Appendix B: Privacy Concerns Related to Inclusion of Social and Behavioral Determinants of Health in Electronic Health Records
Pages 319-336



From page 319...
... to reinforce the privacy protections afforded to this information, and provides some additional recommendations to assure public trust in the collection, use and disclosure of SBDH information. In summary, eligible professionals and hospitals participating in the Meaningful Use program will want the trust of patients in collecting, using and sharing SBDH data, and compliance with applicable law is an essential first step toward gaining this trust.
From page 320...
... today does not have the capability to segment data requiring authorization from data that may be shared without the need to obtain authorization. Notwithstanding the ability under law to collect, use, and share SBDH information for treatment purposes, eligible professionals and hospitals may still want to take additional steps -- above and beyond what the law requires -- to provide assurances to patients.
From page 321...
... Surveys of privacy concerns and use of the Internet typically do not focus on health information but may provide some indication of public attitudes toward privacy and digital technologies that could be instructive. A recent Pew Research Center study found that persons ages 30–49 were most often eager to try to control access to their personal information (such as by using encryption or deleting cookies)
From page 322...
... The Privacy Rule establishes the rules governing the use and disclosure of identifiable health information in either paper or electronic format (otherwise known as protected health information or PHI) by covered entities; the Security Rule establishes the security safeguards to be adopted to protect electronic identifiable health information (otherwise known as ePHI)
From page 323...
... to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." With respect to the collection of SBDH data by eligible professionals and hospitals as part of the Meaningful Use program, these rules mean that providers will need to develop policies and protocols for routine receipt of data (for example, through direct feeds from social service agencies or through protocols for patient interviews) to assure that the information collected is what is reasonably necessary to fulfill the purpose (or purposes)
From page 324...
... USES AND DISCLOSURES FOR TREATMENT, OPERATIONS, AND PAYMENT
The Privacy Rule includes provisions governing the use and disclosure of SBDH information and treats it the same as other information gathered by a professional and stored in the records (with the exception of psychotherapy notes -- see below)
From page 325...
... by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and are separated from the rest of the individual's medical record."21 A covered entity is required to obtain the patient's express written authorization for any use or disclosure of psychotherapy notes, except for the following:
• The treatment uses by the originator of the notes;
• Use or disclosure in mental health professional training programs;
• Use by the covered entity to defend itself in a lawsuit brought by the individual who is the subject of the notes;
• Disclosures required by law;
• Uses related to oversight of the originator of the notes;

17 Of note, HITECH requires HHS to issue guidance on the minimum necessary standard. See Section 13405(b)
From page 326...
... Such a disclosure does not require the prior consent or authorization of the individual, although the eligible providers or eligible hospitals may need to inform the patient of this disclosure if that patient requests an "accounting" of disclosures from the record.25 Such disclosures would also be covered by the Privacy Rule's minimum necessary provisions; however, the eligible professional or eligible hospital can rely on the public health authority's reasonable determinations of what constitutes the minimum necessary amount of data required to be shared with the authority.
Disclosures to Other Authorities (Not Public Health)
From page 327...
... However, other provisions of the Privacy Rule contemplate the sharing by health insurers of information with "other government benefit programs," which suggests the regulators did not intend for all government benefits with a nexus to health to fall within the definition of a "public health" authority.
From page 328...
... For example, if an eligible professional or hospital wants to voluntarily share identifiable SBDH data with a nonpublic health social service agency, they would need the prior authorization of the patient. To be valid, an authorization required by HIPAA must be in writing and include
• A description of the information to be used or disclosed;
• The name of the person or class of persons authorized to make the requested disclosure;
• The name of the person or class of persons to whom the information is to be disclosed;
• A description of each purpose of the disclosure;
• An expiration date or event; and
• The signature of the individual or their legal personal representative.32
Uses and disclosures of identifiable SBDH data for research purposes require prior patient authorization -- but there are exceptions to this rule.33 For example, uses of this information in preparation for research (for example, to identify potential subjects who might be approached about involvement in a research study)
From page 329...
... For example, CEHRT is required to include capabilities for identity proofing and authentication of system users, access controls, automatic log-off, encryption of data at rest and in motion, and protections for data integrity.38 But the eligible professional or hospital cannot depend on their CEHRT to fulfill all of their Security Rule responsibilities, which include administrative, technical, and physical safeguards. Professionals and hospitals are required, both by the Security Rule as well as by the Meaningful Use requirements, to conduct a security risk assessment and address any security deficiencies (HITECH, 2014)
From page 330...
... Covered entities are not required to obtain commitments from de-identified data recipients not to re-identify this data, but they may decide to do so as a matter of practice. The HIPAA Privacy Rule also allows covered entities to use a "limited dataset" for health care operations, public health, and research.43 A limited dataset can be achieved by removing 16 categories of identifiers -- essentially the safe harbor list for de-identification, but dates and some geographic information are allowed to be retained.44 These data are considered to be PHI; unlike de-identified data, which is not regulated by HIPAA, covered entities may not use or disclose limited datasets without a data use agreement that establishes the permitted purposes for which the dataset may be used or disclosed and prohibits the re-identification of individual patients.45 There are advantages to the use of limited datasets.
From page 331...
... These rules allow information to be used by the actual Part 2 provider for treatment purposes -- but disclosure of this information, even for treatment purposes, requires the express authorization of the patient, and this information cannot be redisclosed by the recipient without obtaining new authorization from the patient.48 For example, if a substance abuse treatment provider refers a patient to an eligible professional or hospital, that substance abuse treatment provider would need to obtain authorization from the patient prior to sending identifiable information -- such as SBDH data -- to the professional or hospital.
From page 332...
... without the express consent of the minor. HIPAA defers to state law on issues of minor consent and privacy.51
Other Non-Legal Considerations: Good Privacy Stewardship and the Limits of Technology
To the extent that some SBDH data are of the type that patients are not accustomed to sharing with their medical providers, and that may be highly sensitive to some patients, eligible professionals and hospitals may seek to treat this information with greater sensitivity, even though HIPAA and other applicable laws may treat it the same as any other health information.
From page 333...
... HIPAA expressly permits covered entities to do this,55 and in the case where HIPAA does not require prior written authorization, entities may use other ways to inform and gather assent from the patient. For example, a provider may document that a patient has orally agreed to share SBDH information, or may adopt a policy of informing patients about the policies and practices with respect to the use and disclosure of SBDH data and allow patients with objections to opt out.56 Note that if the right to opt out is provided, eligible professionals and hospitals should have the capability to honor decisions to opt out.
From page 334...
... CONCLUSION
Eligible professionals and hospitals participating in the Meaningful Use program may, under HIPAA, collect, use, and share SBDH data for treatment purposes, and disclose this data to public health officials acting within the scope of their authority, without the need to first obtain the consent of the patient. Express patient authorization is required to share SBDH data for purposes such as research (unless the authorization requirement is waived by a Privacy Board or an IRB)
From page 335...
... 2014. Capturing social and behavioral domains in electronic health records: Phase 1.

