I recently had the pleasure of speaking with Andrea Fox, senior editor of Healthcare IT News, a HIMSS TV publication, to discuss the future of balancing patient privacy and data sharing. This important topic was also the opening theme of the HIMSS Cybersecurity Forum held in Boston last December.
As stated by Anita Allen, professor of law and philosophy at the University of Pennsylvania, “A great deal of reflection is called for, and maintaining balance between the interests in privacy and in disclosure offers an industry dilemma.” This dilemma is especially true considering proposed legislation changes regarding data sharing and exchange.
Here are four valuable highlights from my HIMSS TV interview with Andrea.
Focus sharpens on data quality and usability.
With increased data sharing comes greater responsibility to ensure the quality, accuracy and utility of patient data. To that end, The Sequoia Project recently released the final version of its “Data Usability Implementation Guide.” This resource offers guidance to improve the usability of data received by end users within their workflows to benefit patient care.
Every HIM professional should download this roughly 40-page guide and use it as their mantra. The guide promotes improved flow of patient data, makes it more usable for clinicians, and supports a better continuum of care. Best practices are provided for data tagging to ease searchability and reduce duplicate records. The guide also puts more power in the hands of the patient as patients can opt out of sharing specific segments of data.
Overall, the content emphasizes data control and management, placing HIM professionals front and center in the pursuit of better data quality amid expanded data exchange.
Concerns abound regarding substance abuse data and rule conflicts.
On one hand, the proposed changes in substance abuse data sharing offer enhanced information exchange by allowing a one-time permission granted by the patient for their data to be shared. However, substance abuse data sharing rules are currently under HIPAA, potentially offsetting interoperability of the new rule.
Additionally, definitions of terms within the two rules do not match, such as the definition of patient representative. In the old rule a patient representative could be an actual person or a company. In the new rule the representative must be an actual person. This creates a problem if the representative is a company because that entity may not be covered by HIPAA, which can be a major privacy concern.
Before moving forward, more work is needed to harmonize the two rules and alleviate any potential cause for confusion.
Prior authorization changes may open the door for privacy leaks.
The proposed changes to prior authorization should streamline the process, thus relieving patient frustrations in trying to receive care. However, the use of APIs in this process could present a potential privacy problem.
If a patient grants access to an API without fully understanding how that information will be used by the API developer (i.e., sold, used in marketing efforts, etc.), that data could be compromised. This is particularly true if the API is not governed by HIPAA.
The FTC is supposed to have governance in this arena, but they’ve never been given full authority to enforce penalties. I expect HIPAA to evaluate this concern sometime in 2023.
Action is needed to protect reproductive health data.
There are many issues around reproductive health data. Reproductive health data is not defined by most of the new rules and laws that we’re seeing enacted. Second, this type of data is threaded throughout a patient’s health record. This makes it extremely difficult to pull out and/or segment data.
One solution is to call out reproductive health data as a specific data point within an EHR. However, the patient must specifically grant permission for the release of that data. Processes and procedures on how to redact reproductive health data must be determined on a state-by-state or even facility-by-facility basis.
At the end of the day, balancing patient privacy and data sharing is not just an IT project. Progress results when there is collaboration among IT, privacy and HIM leadership. IT should set up the structure of the connection, but an HIM professional is needed to determine if the data has been mapped and segmented properly.
Micky Tripathi, National Coordinator for Health IT at HHS, said it succinctly during his recent interview with John Lynn on Healthcare IT Today. “Information sharing is now a standard of care.” It is where the industry is headed and what we must do. However, Tripathi also recognizes the challenge. “It is real work to share information and it’s a complex endeavor.” Now is the time to move information sharing up the priority list for IT, privacy and HIM.
