, such as alcohol use, drug use, HIV, psychiatric notes, genetic testing or STDs. The patient can then see what the document will look like and secure it with an electronic signature.
“The patient also has the capability to create a new consent form and revoke the older one anytime they want,” Wetherby says.
More challenging than the technology infrastructure is the process of making sure consent activities fit in clinician workflows. Prince Georges County created a process so that as soon as the patient comes in, the provider asks about sharing data.
“We needed to explain to patients why this is important, where the information is going and who is going to use it,” she says.
Once the pilot was completed, Prince Georges County continued to expand its use of C2S. The county’s deputy health officer, doesn’t have a background in substance use treatment but saw the need for integrating such data and championed the effort.
“The county still has work to do to expand it, but given the short time frame, they have been very successful,” Wetherby says. “The providers like it, and they have had good feedback from stakeholders.”
The pilot project proves that data sharing can be done, she says.
Although most HIEs will continue to struggle with managing consent for sharing sensitive data, Laura Rosas, lead public health advisor with SAMHSA, says the problem is not just with HIEs or the technology.
“There are a lot of misconceptions around HIPAA and confusion around rules for how to handle information,” Rosas says.
OTP exchange
This year SAMHSA is also launching a data-sharing pilot project involving opioid treatment programs (OTP) and patient service continuity. In the past, during a disruption of normal service, some clients being treated for opioid dependence were unable to obtain their medications.
For example, about 1,000 OTP patients couldn’t get access to treatment in the aftermath of hurricane Katrina in 2005 in the Gulf states. Since then, SAMHSA has developed the Service Continuity Pilot (SCP) project as a component of SAMHSA’s Health Information Technology strategic initiative. SCP will help continue service for patients by allowing the exchange of dosing information to be shared among OTPs through HIEs. In addition, the pilot will incorporate the DS4P standards. On May 1, 2015, SAMHSA launched the SCP with a HIE based in South Bend, Ind., which will share results this Fall.
“Because dosing with methadone can be fatal, it is important to get the dose correct,” Rosas says. “We are pilot testing two OTPs that are connecting to an HIE in a way that is 42 CFR Part 2-compliant, to see if we can send the information from one OTP to an HIE and have the other OTP access that information directly.”
Lucia Savage, ONC’s chief privacy officer, acknowledges that sifting out data for privacy protection is a complicated task, but one that her office will continue to address.
“We want to make sure that what we are doing is accomplishing two things: one is improving health outcomes for our most vulnerable population; and the other is to ensure that in doing so we are not creating situations where people are afraid to seek care because of things we have put in motion. We have to balance that,” Savage says.
In the draft of its 10-year interoperability roadmap, ONC has set out a deliberate, long-term process to work on this issue.
“We have given ourselves more than five years to have a conversation about whether it is possible to ameliorate the confusion or accomplish the dual goals of simplifying the environment and ensuring protections remain in place so we can bring technology to bear and help people comply with rules they need to comply with,” Savage says.
A proposed CMS rule currently under consideration would make DS4P mandatory for certified EHR vendors if a provider purchasing the EHR wants to take advantage of the technology.
“In our interoperability roadmap, we called out the availability of this DS4P technology but also noted the difficulty of implementing it nationwide and having it be taken up in a way that doesn’t put extra burdens on the healthcare providers, because of this incredibly complicated rules environment we have,” Savage says. “I think data segmentation has some great potential, but we have some additional work to do on the policy front to take advantage of those benefits. At HHS, as we embark on delivery system reform, we want to make sure that any patient is able to have his or her data shared with a primary care provider so that physician can coordinate care and produce better outcomes.”
Privacy standards
One weakness of the Office of the National Coordinator for Health IT (ONC) Data Segmentation for Privacy (DS4P) approach to segmenting data is that it applies to whole documents rather than just data elements. Providers often find that document-centric approach presents too much information to sift through.
But a new development in the industry has created an emerging standard called Fast Health Information Resources (FHIR) coupled with application programming interfaces to send and receive smaller, more granular data sets. One such project is a pilot being developed by ONC and the Veterans Administration.
At the HIMSS annual meeting in Chicago in April, the project participants demonstrated the ability for patients to create consents, authorizations and restrictions for sharing healthcare information. The project created a single interface that allowed patients to set their consent, privacy and other personal preference in one place. The authorization service enables patients to manage sharing among providers, authorize information to flow from their health records directly into their mobile apps, and send information from their apps to their providers or elsewhere.
Over the next 18 to 24 months, ONC will seek to promote broader use and adoption of the FHIR technology and extend its focus to include policy and trust issues that may arise with this approach. It also will seek out partners willing to pilot the interface in real-world settings.
David Raths is a freelance writer based in Pennsylvania.
