A group advising the Health & Human Services Department on privacy matters is wrestling with determining at what point in a health information exchange it becomes necessary for providers to obtain consumer consent to approve the transaction.
That line is not clear in situations where intermediary organizations help providers transport data in one-to-one exchanges with other providers, for instance, said Deven McGraw, co-chairman of the Health IT Policy Committee's privacy and security work group at its meeting April 26.
The work group is grappling with the line, "where the comfort level of a one-to-one exchange breaks down and leads us to have more stringent privacy and security requirements, such as consumer choice of opt in or opt out," said McGraw, who is also director of the Health Privacy Project at the Center for Democracy and Technology.
The workgroup has recommended that current law under HIPAA is sufficient to protect personal health information in most one-to-one basic exchanges without additional consent, she said. Such exchanges normally take place between two parties who already have a business relationship, such as provider to provider or provider to lab.
Providers must conduct simple direct exchanges of health information as part of the first-stage requirements for meaningful use of electronic health records in order to qualify for incentives in 2011. In those situations, some providers might require a third party, such as a directory service, to assist even in a simple one-to-one exchange.
"Where we get tripped up is when you still have direct exchange, but there is an intermediary facilitating that transport and what if that intermediary has access to data. When does that cross over to an area where we have less comfort?" she said on behalf of the panel.
McGraw said technical personnel working on the NHIN Direct program have provided details of how intermediaries are likely to direct messaging and how that affects the data being transported. NHIN Direct is the plan to offer a streamlined version of the standards and services of the nationwide health information network to help physicians and small providers conduct simple exchanges securely over the Internet.
It is unclear under what circumstances network transport organizations might have access to patient data during the course of conveying the data. The panel will continue to discuss the scenarios at an upcoming May 7 meeting.
"We need to talk about data, access, use and retention policies, even when their functions are just transport and some minimal business operations," McGraw said.


