Seeking Your Input: Personal Representatives and V, D, & T

The Health IT Policy Committee’s Privacy and Security Tiger Team is considering potential privacy and security policy issues that could arise when a family member, friend or legal designee is given access to patient information through the Certified EHR Technology “view/download/transmit” (V/D/T) capabilities.

Ideally, we want your comments in time to inform our discussions during a meeting we are convening Feb. 10.

HIPAA permits covered entities to share identifiable health information relevant to a patient’s care with family members or friends involved in a patient’s care, unless the patient objects. It also requires covered entities to treat a “personal representative” (a person authorized under State or other applicable law to act on behalf of the individual in making healthcare-related decisions) the same as they would treat the patient. For example, personal representatives have the same rights of access to medical record information as the patient would have. Because patients can access relevant health care information through V/D/T, the Tiger Team is considering whether there are additional privacy and security policy issues that need to be resolved when family or friends access the data.

That’s where you come in. To further inform this discussion, the Tiger Team wants broad input on this subject. We offer the following questions to kick off this discussion, but we invite comment on any issue related to this topic.

Personal Representatives:

  • Are there policy issues that need further resolution regarding personal representative access to view/download/transmit accounts?
  • How do health-care providers confirm that an individual is, in fact, a personal representative?

Friends & Family

  • How are patients’ friends and family provided with credentialed access to view/download/transmit accounts?
  • Is this access “all or nothing,” or are there more granular options? If the latter, how does this get accomplished?

The Tiger Team will continue its discussion of these issues at its next meeting, scheduled for February 10th from 2:00 to 3:30 pm EST. Instructions on how to listen to this meeting are available here.


46 Comments

  1. Catherine Schulten says:

    I am wondering what the technical requirements around VDT are. The VDT process implies a “self-service” capability that would support a portal through which one could query their own records and download/transfer as appropriate. In order to do this process the patient or authorized representative would need to conduct the query using highly accurate parameters. For example, on a banking web portal we can access our own account because we personally set it up and the account login/passcode is associated with our verified accounts (checking, savings, loans, etc.). Banking accounts all have one thing in common – an account number plus a PIN that is known only to us and the bank. Healthcare records don’t have that same construct. They have MRNs (known primarily to the healthcare organization and not to us) and we don’t typically use PINs to gain access to our accounts.
    I’d be interested in understanding how this very basic first step of account/record recognition and accurate association of the record(s) to the correct patient will be achieved.
    Another issue I’m concerned about is the fact that in the world of healthcare there is a possibility of healthcare details being incorrectly co-mingled or associated with the wrong patient (2 patients with the same name, gender and DOB may have their healthcare records overlaid). In banking this rarely happens, but in healthcare there are organizations that experience this issue at an alarming rate. How will this data quality issue be addressed once VDT is available and patients might have access to health information that is not theirs?

  2. Sue Ann Jantz says:

    Please consider how this will work with pediatric patients. Remember that once they reach 18, there has to be an automatic shut-off due to now-adult children. Otherwise, mistakes, accidental disclosures, etc., WILL occur. For example, a parent’s access to a woman’s reproductive issues could be a serious problem.

    Also, we require a written, signed consent as our only way of HIPAA compliance to release information. It is easily available to check on our EMR system.

    If there are court-ordered releases or court-ordered guardians, we get that document and scan it in.

    Pediatrics is a really good model for you to use on this issue.

  3. Robert Davis says:

    For a covered entity to provide a printed copy of a defined portion of a medical record is possible and eliminates many of the issues related to view and download options.

    For either view or download access, how would we validate the identification of a person who is either the patient or a representative of the patient?

    Would they send an electronic message to the covered entity that has a validation key in the message?

    Who would be responsible to maintain the validation process and validation key?

    I believe a patient portal that is secure and only allows access to a specific patient medical record set (limited to specific information) after confirming the ID of the person requesting and validating their credentials is the only way to accommodate this function. The credentialing is the most difficult task.

    • Very interesting discussion during the meeting, thank you all.

      A comment on identification from a German perspective: it appears that parts of the issues could be solved by having something available like the German Postident procedure, which is offered as a service by the “Deutsche Post” – see http://www.deutschepost.de/dpag?tab=1&skin=hi&check=yes&lang=de_EN&xmlFile=1016309
      NOTE: I am not affiliated in any way with that enterprise!!

      Basically, you receive a request for identification from e.g. the bank you want to open an account in and you then can walk into the post office showing your ID and based on that the employee confirms that you are the person you claim to be.

      Drawback is that this takes some time (a couple of days) and it probably won’t work for your daughter being with the troops in Africa ;)

      Just some thoughts from across the Atlantic…

  4. Charles Bailey says:

    Thank you for the opportunity to comment on this complex subject. As I’m sure others will address broader questions of policy and ethics, I’ll confine my comments to a few implications of “sensitive information”, by which I mean specific data for which a patient may have an interest in limiting disclosure.

    Where the limitation on availability of specific information to a personal representative is a regulatory requirement (e.g. disclosure of reproductive or behavioral health services sought by unemancipated minors to parents or guardians), limits on the technical ability to distinguish those specific data from other similar data (e.g. medications used for behavioral health from medications used for other purposes) have meant that in other contexts, such as patient portals, personal representatives are not provided access to large portions of the patient record in order to avoid disclosure of potentially protected information. It would be beneficial in the context of V/D/T if more granular control of disclosure were available, in order to maximize the utility of this tool.

    Similarly, one of the potential uses of V/D/T is supporting patient-initiated “secondary use” of health records, such as for research or advocacy. If the mechanism for this use is to designate a personal representative for the purpose of retrieving or updating data, it will be necessary for the designation to be sufficiently granular to allow the patient to transfer the information of interest only.

    Both of these cases have obvious implications regarding authentication of the personal representative as well as authorization to access specific data. From the patient’s perspective, this may argue for a “role-based”, rather than “person-based” authorization system, though auditing requirements argue for person-based authentication.

  5. Patrick Jahn says:

    I would think it would be relevant to go up a level in the discussion and think about how it is handled now. If a patient comes in with ID, but is nonresponsive, how do they determine if someone is a personal representative? They have no ability to revoke consent for certain individuals, so an estranged relative could potentially be receiving medical information the patient would prefer they not be privy to. That is a rather special case, but it is an important factor to consider with electronic authorization.

    I would think that a reasonably quick method of validation is for the party providing their consent, validation of an email address AND telephone number for the individual receiving consent in writing (electronic signature or secure data entry). Once documentation is made available, send an initial notification email to the personal representative to a secure web link using the provided phone number as an access code – this gives an audit trail for access in the event of unauthorized use. The connection would be to a temporarily available (for example, LOS + 7 calendar days) page with relevant patient data. With security in mind, it would be best to generate the XML report of the patient chart at the time the new documentation is available, then transmit the report securely to an isolated host site and have the credentialed representative connect to the isolated host.

    I do think you could configure the report task to only retrieve subsets of data for patient preference (so the granularity would apply across all accessing users, but would not be a binary all-for-all or none-for-none). If you were to do dynamic access, then the accessing credentials set, the report task, and the database would all have to speak to each other at once. You could populate the report on-the-fly for the requesting user, but the load times would be volatile and potentially susceptible to MITM attack.

    I would say from a policy standpoint, establishing electronic access measures and best practices at a governing body level (either CMS or HIPAA guidelines) should be discussed, but there also should be considerations for potential international access (an Iranian exchange student falls ill and wants his parents to have access to his records?). These kinds of scenarios could have more extensive implications than at first glance. Do you restrict access to only US IPs? What if an IP has an active breach? How does an EMR dynamically respond to that? In the event of data loss or HIPAA violation outside of the control of the provider organization, who bears responsibility for the loss of privacy?

    Just some initial thoughts; I am a novice in HIT.

  6. K OBrien says:

    Per considerations of the founding documents of the United States I will never have a “personal representative” or any person acting as an intermediary. Long ago some people lied to emergency room staff and wrongfully claimed to be my kin and told them to show that they are becoming good citizens they said go ahead and declare me dead and harvest my organs. Guess when I woke up and what body part of mine was in the technician’s hands. The individual is supposed to have sole custody of their medical records.

  7. Heather Jelonek says:

    Mental health, behavioral health and substance abuse related treatment should be allowed to be shared by authorized patient representatives without loss/worry about protections of such information.

  8. Jack Ousey says:

    Very challenging problems with codifying access controls within EHR to VDT functionality related to personal representatives and family/relatives/friends are foreseen.

    Personal representatives [164.502(g)(1)] and Family/friend/relatives [164.510(b)] appear in HIPAA as separate classes with different potential access levels to the individual’s PHI. The personal representative must be treated as the individual. There is no such express treatment for family/friends/relatives that I could find. In both classes though there are restrictions to the individual’s PHI to which they are provided access.

    164.510(b)(1)(i) and 164.510(b)(3) indicate only “relevant” PHI should be provided to family/relatives/friends. 164.502(g)(3)(i) also says the personal representative has access to “…protected health information relevant to such personal representation…” The determination of what is “relevant” by an EHR seems to be very subjective and hard to codify in business rules driving security access controls to the PHI.

    The point is that there is a complex mapping of access to an individual’s PHI to persons having one or more of the relationships listed above. Personal representatives seem to have stronger access rights than family/relatives/friends. A family member will most likely be a personal representative in many cases, but not always. Access to PHI via VDT seems like it needs to be provided based on these relationships AND relevancy of the relationship to the individual’s PHI.

  9. Barb Freeman says:

    If parents are divorced – how do we decide which parent should have access to the children’s patient portals?

    I would like to have it defined as to what the medical facility’s liability is with regard to unauthorized access to patient portals.

    • M.H. says:

      Look to legal custody (not physical custody). Most parents have joint legal custody concerning issues such as education, medical care, religion, etc, allowing both access to the information. Sole legal custody would only allow that parent access.

      Decision making regarding these issues is a separate discussion that may complicate your question.

    • Anonymous says:

      There is a real “rub” between the MU requirement of the problem list and the concern of putting sensitive PHI via lab results in the EHR where there is a personal representative. Most state laws provide for minors to consent to certain procedures. The Privacy Rule provides three exceptions where a parent/Personal Representative is not treated as a parent/PR. The first exception (where the minor can consent to treatment under state law) and the third exception (where the provider and minor and parent all agree to the minor having a confidential encounter) would be problematic. Here, the minor has an expectation of privacy, the Privacy Rule provides an exception to the PR receiving the information, but the required problem list discloses the medical issue that is protected by state law. You can selectively not put certain labs out on the EHR, but the PR can still view the problem list. My recommended solution is to require a “check box” for encounters, labs, radiology, consults and the like for such protected encounters. Thank you for the opportunity to comment.

  10. Chris Evans says:

    I would have no problem with close members of the family having access to details of my medical records, after asking me, since my views could change depending on my state of sickness. I have been suffering for the last few years with Lyme disease and no medical treatment is able to remove it. If I had H.I.V. I would not be happy for all to see reports.
    I am in Vienna at the moment so my views may not apply.

  11. Access to the records for the confidential care for adolescent patients is protected by law in many states and is best practice as specified by multiple associations/experts in the field including AAP, AMA, AAFP, and ACOG. This usually includes care for pregnancy counseling, family planning, substance use, and mental health.

    Unfortunately, few EHR vendors have set up the record to allow for the granular control to protect parental access to the labs, appointments, provider notes, and medications associated with these visits. I am personally involved in a group of 100+ institutions who are trying to lobby with Epic in particular around providing more settings to restrict parental access to these records.

    I would be more than happy to talk to you about this issue.

    Carolyn Bradner Jasik, MD
    Assistant Medical Director for Informatics
    UCSF Benioff Children’s Hospital
    University of California, San Francisco
    jasikc@peds.ucsf.edu

  12. G Holt says:

    1) ANY aspect of the EHR should be lockable – with SPECIFIC individual clearances. In other words, a patient should be able to say WHAT SPECIFIC aspects of her/his EHR can be V/D/T’d by which individuals.

    2) Blocks to hacking and blocks to NSA/related snooping. Transmission of non-emergency data should include a PHYSICAL step that is NOT resolvable via networked computing. The entire area of hacking and snooping protections is an essential one and roadblocks to it need to be developed fully.

    3) Recall – as Snapchat discovered – that ANY transmission or viewing (even for a few seconds) can be recorded and retransmitted. This is an important area for concern.

    4) BLANKET PERMISSIONS should NOT be allowed. E.g. clicking yes on a form or “terms and conditions”, whether from an employer, insurer or provider, should NOT be allowed to permit access. Access must be SPECIFIC SINGLE USE SPECIFIC DESIGNATION AND PERSONAL AND OFFLINE. Otherwise, there IS NO REAL PRIVACY.

  13. Lucy Johns MPH says:

    Hello Devon, Planning to attend. I appreciate your mentioning the “granular option.” I think patients should have this option when agreeing that others can see their records. Like, maybe not the plastic surgery I had once, or the therapist notes about the person I’m about to share with – like that. :-) Will listen for window to bring up. Thanks for seeking the public input! Regards, Lucy

  14. Susan Torzewski says:

    The organization I work for is struggling with how to handle this for teens (say 12 – 18) who do not want their parent(s) or caregivers to know “everything” in their record. Along with that there is the fact that now children up to age 26 may still be covered by the parents. Of course whoever is “paying” feels that they have a right to know…

  15. I wish I could sit in on this, but already have meetings scheduled at that time. I manage the patient portal at the University of Rochester Medical Center, and the whole issue of privacy laws how they interact with the electronic era is something I’d love to see addressed. Issues especially arise when the patient has diminished capacity. We cannot provide electronic proxy access to the patient’s portal without court documents in the chart. Hard to tell a husband/wife of 40+ years that we can’t provide electronic access to their spouse’s medical information (who has Alzheimer’s) because he/she hasn’t filed court papers.

  16. DJ Curran says:

    We have been allowing family members to access minor and adult patients’ portals for over 10 years. We have 20k minors and about the same number of adults, which include adult children authorizing their parents, spouses with either one-way or dual access, or adult children with access to elderly parents. This has been a very popular feature with patients and their family members.

    We use the Epic MyChart Patient Portal, which allows the proxy to have their own account and “jump” to the family member’s record. When they access the family member, all information is tracked in the patient’s audit trail. When their proxy sends a message to the patient’s doctor’s office, the message and chart clearly show the “Message sent on behalf of ‘John’ by ‘Jane’.”

    The most common issues discussed at patient portal forums arise over parental access to adolescent records. Our legal/compliance dept’s interpretation of WI law says only AODA treatment and HIV screens need to be hidden from adolescents’ parents; if we were a federally funded facility we would need to hide family planning as well. That has allowed us to have truly transparent records for a patient’s proxy. Whereas there is the potential that a parent will find out their adolescent child sought “family planning” or STI testing without their knowledge and then harm the child, the 99.9% of the population that benefits was deemed worth it. Locally, other healthcare organizations are not providing that transparent information and have to explain their policy to frustrated parents.

    For many years we required the adult patient to sign an authorization form granting access to the proxy. Similarly, we required one or both parents to sign the form for access to their children. We realized this outdated concept of a signature and paper submission was hindering our ability to offer the service. Now we have a simple “check box” on our electronic request forms. For adults, we then send a letter to the patient letting them know we have granted access to another person and send the requester their account activation instructions the following day. This enables a delay for the patient to contact us saying the request should not be granted. To date we have only had one patient contact us with questions, and they subsequently okayed the proxy. For children, we look to see if any legal documents preventing access are on file (i.e. terminated parental rights, court judgements, etc.) and if we can see a connection between the parent requester and child (birth record from our hospital, same address, or the requester being listed as emergency contact = to parent, insurance guarantor, etc.). When we have been unable to find details, we request documentation from the requester.

    In my experience the most significant issues portal providers experience are state regulations thought to protect a patient, but which overly restrict those “trying to do the right thing”, and trying to apply policies meant for the archaic paper world to an electronic one.

  17. John Moehrke says:

    On my blog I provided a perspective from the current standards readiness and maturity, as well as the need to make this a stepping-stone approach to a desired horizon.
    http://healthcaresecprivacy.blogspot.com/2014/02/enabling-patients-to-delegate.html

    Paper is not a bad thing, the automation behind the paper is what should be the focus. Especially when dealing with patients, a population that is very diverse.

  18. Swati Chakraborty says:

    It seems like an effort to use crowdsourcing in solving a complex issue on Access and Governance, which gets more complicated in Healthcare domain due to current privacy and security regulations. Crowdsourcing could be of great value if it is wisely facilitated in gathering input on different areas, which needs to be pre-identified by some subject matter experts and architects. Some of the comments offer good examples of either use case scenarios or solution patterns. I agree there should be a generic role based layer with multiple branching of personalized layers. Even though there are multiple paths, still all are within a limited set of possible options. It is very much doable by a team of people with specific skillsets led by technical subject matter expert with regulatory knowledge (oxymoron!). I am curious to attend.

  19. Two clear distinctions – one where the patient is incapacitated and another where access is with permission of the patient. Per Germain Reinhardt’s comments, the first instance is the toughest one. In the second instance, there can be many technology solutions – a patient portal – where I can give my userid and pw to my wife or caretaker, or the ability to ‘link’ accounts with explicit permission, etc. Pharmacies like Medco (Express Scripts) allow a ‘family’ account under a plan.

  20. Peter Bachman says:

    RBAC SAML XADES-XL X.509v3 Attribute CERT X.500 Identity transmitted from patient to EHR with preferences for data segmentation. Obviously starting with patient directives and leveraging powers of attorney etc.

  21. John Moehrke says:

    I think that HHS/ONC should set a clear long-term vision, horizon. This Horizon should be as complete as possible, yet reasonable given reasonable new technology. This horizon should be something that we all strive for, but for which we agree is 12-15 years away. Then HHS/ONC should set some stepping stones that give reasonable steps along the way. These steps might be seen by some as too-small, yet by others as too big. Those that want to achieve faster are free to strive for that visionary horizon.

    I worry most about the patchwork of privacy regulations around the USA, States, and such. This patchwork is not likely to be directly changed by HHS/ONC, but through vision this might show convergence. However, without convergence on regulations it must be accepted that everyone can’t achieve the same level of steps or even the same goal.

    Further details can be found on my blog

  22. Adrian Gropper MD and Thomas Sullivan MD says:

    (Although we are vice-chair and chair of the IDESG Healthcare Workgroup, this comment was not voted on by the whole group and should be considered our personal opinion.)

    Our comment is:

    – that patients should not have to share their password with personal representatives (a major security violation) in order to provide access to View (and, by implication Download and Transmit) features of a certified EHR.

    – that patients should be able to restrict access to some features (e.g.: the right to invite other representatives, or the right to see mental health records) when they grant access to representatives;

    – that patients should have the ability to be notified by simple unencrypted email or text message whenever a representative signs in to View / Download or Transmit. This is already a common security feature on the Web and required to keep the representatives on track.

    There are relatively simple ways of doing this that are standards-based, including OAuth2 and OpenID Connect (as piloted in RHEx) and would apply to Blue Button and Blue Button Plus as well. This issue is already part of the Blue Button best practice guidelines created by our Markle Panel when we developed Blue Button and published in August 2010. Here’s the report: http://www.markle.org/health/publications-briefs-health/1198-policies-practice-download-capability We hope this becomes HHS policy.

    The secure delegation of access to V/D/T involves only a single institution – the HIPAA Covered Entity – that can issue credentials for this purpose to anyone at the request of the patient in any manner they choose. However, we believe that HHS should try to anticipate the cost savings and patient engagement benefits of federated identity management and centralized user management of authorizations. To that end, HHS is encouraged to favor solutions that support federated identity credentials not just in healthcare but across industry sectors as represented in NSTIC / IDESG. In addition, for enhanced patient engagement, security and convenience, we suggest that HHS consider solutions compatible with the emerging User Managed Access (UMA) standard.

  23. Please consider moving the VDT meaningful use measure to a menu requirement. There are still policy implications being considered which means this has not been fully vetted, and is not ready to be a core requirement. This puts physicians and other providers in a precarious position.

  24. Sean Nolan says:

    The challenge here largely comes down to the difference between one-time, manual disclosure and ongoing, automated disclosure. For one-time disclosure, we’ve been dealing with the issue for years and it works as well as can be expected in the real world: the representative is or is not a legal guardian, they are or are not authorized by the patient at check-in time, and so on.

    However, over time things can break down because relationships aren’t static: minors are emancipated, couples get divorced, etc. — authorizations that are appropriate when given may not stay that way. And it is completely unreasonable to expect each and every provider to keep up with (or worse, be legally responsible for) every such life change in their patient population.

    The most effective way to minimize the problem is to put delegation in the hands of the patient rather than the provider. Personal systems such as Microsoft HealthVault enable individuals to manage their own relationships — inviting others to share access to their information in a flexible and granular way. In this world, a provider need only disclose information to the patient themselves — and the patient can then take responsibility for managing “downstream” sharing with others.

    This mechanism reduces the scope of the problem to only those that cannot take ownership of their own consent — primarily children or those with conditions that impair their cognitive abilities.

    Within that reduced scope, we can further eliminate many of the challenges by placing a relatively simple burden on providers — any consent given on behalf of a minor is systematically deemed invalid when that minor reaches a designated age. As has been mentioned in other comments, there is of course nuance here from state-to-state and for different information types; we recommend simply starting with the lowest common denominator for the sake of simplicity.

    This leaves us to deal with only the last edge cases, sticky situations such as contentious divorce that impact delegated consent. Here we would suggest that we be realistic in our ambitions — these gaps exist in the real world today, and there is no reason to expect we could do better just because there are computers involved. For example, a mother that presents at a pediatrician to pick up an immunization record is simply never asked if they are still the child’s legal guardian.

    The best we can do here is to periodically “refresh” delegated consent, much as we are asked to do for our basic clipboard data, not at every visit, but maybe once a year. Having placed this second burden on providers, we’ve done the best we can given the complexities of real life … and we should feel confident in moving forward.
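The patient-managed delegation model Sean Nolan sketches above (guardian-given consent invalidated at a designated age, delegation refreshed once a year, granular scopes) together with the “on behalf of” audit trail DJ Curran describes in comment 16, as an added Python example that is not part of this post or of any vendor’s portal; the data categories, identifiers, dates and the 18-year/365-day thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Constructed record sections a patient might expose to a proxy (hypothetical names).
ALL_CATEGORIES = frozenset(
    {"problem_list", "medications", "labs", "immunizations", "mental_health"}
)


@dataclass
class Grant:
    """A patient-managed delegation of V/D/T access to exactly one proxy."""
    patient_id: str
    proxy_id: str
    granted_on: date
    categories: FrozenSet[str]          # granular scope chosen by the patient
    given_by_guardian: bool = False     # consent given on behalf of a minor
    patient_dob: Optional[date] = None  # needed to auto-invalidate guardian grants
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit_entry: str  # every outcome is logged naming both parties


def years_between(dob: date, today: date) -> int:
    """Whole years from dob to today, birthday-aware."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def evaluate_access(grant: Grant, proxy_id: str, category: str, today: date,
                    age_of_majority: int = 18, refresh_days: int = 365) -> Decision:
    """Decide whether proxy_id may view `category` of the patient's record today.

    Checks, in order: the requester is the designated proxy; the patient has not
    revoked; a guardian-given grant dies once the patient reaches age_of_majority;
    the delegation has been refreshed within refresh_days; the category is in scope.
    """
    def decide(allowed: bool, reason: str) -> Decision:
        verb = "viewed" if allowed else "was denied"
        entry = (f"{today.isoformat()} proxy '{proxy_id}' {verb} '{category}' "
                 f"on behalf of patient '{grant.patient_id}': {reason}")
        return Decision(allowed, reason, entry)

    if proxy_id != grant.proxy_id:
        return decide(False, "requester is not the designated proxy")
    if grant.revoked:
        return decide(False, "delegation revoked by patient")
    if grant.given_by_guardian:
        if grant.patient_dob is None:
            return decide(False, "guardian grant without date of birth cannot be checked")
        if years_between(grant.patient_dob, today) >= age_of_majority:
            return decide(False, f"guardian consent invalid: patient reached age {age_of_majority}")
    if today - grant.granted_on > timedelta(days=refresh_days):
        return decide(False, "delegation expired; patient must refresh consent")
    if category not in grant.categories:
        return decide(False, f"category '{category}' outside granted scope")
    return decide(True, "within granted scope")


def run_scenarios() -> dict:
    """Constructed scenarios; returns label -> allowed so the outcomes can be checked."""
    adult = Grant("P-1001", "spouse-01", date(2014, 2, 1),
                  ALL_CATEGORIES - {"mental_health"})
    minor = Grant("P-2002", "parent-01", date(2014, 2, 1), ALL_CATEGORIES,
                  given_by_guardian=True, patient_dob=date(1996, 3, 15))
    stale = Grant("P-3003", "friend-01", date(2013, 1, 1), ALL_CATEGORIES)
    return {
        "adult_medications": evaluate_access(adult, "spouse-01", "medications", date(2014, 2, 10)).allowed,
        "adult_mental_health": evaluate_access(adult, "spouse-01", "mental_health", date(2014, 2, 10)).allowed,
        "wrong_proxy": evaluate_access(adult, "stranger", "medications", date(2014, 2, 10)).allowed,
        "minor_before_majority": evaluate_access(minor, "parent-01", "immunizations", date(2014, 2, 10)).allowed,
        "minor_after_majority": evaluate_access(minor, "parent-01", "immunizations", date(2014, 4, 1)).allowed,
        "stale_grant": evaluate_access(stale, "friend-01", "labs", date(2014, 2, 10)).allowed,
    }


if __name__ == "__main__":
    for label, allowed in run_scenarios().items():
        print(f"{label:24s} {'allowed' if allowed else 'denied'}")
```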

  25. Ascension Health says:

    Personal Representatives:
    As you know, under the Privacy Rule, a person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.” Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information (“PHI”), as well as the individual’s rights under the Rule. In granting V/D/T access to personal representatives, we think it is important to distinguish between personal representatives (e.g., parents of minor children), who are often entitled to access the minor’s full medical record, and personal representatives (e.g. executors), whose access is limited to PHI that is relevant to their responsibilities as representatives. With respect to the latter group, health care providers granting V/D/T access will have to ensure that only the PHI that is relevant to the representation is made available to the representative, which could require data segmentation capabilities that are not available today. The ability to segment and withhold from the V/D/T function certain pieces of information may also be required where state laws place restrictions on the disclosure of sensitive health information, such as when a state law requires or authorizes a health care provider to withhold certain pieces of information that could cause harm to the individual (e.g., in order to protect the minor from harm, a provider could be required to withhold a minor’s health records from his parent if the records include discussion of parental abuse).
    In the context of access by personal representatives, we believe another important challenge will relate to electronic authentication of the representative. Today, before granting access to a personal representative in most instances, Ascension Health Ministries require that a written authorization form be completed and signed by both the patient and the representative. Further, each must produce acceptable forms of identification, which include but are not limited to the following: a military issued ID, state driver’s license, valid passport, durable power of attorney, court order guardianship papers, or a marriage license for emancipated minors. These paper-based processes, which we deem essential to ensure the security of our patients’ health information, could be extremely difficult to perform online. For example, even if we posted the required authorization forms online for patients and personal representatives to sign, they would still have to physically deliver them to the hospital, thus reducing the efficiency of an online system.

    Friends & Family
    If a patient does not object, a health care provider may, without the written authorization of the patient, disclose to a family member, other relative, close personal friend of the individual, or any other person identified by the individual, the PHI “directly relevant” to such person’s involvement with the individual’s care or payment related to the individual’s health care. Thus, because a health care provider may have to withhold certain pieces of PHI that are not relevant to the family member or friend’s involvement in the patient’s care, it is important to consider the inability of many electronic systems to tag and segment certain types of data from others. It will also be important, in implementing the V/D/T functionality for friends and family, for health care providers to be able to distinguish between unauthorized disclosures and authorized disclosures. To the extent that Certified EHR Technology and other electronic systems are incapable of tagging and segmenting data at a granular level, some health care providers may not be able to comply with the V/D/T requirement and the letter of the law at the same time.
    In the interest of ensuring patient privacy, Ascension Health Ministries require the completion of an approved written authorization form before providing access to PHI to friends and family members. It is important to note that Ascension Health Ministries are only capable of providing “all or nothing” access to authorized friends and family members when such access is electronic. One example of the data segmentation limitations that affect our ability to provide more granular access to friends and family members relates to the problem list requirement under Meaningful Use. As you know, a patient problem list is a required data element for both the view, download and transmit as well as transition of care core measures. Existing 2014 Certified EHR Technologies do not have the capability to segment problems based on sensitivity, as would be required for a patient who is opioid-dependent (SNOMED CT code 75544000).
    Ascension Health appreciates this opportunity to provide feedback and we look forward to a productive discussion by the Tiger Team on February 10th.
    * * * * * * * * *
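    The problem-list segmentation limitation raised in the comment above (withholding a sensitivity-coded problem such as SNOMED CT 75544000 from a proxy viewer, logging what was released, and honoring revocation) can be made concrete in a few dozen lines. The following is an added illustration written for this page; it is not Ascension Health’s text nor any EHR vendor’s code. Only the code 75544000 comes from the comment; the other concept codes, the category names, the sample chart and the `view_problems`/`revoke` functions are constructed for the example.

```python
"""
Sensitivity-based segmentation of a coded problem list for a proxy
(personal representative) viewer, with a revocable grant and an audit trail.

Added example for illustration only; not Ascension's or any EHR vendor's code.
Only SNOMED CT 75544000 (opioid dependence) comes from the comment thread;
every other code, the category names and the sample chart are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set

# Constructed sensitivity map.  A structured problem whose code appears here
# is withheld from a proxy unless the patient granted that category.
SENSITIVE_CATEGORIES = {
    "75544000": "substance_use",   # opioid dependence (code quoted in the comment above)
    "990000001": "hiv",            # placeholder, not a real SNOMED CT concept
    "990000002": "mental_health",  # placeholder, not a real SNOMED CT concept
}


@dataclass
class Problem:
    code: str                  # SNOMED CT concept id, or "" for free text
    display: str
    structured: bool = True    # False for narrative text (notes), which carries no code


@dataclass
class ProxyGrant:
    proxy_id: str
    allowed_categories: Set[str]   # sensitive categories the patient chose to share
    active: bool = True


@dataclass
class AuditEvent:
    at: str
    proxy_id: str
    action: str     # "view", "denied" or "revoke"
    detail: str


def categorize(problem: Problem) -> str:
    """Map a coded problem to a sensitivity category; anything else is 'general'."""
    return SENSITIVE_CATEGORIES.get(problem.code, "general")


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def view_problems(chart: List[Problem], grant: ProxyGrant,
                  audit: List[AuditEvent]) -> List[Problem]:
    """Return the subset of `chart` a proxy may see, and record the decision.

    Policy implemented here:
      * a revoked grant sees nothing and the attempt is logged;
      * structured problems are filtered by category against the grant;
      * unstructured entries are withheld (fail closed), because free text
        cannot be reliably tagged and may mention a sensitive condition.
    """
    if not grant.active:
        audit.append(AuditEvent(_now(), grant.proxy_id, "denied", "grant revoked"))
        raise PermissionError(f"proxy {grant.proxy_id} has no active grant")

    released: List[Problem] = []
    withheld: List[str] = []
    for p in chart:
        if not p.structured:
            withheld.append("unstructured")
            continue
        cat = categorize(p)
        if cat == "general" or cat in grant.allowed_categories:
            released.append(p)
        else:
            withheld.append(cat)

    audit.append(AuditEvent(
        _now(), grant.proxy_id, "view",
        f"released={[p.code for p in released]} withheld={withheld}",
    ))
    return released


def revoke(grant: ProxyGrant, audit: List[AuditEvent]) -> None:
    """Patient revokes proxy access.  Copies already downloaded stay with the
    proxy; the audit trail at least shows what was released while it was live."""
    grant.active = False
    audit.append(AuditEvent(_now(), grant.proxy_id, "revoke", "patient revoked grant"))


# Constructed sample chart for the demonstration (placeholder codes).
SAMPLE_CHART = [
    Problem("990000000", "Hypertension (placeholder code)"),
    Problem("75544000", "Opioid dependence"),
    Problem("990000001", "HIV infection (placeholder code)"),
    Problem("", "Admission note mentions prior drug use", structured=False),
]


def demo() -> dict:
    """Grant one sensitive category, view, revoke, then try again."""
    audit: List[AuditEvent] = []
    grant = ProxyGrant("proxy-spouse", allowed_categories={"substance_use"})
    first = [p.display for p in view_problems(SAMPLE_CHART, grant, audit)]
    revoke(grant, audit)
    try:
        view_problems(SAMPLE_CHART, grant, audit)
        denied = False
    except PermissionError:
        denied = True
    return {"first_view": first, "denied_after_revoke": denied,
            "audit_actions": [e.action for e in audit]}


if __name__ == "__main__":
    print(demo())
```

    Two design points worth noting: the free-text note is withheld even though the grant covers substance use, because nothing in the record tags its content, which is exactly why a provider that promises granular sharing over narrative data takes on liability it cannot control; and the audit list is what a patient would be shown on request, so the log records what was released, not only that a view happened.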

  26. L Potter says:

    Kaiser Permanente has long promoted the ability of our members to use and share their electronic health information. Currently, nearly 4 and a half million people use our secure patient web portal, kp.org, to access personal health information and manage their care, including exchanging 1.2 million secure emails per month with their providers. We are also active in various stakeholder groups focused on developing innovative electronic tools to support and improve care delivery.

    We ask the Tiger Team to consider the following principles:

    Patients should have substantial flexibility to share their information, the ability to administer access rights – including being able to revoke them at any time – and should be fully informed about the benefits as well as the potential unintended consequences of authorizing personal representatives, family members or friends (third parties) to view, download or transmit (V/D/T) patient information, such as risks of unauthorized uses or disclosures.

    Until technology evolves to support methods that can reliably tag and segment data, the “all or nothing” approach to authorizing V/D/T by third parties is the most feasible.
    o Consensus does not exist regarding tags for sensitive data; tagging unstructured data based on its content is not possible at present.
    o Data segmentation would lack consistency because of the wide variety of systems holding patient information.
    o The technology and standards have not yet evolved to support granular dynamic segmentation, particularly in patient portal environments, except at a binary level: a) limited discrete data (problems, meds, allergies, immunizations); or b) everything.
    o Scope and purpose can be controlled more easily in the paper world than in the EHR environment. Patients should clearly understand that they may not have the same amount of control when they authorize third parties to V/D/T from the EHR.

    The system to allow patients to authorize third parties to V/D/T information should be simple for patients and third parties to use, and relatively easy for providers to implement.

    V/D/T technology should be able to handle the execution of legal designations, such as durable medical power of attorney documents (some manual/legal intervention may be necessary to manage these controls).

    Establishing robust standards for designation of third parties authorized to V/D/T will be critical to support proper electronic identification, authentication, authorization and access controls.

    V/D/T functionality should also be able to incorporate established organizational policies and procedures for third party access to health information. For example:
    o Policies and procedures for electronically identifying and authenticating authorized third parties;
    o Requirements for a third party to establish an identity in the system prior to authorization by the patient;
    o System-supported electronic authorization by patients;
    o Mechanisms to control and monitor third party access via security logs.

    The development of policies and standards for V/D/T by authorized third parties should also consider important issues about the information itself:
    o Download/transmit capabilities create an even stronger need to establish national standards for persistent documentation and secure tagging of data provenance.
    o Standards should be developed, piloted and evaluated to ensure the integrity and traceability of EHR data that is downloaded and transmitted by patients, personal representatives, and family members/friends involved in the care of a patient.
    o Examine what liabilities may exist for the provider in cases of alleged data breach.
    o Address the potential ability of third parties to change or supplement the patient’s health information once they have V/D/T authority.

    Security policies and standards should address the particular vulnerability of third party V/D/T:
    o Controls on the use of certain technologies that allow information to be captured in a ‘view’ mode (for example, screen captures, photo captures, etc.) mean that information may be further disclosed for unintended/unauthorized secondary uses, in ways that may break bonds between the data in that ‘view’ and associated provenance metadata.
    o Once data are downloaded by an authorized third party, there are no practical restrictions to handle the data in a secure manner. Thus, having clear statements/disclaimers about the risks and responsibilities of individuals downloading health information would be valuable to patients.
    o Patients should be informed that the transmit mechanism selected could impact document integrity and security.

  27. Jennifer Lord says:

    Potential privacy and security policy issues related to Certified EHR Technology V/D/T capabilities prompt the need to address long-standing gaps in our current systems, policies, and processes regarding documentation of the person/people caring for the patient between clinical encounters (defined by HIPAA as the “personal representative[s].”) I appreciate the opportunity to contribute to this important discussion.

    As national quality initiatives (MU, PQRS, PCMH, etc.) move us toward patient engagement, we realize the need to incorporate the patient’s personal caregivers, but current policies and technology lack capability to manage the information required.

    I hope you will consider a proposal to establish future standards in CEHRT to enable documentation of a patient’s “personal representative[s]” as part of a patient’s demographic information maintained in the medical record—to include, at a minimum: name/contact info, relationship, role in the patient’s care, specifics of electronic access/functionality authorized by the patient, as well as the patient’s electronic signature or other authentication. (If considered for Meaningful Use, an indication of “None” should count in the numerator.)

    While respecting the protection that HIPAA provides, we should be utilizing the technology available to enable patients to share their own health information with whomever they turn to for guidance, support, or direct care. Patient portals provide a mechanism to offer patients the same granular capability currently available to providers through most CEHRT: to add/remove “representatives” and define for each: what information (i.e., Problems, meds, allergies, labs, visit summaries, care plans, etc.) can be viewed/downloaded/transmitted; whether to be included in communications; and/or permitted select functionality (scheduling, refill requests, etc.)

    I realize this involves myriad complex issues, but I believe we need to start figuring it out if we truly want to improve the care, safety, and experience of today’s patients.

  28. Paul Winner says:

    The primary issue that I think needs clarification is how to handle pediatric and liberated patients. There are regulations that prevent us from allowing access to records for pediatric patients, and meaningful use requirements that don’t count parental access for pediatric patients. There seems to be no accounting in the current rules for denying access to minor records or converting parental access to minor access at age of maturity.

    The new rules announced in the FR last week regarding changes to the CLIA and HIPAA rules for denying access to records to patients if a healthcare provider submits information of some sort asserting that it is in the patient’s best interest that access not be granted requires changes to the regulations and the programs and procedures tracking access.

    I have also not seen any changes or assertions which ensure that entities hosting these systems keep the same HIPAA records that EHRs themselves are required to collect, and more importantly, provide to patients when asked. Surely the hospital or provider cannot be held accountable when the access is granted and hosted by an outside entity. However, the one host company, Cerner, that I am familiar with, has no way on their website for requesting HIPAA records.

  29. Jenique Keys says:

    The access of a representative becomes more complex and requires a close look. The first item to discuss is the process for establishing who is authorized by the patient to access and under which circumstances. Sharing with a representative perhaps would not be valid until the patient’s condition necessitated the sharing of information. Other patients may want information shared with a representative as it becomes available without regard to their own condition. This should be a decision that can be made similar to or perhaps even part of advanced directives or on admission to the hospital along with the patient privacy policy. Access should not be too difficult that an authorized representative doesn’t want to access the needed information. The more difficult it becomes to access information, the less likely the information will be accessed and used. The authorization given should not be an all or none access. There are many sensitive items in a person’s medical record that perhaps they would not mind sharing general lab values or imaging reports, but would not desire that social history including sexual behaviors, alcohol, smoking, depression, and other social disorders be shared with others besides themselves. The topic then begs the question about the procedure for authorizing what information is available for access as well as how the information is going to be kept from accidental access. For example, a provider’s admission note or discharge note may comment on some lifestyles that the patient desired not be disclosed to a representative. Once a representative is authorized for access, a login to the electronic site should be sufficient and that individual is responsible for keeping the login information secure. Similar to online banking. The online profile for a representative should be a read-only permission that is marked as representative.
    Patients should be able to have access to their information through V/D/T accounts, however before gaining this access, they should be able to make an appointment with their PCM so that critical values and results can be explained. With that said, family members/friends/representatives who have been granted access, by the patient, to the patient’s information should be given the same treatment. If at any time a patient wants to remove a family member/representative from having access to their information, they should be able to do so without question. A representative/family member needs to have a notarized letter, signed by the patient, stating that they have full/partial access to a patient’s record. This letter should be placed in a patient’s records for healthcare providers to confirm who the representative for the patient is. If a patient does not have a notarized letter, and they are admitted to the hospital, they can verbally appoint a representative.
    This issue comes down to what the patient wants to accomplish by allowing a personal representative access to their medical information. While allowing the patient to determine what information is accessed versus using all or nothing seems like a reasonable idea, if a patient is allowing someone access as a family member to help make medical decisions or navigate medical information, allowing them to access all of the information is probably a good idea. If the online banking model of access could be used and a patient had a shared portion and private portion of their record they could choose what was shared. Allowing the patient to give access to their online medical record is reasonable because it is one more patient empowered decision to give out the access.

  30. Jessica Kelley says:

    I assume there will be certain security settings on an individual’s account that can be shared with whoever is chosen as a “personal representative” such as a PIN or security questions. However, there should be options within the EHR to specify which types of information can be shared. If information sharing is set up in advance, it becomes less of a burden on the healthcare provider to confirm who is considered a personal representative of the patient. For example, a husband and wife setting up shared account information while healthy. However, in situations where a patient’s status changed unexpectedly, which is more common, the burden would fall on the healthcare provider to confirm the personal representative is in fact the right individual.

    Would account access to EHR by another individual only require a one time initial setup? From then on it would be the responsibility of the patient, family member, or personal representative to only access EHR on a secure network, such as a private computer or other device. One concern is accessing electronic health records in public settings or over wifi connections, often considered less secure networks, which could pose the same risk for identity theft when accessing financial information in those environments. Would the programs used have a way of knowing the information is being accessed from a public setting and restrict it to only a secure network?

  31. Comments cover a wide variety of compelling access issues and scenarios for consideration.
    Whatever the final policies regarding access of patients’ records by designated representative/family/friend, patients must be able to obtain an accounting of who accessed their information.

  32. John Schrom says:

    Thank you for the opportunity to provide comments about this issue.

    I’m very excited about the development and implementation of VDT functionality for MU2.

    I recall one instance a few years ago where I was tested for HIV, gonorrhea, chlamydia, and syphilis at a local clinic. My test results were reported online: negative for gonorrhea/chlamydia/syphilis, and “confidential” for HIV. Despite not having any real risk factors for HIV, this sent me into a panic. The clinic didn’t answer their phones, and only checked their voicemail once per week. I eventually managed to contact one of the testing counselors and found out that I was actually negative for HIV but the clinic did not release those results online. Had I been allowed access to my entire medical record – as I understand is the goal with this MU requirement – my panic could have been avoided completely.

    Regarding the question of personal representatives and friends/family having access to a person’s medical records, I’d like to share two personal experiences.

    I am the only member of my family who has pursued an education and a career in health care. As a result, family and friends often ask questions related to health and medicine. My father, a disabled Vietnam veteran, had a series of cardiac problems a few years ago. In the midst of sorting this out and trying to figure out how to proceed, he provided me with access to his entire medical record – including both records relevant to his current issue and all historical documents. This included sensitive information which I do not believe he would have wanted to share if an alternative option existed.

    However, there simply wasn’t an easy way to limit the amount of information provided by content, type, or timeline. In an ideal world, he would be able to provide me access to relevant tests, medications, diagnoses, and notes, and be able to omit portions that aren’t relevant or which are particularly sensitive.

    Similarly, I recently attended a concert and ended up with some unknown person’s blood on my hand. My skin was intact but my significant other (SO), out of an abundance of caution, wants me to get tested for HIV and HCV once I’m outside the HIV window period. In an ideal world, I would be able to provide my SO with access to these test results directly, and not have to provide access to my entire medical record (which, similar to my father’s situation, may contain information that is irrelevant or details I may not wish to share).

    There are third party services which exist that would allow me to do this. Depending on the service and my health care provider (HCP), they would access medical information either via scraping patient portals, faxing or mailing a HIPAA authorization form, or through Blue Button+. However, as HIPAA only covers the HCP’s data storage and transmission, once I’ve retrieved my data via such a service, the service is not mandated to follow HIPAA’s privacy or security rules.

    This is problematic. These services could advertise that they are compliant with HIPAA without stating that their means of being compliant is that they aren’t actually required to follow it. By storing my data with a third-party service, I am inadvertently and unknowingly putting myself and my data at risk, since I’m assuming my data are securely stored in compliance with HIPAA.

    This could be solved by either encouraging EHRs to build in such functionality, or by making third-party services comply with HIPAA. In my opinion, the better option is to encourage EHRs to give patients the option to share their medical information at a granular level.

    For example, I might choose to share all of my HIV and HCV test results with my SO, but nothing else. Or, my father might choose to only share tests, notes, medications, and diagnoses from his most recent hospitalization with me and my mom. You can imagine this use case being extended: sharing your HIV/STI testing information with a potential sexual partner, sharing condition-specific test results and medications with a condition-specific support group, or sharing a list of a child’s medications with the school nurse or summer camp staff.

    If companies don’t already exist which do these things, I guarantee they will sprout up as patient medical data become more accessible. However, as discussed, by forcing patients to remove their data from the protections of HIPAA just to do these basic tasks, patients are unknowingly putting themselves at risk.

    So, as a family member of a patient, and as a patient myself, I hope that you take action to encourage EHRs to give patients the option to share limited, granular data with friends and family members.

  33. A personal representative can either be designated by the patient who has capacity via a proxy authorization or via an advance directive for healthcare or durable power of attorney for health care if the patient is incapacitated or deceased. The patient who has capacity would have his/her personal representative complete the proxy access form and receive their own user ID and password. The patient should have the ability to request termination of that proxy at any time.
     The issue of sensitive lab results should be addressed (CLIA just became finalized).
     There are also special protections under different state laws (e.g. GA, NJ) for information relating to AIDS/HIV, genetic testing, and mental health and substance abuse. Patients must be informed that there may be no way to segregate this sensitive information from the rest of the chart and that it will therefore be available for viewing to the proxy user.
     The patient should be made aware that in the event that they terminate the proxy relationship, the proxy may still have access to historical records and patient information that could have been downloaded or provided electronically during the duration of their proxy access. Providers could potentially offer an audit trail of downloads or record views by the proxy as a measure of transparency.
    o The issue of the personal representative when the patient is incapacitated or deceased must be examined. If there is a durable power of attorney or an advance healthcare directive, then the person designated in either document would be the personal rep and have access to the records. If on the other hand, there is no such document, then the facility can rely on state law to identify who the personal representative entitled to the medical records is (e.g. living spouse, adult child…etc).
    o The issue of minors and their ability to have an electronic health record.
     At what age does a child have privacy rights in the eye of state law in regards to their medical record?
     What is the position of providers on parents viewing a teen’s medical record and available features? The default position under the law is that a parent or guardian has access to and control over a minor’s health information. There are however exceptions to that default position where the minor is able to consent to healthcare services:
     Minor has been emancipated through a legal proceeding or through marriage,
     A minor female for all health information related to birth control and abortion or a pregnancy,
     A minor for all information related to sexually transmitted disease
     A minor over the age of 12 who independently seeks mental health care, for all information related to that care
     A minor for information related to treatment for alcohol or drug abuse.
    o How does this information get segregated from the rest of the chart that the parent or guardian has the right to see?

  34. Through a signed authorization or proxy, signed by the patient. That individual should be given his/her own credentials to the patient’s echart. Request should still be submitted to the healthcare provider the same way it would be for paper records. The provider would then set-up the account for the proxy user.
     This approval could be facilitated through physical signature or the electronic equivalent via patient portals or other facilitating technology.
     Patient portals or other related technology could also provide routine validation and confirmation of personal representative designations on some routine frequency (e.g. every 6 months).
    o Through an advance healthcare directive or power of attorney if the patient is incapacitated or deceased. If no power of attorney, then state law would dictate order in which an individual is granted personal representative status (e.g. executor or administrator of the estate, surviving spouse, surviving child, any other family member).

  35. • How are patients’ friends and family provided with credentialed access to view/download/transmit accounts?
    o Once an individual is deemed to be a personal representative according to the criteria listed above (section before), then the entity can issue a user ID and password to the individual the same way they would issue the credentials to the primary user of the echart account. This can be done via email, via a letter that contains the credentials, or via registration to the portal at the provider’s site.
    o Audit functionality could also be offered to allow patients to view which of their friends and family have access to their records and which records have been viewed.
    • Is this access “all or nothing,” or are there more granular options? If the latter, how does this get accomplished?
    o It would be very difficult for providers to segregate certain sensitive test results from being viewed (e.g. AIDS/HIV results, mental health diagnosis, etc.). There would be increased liability for the provider if they commit to segregating the data but end up accidentally releasing it to the proxy. More granular options could be made available depending on the technology offered by the EHR vendor.

  36. • Are there policy issues that need further resolution regarding personal representative access to view/download/transmit accounts?
    o A personal representative can either be designated by the patient who has capacity via a proxy authorization or via an advance directive for healthcare or durable power of attorney for health care if the patient is incapacitated or deceased. The patient who has capacity would have his/her personal representative complete the proxy access form and receive their own user ID and password. The patient should have the ability to request termination of that proxy at any time.
     The issue of sensitive lab results should be addressed (CLIA just became finalized).
     There are also special protections under different state laws (e.g. GA, NJ) for information relating to AIDS/HIV, genetic testing, and mental health and substance abuse. Patients must be informed that there may be no way to segregate this sensitive information from the rest of the chart and that it will therefore be available for viewing to the proxy user.
     The patient should be made aware that in the event that they terminate the proxy relationship, the proxy may still have access to historical records and patient information that could have been downloaded or provided electronically during the duration of their proxy access. Providers could potentially offer an audit trail of downloads or record views by the proxy as a measure of transparency.
    o The issue of the personal representative when the patient is incapacitated or deceased must be examined. If there is a durable power of attorney or an advance healthcare directive, then the person designated in either document would be the personal rep and have access to the records. If on the other hand, there is no such document, then the facility can rely on state law to identify who the personal representative entitled to the medical records is (e.g. living spouse, adult child…etc).
    o The issue of minors and their ability to have an electronic health record.
     At what age does a child have privacy rights in the eye of state law in regards to their medical record?
     What is the position of providers on parents viewing a teen’s medical record and available features? The default position under the law is that a parent or guardian has access to and control over a minor’s health information. There are however exceptions to that default position where the minor is able to consent to healthcare services:
     Minor has been emancipated through a legal proceeding or through marriage,
     A minor female for all health information related to birth control and abortion or a pregnancy,
     A minor for all information related to sexually transmitted disease
     A minor over the age of 12 who independently seeks mental health care, for all information related to that care
     A minor for information related to treatment for alcohol or drug abuse.
    o How does this information get segregated from the rest of the chart that the parent or guardian has the right to see?

  37. Diane Wiskus says:

    The Health IT Policy Committee’s Privacy and Security Tiger Team presented a complex topic on the potential privacy and security issues that could arise when a family member, friend or legal designee is given access to the patient information through the Certified EMR Technology “view/download/transmit” (V/D/T) capabilities. As mentioned, a personal representative would have the same rights of access to the medical record information as the patient would have. However, the question is whether additional privacy and security policies need to be implemented in order for family and friends to access patient information.
    As a member of the Gay, Lesbian, Bisexual, and Transgendered (GLBT) community, obtaining access to our loved one’s patient information can be a struggle. Currently, 22 states do not recognize same-sex domestic partners. Due to this disparity, I may not have the authority under state and/or other applicable law to access patient information as a “personal representative”. With the advent of the electronic medical record and the importance of access to information, the current policy on how individuals are granted “personal representative” status needs to be updated to include domestic partners in states that do not recognize same-sex domestic partnerships. Why? It’s very simple. The state is not responsible for telling me who should have access to my medical record. It is my choice.
    As a daughter of aging parents, I feel having only restricted “family” access to the electronic medical record would hinder my ability to monitor medications, manage appointments, and understand their health history. With the advent of patient-family centered care across the country, family is encouraged to participate in their health care decisions and plan of care. Why would we then restrict a family’s access to the patient’s electronic medical record?
    As a mother of a future teenage daughter, I do respect her right to privacy. I am aware that having full disclosure of her medical record may prevent her from having crucial conversations with her doctors if she knew I had access to her medical record. However, I do feel having immediate access to immunizations and physical reports is important. In this case, teenagers should have the authority to opt out of release of their full medical record.
    In conclusion, minimizing opportunities for privacy and security issues is at the center of this discussion. However, we must first educate the patient on what the benefits and risks are for granting access to their medical records. Secondly, we should adhere to the wishes of the patient despite State differences in recognizing same-sex domestic partnerships. Lastly, we need to recognize the value of promoting patient-family centered care by allowing full access to their electronic medical record.

  38. Ticia Gerber says:

    February 18, 2014

    Deven McGraw, JD, MPH, LLM
    Chair
    Privacy and Security Tiger Team
    Health IT Policy Committee
    Hubert H. Humphrey Building
    200 Independence Avenue SW
    Washington, DC 20201

    Dear Ms. McGraw:

    Health Level Seven International (HL7) appreciates the opportunity to provide feedback on potential privacy and security policy issues that could arise when a family member, friend or legal designee is given access to patient information through the Certified EHR Technology “view/download/transmit” (V/D/T) capabilities.

    HL7 is a not-for-profit, ANSI-accredited standards developing organization (SDO) dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery and evaluation of health services. HL7's 2,300+ members represent approximately 500 organizations that comprise more than 90% of the information systems vendors serving healthcare in the US. As the global authority on standards for interoperability of health information technology, HL7 appreciates the opportunity to offer to provide our perspectives on these important issues. We would be happy to answer questions or provide further information on our response.

    Sincerely,

    Charles Jaffe, MD, PhD
    Chief Executive Officer
    Health Level Seven International

    Donald T. Mon, PhD
    Board of Directors Chair
    Health Level Seven International

    HL7’s Comments

    Personal Representatives:
    • Are there policy issues that need further resolution regarding personal representative access to view/download/transmit accounts?
    Policy Issue (1) Patients need to be informed and meaningfully consent to their personal representatives (PRs) having the extent of access that VDT affords.

    The extent of access to a patient’s PHI is significantly increased via VDT. For some time, patients may remain accustomed to the level of access their personal representatives and friends and family members of their care team (PRs) have had in a paper-based health records environment, which is usually time limited, that is, from the time at which the patient agrees to having a PR. Patients may be comfortable in having a PR present during an encounter where the Patient can hear/see the PR’s interaction with the treating provider and has knowledge of what part of the patient’s medical history is being discussed. However, in the VDT environment, an appointed PR at the beginning of a serious illness, for example, would now have access to the entirety of the patient’s PHI available via VDT.

    Policy Issue (2) Patients should have the ability to specify the extent of PR access to the portions of their VDT accessible medical history that the patient deems necessary for improved care coordination. This is similar to a limited power of attorney.

    If VDT access can be more granularly controlled, patients would be able to meaningfully consent to PR access for the portions of the patient’s records or a specific time frame. Without granular, yet practical control, patients may be torn between maintaining their privacy and dignity by not consenting to PR access at all. If the HIPAA access for PRs and family members is not in the patient’s control, patients may opt to not have any PR involved in their care, which may not result in the best health outcomes.

    We therefore suggest that a practical consent model is established that can enable patients to manage their PHI appropriately and clearly identifies how consent is managed as data moves between providers, patients, and personal representatives, and clarifies the obligations of the PR to address the concerns of PHI becoming available beyond the immediate patient-provider relationship. Furthermore this should clarify whether a PR is to be considered the same or different from the patient and if so how to enable health IT to help manage this as data is exchanged.

    Policy Issue (3) Patients should be able to specify that policies for data access and use, such as a consent directive for disclosure, remain in place. Note: This is similar to a patient establishment of a DNR order. The PR should not be able, without specific authorization, to reverse this or other policies put in place in advance with the provider for sharing of their healthcare information.

    Another Issue raised by the HIT Privacy & Security Tiger Team statement in this request for input is: “HIPAA permits covered entities to share identifiable health information relevant to a patient’s care with family members or friends involved in a patient’s care, unless the patient objects. It also requires covered entities to treat a “personal representative” (a person authorized under State or other applicable law to act on behalf of the individual in making healthcare related decisions) the same as they would treat the patient. For example, personal representatives have the same rights of access to medical record information as the patient would have.”

    Clarification is needed about the extent of discretion that covered entities have to designate a patient’s PRs.

    Policy Issue (4) If covered entities do in fact have the right to select a patient’s PRs, then by policy, the PRs should only have access to the patient’s VDT records by virtue of explicit and granular patient control of what portions of those records may be accessed by the PRs. This is very important because of the risk that a PR could exercise the patient’s right to transmit the patient’s records to any entity without limit.

    • How do health-care providers confirm that an individual is, in fact, a personal representative?
    If patients had VDT PR access consent directives, preferably using the HL7 Consent Directive CDA standard, then the patient can specify PR identifying information that the provider can use to verify the identity of the PR. This is consistent with the view that patients have the right to set policy access by inclusion or by excluding some access to information that should not be shareable. Patients should be able to set and establish policy for whom and to what extent they wish to provide access to their VDT account.

    In addition providers should ensure that the PR is aware of any limitations preventing unauthorized actions to modify information prior to transmittal. This is required to ensure integrity of data sent on the patient’s behalf.

    We defer to providers to clarify what types of documentation they require before they grant access to a portal for a PR.

    Friends & Family
    • How are patients’ friends and family provided with credentialed access to view/download/transmit accounts?
    Patient PRs are typically provided credentialed access in the same manner as the patient, which should be based on HIPAA risk analysis of appropriate authentication LOA. In other words, the patients’ friends, family and other PR should be identified as IT users, identity proofed, provided an account ID separate from the patient, and all PR actions taken on behalf of the patient should be audited so that the patient can determine what actions have been taken on their behalf.

    • Is this access “all or nothing,” or are there more granular options? If the latter, how does this get accomplished?
    Typically, the PR receives the same access as the patient, which may be a concern as identified above.
    As discussed in our response to the policy issues, if VDT capabilities are going to benefit a patient’s care coordination, then the patient must be able to make granular access decisions or they are likely to avoid having PRs. A key consideration is that patients’ ability to mask portions of their VDT accessible records from their PRs is not likely to result in patient safety issues to the extent that masking portions of a patient record from treating clinicians would.

    The “all or nothing” option raises additional issues if HIPAA covered entities have discretion to designate PRs. As stated above, this may force some patients to choose between maintaining privacy preferences and having PRs, or even mentioning any potential PR to covered entities.

    In addition, covered entities may be leery of the potential for the perception of breach if a PR were to inappropriately access or disclose VDT PHI despite the patient’s right to transmit their records to whomever they please.

    The technical normative standards for accomplishing granular patient control are well-known and have been shown to be feasible in a number of ONC and FHA sponsored pilots, including: ONC Standards and Interoperability Data Segmentation for Privacy Implementation Guide and the HL7 and IHE standards version of the same; HL7 Consent Directive CDA; the HL7 Healthcare Privacy and Security Classification System; and HL7 Security Labeling Service.

    These efforts are summarized below:

    • CDA Consent Directive – which enables the electronic documentation of the act of a patient consenting or authorizing some policy, with parameters captured on that instance. This CDA consent directive can also hold a policy fragment or whole policy in a standards based policy language like XACML.
    o This could be used to capture a patient authorizing a Personal Representative. It can be used to identify various limitations that the PR would have.
    o This model has been piloted successfully
    o This model is starting to get traction.
    o Without specific drivers, it will likely take some number of years of maturation before it could be mandated. On the other hand, maturity may be advanced based upon community uptake and ONC priorities (e.g., meaningful use incentives).

    • Healthcare privacy/security Classification System (HCS) and the USA realm DS4P – a model for processing healthcare information relative to policies including consents/authorizations and relative to the requestor of data so as to provide the appropriate disclosure, thus preventing improper access.
    o This model has been piloted
    o This model has some very targeted uses
    o Without specific drivers it will likely take some number of years of maturation before it could be mandated. On the other hand, maturity may be advanced based upon community uptake and ONC priorities and by incorporating HCS into high priority projects such as HL7 Fast Healthcare Interoperability Resource (FHIR).
    o There are efforts to fold these concepts into the EHR functional model as well as FHIR.
      • This is a work in progress.
    o There are efforts to define service definitions that would support these concepts.
      • This is a work in progress.

    • Security/Privacy Audit Logging and Reporting – This supports the recording when data is accessed, used, or disclosed (as well as other security events), such that security and privacy accountability can be shown. Specific to this use-case is that following these standards enables providing the patient with an Accounting of Disclosures. This is a report that utilizes the Security/Privacy audit log as well as other knowledge to produce a report that shows what data was disclosed to who and why. This functionality should be seen as critical to the use-case being discussed to enable the patient to understand what is happening with their data, especially regarding their PR authorizations.
    o This is based on IHE-ATNA
    o This has been folded into EHR functional model
    o This has been folded into FHIR
    o This has a SOA service definition
    o This is in moderate use globally
    o More effort is needed on the reporting side
    o It likely is mature enough to encourage, but not mandate

    We believe that substantial efforts are in progress, but much more work is necessary to solidify these standards to support a practical consent model to manage personal representatives. In this regard, the applicable standards are not exclusive to the US realm. There is interest in the EU, and a proposed model DS4P Implementation Guide (Germany, Austria, Switzerland) has been proposed based upon the US balloted standard. These activities may encourage more rapid maturation and adoption.
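
    The policy issues above (separate PR credentials, patient-specified portions and time frame, no PR reversal of existing directives, and an accounting of disclosures built from the audit log) can be sketched as an access-control model. This is an added illustration, not HL7's Consent Directive CDA or any ONC pilot code; the `ConsentDirective`, `VdtPortal` and section names are hypothetical and the data is constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ConsentDirective:
    """Constructed, hypothetical model of a patient's directive for one PR."""
    patient_id: str
    pr_id: str                     # PR has its own account, separate from the patient
    allowed_sections: frozenset    # portions of the record the patient opened up
    valid_from: date               # time frame, like a limited power of attorney
    valid_to: date
    transmit_allowed: bool = False # transmit is the riskiest right (Policy Issue 4)

@dataclass(frozen=True)
class AuditEvent:
    actor: str
    patient_id: str
    action: str      # view | download | transmit | modify_consent
    section: str
    outcome: str     # permit | deny

class VdtPortal:
    def __init__(self, directives):
        self.directives = {(d.patient_id, d.pr_id): d for d in directives}
        self.audit_log = []   # every PR action is recorded, permitted or not

    def authorize(self, actor, patient_id, action, section, today):
        if actor == patient_id:
            allowed = True    # the patient keeps full access to their own record
        else:
            d = self.directives.get((patient_id, actor))
            allowed = (
                d is not None
                and d.valid_from <= today <= d.valid_to
                and section in d.allowed_sections
                and (action != "transmit" or d.transmit_allowed)
                and action != "modify_consent"   # PR cannot reverse directives (Policy Issue 3)
            )
        self.audit_log.append(AuditEvent(actor, patient_id, action, section,
                                         "permit" if allowed else "deny"))
        return allowed

    def accounting_of_disclosures(self, patient_id):
        """Report for the patient: what PRs attempted on their behalf, and the outcome."""
        return [(e.actor, e.action, e.section, e.outcome)
                for e in self.audit_log
                if e.patient_id == patient_id and e.actor != patient_id]
```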

  39. JD says:

    I’ve been through dual diagnosis and I realize how health is very important. I prioritize my health and the health of my family now. In fact, I think we should all do. The last thing we want is to realize that it is too late.

  40. Sharon says:

    A personal representative can be delegated by the patient who has capacity via a proxy authorization or via an advance directive for healthcare or durable power of attorney for health care if the patient is incapacitated or deceased. The patient who has capacity would have his/her personal representative complete the proxy access form and receive their own user ID and password. The patient should have the ability to request termination of that proxy at any time.

  41. sara jasmin says:

    Ah yes Thank you for the opportunity to comment on this complex subject. As I’m sure others will address broader questions of policy and ethics, I’ll confine my comments to a few implications of “sensitive information”, by which I mean specific data for which a patient may have an interest in limiting disclosure.
