Reflects what matters most to ONC when it comes to national health information exchange governance and the principles in which ONC believes,

stated Dr. Mostashari last Friday in his Health IT Buzz Blog. Short and sweet, the Governance Framework provides guidelines for the governance of HIE.

The Governance Framework sets forth four sets of principles for HIE which are specifically geared towards HIOs and other entities that set HIE policy such as state agencies and partnerships:

• Organizational principles, focusing on transparency and openness, inclusiveness, oversight and enforcement;
• Trust principles, focusing on meaningful choice to participate in HIE and to limit types of data exchange, transparency in privacy and security practices, and the accuracy of information;
• Business principles, providing open access and standards to promote collaboration; and
• Technical principles, ensuring technology can accomodate exchange through the use of standards and implementation specifications, testing and collaboration with voluntary consensus standards organizations. 

Of particular interest is the recommendation that HIOs provide a "Notice of Data Practices" entirely separate from the Notice of Privacy Practices each participating organization in an HIO would provide to its patients describing HIE activities. The Notice would describe not only uses and disclosures of identifiable information, but de-identified information as well. 

Furthermore, organizational principles would include,

[P]romot[ing] inclusive participation and adequate stakeholder representation (especially among patients and patient advocates) in the development of policies and practices.

Another recommendation would prompt HIOs to maintain and publish statistics on their exchange capacity, including number of users and patients, type of standards implemented and transaction volume, as well as to disseminate "up-to-date" information on compliance with statutes and regulations, best practices and even potential security vulnerabilities.

Is the Governance Framework helpful to HIOs? Maybe. It does NOT

Prescribe specific solutions but lays out milestones and outcomes that ONC expects for and from HIE governance entities as they enable electronic HIE.

It is a far cry from guidance for the every day problems HIOs are faced with as expressed by numerous stakeholders to ONC, such as sharing data across state lines, sustainability, variations in standards between providers and HIOs, and differences in policies governing who may access patient data (i.e., clinicians only vs. administrative and other personnel).

It does, however, provide at least a "common founation" for HIOs to build their organizational structure and policies upon. And it's better than a set of regulations and rules for HIE and HIOs that no one is ready for.  

To read the full Governance Framework and for additional information on ONC's HIE activities, visit ONC's HIE Governance website.   

This alone will not be enough to achieve the widespread interoperability and electronic exchange of information necessary for delivery reform where information will routinely follow the patient regardless of wheter they receive care....

The overarching goal is to develop and implement a set of policies that would encourage providers to routinely exchange health information through interoperable systems in support of care coordination across health care settings.  

HHS therefore seeks comment on several options for encouraging HIE among providers and settings of care through a hodge-podge of existing statutory vehicles (primarily CMS and ONC programs and projects). In addition to requesting comment on these existing vehicles, CMS and ONC seek to identify what is currently working to encourage HIE, and which changes would have the biggest impact on HIE adoption, including regulatory requirements.

Furthermore, although long neglected under the EHR Incentive Programs, CMS and ONC specifically seek comment on what policies and programs would have the most impact on post-acute and LTC care providers as well as behavioral health.  They ask for insight into how these programs and policies should be implemented and developed to maximize care coordination and quality improvement for these populations. In addition, CMS and ONC specifically seek comment on policies and programs which would most impact patient access and use of their electronic health information for management of their care.   

Post-Acute and Long-Term Care Providers.  HHS acknowledges the low rates of EHRs and HIE among LTC and post-acute care providers and identifies existing authority which could be leveraged to expand HIE.  These include incorporating HIE as key components of:

1. Medicaid health homes;
2. Demonstration and pilot projects under Medicaid and the Childrens Health Insurance Program (CHIP);
3. Home and community based services (HCBS), which would include LTC;
4. State expansions of HIE infrastructure as part of the Medicaid EHR Incentive Program, and
5. CMS Conditions of Participation or Coverage

Settings of Care.  HHS additionally acknowledges the need to accelerate HIE across providers, including ambulatory care, behavioral health, laboratory, and post-acute and LTC. For example, HHS seeks comment on:

1. New e-specified measures for exchanging summary records following transitions of care aligned with CMS quality reporting programs, including the EHR Incentive Programs;
2. Medicare Shared Savings Program, requiring or encouraging Accountable Care Organization (ACO) to engage in HIE as part of coordination of care;
3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of use of interoperable technology for HIE to facilitate model participation decisions and requirements;
4. Model testing to align Medicare and Medicaid financing and care integration under the Capitated Financial Alignment model.

Consumer and Patient Engagement.  HHS and CMS seek to encourage engagement of patients in their care by improving their access to health information and electronic communication between their health care providers.  Options to encourage consumer and patient engagement include:

1. Incorporating new measures into Medicare Advantage Program consumer assessment serveys (CAHPS);
2. Blue Button availability to all CMS beneficiaries;
3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of incentives for consumers to more actively participate in their health; and
4. Direct access to lab results from laboratories (CLIA and HIPAA Amendments).

The RFI will be published today in the Federal Register.  Comments may be submitted up to 5pm on April 22, 2013. 

This year, ONC is kicking off several activities to support HIE governance. First, a federal funding opportunity is available for existing governance entities to further develop and adopt policies, interoperability requirements, and business practice criteria relating to HIE. Applications may be submitted until February 4 on Grants.gov. 

Secondly, Dr. Mostashari and ONC have scheduled an open Town Hall listening session for this coming Thursday, January 17, as well as February 14 in order for stakeholders to express their priorities, concerns or issues.  Based on stakeholder input, the HIT Policy Committee and HIT Standards Committee are expected to hold a public hearing then on January 29 to discuss current HIE policies, practices and impediments, as well as opportunities to strengthen and improve governance. 

Finally, ONC will develop and publish a series of governance "guidelines" based on the feedback it has received for effective and trustworthy HIE.  Stay tuned for more information on ONC's new site for HIE Governance. 

This past July, ONC released the results of a two-year effort by the Southeast Regional HIT-HIE Collaboration (SERCH) Project on Health Information Exchange in Disaster Preparedness and Response. The SERCH project began in November 2010 and included representatives from natural disaster-prone states such as Alabama, Arkansas, Florida, Georgia, Louisiana, and Texas. 

Supported by ONC, the SERCH Project was a state-led initiative aimed at identifying information-sharing challenges during natural disasters and developing strategic plans to incorporate HIE into disaster planning. The group developed an actionable plan to improve HIE capabilities in response to disasters, both during and in the aftermath, focusing particularly on interstate communication and information-sharing, and addressing legal and other barriers to the use and disclosure of patient information. 

Although limited primarily to the groundwork that needs to be covered prior to implementation of a fully-operational State HIE, the SERCH Project recommended five steps for any organization planning on sharing information through HIE to take to integrate HIE and disaster planning, especially where information-sharing could occur across state lines.

1. Understanding the State’s disaster response policies and align with the State agency designated for Emergency Support Function #8 (Public Health and Medical Services) before a disaster occurs.
2. Developing standard procedures approved by relevant public and private stakeholders to share electronic health information across State lines before a disaster occurs.
3. Considering enactment of the Mutual Aid Memorandum of Understanding to establish a waiver of liability for the release of records when an emergency is declared and to default state privacy and security laws to existing Health Insurance Portability and Accountability Act (HIPAA) rules in a disaster. States should also consider using the Data Use and Reciprocal Support Agreement (DURSA) in order to address and/or expedite patient privacy, security, and health data-sharing concerns.
4. Assessing the State’s availability of public and private health information sources and the ability to electronically share the data using HIE(s) and other health data-sharing entities.
5. Considering a phased approach to establishing interstate electronic health information-sharing capabilities.

These recommendations can also be applied and implemented by individual HIE networks and organizations, not only at the state-level. 

A full copy of the whitepaper can be found on the Health IT website.  You can also find a summary of the report by Lee Stevens, Policy Director for the State HIE Program, as well as his blog post in 2011 on the Joplin Tornado and the role of EHRs at the Health IT Buzz. 

The NwHIN is the set of standards, services, and policies developed to enable and ensure the secure electronic exchange of health information.  Geared originally towards larger HIEs/HIOs and other networks and systems, as envisioned, the NwHIN would be a network of networks among the States and their respective health care providers and hospitals facilitating the efficient exchange of electronic health information and promoting interoperability.  

Most stakeholders would agree that safeguards should be in place to protect the confidentiality, integrity and availability of health information as it is exchanged among health care providers and at a national level as well as to promote public trust in such electronic exchanges.  However, there remains a lack of consensus on where (and what) standards and processes should be set for such exchanges, deterring broader participation in the NwHIN, creating confusion, and inhibiting exchange among providers in general.  Currently, the various States as well as the private sector have implemented a variety of, and sometimes conflicting, approaches to how and under what conditions information can be exchanged electronically. 

In recognition of this and under order by the HITECH Act, ONC has released a Request for Information, "Nationwide Health Information Network: Conditions for Trusted Exchange” (RFI), seeking public comment on establishing a governance mechanism for the NwHIN and a form of “rules of the road” for electronic exchange.  The RFI seeks to identify potential rules and processes for trusted exchange of health information among the various health care providers and health information organizations or regional health information organizations and promoting trust and confidence among health care providers and their patients.   

We believe that this is an opportune time to solicit input on how the governance mechanism for the nationwide health information network should be shaped and how we could effectively use our statutory authority to complement existing Federal regulations to support and enable nationwide electronic exchange. We also believe that a properly crafted governance mechanism could yield substantial public benefits, including: reduced burden and costs to engage in electronic exchange; added protections for consumers and health care providers; and, in the long-run, a more innovative, and efficient electronic exchange marketplace that would ultimately create an environment where electronic exchange is commonplace and “worry-free.  77 FR 28545. 

In general, the RFI seeks public comment on five proposed areas and sets of questions which combined would create a framework for the electronic exchange of health information:

1. Conditions for trusted exchange (CTEs), which would include safeguard, interoperability and business practice CTEs (those standards and implementation specifications as described in the HITECH Act),
2. Validation process for conformance to CTEs as NwHIN network validated entities (NVE),
3. Process for retiring and updating CTEs to address current exchange needs,
4. Process for classifying the readiness of standards and implementation specifications to support interoperability related to CTEs, including identifying gaps needing to be filled to support nationwide electronic exchange, and
5. Monitoring and transparent oversight, primarily by federal agencies, including ONC, OCR and the FTC, with some responsibilities delegated to the private sector.

Much like for certification of EHR technology in the Medicare and Medicaid EHR Incentive Programs, ONC would select an accrediting body responsible for the validation process of NVEs.  However, rather than focusing on and regulating only the product itself (e.g., the “certified” EHR technology), the services and activities performed by the entity itself would be the primary focus.  The NVE framework itself would be voluntary, with entities seeking validation as NVEs to the extent value is identified in seeking such validation, with of course, the ability as NVE status gains ground to be required as a condition of contracts, grants, and other relationships and procurements.

ONC clearly recognizes the critical need for flexibility and avoidance of a “one-size-fits-all” approach to governance and therefore would propose a variety of standards for electronic exchange, ranging from basic to more complex and ever-evolving exchange activities and use cases.  Entities contemplated which could seek status as an NVE would include EHR developers; regional, state, local or specialty-based health information exchanges; health information service providers; State agencies; Federal agencies, and integrated delivery networks.

Notably, ONC would propose that NVEs which were not otherwise Covered Entities or Business Associates comply with certain provisions of HIPAA, specifically 164.308, 164.310, 164.312, and 164.316.  NVEs in addition to complying with all of the HIPAA Security Rule's “required” implementation specifications would also be required to comply with those “addressable” as well, a proposition ONC is almost guaranteed to receive lively comment on.  NVEs would also be held to a more uniform set of policies and practices than those that would be required to comply with the HIPAA Privacy and Security Rules.

Consistent with previous recommendations of the HIT Policy Committee, ONC has not proposed that either an opt-out or opt-in mechanism would be required, but rather, that “meaningful choice” must be provided within three proposed exceptions, noting HIPAA baseline authorizations remain required for certain purposes: 

1. For purposes of medical treatment;
2. When information exchange is mandatorily required under law; or
3. Where the NVE is acting solely as a conduit and not accessing or using the information beyond what is required to encrypt and route it to its intended destination.

Two other important proposals set forth by the RFI which ONC has requested public comment on is that NVEs would be required to either encrypt or make available encrypted channels for information to flow through, and that NVEs would not be permitted to use or disclose de-identified information for economic gain.  In addition, an NVE would be required to implement and use one of two types of transport specifications:  unsurprisingly, the Direct Project transport specifications, which may cause consternation for several HIEs, and the Exchange transport specifications. 

The overarching question which needs to be answered for this RFI is, are we there yet? Are we ready to adopt a nationwide governance mechanism? If so, can we come to a consensus on those critical standards, services and activities which are necessary for efficient, effective and trusted exchange of health information, while keeping the flexibility and responsiveness needed to support the broad array of electronic exchange activities as they evolve?

A Notice of Proposed Rulemaking (NPRM) would be the next step after ONC’s consideration of public comments.  Public comments on the RFI are due June 14, 2012 and may be submitted online at https://www.federalregister.gov/articles/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange

**NOTE: As of June 5, ONC has extended the deadline for public comments on the RFI until Friday, June 29, 2012.  Comments must be submitted by 11:59PM Eastern Daylight Time. 

Entitled "The Landscape and a Path Forward," the HIE Roadmap sets forth current HIE connectivity and exchange approaches across the nation, as well as federal efforts towards developing the foundation for interoperability and trusted HIE through common standards, services and policies.  It highlights those strategies for integrating these federal and private sector efforts, emphasizing the current progress that has been made and those challenges and barriers remaining to be overcome. 

Most importantly, it hopes to provide a roadmap of the major steps communities can follow to achieve progress towards HIE.  The HIE Roadmap states,

...Given the rapid market and policy changes and technology innovations occurring right now, there is confusion among healthcare stakeholders about how best to proceed with implementing HIE.  Leading HIE organizations are indeed charting new ground.  Emerging HIE efforts can and should learn from those who are further along in order to...leapfrog toward success."

It notes that in 2010, the number of public HIEs increased 81% from 37 to 67 with a whopping 210% increase in operating private HIEs, from 52 to 160.  Providing clear examples of leading HIE efforts, their leverage of national standards for exchange, and other factors contributing success, the HIE Roadmap seeks to capture the vision for why HIE is important to improving patient care and to the performance of our healthcare system, as well as provide a framework and a path forward for those working towards achieving HIE in their communities. 

The HIE Roadmap highlights several of the most notable challenges and barriers to HIE, including:

• Funding and sustainability;
• Variations in implementation of interoperability standards;
• Provider adoption;
• Disparate EMRs; and
• Privacy and security concerns.

However, it recognizes that these challenges and barriers are being "tackled and overcome."  The HIE Roadmap highlights ONC efforts towards building a foundation of interoperability and trusted exchange, in particular, recommendations of the HIT Policy and Standards Committees and their workgroups, such as the Meaningful Use, Information Exchange, and Privacy and Security Policy Workgroups.  It highlights the importance the Direct Project and the Nationwide Health Information Network (NHIN) continues to play in developing a strong interoperable foundation and the potential the Direct Project and NHIN have to promote best practices, compliance with existing national standards and implementation recommendations, and following through responsibility to protect health information.

The HIE Roadmap describes the approaches taken by several HIE initiatives across the nation, including:

• Care Connectivity Consortium, comprised of five leading health systems, Kaiser Permanent, Mayo Clinic, Geisinger Health, Intermountain Healthcare and Group Health;
• HealthBridge, with 50 participating hospitals, 800 physician practices, and 7,500 physicians;
• Indiana HIE (IHIE), with 90 hospitals and 19,000 participating physicians;
• Inland Northwest Health Services (INHS), with an air ambulance collaborative, rehabilitation hospital, and IT management for 38 hospitals and EMR services for 750 physicians, and which also partners with the Departments of Defense and Veterans Affairs; and
• Kaiser Permanente, which includes the Kaiser Foundation Health Plan and subsidiaries, 37 hospitals and over 450 clinical facilities, and the Permanente Medical Group Practices.

While highlighting the various strategies implemented by these initiative, the HIE Roadmap also recognizes that,

Indeed, interoperable HIE is a journey without a definite endpoint.  Many different approaches are being used, stakeholders are at different stages along this journey, and there is by no means a "one size fits all" model. 

It notes, however, that a key priority of many of these initiatives is to provide standards-based services to small physician practices, recognizing that most healthcare is delivered in these physician practices and the challenges they face.  Finally, the HIE Roadmap sets forth four major "steps" or phases for implementing successful and sustainable HIE, which starts wtih developing the HIE's objectives and vision.

In conclusion, the HIE Roadmap states,

The ultimate goal of HIE is to ensure that the right information is available at the right time and place every time to support the delivery of high quality, well coordinated, and cost effective patient-centered healthcare.  Keeping a consistent and clear focus on what is best for the patient is above all else the smartest way to stay on course in the ever-changing environment of HIE.

The P&S PIN requires all SDEs to submit as part of a 2012 annual SOP (Strategic and Operational Plan) an update of their privacy and security framework consisting of all relevant statewide policies and practices adopted by recipients, and operational policies and practices for HIE services being implemented by Grant recipients of funding in whole or in part with federal cooperative agreement funds (HIE Grant Recipients).

Among other things, each HIE Grant Recipient will need to submit how their existing privacy and security policies align with each domain of the Fair Information Practices (FIPs), which the ONC and the ONC's Privacy & Security Tiger Team have each previously pointed to as providing a privacy and security framework for networked HIE.  The FIPs are:

1. Openness and Transparency
2. Collection and Use and Disclosure Limitation
3. Safeguards
4. Accountability
5. Individual Access
6. Correction
7. Individual Choice
8. Data Quality and Integrity

Specifically, Point-to-Point Directed HIE Exchange Models will be required to demonstrate that their P&S policies address FIPs 1-4, and have the option of addressing FIPs 5-8. HIE models that aggregate data will be required to demonstrate that their P&S policies address FIPs 1-8. If any GAPs exist between a FIP and the HIE Grant Recipient's current policies (i.e. a domain is not addressed), this must be identified and a strategy timeline and action plan for addressing these gaps in the 2012 SOP update must be provided.

One of the most debated topics with networked HIE has been patient consent. Many HIEs and stakeholders have asked the federal government on guidance on when and what form of consent is required for networked HIE.  

The P&S PIN addresses patient consent with HIE, and requires that aggregated HIE models offer, at a minimum, individuals with a meaningful choice with regard to whether their individually identifiable health information (IIHI) may be exchanged through an HIO entity that aggregates data.

The P&S PIN then further goes on to define “meaningful choice” as including:

• Made with advance knowledge
• Not used for discriminatory purposes or as condition for receiving treatment
• Made with full transparency and education
• Commensurate with circumstances for why IIHI is exchanged
• Consistent with patient expectations
• Revocable at any time

Notably, the P&S PIN confirms that both opt-in and opt-out are acceptable means of satisfying patient choice. On Wednesday, March 27^th,  I had the opportunity to speak at the HIPAA Summit in Washington D.C. where an audience member asked whether a “no choice” HIE model is now no longer a viable option for HIE.  Both Joy Pritts, ONC Privacy Officer, and Deven McGraw, Co-Chair of the ONC P&S Tiger Team, confirmed that at least with respect to HIE Grant Recipients who are operating an aggregated HIE model, the P&S PIN must be followed and each patient must be afforded with meaningful choice to participate in networked HIE. It's also important to note that while the P&S PIN requirement could potentially be satisfied through obtaining written consent from the patient, written consent is not required and, moreover, Ms Pritts specifically pointed out that obtaining a written blanket consent without any supporting meaningful processes would not meet the FIP standard. Thus, whether an opt-in or opt-out model is used, HIOs must focus on ensuring that educational information about HIE is being delivered to patients, and the patient's decision-making process is meaningful.

The FIPs are nothing new, and ONC actually issued its Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health information back in December of 2008!  Ever since then, I have been advising HIE initiatives to BUILD their HIE Policies around the FIPs and this ONC guidance document. Here is an example of how I crosswalk the FIPs with my template set of HIE Policies for HIOs that aggregate IIHI.

For a copy of a sample set of our HIE Policies, email me at helen@oscislaw.com, or visit www.ohcsolutions.com which going live soon as a source for legal forms and templates.

The whitepaper builds upon initial recommendations of the California Privacy and Security Advisory Board (CalPSAB).  Although originally CalPSAB had proposed a bifurcated consent policy (i.e., opt-out for treatment, opt-in for other purposes or where sensitive information was contained in the medical record), the Board withdrew this recommendation after public concern regarding cost effective workability of the policy. 

Ultimately, CalPSAB recommended an "opt-in" patient consent framework which this whitepaper incorporates, implementing generally an affirmative consent framework for the demonstration projects.  The demonstration project participants would be required to use CalOHII approved consent forms and adopt CalOHII recommended privacy and security policies and procedures.

Although adopting a stricter approach, the whitepaper echoes the ONC Tiger Team's emphasis on meaningful patient consent, stating,

  ...CalOHII believes that the reading of an informing document and the signing of a consent form is the step at the end of a process - the process of education.  The education of the patient on the various aspects of the electronic exchange of health information, is to guide the patient in making a meaningful decision in giving or not giving his/her consent.

The whitepaper would permit certain exceptions allowing information to be accessed through an HIE without patient consent, namely for public health reporting and emergency "break the glass" situations.  In addition, the HIE demonstration projects are permitted under certain circumstances to request to "Demonstrate Alternative Requirements" (DAR process) in order to present other policies and requirements for implementing patient consent and privacy and security requirements. 

The two demonstration projects chosen for 2011 are the Western Health Information Network (WHIN) and the San Diego Beacon eHealth Community.  Both demonstration projects are currently set to test the opt-in framework as well as the CalOHII privacy and security policies that are to be developed.  The purpose of the demonstration projects is to help evaluate solutions for HIE and to test and develop innovative privacy and security practices.  Regulations for the demonstration projects are expected to be finalized shortly. 

To Register, click here.

Among other things, Senate Bill 133 sets out criteria that providers must meet in order to be protected from prosecution for violating a patient's privacy. Specifically, providers would have to:

• adhere to the use and disclosure rules in HIPAA;
• adhere to the requirements in HIPAA for safeguarding patient information;
• comply with a patient's right to access their own medical information;

The bill also creates a standardized authorization form for providers to give patients before accessing and exchanging their medical information, as well as provides for a "personal representative" for incapacitated adults and minors without legal guardians.

As of January 27, 2011, ONC has approved over $547 million dollars to states in order to further HIE efforts.  Yet, as states gear up to tackle implementing the Operational Plans that they have submitted to ONC, they continue to be faced with many of the same privacy and security questions and issues that have slowed and even stalled HIE progress in the past. 

Before the ONC was established, the Health Information Security and Privacy Collaborative (HISPC) tackled privacy and security law issues for several years.  In HISPC’s Final Report regarding Harmonizing State Privacy Laws, which is posted on ONC’s website, specifically recognizes that inconsistency in state and federal laws in terms of definitions, organizational structure, and content is often cited as a barrier to participation in and implementation of HIE.  In addition, the report notes that stakeholder groups have long indicated that a greater harmonization of state laws would be beneficial and that reform of state laws, combined with revisions in federal laws, must be considered.

During Phase 1 of HISPC's work, extensive discussions and activities with stakeholders determined that lack of clarity and divergent interpretation of legal standards have created barriers to participation in and implementation of HIE. The Report goes on that while some impediments to the exchange of health information are essential to protect privacy interests

[u]nnecessary and unintended barriers resulting from confusion or inconsistency can prevent the timely and appropriate exchange of information essential for medical treatment and population health activities. Whether the movement to transform health care through HIE involves private grassroots efforts, state-specific initiatives, a single federal approach, or any combination thereof, the availability and use of common tools and resources is essential for establishing workable information exchange standards and practices within and among states.

Yet, while these obstacles are now widely-recognized and exhaustively written about, the inconsistencies in varous state laws as they relate to desired federal HIE objectives continues to create confusion and drain resources.  Thus, to date, HIPAA continues to be the main federal legal source that states can look to in order to define what privacy and security standards should apply to electronic HIE – which is what Kansas has done.   

The Report notes, among many other things, that the current structure of available health IT systems is inadequate, resulting in user difficulty, unavailability of relevant information, such as best practices, limited capability for sharing data across systems, patient concerns regarding improper access, and the inability to search or aggregate and de-aggregate data where necessary for research, public health, quality improvement, or patient safety. In essence, current health IT systems cannot easily support the desired outcomes. The Report identifies key legislation and regulations responsible for moving the development of health IT forward, namely, HITECH and the “meaningful use” EHR Incentive Program, as well as demonstration projects to develop experience and the necessary conditions for progress. However, the Report stresses the urgency of accelerating and redirecting much needed federal groundwork for HIE.

The Report notes the successes of early adopters of integrated EHR systems (i.e., Kaiser Permanente and VHA), while recognizing areas of functionality still in dire need of improvement, such as interoperability. It finds data exchange and aggregation central to accomplishing potential health IT benefits yet rejects current HIE models as being “ill-suited” as the basis for a national health information infrastructure due to durability and interoperability concerns. PCAST considers new technologies, such as “cloud-based” EHR products, patient personal health records, and data aggregation “middleware” products for interoperability that have potential to remove barriers and create solutions, as well as other promising models for data exchange.

PCAST rejects standardized health record formats and service-oriented architecture (SOA) in favor of metadata-tagged data elements and data-element access services (DEAS), the advantages of which the Report describes in detail. Such “tags” are small pieces of information accompanied by a larger “megadata tag” which groups them by attributes as well as required privacy and security protection.

The Report argues that a universal exchange language based upon tagged dataelements (i.e., DEAS and metadata-tagged data) is more sophisticated and better for privacy and security.

For example, DEAS would require authentication of an individual into the system and allow only access to information based upon the role he or she is assigned. To obtain access to encrypted tagged data elements, based upon a patient’s privacy choices, the individual would have to have the proper credentials and role. It is also crucial to note that the Report rejects that such a system would require “universal patient identifiers” or create a central repository of patient information.

Furthermore, the Report explores how HIPAA is ill-equipped, and possibly detrimental to medical research and care, to handle the changes in health IT and how HITECH both partially remedies and exacerbates this situation, such as accounting of disclosures which will “stifle innovation”.

Finally, the Report argues that federal leadership is necessary to combat economic concerns and incentivize information exchange and development of health IT systems. Adopting standardized metadata, aligning economic incentives (such as through “meaningful use”), encouraging technological innovation and competition, supporting development of network infrastructures through appropriately designed pilot projects, and developing a regulatory health IT structure along with regulatory oversight all are suggested by the Report as necessary.

PCAST detail several layers and roadmaps for government agencies to progress towards the realization of a national health IT infrastructure. It also recommends guidelines for transitioning from existing EHRs and information exchange systems to the new tagged data element model advocated by the Report, and addresses generation of necessary early design choices by ONC and the Report’s vision for future CMS meaningful use requirements. The Report concludes with specific short and mid-term recommendations for ONC, DHHS, CMS, and other agencies in order to realize the objectives outlined in the Report towards establishment of a national health IT infrastructure.   In response, ONC, for one, appears to have already set up a PCAST Report Workgroup, and the first meeting is scheduled for January 14, 2011.

 To review PCAST’s summary of Recommendations of who should do what next, click Continue Reading below.

FOLLOWING RECOMMENDATIONS REPRINTED FROM PCAST REPORT (PP 77-79):

The Chief Technology Officer of the United States should:

• In coordination with the Office of Management and Budget (OMB) and the Secretary of HHS, and using technical expertise within ONC, develop within 12 months a set of metrics that measure progress toward an operational, universal, national health IT infrastructure. Research, prototype, and pilot efforts should not be included in this metric of operational progress.
• Annually, assess the Nation’s progress in health IT by the metrics developed, and make recom-mendations to OMB and the Secretary of HHS on how to make more rapid progress.

The Office of the National Coordinator should:

• Move more boldly to ensure that the Nation has electronic health systems that are able to exchange health data in a universal manner based on metadata-tagged data elements. In particular, ONC should signal now that systems will need to have this capability by 2013 in order to be deemed as making “meaningful use” of electronic health information under the HITECH Act.
• Act to establish initial minimal standards for the metadata associated with tagged data elements, and develop a roadmap for more complete standards over time.
• Facilitate the rapid mapping of existing semantic taxonomies into tagged data elements, while continuing to encourage the longer-term harmonization of these taxonomies by vendors and other stakeholders.
• Support the development of reference implementations for the use of tagged data elements in products. Certification of individual products should focus on interoperability with the reference implementations.
• Set standards for the necessary data element access services (specifically, indexing and access control) and formulate a strategic plan for bringing such services into operation in an interoperable and intercommunicating manner. Immediate priority should be given to those services needed to locate data relating to an individual patient.
• Facilitate, with the Small Business Administration, the emergence of competitive companies that would provide small or under-resourced physician practices, community-based long-term care facilities, and hospitals with a range of cloud-based services.
• Ensure that research funded through the SHARP (Strategic Health IT Advanced Research Projects) program on data security include the use of metadata to enable data security.

The Centers for Medicare & Medicaid Services should:

• Redirect the focus of meaningful use measures as rapidly as possible from data collection of specified lists of health measures to higher levels of data exchange and the increased use of clinical decision supports.
• Direct its efforts under the Patient Protection and Affordable Care Act toward the ability to receive and use data from multiple sources and formats.
• In parallel with (i.e., without waiting for) the NRC study on IT modernization, begin to develop options for the modernization and full integration of its information systems platforms using modern technologies, and with the necessary transparency to build confidence with Congress and other stakeholders.
• When informed by the preliminary and final NRC study reports, move rapidly to implement one or more of the options already formulated, or formulate new options as appropriate, with the goal of making substantial progress by 2013 and completing implementation by 2014. CMS must transition into a modern information technology organization, allowing integration of multiple components and consistent use of standards and processes across all the provider sectors and programs it manages.
• Exercise its influence as the Nation’s largest healthcare payer to accelerate the implementation of health information exchange using tagged data elements. By 2013, meaningful use criteria should include data submitted through reference implementation processes, either directly to CMS or (if CMS modernization is not sufficiently advanced) through private entities authorized to serve this purpose.
• By 2013, provide incentives for hospitals and eligible professionals to submit meaningful use clinical measures that are calculated from computable data. By 2015, encourage or require that quality measures under all of its reporting programs (the Physician Quality Reporting Initiative, hospitals, Medicare Advantage plans, nursing homes, etc.) be able to be collected in a tagged data element model.

The Department of Health and Human Services should:

• Develop a strategic plan for rapid action that integrates and aligns information systems through the government’s public health agencies (including FDA, CDC, NIH, and AHRQ) and benefits payment systems (CMS and VA).
• Convene a high-level task force to align data standards, and population research data, between private and public sector payers.
• Convene a high-level task force to develop specific recommendations on national standards that enable patient access, data exchange, and de-identified data aggregation for research purposes, in a model based on tagged data elements that embed privacy rules, policies and applicable patient preferences in the metadata traveling with each data element.
• As the necessary counterpart to technical security measures, propose an appropriate structure of administrative, civil, and criminal penalties for the misuse of a national health IT infrastructure and individual patient records, wherever such data may reside.
• Appoint a working group of diverse expert stakeholders to develop policies and standards for the appropriate secondary uses of healthcare data. This could be tasked to the Interagency Coordinating Council for Comparative Effectiveness Research.
• With FDA, bring about the creation of a trusted third-party notification service that would iden¬tify and implement methods for re-identification of individuals when data analysis produces important new findings.

Other or multiple agencies:

• AHRQ should be funded to develop a test network for comparative effectiveness research. The FDA, and also other HHS public health agencies, should enable medical researchers to gain access to de-identified, aggregated, near-real-time medical data by using data element access services.
• HHS should coordinate ONC activities with CDC, FDA, and any other entities developing adverse event and syndromic surveillance networks.
• The Department of Defense and the Department of Veteran Affairs should engage with ONC and help to drive the development of standards for universal data exchange of which they can become early adopters

The National Committee on Vital and Health Statistics (NCVHS) released an advisory letter to the Department of Health and Human Services (HHS) on November 10 addressing recommendations for the management of sensitive information in the HIE context.  NCVHS, which is the statutory public advisory body for HHS, explored and identified categories of sensitive health information requiring new technologies and methods for segmenting and protecting such information in electronic health records.  The advisory letter, which coordinates with Health IT Policy Committee recommendations and requirements, addresses preliminary categories of sensitive information, including:

• The new HITECH cash payments (“payment in full” and “out-of-pocket” restriction);
• Genetic information;
• Psychotherapy notes;
• Substance abuse treatment records;
• HIV information;
• Sexually transmitted disease information;
• Sexuality and reproductive health information;
• Certain health information for minors, where protected by state law;
• Mental health information; and
• Certain circumstances where the entire medical record may be deemed sensitive (e.g., domestic violence, victims of violent crime).

In addition, the NCVHS advisory letter includes five core recommendations for HHS.  Among these are identifying and publishing best practices for managing categories of sensitive information, and investing in research for enhancing health information exchange and electronic health record capabilities and in pilot tests and projects for assessing feasibility, effects, efficacy and the costs and benefits of such capabilities. 

The NCVHS recommendations will serve as a platform for HHS to conduct research, develop technologies and implement pilot tests and projects with an eye towards understanding the feasibility, technical standards, effects on patient care, and the costs and benefits of managing sensitive information.  As NCVHS stated in the advisory letter,

[o]ur nation is committed to deploying interoperable health record to improve patient health, health care, and public health.  Patient trust is critical to patient participation in this deployment, and, therefore, we must invest in technologies that will promote this trust.

In short,SAMHSA and ONC support the use and disclosure of 42 CFR Part 2 information through an HIO, as long the Part 2 Rules are followed.  Although SAMHSA's position is concerning to some who fear that including such sensitive information for HIE will make it susceptible to breaches and improper disclosures, the agency found that there are significant positive health benefits that patients could gain from allowing an HIO to facilitate proper exchange of their records electronically.

For an INCREDIBLY helpful Q&A Guidance document regarding how SAMHSA believes Part 2 Drug & Alcohol Treatment records can be appropriately used and disclosed through an HIO, visit their website at http://www.samhsa.gov/healthprivacy/, or click "Continue Reading" below for copy of their Questions & Answers on this topic ....

SAMHSA FREQUENTLY ASKED QUESTIONS ABOUT USING & DISCLOSING DRUG AND ALCOHOL ABUSE TREATMENT INFORMATION THROUGH HIOs

Q1. Does the federal law that protects the confidentiality of alcohol and drug abuse patient records allow information about patients with substance use disorders to be included in electronic health information exchange systems?

A1. Yes. The federal confidentiality law and regulations (codified as 42 U.S.C. § 290dd-2 and 42 CFR Part 2 (“Part 2”)), enacted almost three decades ago after Congress recognized that the stigma associated with substance abuse and fear of prosecution deterred people from entering treatment, has been a cornerstone practice for substance abuse treatment programs across the country. Part 2 permits patient information to be disclosed to Health Information Organizations (HIOs)² and other health information exchange (HIE) systems; however, the regulation contains certain requirements for the disclosure of information by substance abuse treatment programs; most notably, patient consent is required for disclosures, with some exceptions.

This consent requirement is often perceived as a barrier to the electronic exchange of health information. However, as explained in other FAQs, it is possible to electronically exchange drug and alcohol treatment information while also meeting the requirements of Part 2.

Q2. What types of providers are covered programs under 42 CFR Part 2 (“Part 2”)?

A2. To be a “program” that falls under 42 CFR Part 2, an individual or entity must be federally assisted and hold itself out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment (42 CFR § 2.11). A program is “federally assisted” if it is:

1) authorized, licensed, certified, or registered by the federal government;

2) receives federal funds in any form, even if the funds do not directly pay for the alcohol or drug abuse services; or

3) is assisted by the Internal Revenue Service through a grant of tax exempt status or allowance of tax deductions for contributions; or 4) is authorized to conduct business by the federal government (e.g., certified as a Medicare provider, authorized to conduct methadone maintenance treatment, or registered with the Drug Enforcement Agency (DEA) to dispense a controlled substance used in the treatment of alcohol or drug abuse); or 5) is conducted directly by the federal government.

A different definition of a “program” applies when services are provided by a specialized unit or staff within a general medical facility (or ‘mixed use’ facility – see FAQ #15). A general medical facility has a Part 2 program if:

1) there is “an identified unit within a medical facility which holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment;” or

2) there are “medical personnel or other staff in a general medical facility whose primary function is the provision of alcohol or drug abuse diagnosis, treatment or referral for treatment and who are identified as such providers.” (42 CFR § 2.11 (b), (c))

Most drug and alcohol treatment programs are federally assisted. However, there are for-profit programs and private practitioners that may not receive federal assistance of any kind. These programs and practitioners only see clients who have private health insurance or self-pay. Unless the State licensing or certification agency requires those programs or private practitioners to comply with Part 2, they are not subject to the requirements of 42 CFR Part 2, because they are not federally assisted. States may, however, enact laws requiring compliance with Part 2, and programs should refer to their state laws in these situations. Clinicians who use a controlled substance (e.g., benzodiazepines, methadone or buprenorphine) for detoxification or maintenance treatment of a substance use disorder require a federal DEA registration and become subject to Part 2 through the DEA license. In contrast, a physician who does not use a controlled substance for treatment, such as Naltrexone, and does not otherwise meet the definition of a Part 2 program is not subject to Part 2.

Q3. What patients, and which records and information, are protected by 42 C.F.R Part 2?

A3. The Part 2 regulations “impose restrictions upon the disclosure and use of alcohol and drug patient records which are maintained in connection with the performance of any federally assisted alcohol and drug abuse program.” (42 CFR § 2.3(a)) The restrictions on disclosure apply to any information disclosed by a Part 2 program that “would identify a patient as an alcohol or drug abuser …” (42 CFR §2.12(a) (1))

Under 42 CFR § 2.11:  

“Patient” means “any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program.”

 “Records” mean “any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program.”

For purposes of these FAQs, entities that participate in an HIO network, including but not limited to participating health care providers, will be referred to as “HIO affiliated members.” Participating health care providers may also be referred to as “HIO affiliated health care providers.”        

“Disclose or disclosure” means the “communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the records of a patient who has been identified.”

 “Patient identifying information” means the “name, address, social security number, fingerprints, photographs of similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.”

In sum, the information protected by Part 2 is any information disclosed by a Part 2 program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem, or as a participant in a Part 2 program.

Q4.  For the purposes of the applicability of 42 CFR Part 2, does it matter how HIOs are structured?

A4. No. HIOs may take any number of forms and perform a variety of functions on behalf of the health care providers and other entities participating in the HIO network. Regardless of the functions performed by the HIO, 42 CFR Part 2 still applies. HIOs may:

• provide the infrastructure to exchange patients’ health records among entities participating in the HIO network and facilitate the exchange of patients’ electronic health information;       
• serve as a data repository that holds or stores patient records supplied by entities participating in the HIO network, and then makes them available for exchange in response to participants’ requests for such records;
• provide a record locator service for HIO participants and match individuals to their health records from different locations; or
• review and respond to requests for patient records from HIO participating providers.

Each of these scenarios involves the disclosure of Part 2 information. In some cases, the Part 2 program is disclosing protected information to the HIO, which stores it within the HIO system and then makes it available to HIO affiliated members on request. In other cases, the Part 2 program is disclosing protected information to the HIO, which does not keep it in a repository but rather passes the information along to HIO affiliated members. In either event, the disclosure of Part 2 protected patient information to and through the HIO would only be permitted in ways authorized by Part 2. This means that in non-medical emergency situations, either a patient consent or a Qualified Service Organization Agreement (defined in other FAQs) will need to be in place in order for the Part 2 program to disclose the information to the HIO, and patient consent will be needed to allow the HIO to redisclose the Part 2 information to other HIO affiliated members.

Q5. Does 42 CFR Part 2 permit the disclosure of information without a patient’s consent for the purposes of treatment, payment, or health care operations?

A5. Unlike HIPAA, which generally permits the disclosure of protected health information without patient consent or authorization for the purposes of treatment, payment, or health care operations, Part 2, with limited exceptions (i.e., medical emergencies and audits and evaluations), requires patient consent for such disclosures (42 CFR §§ 2.3, 2.12, 2.13). Some types of exchange, however, may take place without patient consent when a qualified service organization agreement (QSOA) exists or when exchange takes place between a Part 2 program and an entity with administrative control over that program.

A qualified service organization (QSO) means a person or organization that:

1. provides services to a [Part 2] program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and
2. has entered into a written agreement with a program under which that person acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the programs, it is fully bound by these regulations; and
3. if necessary, will resist in judicial proceedings any efforts to obtain access to patient records, except as permitted by these regulations.

Where a Part 2 program has entered into a QSOA with an entity that provides any of the covered services, and where the information exchanged is needed to provide the covered services, patient consent is not required. (42 CFR § 2.11)

In addition, patient consent is not required when information is exchanged within a Part 2 program or between a Part 2 program and an entity that has direct administrative control over the program. When a substance use disorder unit is a component of a larger behavioral health program or of a general health program, specific information about a patient arising out of that patient’s diagnosis, treatment or referral to treatment can be exchanged without patient consent among the Part 2 program personnel and with administrative personnel who, in connection with their duties, need to know information (42 CFR § 2.12(c)(3)). Patient information may not be exchanged among all of the programs and personnel that fall under the umbrella of the entity that has administrative control over the Part 2 program. A QSOA would be required to enable information exchange without patient consent in this situation.

Q6. Under Part 2, can a Qualified Service Organization Agreement (QSOA) be used to facilitate communication between a Part 2 program and an HIO?

A6. Yes. A QSOA under Part 2, which is similar but not identical to a business associate agreement under §§ 164.314(a) and 164.504(e) of the HIPAA Security and Privacy Rules, is a mechanism that allows for disclosure of information between a Part 2 program and an organization that provides services to the program, such as an HIO. Examples of services that an HIO might provide include holding and storing patient data, receiving and reviewing requests for disclosures to third parties, and facilitating the electronic exchange of patients’ information through the HIO network.

Before a Part 2 program can communicate with a Qualified Services Organization – in this case the HIO – it must enter into a two-way written agreement with the HIO. Once a QSOA is in place, Part 2 permits the program to freely communicate information from patients’ records to the HIO as long as it is limited to that information needed by the HIO to provide services to the program. The HIO may also communicate with the Part 2 program and share information it receives from the program back with the program. Patient consent is not needed to authorize such communications between the HIO and Part 2 program when a QSOA is in place between the two.

Q7. May information protected by Part 2 be made available to an HIO for electronic exchange?

A7. Information protected by 42 CFR Part 2 may only be made available to an HIO for exchange if:

1. a patient signs a Part 2-compliant consent form authorizing the Part 2 program to disclose the information to the HIO, OR 
2. a Qualified Service Organization Agreement (QSOA) is in place between the Part 2 program and the HIO.

Q8. If Part 2 information has been disclosed to the HIO, either pursuant to a Part 2- compliant consent form authorizing such disclosure or under a QSOA, may the HIO then make that Part 2 information available to HIO-affiliated members?

A8. An HIO may disclose Part 2 information that it has received from a Part 2 program to HIO affiliated members (other than the originating Part 2 program) only if the patient signs a Part 2-compliant consent form. Patient consent is not needed to authorize such communications between the HIO and Part 2 program when a QSOA is in place between the two.

Q9. How do different HIO patient choice models regarding whether general clinical health information may be disclosed to or through an HIO (e.g., no consent, opt in or opt out) affect the requirements of 42 CFR Part 2?

A9. HIOs have adopted a number of different policies for making general clinical information available to participating members. Some HIOs have adopted a “no consent” model, under which a patient’s health information may be disclosed to an HIO and subsequently disclosed by the HIO to its affiliated members for specified purposes without obtaining the patient’s consent. Other HIOs have adopted an “opt in” model, in which the patient’s information is disclosed to the HIO and subsequently disclosed by the HIO to affiliated members for specified purposes only if the patient has affirmatively agreed to such disclosures. Yet other HIOs have adopted an “opt out” model, in which the patient’s information is disclosed to the HIO and subsequently disclosed by the HIO to affiliated members for specified purposes unless the patient has affirmatively declined to participate in such exchange.

Regardless of which model the HIO adopts for exchanging general clinical information, the HIO must still comply with the requirements of 42 CFR Part 2 with respect to Part 2 information. This means that even if an HIO adopts a “no consent” model for other information, the patient’s Part-2 compliant consent must be obtained to disclose Part 2 information to or through the HIO. On the other hand, the HIO may impose requirements in addition to 42 CFR Part 2. For example, because an “opt in” model requires affirmative patient consent to participate in the HIO, a Part 2 program may need to obtain patient consent to disclose Part 2 information to an HIO even if the Part 2 program has a QSOA with the HIO.

Q10. If an HIO is holding or storing Part 2 patient data through a QSOA, can the HIO redisclose the data coming from the Part 2 program to a third party without patient consent?

A10. Only in very limited circumstances. An HIO may disclose the Part 2 information to a contract agent of the HIO, if it needs to do so in order to provide the services described in the QSOA, and as long as the agent only discloses the information back to the HIO or the Part 2 program from which the information originated. If a disclosure is made by the HIO to an agent acting on its behalf to perform the service, both the HIO and the agent are bound by Part 2, and neither organization can disclose the information except as permitted by Part 2.

The HIO would not be allowed to redisclose the information to third parties, including HIO affiliated members (except in a medical emergency, which will be discussed in other FAQs), because the HIO affiliated members are not acting as agents of the HIO, but rather are receiving services provided by the HIO. Consequently, if an HIO wants to redisclose the Part 2 program’s records to a participating member, it would need the consent of the patient.

Q11. What are the required elements of a patient consent under Part 2?

A11. A written consent to a disclosure under the Part 2 regulations must be in writing and include all of the following items (42 CFR § 2.31):

1. the specific name or general designation of the program or person permitted to make the disclosure;
2. the name or title of the individual or the name of the organization to which disclosure is to be made;
3. the name of the patient;
4. the purpose of the disclosure;
5. how much and what kind of information to be disclosed;
6. the signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient;
7. the date on which the consent is signed;
8. a statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer; and
9. the date, event or condition upon which the consent will expire if not revoked before. This data, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given.

Q12. What must a Part 2 program do to notify the HIO, or any other recipient of Part 2 protected information, that it may not redisclose Part 2 information without patient consent?

A12. Part 2 requires each disclosure made with written patient consent to be accompanied by a written statement that the information disclosed is protected by federal law and that the recipient cannot make any further disclosure of it unless permitted by the regulations. Thus, when information is disclosed electronically, an accompanying notice explaining the prohibition on redisclosure must also be electronically sent. Under 42 CFR § 2.32, the statement must read:

“This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.”

Q13. Can a single consent form be used to authorize the disclosure of Part 2 information to an HIO, as well as authorize the redisclosure of that information to other identified parties, such as HIO affiliated members?

A13. Yes. Under Part 2, a single consent form can authorize a disclosure of information about a patient to one recipient, such as an HIO, and simultaneously authorize that recipient to redisclose that information to an additional entity or entities (such as other HIO affiliated health care providers identified in the consent form), provided that the purpose for the disclosure is the same. The required statement prohibiting redisclosure must accompany the information disclosed through consent, so that each subsequent recipient of that information is notified of the prohibitions on redisclosure.

Q14. Does Part 2 allow the use of multiple-party consent forms?

A14. Yes. A Part 2 consent form can authorize an exchange of information between multiple parties named in the consent form. The key is to make sure the consent form authorizes each party to disclose to the other ones the information specified and for the purpose specified, in the consent.

If patients want to authorize all or many members of the HIO to access their Part 2-protected record as well as to exchange information with one another, a multiple-party consent form must comply with all relevant requirements of Part 2, including a list of the names of each person or organization to whom disclosures are authorized, that the parties may disclose to each other, and for what purposes.

Q15. Does Part 2 require the use of original signed consents?

A15. No. While consent under Part 2 must be in writing and nonverbal, “wet” signatures – where the entity obtaining a patient’s consent gets the consent form signed by the patient in-person and sends the original, signed consent form to the Part 2 provider – are not necessary. Part 2 does not require programs (or recipients named in the consent) to have a patient’s "original" signed consent form in their possession to make disclosures. As long as the program or recipient of the consent acts with reasonable caution, it may accept a facsimile or a photocopy of a consent form. Some electronic health information systems may have, or may be developing, the capacity to obtain electronic consents. An electronic signed consent form would be allowable as well, provided an electronic signature is valid under applicable law.

Q16. Under Part 2, may an HIO release demographic information about Part 2 patients without patient consent?

A16. Yes. However, one must be sure to be in compliance with Part 2, which prohibits the disclosure of patient-identifying information. (42 CFR § 2.11 and § 2.13) Therefore, releasing demographic information would only be allowed under Part 2 if the demographic information does not reveal any information that would identify the person, either directly or indirectly, as having a current or past drug or alcohol problem or as being a patient in a Part 2 program.

Q17. Under Part 2, can an HIO reveal that a patient had an encounter at a mixed use facility (or “general medical” facility – see FAQ #2) as long as the HIO does not reveal that the patient was in the mixed use facility’s Part 2 program? A mixed use facility can be defined as a service provider organization that provides substance abuse treatment services as well as other health services such as primary care, dental care, mental health services, social services, etc.

A17. Yes, such a disclosure would be permitted under Part 2 because no information protected under Part 2 – any information that would identify the person, either directly or indirectly, as having a current or past drug or alcohol problem or as being a patient in a Part 2 program – is being disclosed. Part 2 explicitly permits “acknowledgement of the presence of an identified patient in a facility or part of a facility if the facility is not publicly identified as only an alcohol or drug abuse diagnosis, treatment or referral facility, and if the acknowledgement does not reveal that the patient is an alcohol or drug abuser.” (42 CFR § 2.13(c)(1))

Q18. Under Part 2, can an HIO use a consent form that provides for disclosure to “HIO members” and refers to the HIO’s website for a list of those members?

A18. No. 42 CFR Part 2, § 2.31(a)(2) states that consent forms must include the names of the individuals or organizations who will be the recipients of the Part 2 data. The purpose of this requirement is to ensure that patients are sufficiently informed about the disclosures that will be made under the consent. Many individuals throughout the country still do not have computers or access to the Internet, and many HIO affiliated health care providers do not have the resources to provide patients with access to the Internet at the HIO providers’ offices. Thus, Part 2 consents should identify, by attachment if necessary, all the HIO affiliated members that are potential recipients of the Part 2 data.

Q19. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to future HIO affiliated health care providers?

A19. No. If a health care provider joins the HIO after a consent is signed, and the patient later goes to that provider for care, Part 2 would require that the new HIO affiliated health care provider obtain the patient’s consent for access to the patient’s information. This is consistent with 42 CFR Part 2, §2.31(a)(2) that requires patient consent to include the names of the individuals or organizations that will be the recipients of the Part 2 data.

Q20. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to health care providers who are providing on-call coverage for HIO affiliated health care providers or with whom those affiliated providers consult?

A20. Yes, if those providing on-call coverage and consultation for an HIO affiliated provider are listed on the consent form. (See 42 CFR § 2.31(a)(2) requiring the specific name of the individual or organization to whom disclosure may be made to be included in the consent form.)

Q21. Can a Part 2 patient consent be used to enable multiple disclosures?

A21. Yes. Under a Part 2 patient consent, information may be disclosed multiple times, as long as the consent has not yet expired and the entities to whom the information is to be disclosed, the nature of the information, and the purpose for the disclosure specified in the consent form are still the same. A separate consent form does not need to be obtained each time a disclosure of Part 2 records is made.

Q22. Can a Part 2 program or HIO use a consent form that has no specific expiration date but rather states that disclosure is permitted until consent is revoked by the patient?

A22. No. Under 42 CFR § 2.31, a Part 2 consent form must list the date, event, or condition upon which the consent will expire, if not revoked before. Thus, it is not sufficient under Part 2 for a consent form to merely state that that disclosures will be permitted until the consent is revoked by the patient. It is, however, permissible for a consent form to specify the event or condition that will result in revocation, such as having its expiration date be “upon my death.”

Q23. Is “treatment” a sufficient description of the intended purpose of a disclosure on a Part 2 consent?

A23. Yes, it is sufficient for “treatment” to be listed on a consent form as the intended purpose of a disclosure under Part 2. A consent authorizing Part 2 patient information to be included in, or exchanged through, an HIO’s system for the purpose of “treatment” would not permit that information to be shared or used for other purposes, such as for payment, disease management, or quality improvement activities, among others.

Q24. Under Part 2, can any health care provider make the determination that a medical emergency exists, or must a Part 2 provider make that determination?

A24. Any health care provider who is treating the patient for a medical emergency can make that determination. Under the medical emergency provision in Part 2, §2.51, “patient identifying information may be disclosed to medical personnel who have a need for information about the patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” (42 CFR § 2.51(a)) This provision does not require that the Part 2 program make that determination. Thus, any treating provider who determines that a condition which poses an immediate threat to the health of an individual exists can make the decision to “break the glass” (the term used when a health care provider, in the case of an emergency, gets access to a patient’s records without the patient’s consent) and gain access to Part 2 records. This includes HIO affiliated health care providers treating an individual in a medical emergency who might seek access to records about a patient that are held in, or made available through, an HIO.

Q25. May a computer system be used to automatically determine whether a medical emergency exists and whether a disclosure of Part 2 data can be made without the patient’s consent?

A25. Automated electronic health information systems can be programmed to flag specific patient information for a provider to use in determining whether a medical emergency exists and may be programmed to provide alerts to authorized providers. However, one may not automate the determination of a medical emergency. Part 2 requires medical personnel treating an emergency (the treating provider) to use their professional judgment to determine whether the situation meets Part 2’s definition of a medical emergency, defined as a particular condition that poses an immediate threat to the health of any individual and requires medical intervention. Once a medical emergency has been determined, Part 2 information may be disclosed without the patient’s consent. (42 CFR § 2.51(a))

Q26. If a medical emergency exists, can the entire Part 2 record be released?

A26. Yes. If there is a medical emergency, Part 2 would allow the entire record to be released through an HIO to a treating provider who indicates that he or she needs access to that information to treat a condition that poses an immediate threat to the health of any individual and requires immediate medical intervention.

Q27. For documentation purposes, if a medical emergency is present, would it be permissible under Part 2 to have treating providers simply check a drop down box signifying the existence of such a medical emergency?

A27. Under Part 2 it is permitted, but not sufficient, for treating providers in a medical emergency to merely check a drop down box to signify that they deem that a medical emergency exists under Part 2’s definition. Part 2 requires that when a disclosure is made in connection with a medical emergency, the Part 2 program must document in the patient’s record the name and affiliation of the medical personnel receiving the information, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency. Thus, the same information must be recorded by treating providers in any medical emergency and conveyed to the Part 2 program. Automated electronic systems may be used to generate information necessary for a provider to make a determination of a medical emergency, to enable provider entry of emergency information, and/or to generate a report documenting the emergency. Other laws or legal requirements that are, or may be, applicable to HIO affiliated health care providers have similar requirements for audit trails to document the specifics of “break the glass” incidents, such that it enables review by the relevant privacy officer that such access was proper.

Q28. Under Part 2, may an HIO system make clinical decision support functions (such as showing a patient’s medications to clinicians when they write prescriptions, automatically ordering medications, and/or alerting clinicians about potential drug interactions) available to HIO affiliated health care providers in a medical emergency?

A28. Yes. Access without patient consent is permitted for information protected by Part 2 in circumstances that meet Part 2’s definition of a medical emergency (42 CFR § 2.51). When a treating provider determines that a true medical emergency exists, the system can show the physician the information that is needed to treat that medical emergency, including revealing Part 2 information. In circumstances not involving a medical emergency, the system could not disclose any Part 2 data to the treating physician in the absence of consent. The system could only tell the provider that a specific consent must be obtained, and it must be set up so that such a notice would not reveal the existence of protected Part 2 information.

Q29. Does the Part 2 definition of medical emergency also include mental health emergencies?

A29. Yes. Part 2 does not distinguish between physical and mental health emergencies. A medical emergency is simply defined as a health emergency affecting any individual that requires immediate medical intervention. (42 CFR § 2.51(a))

Q30. When the HIO keeps an electronic record of a medical emergency, does that fully meet Part 2’s requirement to document disclosures made in a medical emergencies in the patient’s record?

A30. No. Part 2 requires that when a disclosure is made in connection with a medical emergency, the Part 2 program (emphasis added) must document in the patient's record the name and affiliation of the recipient of the information, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency (42 CFR § 2.51(c)). Thus, data systems must be designed to ensure that the Part 2 program is notified when a “break the glass” disclosure occurs and Part 2 records are released pursuant to a medical emergency. The notification should include all the information that the Part 2 program is required to document in the patient’s records. The information about emergency disclosures should also be kept in the HIO’s electronic system.

Q31. If an HIO’s electronic system makes a disclosure in a medical emergency, would documenting the name of the discloser as “electronically disclosed through the system administered by HIO” meet Part 2’s requirement that the name of the person who made the disclosure be documented in the patient’s record?

A31. No. Part 2 requires that all the circumstances surrounding a disclosure in a medical emergency situation be immediately documented in writing in order to ensure that all the circumstances surrounding a medical emergency disclosure can be investigated and individuals held accountable for their decisions. The HIO is the vehicle for the disclosure of the Part 2 record but not the decision-maker. Thus, documenting the disclosure as “electronically disclosed through the system administered by the HIO,” while technically accurate, does not reveal the information that must be documented under Part 2 – the identity of the individual who determined that the situation was in fact a medical emergency and determined that the patient’s records should be released. The name of the person who makes the determination and documentation of disclosure made electronically through a system administered by the HIO should be recorded in the HIO’s electronic system.

Q32. If an HIO’s electronic system sends Part 2 data in a medical emergency to a printer or fax machine in the emergency room, can “the printer in the emergency department” meet Part 2’s requirement to document in the patient’s record the name of the person to whom the disclosure was made?

A32. No. Part 2 requires that “[t]he name of the medical personnel to whom disclosure was made and their affiliation with any health care facility” be recorded in order to ensure that all the recipients of the information were authorized to receive that information and used it appropriately. Therefore, the name(s) of the medical personnel who received the information and used it to treat the patient should be recorded. (42 CFR § 2.51(c))

Q33. Once Part 2 information is disclosed in a medical emergency, can that information be redisclosed without obtaining patient consent?

A33. Yes. In contrast to circumstances where information is disclosed through patient consent, if a medical emergency exists Part 2 provisions do not prohibit the redisclosure of Part 2 information once it is released. Consequently, medical personnel treating a patient for a medical emergency who are HIO affiliated providers may download and include in their own records the information they obtained in treating the emergency, and may then re-disclose that information to others without obtaining patient consent. However, all disclosures of information under the regulation must be limited to the information necessary to carry out the purpose of the disclosure (42 CFR § 2.13(a)).

Q34. If a patient has previously refused to consent to the release of his/her Part 2 record to a particular HIO affiliated health care provider, and then the patient is brought to that provider in a bona fide medical emergency situation, can that provider gain access through the HIO to the information without the patient’s consent under Part 2?

A34. Yes. Under Part 2, records can be released to a provider (including an HIO affiliated health care provider) treating a patient for a medical emergency even if the patient has previously explicitly stated that he/she does not wish his or her records released to that provider.

Q35. Can an HIO disclose data for Disease Management purposes under Part 2 without patient consent?

A35. No. The HIO may not disclose protected Part 2 information for Disease Management purposes unless the patient specifically authorizes such a redisclosure for that purpose in a consent form that meets Part 2’s requirements. It would be helpful for the consent form to explain the term “Disease Management” and even, perhaps, provide examples of how the information might be used.

If a Part 2 program discloses information to the HIO via a QSOA, the HIO would still need to obtain the patient’s consent before redisclosing the protected information to any third parties for Disease Management purposes.

A disclosure would be permitted in those rare situations where information disclosed by the HIO for Disease Management purposes does not implicitly or explicitly disclose the information protected by Part 2. An example would be when information is aggregated data that does not reveal that the patient has a drug or alcohol problem or the patient’s status as a participant in alcohol or drug treatment.

Q36. Under Part 2, would an HIO be permitted to disclose to an HIO affiliated payer the data of several patients held by the HIO, which may include Part 2 data, in order for the payer to target where interventions could be made with particular patients to improve care and management of disease?

A36. No. An HIO would not be permitted to disclose information protected by Part 2 to payers for any reason, including Disease Management, without a Part 2 consent specifically authorizing disclosure for that purpose.

Q37. If an HIO affiliated health care provider wishes to gain access to a minor’s Part 2 record held by the HIO, may the HIO or provider obtain only the consent of a parent or guardian, or must the minor’s consent also be obtained?

A37. Under Part 2, the HIO affiliated provider and/or the HIO (acting for the provider and Part 2 program) must always obtain the minor’s consent before the provider can gain access to the minor’s Part 2 record (42 CFR § 2.14). Depending on state law, the provider might also need to obtain the parent’s or guardian’s consent as well. Parental consent for a disclosure is required in addition to the minor’s only if the Part 2 program is required by state law to obtain parental consent before providing alcohol or drug treatment to the minor.

In other words, if a state law gives a minor the legal authority to consent to treatment on his/her own, without a parent’s or guardian’s permission or knowledge, then only the minor’s consent is required for the HIO to disclose the minor’s information to the HIO affiliated health care provider under Part 2. If state law requires parental consent for the minor to be provided alcohol or drug treatment, then the consent of both the minor patient and the parent or guardian is required before the Part 2 program or HIO can make any disclosures. The minor’s written consent must be obtained first in all cases.

In short, the HIE requirements for MU include the ability to: (1) exchange “key” clinical information among providers of care and patient authorized entities electronically, and (2) perform at least 1 test of exchanging information. The crucial question, then, is what exactly does "and patient authorized entities" suggest?  In listening to the privacy discussion taking place in various ONC Workgroups, including the newly-established Privacy & Security Tiger Team, one could reasonably conclude that this requirement might evolve to mean that a HIE will need to be able to capture and implement patients' specific and granular preferences (e.g., patient is "ok” with releasing info to Provider B, but not to Provider C) -- at least if you want to meet MU criteria. 

This interpretation, however, could throw a wrench into HIE networks across the nation that have implemented an Opt-Out consent model in part in reliance on a legitimate belief that when HHS adopted the final version of the HIPAA Privacy Rule it also vetted and already decided the question of whether a patient's prior written authorization should be required before general health information can be shared between treating providers for treatment purposes -- and it affirmatively decided to create the "Treatment Exception".  In fact, many states have laws that contain a similar exception. New Jersey, for example, specifically permits two treating doctors to share pertinent information about a common patient and expressly states that the prior consent is not required in such instances if it is in the best interest of the patient (see N.J.A.C. 13:35-6.5(d)3).

Links to the full legislative history related to the promulgation of the HIPAA Privacy Rule can be found on HHS’s website, but, a closer look at the August 14, 2002 “Modification to the HIPAA Privacy Rule –Final Rule" are worth a second read in particular.  For those who wish to review it in full, I have posted a full exerpt of the relevant sections under the “Continue Reading” window below, but in sum HHS removed the requirement of obtaining prior patient authorization after reviewing numerous public comments on the issue and concluding that:

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded ...

The Final HIPAA Privacy Rule was adopted after HHS released multiple proposed versions, considered significant public comment, and followed administrative rule-making procedures -- all over the course of almost 3 years. Thus, as policies are recommended and developed for the HIE context, prior debate and dialogue is relevant and should not be forgotten or dismissed.

[Page 53208]

D. Section 164.506--Uses and Disclosures for Treatment, Payment, and Health Care Operations

1. Consent

December 2000 Privacy Rule. Treatment and payment for health care are core functions of the health care industry, and uses and disclosures of individually identifiable health information for such purposes are critical to the effective operation of the health care system. Health care providers and health plans must also use individually identifiable health information for certain health care operations, such as administrative, financial, and legal activities, to run their businesses and to support the essential health care functions of treatment and payment. Equally important are health care operations designed to maintain and improve the quality of health care. In developing the Privacy Rule, the Department balanced the privacy implications of uses and disclosures for treatment, payment, and health care operations and the need for these core activities to continue. The Department considered the fact that many individuals expect that their health information will be used and disclosed as necessary to treat them, bill for treatment, and, to some extent, operate the covered entity's health care business. Given public expectations with respect to the use or disclosure of information for such activities and so as not to interfere with an individual's access to quality health care or the efficient payment for such health care, the Department's goal is, and has always been, to permit these activities to occur with little or no restriction.

Consistent with this goal, the Privacy Rule published in December 2000 generally provided covered entities with permission to use and disclose protected health information as necessary for treatment, payment, and health care operations. For certain health care providers that have direct treatment relationships with individuals, such as many physicians, hospitals, and pharmacies, the December 2000 Privacy Rule required such providers to obtain an individual's written consent prior to using or disclosing protected health information for these purposes. The Department designed consent as a one-time, general permission from the individual, which the individual would have had the right to revoke. A health care provider could have conditioned treatment on the receipt of consent. Other covered entities also could have chosen to obtain consent but would have been required to follow the consent standards if they opted to do so.

The consent requirement for health care providers with direct treatment relationships was a significant change from the Department's initial proposal published in November 1999. At that time, the Department proposed to permit all covered entities to use and disclose protected health information to carry out treatment, payment, and health care operations without any requirement that the covered entities obtain an individual's consent for such uses and disclosures, subject to a few limited exceptions. Further, the Department proposed to prohibit covered entities from obtaining an individual's consent for uses and disclosures of protected health information for these purposes, unless required by other applicable law.

The transition provisions of the Privacy Rule permit covered health care providers that were required to obtain consent to use and disclose protected health information they created or received prior to the compliance date of the Privacy Rule for treatment, payment, or health care operations if they had obtained consent, authorization, or other express legal permission to use or disclose such information for any of these purposes, even if such permission did not meet the consent requirements of the Privacy Rule.

March 2002 NPRM. The Department heard concerns about significant practical problems that resulted from the consent requirements in the Privacy Rule. Covered entities and others provided numerous examples of obstacles that the consent provisions would pose to timely access to health care. These examples extended to various types of providers and various settings. The most troubling, pervasive problem was that health care providers would not have been able to use or disclose protected health information for treatment, payment, or health care operations purposes prior to their initial face-to-face contact with the patient, something which is routinely done today to provide patients with timely access to quality health care. A list of some of the more significant examples and concerns are as follows:

• Pharmacists would not have been able to fill a prescription, search for potential drug interactions, determine eligibility, or verify coverage before the individual arrived at the pharmacy to pick up the prescription if the individual had not already provided consent under the Privacy Rule.
• Hospitals would not have been able to use information from a referring physician to schedule and prepare for procedures before the individual presented at the hospital for such procedure, or the patient would have had to make a special trip to the hospital to sign the consent form.
• Providers who do not provide treatment in person may have been unable to provide care because they would have had difficulty obtaining prior written consent to use protected health information at the first service delivery.
• Emergency medical providers were concerned that, if a situation was urgent, they would have had to try to obtain consent to comply with the Privacy Rule, even if that would be inconsistent with appropriate practice of emergency medicine.
• Emergency medical providers were also concerned that the requirement that they attempt to obtain consent as soon as reasonably practicable after an emergency would have required significant efforts and administrative burden which might have been viewed as harassing by individuals, because these providers typically do not have ongoing relationships with individuals.
• Providers who did not meet one of the consent exceptions were concerned that they could have been put in the untenable position of having to decide whether to withhold treatment when an individual did not provide consent or proceed to use information to treat the individual in violation of the consent requirements.
• The right to revoke a consent would have required tracking consents, which could have hampered treatment and resulted in large institutional providers deciding that it would be necessary to obtain consent at each patient encounter instead.

The transition provisions would have resulted in significant operational problems, and the inability to access health records would have had an adverse effect on quality activities, because many providers currently are not required to obtain consent for treatment, payment, or health care operations.

Providers that are required by law to treat were concerned about the mixed messages to patients and interference with the physician-patient relationship that would have resulted because they would have had to ask for consent to use or disclose protected health information for treatment, payment, or health care operations, but could have used or disclosed the information for such purposes even if the patient said ``no.''

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded (see section III.H. of the preamble for a discussion of the strengthened notice requirements).

Specifically, the Department proposed to make the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations more flexible for all covered entities, including providers with direct treatment relationships. Under this proposal, health care providers with direct treatment relationships with individuals would no longer be required to obtain an individual's consent prior to using and disclosing information about him or her for treatment, payment, and health care operations. They, like other covered entities, would have regulatory permission for such uses and disclosures.

The NPRM included provisions to permit covered entities to obtain consent for uses and disclosures of protected health information for treatment, payment, or health care operations, if they wished to do so. These provisions would grant providers complete discretion in designing this process. These proposed changes were partnered, however, by the proposal to strengthen the notice provisions to require direct treatment providers to make good faith efforts to obtain a written acknowledgment of receipt of the notice. The intent was to preserve the opportunity to raise questions about the entity's privacy policies that the consent requirements previously provided.

Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, ``Response to Other Public Comments.''  The vast majority of commenters addressed the consent proposal. Most comments fell into three basic categories: (1) Many comments supported the NPRM approach to eliminate the consent requirement; (2) many comments urged the Department to require consent, but make targeted fixes to address workability issues; and (3) some comments urged the Department to strengthen the consent requirement.

The proposed approach of eliminating required consent and making obtaining of consent permissible, at the entity's discretion, was supported by many covered entities that asserted that it would provide the appropriate balance among access to quality health care, administrative burden, and patient privacy. Many argued that the appropriate privacy protections were preserved by strengthening the notice requirement. This approach was also supported by the NCVHS.

The comments received in response to the NPRM continued to raise the issues and obstacles described above, and others. For example, in addition to providing health care services to patients, hospices often provide psychological and emotional support to family members. These consultations often take place long distance and would likely be considered treatment. The consent requirement would make it difficult, or impossible in some circumstances, for hospices to provide these important services to grieving family members on a timely basis.

Comments explained that the consent provisions in the Rule pose significant obstacles to oncologists as well. Cancer treatment is referral-based. Oncologists often obtain information from other doctors, hospital, labs, etc., speak with patients by telephone, identify treatment options, and develop preliminary treatment plans, all before the initial patient visit. The prior consent requirement would prevent all of these important preliminary activities before the first patient visit, which would delay treatment in cases in which such delay cannot be tolerated.

Other commenters continued to strongly support a consent requirement, consistent with their views expressed during the comment period in March 2001. Some argued that the NPRM approach would eliminate an important consumer protection and that such a ``radical'' approach to fixing the workability issues was not required. They recommended a targeted approach to fixing each problem, and suggested ways to fix each unintended consequence of the consent requirement, in lieu of removing the requirement to obtain consent.

A few commenters argued for reinstating a consent requirement, but making it similar to the proposal for acknowledgment of notice by permitting flexibility and including a ``good faith'' standard. They also urged the Department to narrow the definition of health care operations and require that de-identified information be used where possible for health care operations.

Finally, a few commenters continued to assert that consent should be strengthened by applying it to more covered entities, requiring it to be obtained more frequently, or prohibiting the conditioning of treatment on the obtaining of consent.

Final Modifications.

The Department continues to be concerned by the multitude of comments and examples demonstrating that the consent requirements would result in unintended consequences that would impede the provision of health care in many critical circumstances. We are also concerned that other such unintended consequences may exist which have yet to be brought to our attention. The Department would not have been able to address consent issues arising after publication of this Rule until at least a year had passed from this Rule's publication date due to statutory limitations on the timing of modifications. The Department believes in strong privacy protections for individually identifiable health information, but does not want to compromise timely access to quality health care. The Department also understands that the opportunity to discuss privacy practices and concerns is an important component of privacy, and that the confidential relationship between a patient and a health care provider includes the patient's ability to be involved in discussions and decisions related to the use and disclosure of protected health information about him or her.

A review of the comments showed that almost all of the commenters that discussed consent acknowledged that there are unintended consequences of the consent requirement that would interfere with treatment. These comments point toward two potential approaches to fixing these problems. The Department could address these problems by adopting a single solution that would address most or all of the concerns, or could address these problems by adopting changes targeted to each specific problem that was brought to the attention of the Department. One of the goals in making changes to the Privacy Rule is to simplify, rather than add complexity to, the Rule. Another goal is to assure that the Privacy Rule does not hamper necessary treatment.

For both of these reasons, the Department is concerned about adopting different changes for different issues related to consent and regulating to address specific examples that have been brought to its attention. Therefore, the options that the Department most seriously considered were those that would provide a global fix to the consent problems. Some commenters provided global options other than the proposed approach. However, none of these would have resolved the operational problems created by a mandatory consent.

The Department also reviewed State laws to understand how they approached uses and disclosures of health information for treatment, payment, or health care operations purposes. Of note was the California Confidentiality of Medical Information Act. Cal. Civ. Code Sec. 56.

This law permits health care providers and health plans to disclose health information for treatment, payment, and certain types of health care operations purposes without obtaining consent of the individual.

The California HealthCare Foundation conducted a medical privacy and confidentiality survey in January 1999 that addressed consumer views on confidentiality of medical records. The results showed that, despite the California law that permitted disclosures of health information without an individual's consent, consumers in California did not have greater concerns about  confidentiality than other health care consumers. This is true with respect to trust of providers and health plans to keep health information private and confidential and the level of access to health information that providers and health plans have. 

The Department adopts the approach that was proposed in the NPRM, because it is the only one that resolves the operational problems that have been identified in a simple and uniform manner. First, this Rule strengthens the notice requirements to preserve the opportunity for individuals to discuss privacy practices and concerns with providers. (See section III.H. of the preamble for the related discussion of modifications to strengthen the notice requirements.) Second, the final Rule makes the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations optional on the part of all covered entities, including providers with direct treatment relationships. A health care provider that has a direct treatment relationship with an individual is not required by the Privacy Rule to obtain an individual's consent prior to using and disclosing information about him or her for treatment, payment, and health care operations. They, like other covered entities, have regulatory permission for such uses and disclosures. The fact that there is a State law that has been using a similar model for years provides us confidence that this is a workable approach.

Other rights provided by the Rule are not affected by this modification. Although covered entities will not be required to obtain an individual's consent, any uses or disclosures of protected health information for treatment, payment, or health care operations must still be consistent with the covered entity's notice of privacy practices. Also, the removal of the consent requirement applies only to consent for treatment, payment, and health care operations; it does not alter the requirement to obtain an authorization under Sec. 164.508 for uses and disclosures of protected health information not otherwise permitted by the Privacy Rule or any other requirements for the use or disclosure of protected health information. The Department intends to enforce strictly the requirement for obtaining an individual's authorization, in accordance with Sec. 164.508, for uses and disclosure of protected health information for purposes not otherwise permitted or required by the Privacy Rule. Furthermore, individuals retain the right to request restrictions, in accordance with Sec. 164.522(a). This allows individuals and covered entities to enter into agreements to restrict uses and disclosures of protected health information for treatment, payment, and health care operations that are enforceable under the Privacy Rule.

Although consent for use and disclosure of protected health information for treatment, payment, and health care operations is no longer mandated, this Final Rule allows covered entities to have a consent process if they wish to do so. The Department heard from many commenters that obtaining consent was an integral part of the ethical and other practice standards for many health care professionals. It, therefore, does not prohibit covered entities from obtaining  consent. 

This final Rule allows covered entities that choose to have a consent process complete discretion in designing that process. Prior comments have informed the Department that one consent process and one set of principles will likely be unworkable. Covered entities that choose to obtain consent may rely on industry practices to design a voluntary consent process that works best for their practice area and consumers, but they are not required to do so.

This final Rule effectuates these changes in the same manner as proposed by the NPRM. The consent provisions in Sec. 164.506 are replaced with a new provision at Sec. 164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations. A new provision is added at Sec. 164.506(b) that permits covered entities to obtain consent if they choose to, and makes clear any such consent process does not override or alter the authorization requirements in Sec. 164.508. Section 164.506(b) includes a small change from the proposed version to make it clearer that authorizations are still required by referring directly to authorizations under Sec. 164.508.

Additionally, this final Rule includes a number of conforming modifications, identical to those proposed in the NPRM, to accommodate the new approach. The most substantive corresponding changes are at Secs. 164.502 and 164.532. Section 164.502(a)(1) provides a list of the permissible uses and disclosures of protected health information, and refers to the corresponding section of the Privacy Rule for the detailed requirements. The provisions at Secs. 164.502(a)(1)(ii) and (iii) that address uses and disclosures of protected health information for treatment, payment, and health care operations are collapsed into a single provision, and the language is modified to eliminate the consent requirement.

The references in Sec. 164.532 to Sec. 164.506 and to consent, authorization, or other express legal permission obtained for uses and disclosures of protected health information for treatment, payment, and health care operations prior to the compliance date of the Privacy Rule are deleted. The proposal to permit a covered entity to use or disclose protected health information for these purposes without consent or authorization would apply to any protected health information held by a covered entity whether created or received before or after the compliance date. Therefore, transition provisions are not necessary.

This final Rule also includes conforming changes to the definition of ``more stringent'' in Sec. 160.202; the text of Sec. 164.500(b)(1)(v), Secs. 164.508(a)(2)(i) and (b)(3)(i), and Sec. 164.520(b)(1)(ii)(B); the introductory text of Secs. 164.510 and 164.512, and the title of Sec. 164.512 to eliminate references to required consent.