Sequestration of Sensitive Data with HIE: A New Jersey Pilot

On April 27th, I presented at the American Health Lawyers Association (AHLA) conference in Washington D.C. as part of the Challenges and Solutions Involving EHRs and HIE.  My presentation, titled “Sequestration of Sensitive Data with Health Information Exchange: A New Jersey Pilot” examines the efforts of one HIE using a unique technological solution to segment sensitive data and “sequester” it behind a technological “break glass” mechanism to allow for greater granularity of choice and privacy options for data sharing.

You can download a full copy of my PowerPoint here.

A reprint of my entire associated article prepared for the AHLA conference follows, or you can download it here.

_______________________

Sequestration of Sensitive Data with Health Information Exchange:  A New Jersey Pilot

prepared by 

 Helen Oscislawski, Esq.,

Attorneys at Oscislawski LLC

for

American Health Lawyers Association

 

Challenges and Solutions Involving Electronic Health Records and Health Information Exchange

April 27, 2011

Washington, D.C.

Introduction

Patient consent and how to handle sensitive information are two of the most passionately-debated, hot-button issues with electronic health information exchange (HIE).  The crux of the tension lies between the need to make pertinent health information more readily accessible to the patient’s treating physicians, and the patient’s right to control and keep such information private.  On the one hand, it is argued that if health information technology (HIT) can be used to move information out of its “paper record-silo” and into the hands of the decision-making clinician wherever he or she may physically be located, this increases efficiency, reduces costs (i.e., from unnecessary, duplicative testing) and can ultimately result in overall better treatment delivered to the patient.  On the other hand, patients who seek medical treatment have certain expectation that their information will be kept confidential, and may not want to have all of their health information available to all of their physicians. 

These privacy and consent issues have been researched, analyzed and debated exhaustively over the last several years.  As a result, numerous credible whitepapers, legal analyses and resources have been developed and can be leveraged by HIE initiatives grappling with these same challenges.[1]   In addition, with the creation and subsequent funding of the Office of Nation Coordinator (ONC) for Health Information Technology (HIT), there has been a significantly improved and coordinated effort to providing guidance, recommendations and access to public resource that can help private and public HIE initiatives develop a consistent legal framework for consent.  

This whitepaper discusses an approach taken by one New Jersey hospital-based electronic HIE initiative attempting to protect sensitive information by implementing a technical safeguard referred to here as “sequestration” (the “NJ Pilot”).  The primary reason that technology was looked to as a solution was the desire to create balanced approach to HIE that more freely allows a patient’s general clinical information to be shared with clinicians involved in treatment of the patient and also restricts access to legally-protected sensitive data, unless the patient provides specific consent for his or her provider to access such sequestered information.

Patient Consent Options in Health Information Exchange

            Five (5) prevailing patient consent models have surfaced for HIE: (1) “No Consent” (2) “Opt-Out” (3) “Opt-Out, with Granularity of Choice” (4) “Opt-In” and (5) “Opt-In, with Granularity of Choice”.  These five models are described in detail in the whitepaper on patient consent in HIE prepared by the Department of Health Policy, School of Public Health and Health Services at George Washington University Medical Center (the “GWU Consent Whitepaper”).[2]  The HIE consent models recognized in the GWU Consent Whitepaper are summarized here:

No Consent

No opportunity for accommodation of individual preference with respect to participation in the HIE.  The health information of patients under the care of a participating provider organization is automatically included in and available (often according to certain rules) through the HIE.  The “No Consent” model is typically found in states that require no additional provisions for the electronic exchange of health information beyond the federal floor set by the HIPAA privacy regulations. In these states, electronic exchange can take place irrespective of and without obtaining patient preferences for participation (within the bounds of applicable federal and state laws). Not all HIOs with this authority exercise it, but no consent should be considered as an option in the spectrum.

Opt-Out

Default is for all or some pre-defined set of data (e.g., labs, summary record information) to be eligible automatically for exchange, with a provision that patients must be given the opportunity to Opt-Out in full. In a typical Opt-Out scenario, this could mean either that the information of the patient who Opts-Out is collected through the exchange (and used only for legally permitted purposes, such as public health reporting), but never shared with other providers for clinical care, or that the patient’s preferences are captured and propagated such that his/her clinical information never even enters the exchange. Regardless of where in the system the information exchange is blocked, this option allows for no granularity of patient preference, meaning that a patient’s information is either all in or all out. Many electronic exchange models with the legal authority to adopt the no consent approach ultimately end up using an Opt-Out approach instead.

Opt-Out, with Granularity of Choice  

Default is that all or some pre-defined set of data types are eligible for exchange, but there is granularity of choice given to patients such that patients can either Opt-Out in full (as described above) or: (1) selectively exclude categories of data/specific data elements from the exchange; (2) limit exchange of their information to specific providers/provider organizations; and/or (3) limit exchange of their information for specific purposes. The trade-off with this level of patient accommodation is that it is technically and procedurally more complex to administer and manage. Very few electronic exchange models have allowed for full granularity in the choice of data type exchanged, but some have allowed patient choice as to which provider types may gain access to their data via the exchange. Granularity of exchange at the individual provider level is procedurally more complicated and could pose additional management challenges. For these and other reasons, it has rarely been implemented. Most entities engaging in electronic exchange have not yet attempted to allow granularity with regard to purpose specification, as very few are currently using the information for purposes other than clinical care delivery and public health.

Opt-In

Default is that no patient data are automatically made available through the HIE. Patients wishing to make all, or a pre-defined set, of their information available must actively express their desire to participate. This option allows for no granularity of patient preference—meaning that a patient’s information is either all in or all out. Once participating, patients who Opt-In have no control over what information is shared, how, with whom, or for what purpose. The only exceptions here are: (1) permission is later revoked by the patient; or (2) other protections extend to the data (e.g., marketing provisions in the HIPAA privacy regulations).

Opt-In, with Granularity of Choice

Default is that no patient data are automatically made available through the HIE. Patients wishing to make all, or a pre-defined set, of their information available for exchange must actively grant their consent to participate. Patient then have the option to make all of their information eligible for exchange or exercise granularity  of choice to: (1) include only specific categories of data or data elements; (2) enable information to flow only to specific providers; and/or (3) allow their information to be exchanged only for specific purposes.

Selecting a Consent Approach

            Opt-In and Opt-Out are each recognized as a potentially acceptable approach for HIE, provided that the process implemented to effectuate the adopted approach complies with applicable law and affords the patient with an opportunity to exercise “meaningful choice”.[3]  However, each HIE initiative deciding which approach to adopt must evaluate these options in light of their particular HIE structure (i.e., point-to-point? centralized? federated?), what their selected technology can support, what their state laws permit, who their participants will be, and what the information shared through HIE will be used for (i.e., treatment only?).

      The NJ Pilot decided to proceed with implementing a baseline Opt-Out approach for several reasons.  First, the Opt-Out approach is well-documented in research papers and environmental scans evaluating HIE approaches to patient consent.  Of the nine states evaluated for purposes of the GWU Consent Whitepaper, three (Virginia, Tennessee, and Maryland) adopted an Opt-Out approach to patient participation for their respective state HIEs, and two (Delaware and Indiana) adopted a “No Consent” approach, which affords patients with even less choice with regard to whether or not their information will be shared through an HIE.[4]  

      Second, the ONC Privacy & Security Tiger Team acknowledged that an Opt-Out approach to patient HIE consent can be supported.  In its August 19, 2010 Letter to the National Coordinator regarding Recommendations for Privacy and Security in Health Information Exchange (the “August 19 Tiger Team Letter”) the Privacy & Security Tiger Team notes that irrespective of the form that consent takes – Opt-In or Opt-Out – what is most important is that the patient has the opportunity to exercise meaningful choice regarding whether their health information is shared.   Importantly, the Privacy and Security Tiger Team notes that:

“[w]hile the debate about consent often devolves into a singularly faceted discussion of opt-in or opt-out, we have come to the conclusion that both opt-in and opt-out can be implemented in ways that fail to permit the patient to give meaningful consent.” 

See August 19 Tiger Team Letter, page 10.  Therefore, from a federal policy perspective, an Opt-Out approach is permitted, so long as individuals are provided with an opportunity to make a meaningful choice with regard to their information being shared for HIE.  In connection with ensuring that patients understand their options with regard to participating in or “opting out” of HIE, the Privacy & Security Tiger Team also recommended that participants engaging in HIE should prepare and disseminate a layered Notice of Privacy Practices (NPP) which includes at least a short summary of electronic HIE information sharing policies, and with a more detailed notice to be made available for interested patients. 

      The Opt-Out consent model has other advantages.  First, it continues to afford patients with an opportunity to exercise choice over whether to allow providers to share their health information electronically for certain pre-defined permitted purposes (i.e., treatment), even when neither federal or state law may require any such specific consent from the patient for such sharing.  If the patient does not wish to participate, he or she can choose to “opt-out” and their information would not be made available to their physicians through the electronic HIE network.  Second, the approach gives physicians participating in the HIE network an immediate “snap shot” of their patient’s clinical history.  This in turn may then give the patient and his/her clinician the opportunity to potentially make better clinical decisions and prescribe or administer more appropriate medical treatment.[5]   Last, although current technology limitations are likely the main reason why granularity has not been more widely adopted, if patients are permitted to exercise significant granularity of choice over which components of their health information record should or should not be made available through the HIE network, this approach may reduce physicians’ trust in relying on data contained in the HIE.  From an administrative perspective, it was also decided that the Opt-Out approach would be somewhat less cumbersome to implement than the other choices. Therefore, after evaluating all of the forgoing, the NJ Pilot decided to implement the Opt-Out approach as a baseline for its HIE network. 

Federal and State Law Considerations

      While it is often presumed that the HIE consent question starts and ends with a determination as to what consent model will be adopted (i.e., Opt-In or Opt-Out?), this is not the case.   Once a consent approach is selected, it is still necessary to ensure that disclosure of health information from the source participant and the subsequent access to and use of that health information by the overseeing organization (the health information organization, or “HIO”), as well as other participants in the HIE network complies in full with all applicable federal and state laws.  

      The decision to adopt an Opt-Out consent model (or any one of the other HIE consent models, for that matter) subsequently affects what types of participants may join the HIE network without first having to obtain additional specific consent from their patients to disclose/share health information to or through the HIE network.  The answer to the foregoing question may then, in turn, be affected by the “permitted purposes” for which information collected in the HIE network can be accessed and used (e.g., treatment only), and what type of information will be automatically included (e.g., pulled into the centralized repository for the HIE network).   Finally, if and how the technology can (or cannot) support identification and sequestration of “sensitive” participants or data will affect whether the approach can be implemented in a compliant manner.  Therefore, the analysis involved with evaluating “second-layer” consent issues (e.g., after Opt-Out is adopted as the baseline) essentially becomes “a game of 3-dimensional chess”.[6]

      The NJ Pilot recognized that there could be many different goals for optimizing use of the information to be collected by the HIE network.  However, it focused first on how the Opt-Out approach can be implemented, within federal and state law parameters, when information is shared for treatment purposes only.   

1. HIPAA Permits Disclosures and Uses for Treatment Purposes.

      Over a decade after the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, most covered entities understand that HIPAA, and its related Privacy Rule, does not require an individual’s prior written authorization before health information may be disclosed to another provider in connection with treatment purposes (referred to here as the “HIPAA Treatment Exception”).  For the most part, this continues to hold true.[7]   However, originally the HIPAA Treatment Exception was generally intended to prevent disruption of firmly-established workflows, consultation and referral activities between providers.  Thus, when applied to disclosures of health information through an HIE network, the federal government has indicated that HIPAA could be inadequate to cover all the different types of HIE models that are arising. 

      The recent enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) attempts to afford additional protections to health information.  Section 13424 of H.R. 1 requires:

(d) GAO REPORT ON TREATMENT DISCLOSURES.—Not later than one year after the date of the enactment of this title, the Comptroller General of the United States shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report on the best practices related to the disclosure among health care providers of protected health information of an individual for purposes of treatment of such individual. Such report shall include an examination of the best practices implemented by States and by other entities, such as health information exchanges and regional health information organizations, an examination of the extent to which such best practices are successful with respect to the quality of the resulting health care provided to the individual and with respect to the ability of the health care provider to manage such best practices, and an examination of the use of electronic informed consent for disclosing protected health information for treatment, payment, and health care operations.

(f) STUDY.— The Secretary shall study the definition of ‘‘psychotherapy notes’’ in section 164.501 of title 45, Code of Federal Regulations, with regard to including test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation, as determined by the mental health professional providing treatment or evaluation in such definitions and may, based on such study, issue regulations to revise such definition.

In addition, the HITECH Act includes specific provisions directing consideration of data segmentation.  Specifically Section 3002 of H.R. 1 requires the following:

 

SEC. 3002. HIT POLICY COMMITTEE.

 

(2) SPECIFIC AREAS OF STANDARD DEVELOPMENT.—

 

(A) IN GENERAL.—The HIT Policy Committee shall

recommend the areas in which standards, implementation

specifications, and certification criteria are needed for the

electronic exchange and use of health information for purposes

of adoption under section 3004 and shall recommend

an order of priority for the development, harmonization,

and recognition of such standards, specifications, and certification

criteria among the areas so recommended. Such

standards and implementation specifications shall include

named standards, architectures, and software schemes for

the authentication and security of individually identifiable

health information and other information as needed to ensure

the reproducible development of common solutions

across disparate entities.

 

(B) AREAS REQUIRED FOR CONSIDERATION.—For purposes of subparagraph (A), the HIT Policy Committee shall

make recommendations for at least the following areas:

 

(i) Technologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information with the goal of minimizing the reluctance of patients to seek

care (or disclose information about a condition) because

of privacy concerns, in accordance with applicable law, and for the use and disclosure of limited data sets of such information.

[…]

(8) CONSIDERATION.—The National Coordinator shall ensure

that the relevant and available recommendations and comments    

from the National Committee on Vital and Health Statistics are considered in the development of policies.

The ONC Privacy & Security Tiger Team has also put forth recommendations regarding when patient “consent” may be required where third party health information organizations (HIOs) facilitate health information exchange.  Specifically, the ONC Privacy & Security Tiger Team notes that if information is aggregated outside of the auspices of the participating provider or an OHCA (which is a HIPAA term used to defined an “organized health care arrangement”), patients should have the opportunity for “meaningful” consent, even where the information being aggregated is intended solely to be used for treatment purposes.  See August 19, 2010 Tiger Team Letter.   Although the ONC Privacy & Security Tiger Team does not specifically define what would satisfy the “meaningful consent” requirement, the recommendation, nevertheless, does not prohibit the use of the “Opt-Out” method for providing patients with a meaningful opportunity to decide whether or not to allow their information to be shared and accessed through the HIE network (in accordance with the HIE’s defined standards and access rules). 

2. New Jersey Laws Are a Patchwork of Authorizing Provisions, Requirements, and Restrictions.

            New Jersey does not have a broad sweeping health information privacy law.  Instead, patients’ privacy rights are addressed through a patchwork of statutes, regulations, and some case law. Generally, with a few exceptions, these laws can be grouped or categorized as follows:

• Facility-specific laws (e.g,. hospitals; ACFs; SNFs; pharmacies; clinical labs etc.)
• Provider-specific laws (e.g., physicians; nurses; pharmacists; psychologists etc.)
• Sensitive Information laws (e.g., HIV/AIDS; Genetic Information; STDs etc.)
• Government Program-specific laws (e.g., Medicaid; Family Planning etc.)

Within the forgoing categories, there are provisions that govern or affect how health information can be used and disclosed. For instance, regulations governing New Jersey licensed acute care hospitals state:

“Every New Jersey hospital patient shall have the following rights, none of which shall be abridged by the hospital or any of its staff . . . 21. To confidential treatment of information about the patient. Information in the patient’s records shall not be released to anyone outside the hospital without the patient’s approval, unless another health care facility to which the patient was transferred requires the information, or unless the release of the information is required and permitted by law, a third party payment contract, a medical peer review, or the New Jersey State Department of Health.”

N.J.A.C. 8:43G-4.1(a)21.

However, the Board of Medical Examiner (BME) regulations governing New Jersey licensed medical practitioners contain a slightly different standard:

“Licensees shall maintain the confidentiality of professional treatment records, except that: 3. The licensee, in the exercise of professional judgment and in the best interests of the patient (even absent the patient’s request), may release pertinent information about the patient’s treatment to another licensed health care professional who is providing or has been asked to provide treatment to the patient, or whose expertise may assist the licensee in his or her rendition of professional services.”

N.J.A.C. 13:35-6.5(d)3.

      Since the provisions that protect health information under New Jersey law are peppered throughout various statutes and regulations, specific legal research and analysis was completed.  The resulting research was then used to determine how the Opt-Out approach could be implemented.

 

3. Restrictions by Type of Provider Type.

      Current New Jersey law permits certain providers to participate in an HIE network and share information for treatment purposes (with certain restrictions on sharing sensitive information, as discussed in the next section) pursuant to an Opt-Out approach without having to obtain any specific prior written consent of the patient (other than acknowledgement of decision not to Opt-Out).  Among the types of New Jersey providers that could participate under an Opt-Out baseline approach include: physicians, dentists, chiropractors, clinical laboratories, hospitals, long term care facilities, assisted living facilities, emergency medical services, and home health agencies.

In contrast, certain other providers are not permitted to share patient information with other participants through an HIE network, even for treatment purposes, unless specific prior written consent from the patient is obtained (hereinafter, referred to generally as “Restricted Providers”).   Examples of such Restricted Providers include: mental health facilities, drug and alcohol rehabilitation facilities (including 42 CFR Part 2 providers), New Jersey Department of Health And Senior Services’ local health agency providers, psychologists, family therapists, and social workers.

4. Restrictions on Type of Information.

      Information that is subject to additional protections under federal and/or state law (hereafter referred to as “Sensitive Information”) almost always require the patient’s prior written consent before being disclosed.  In addition, certain federal or state law protections may attach to such information and follow it downstream, so that prior written consent would need to be obtained by the subsequent “holder” of that information before it is re-disclosed again.  Therefore, if Sensitive Information appears anywhere in the data shared through the HIE nwork, it can only be disclosed and accessed after all requirements under federal and state law are met.

      The following categories of Sensitive Information are specifically protected by either federal or state law and must be restricted, unless specific federal and state requirements are met:

• 42 CFR Part 2 Records
• GINA (Genetic Information and Nondisclosure Act)
• Services paid for “out of pocket” (HITECH) (cannot be disclosed for payment purposes or health care operations if patient exercises right to restrict such use and disclosure of this information (however, the new HITECH restriction does not extend to allowing a patient to restrict disclosures for treatment));
• Psychotherapy Notes – as defined under HIPAA, disclosure requires prior written authorization of the individual;
• HIV/AIDS Information (N.J.S.A. 26:5C-8);
• Venereal Diseases (N.J.S.A. 26:4-41);
• Drug & Alcohol Rehabilitation Information (N.J.S.A. 26:2B-8);
• Mental Health Facility (N.J.A.C 10:37-6.79);
• Genetic Privacy Act of New Jersey (N.J.S.A. 10:5-43);
• Minor’s Emancipated Treatment (N.J.S.A. 9:17B-1); and
• Social Security Numbers.

            In addition, federal policy may move to require certain additional categories of information be treated as Sensitive Information.  The National Committee on Vital and Health Statistics (NCVHS) heard extensive testimony about the definitions of sensitive categories of health information beyond those that are currently recognized and protected under federal law.  On November 14, 2010, NCVHS issued its “Recommendations Regarding Sensitive Health Information” to the Department of Health and Human Services.  The NCVHS Recommendations suggest the following additional categories of information should potentially be treated as Sensitive Information in the HIE context:

• The following specific Mental Health Information:
  • Psychiatric diagnoses
  • Descriptions by patients of traumatic events
  • Descriptions or analysis or reports by the patients of emotional, perceptual, behavioral, or cognitive states[8]
• The following specific Sexuality and Reproductive Health Information:
  • Sexual activity
  • Sexual orientation
  • Gender dysphoria and sexual reassignment
  • Abortion, miscarriage, or past pregnancy
  • Infertility and use of assisted reproduction technologies
  • Sexual dysfunction
  • The fact of having adopted children

Implementing Opt-Out HIE with Sensitive Information

      After policy and legal considerations are vetted and implementation begins, process barriers often surface.   In cases were data from a Restricted Provider must be kept restricted until a patient affirmatively consents to such provider disclosing the information to through the HIE network, the restriction can be implemented relatively easily.  The particular Restricted Provider is simply flagged as a “opt-in” provider, and no data is ever automatically pulled or queried and accessed from such Restricted Provider through the HIE network.  Instead, queries must be affirmatively responded to and data can only be released if a specific consent to release has been obtained from the patient.

      In comparison, the issue of flagging sensitive information to be restricted cannot be handled in a similar manner when Opt-Out has been selected as a baseline approach.  Where federal and state law permit information to be shared without specific prior consent of the patient, and the patient has been given an opportunity to opt out of having their providers share the patient’s information through the HIE network, information can then be access by authorized providers in accordance with executed participation agreements and applicable laws.  However, where sensitive information is embedded in the data to be accessed, as is often the case with discharge summaries and other summary reports, the Opt-Out approach presents a problem because it is not possible to administratively manage identifying all such information and preventing access until the patient has given his or her consent (or not accessed if they have not).

      In light of the forgoing implementation issue, the NJ Pilot identified and is testing “plug in” software that scans data residing in the HIE repository and “tags” it where certain terms are found which correspond to rules developed around state and federal laws restricting access to such information unless certain pre-conditions have been met, such as the patient giving prior written consent.  Once identified, the tagged data element, or document if it is not a discrete data segment, is removed from viewing, but leaving a “flag” noting that certain information is incomplete and that additional requirements need to be met before it can be accessed i.e., the patient’s affirmative consent has been obtained.

Conclusion

            Sequestration of sensitive data through implementation and use of specialized technical application is an attempt to move HIE forward with a balanced approach.  The Opt-Out approach allows default sharing of general clinical information so that a longitudinal snapshot of a patients’ clinical medical and treatment history can be used by his or her physicians.  It is this type of record that physicians have expressed are most valuable to their clinical decision-making.  However, current laws continue to recognize that certain sensitive categories of information should be afforded specific protections.  In the HIE context, this has remained a stumbling block to effective exchange of information, often resulting in less-optimal alternatives (e.g., excluding certain information all together).  The NJ Pilot and sequestration technology attempts to take a new approach to an old problem.  The anticipated and hoped for end result will be a balanced approach that gives physicians access to valuable information that will improve the delivery of care to patients and at the same time giving patients ability to control access to certain sensitive information. 

[1] Among the pertinent research papers written on privacy and consent with health information exchange are the following:

• National Governors Association Center for Best Practices, State and Federal Consent Laws Affecting Interstate Health Information Exchange (March 2011);
• National Committee on Vital and Health Statistics, Recommendations Regarding Sensitive Health Information (November 10, 2010);
• Department of Health Policy, School of Public Health and Health Services, The George Washington University Medical Center, Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis (September 29, 2010);
• Substance Abuse and Mental Health Services Administration (SAMSHA), Applying Substance Abuse Confidentiality Regulations to Health Information Exchange (June 2010);
• Department of Health Policy, School of Public Health and Health Services, The George Washington University Medical Center, Consumer Consent Options for Electronic Health Information Exchange: Policy Consideration and Analysis (March 23, 2010);
• Health Policy Institute & O’Neill Institute for National and Global Health Law, Georgetown University, Privacy and Security Solutions for Interoperable Health Information Exchange; Report on State Law Requirements for Patient Permission to Disclose Health Information (August 2009); and
• Center for Democracy and Technology, Rethinking the Role of Consent in Protecting Health Information Privacy (January 2009).

[2]  Department of Health Policy, School of Public Health and Health Services, The George Washington University Medical Center, Consumer Consent Options for Electronic Health Information Exchange: Policy Consideration and Analysis (March 23, 2010).

[3] Letter dated August 19, 2010, from Privacy and Security Tiger Team to David Blumenthal, M.D., Chair of HIT Policy Committee and National Coordinator (pg 10).

[4] See GWU Consent Whitepaper, Appendix A.  (Note that four states adopted an Opt-In approach: Massachusetts, New York, Rhode Island, and Washington).

[5] By way of comparison, it was noted that if an Opt-In approach were to be implemented, then only health information from specific opted-in providers may be available through the HIE network to other clinicians involved in treating the patient.  This significantly reduces the potential utility of the HIE network to physicians, and the potential benefit to patients.

[6] Quoted from, Kristen Rosati, Consumer Consent for Health Information Exchange:  An Exploration of Options for Arizona’s HIEs, Arizona Health-e Connection, pg 2 (April 2008).

[7] It must be pointed out, however, that specifically how health information is transmitted and shared through an HIE network for treatment purposes must also be evaluated in light of HIPAA.  For instance, if the HIE network is utilized merely to transmit information from provider to provider (e.g., directed exchange), then the network would be considered a “conduit” for the information, much like a U.S. mail carrier.  However, if the HIE “holds” or “retains” the health information, and/or facilitates access and use to that information by participants of the network, then the role of the HIE would be considered that of a HIPAA Business Associate which performs certain functions on behalf of the participating covered entities who disclose or share their information with other providers through the HIE network.  In the second scenario, HIPAA would apply and limit how the HIO could access and use the health information being disclosed to it.  Additional legal complexity arises when the information in the HIE is to be used for secondary uses, which raises questions such as whether the HIO may use the information it is holding on behalf of its HIE network participants for purposes other than treatment.  At a minimum, any secondary uses would need to be permissible under HIPAA and spelled out in the HIPAA Business Associate Agreement between the HIE and the Participant, and specific patient consent would need to be obtained if required.   

[8] Important to note is that NCVHS excluded the following information from its definition of “sensitive” Mental Health Information:  medication lists; allergies and non-allergic drug interactions;  dangerous behavior within medical settings;  and information from medical notes, test, procedures, imaging or laboratory studies performed in a mental health facility that is not related to the mental health treatment but that would otherwise be considered medical information, such as cardiac studies to diagnose reported chest pain.