The “information blocking” regulations and the Trusted Exchange Framework and Common Agreement (TEFCA) are expanding possibilities for individuals to access their electronic health information directly from health information exchanges. But as HIEs and large national networks prepare for individual access, they are raising questions about how to assure they are accurately matching individuals to their health information and to understand their potential liability under HIPAA regulations for sending an inaccurate match.
In a July 20 letter to the Office for Civil Rights (OCR) at the Department of Health & Human Services, five leading interoperability groups claim that certain interpretations of the breach notification rules are causing obstacles to interoperability and the adoption of electronic PHI (ePHI) with individuals.
Leaders from CARIN Alliance, DirectTrust, Commonwell Health Alliance, eHealth Exchange, and Civitas Networks for Health requested a meeting with OCR staff to discuss ways to address this issue. “We want to strongly emphasize that without OCR providing formal guidance or enforcement discretion on this topic, there will be significant adverse consequences to achieving nationwide interoperability and patient access,” they wrote.
As HIEs and large national HIE networks begin to prepare for individual access, they are raising questions about how to assure, to the extent possible, they are accurately matching individuals to their electronic health information, and to understand their potential liability under the HIPAA regulations for sending an inaccurate match.
As the letter explains, HIEs predominantly disclose or facilitate disclosure of information for treatment purposes. Most HIE treatment disclosures are done in response to queries, and matching information to the correct patient occurs by attempting to match demographic variables such as full name, address, full date of birth, phone number, and in some cases the last four digits of a social security number, using a variety of deterministic and probabilistic matching algorithms.
“In conversations with large national HIE networks, we have learned that these networks typically return only one patient’s records in response to a treatment query, or if there is insufficient data in the query to yield a unique match, no records will be returned. TEFCA standards similarly mandate that only unique matches be returned. Notwithstanding efforts to assure return of only the correct patient’s records in response to a given query, the possibility exists that the wrong patient’s records will be sent. In such a case, HIEs and participants in existing large networks rely upon the following exception to the HIPAA breach definition: “Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in future use or disclosure in a manner not permitted [by the Privacy Rule].”
The exception was an important element in the regulatory framework, the letter explains, because it addressed potential liability for Covered Entities and their Business Associates related to circumstances beyond their control for benign disclosures of PHI, and as such, helped lead to the adoption of national exchange networks for treatment purposes.
Like the treatment use case, the organizations say, the exception is as important to the future success and adoption of individual access services. It reflects a reality about the difficulty in achieving 100 percent matching accuracy, despite ongoing efforts by ONC and industry to improve matching accuracy. “However, it is not as clear that the HIPAA breach notification rules are as supportive of the responsible exchange of digital health information through HIEs when patients choose apps or services that are not covered by HIPAA. When a non-HIPAA app offering individual access services queries an HIE or national network for individual access using some of the same demographic data fields, the return of records is not subject to a clear exemption from breach liability. As a result, and based on discussions with national networks, we have been told that the networks are seeking to establish an even higher threshold for matching a query to a unique patient in terms of number of demographic data fields and the source of those data fields — a threshold for which there is no standard definition and that may be difficult to operationalize. The threat of potential penalties in the event of a breach — and having to inform individuals and HHS (on an annual basis) — is an obstacle to facilitating individual access through HIEs and the TEFCA using the same infrastructure used today to support treatment queries.”
Given the 21st Century Cures Act initiatives supporting expanded data access for patients through their chosen application, the organizations suggest that further guidance from OCR would be welcomed to address this matching issue.
On Twitter, Ryan Howells of the CARIN Alliance explained that “this is a proposal about how we might reasonably implement patient access as a *required* response on a volunteer network while trying to protect the rights/privacy of the patient and legal risk of health systems/payers who have made good faith efforts.”
Also on Twitter, Brandon Keeler, a senior product manager at startup Zus Health and previously a product manager at Redox and Epic, said he disagreed with the gist of the letter. “The continual degradation of the trust of the networks is accelerated by giving providers with bad matching an out. The right approach is to continue to strongly advance shared patient credentials as the next major step in Patient Request,” he wrote. “I'm not against OCR relaxing things here (distinctly for it) but probably subsequent to setting a bar for matching algorithm quality, rolling out consumer credentials, and actually making sure reciprocity happens for the existing use case.”
Kristen Valdes, the founder and CEO of b.well Connected Health and a CARIN Alliance board member, responded on Twitter by saying, “We have to start moving away from unique credentials (or portal tethering). If we want successful access and use of data, we can’t continue to ask consumers to maintain logins to the approximately 70 places their data resides. A standard for identity — federated — is the path forward.”
The organizations copied both ONC and Sequoia on this letter, because they said that addressing this issue is essential to leveraging the TEFCA since it applies flow down of applicable HIPAA privacy and security provisions to all participants whether Covered Entities, Business Associates, or not, to facilitate nationwide individual access services.