Panel drafts privacy recommendations for health data exchanges

Recommendations developed in response to specific privacy-related questions

A "tiger team" that advises the federally chartered Health IT Policy Committee will submit a list of recommendations on Thursday for ensuring the privacy and security of personally identifiable health information in health data exchanges.

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

A 19-page letter, detailing all of the recommendations is scheduled to be submitted to David Blumenthal, chairman of the HIT Policy Committee on Thursday. (A draft of the letter is available here.)

One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

However, any data exchange that involves a third party does require specific and "meaningful" patient consent, the letter noted. Any such consent also needs to be transparently and easily revocable by the patient at any time, the panel said.

The letter also recommended further exploration of technologies that allow individuals to exercise more granular control over the data -- for instance, they should be able to permit the exchange of certain kinds of health data, but not all.

Third-party service organizations should also not be allowed to collect, use or share personal health data for any purposes other what's specified in their service agreements, the panel recommended.

Third parties should also be required to retain personal health data only for as long as it is reasonably needed, and once they no longer need the data they should then be required to destroy it, the panel said.

All third parties having access to patient health information also need to comply with HIPAA privacy and security requirements.

The so-called tiger team has been working for the past few months to try to develop privacy recommendations for health care data, prior to Oct. 1 of this year. That's the date by which hospitals will need to demonstrate that they have achieved "meaningful use" of health information technology in order to receive millions of dollars in federal incentives under the American Recovery and Reinvestment Act.

The act sets aside close to $17 billion in incentives for hospitals and health care providers that use health information technology in a meaningful way.

The tiger team's proposals will need to be reviewed and approved by the HIT Policy Committee before they can go into effect.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at  @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

  
Shop Tech Products at Amazon