Privacy Protection for Substance Abuse Treatment Information
An Example of Data Segmentation for Privacy
Johnathan Coleman, CISSP, CISM
Initiative Coordinator, Data Segmentation for Privacy
Office of the Chief Privacy Officer, ONC/HHS
Jul 18, 2015
Agenda
What is Data Segmentation?
Why Segment at All?
Regulatory Landscape
Use Case Example
Focus Area and Challenges
Data Segmentation Initiative: Scope and Outcome
Moving Forward/Next Steps
Conclusion
Community Participation
What is Data Segmentation?
“Process of sequestering from capture, access or view
certain data elements that are perceived by a legal entity,
institution, organization or individual as being
undesirable to share.”
Data Segmentation in Electronic Health Information Exchange: Policy
Considerations and Analysis
• Melissa M. Goldstein, JD; and
Alison L. Rein, MS, Director Academy Health
• Acknowledgements: Melissa M. Heesters, JD; Penelope P. Hughes, JD;
Benjamin Williams; Scott A. Weinstein, JD
Why Segment at All?
• Some healthcare information requires special handling that goes
beyond the protection already provided through the HIPAA Privacy rule.
• Additional protection through the use of data segmentation emerged in
part through state and federal privacy laws which address social
hostility and stigma associated with certain medical conditions.*
• Data Segmentation for Privacy provides a means for electronically
implementing choices made under these privacy laws.
* The confidentiality of alcohol and drug abuse Patient records regulation and the HIPAA privacy rule: Implications for
alcohol and substance abuse programs; June 2004, Substance Abuse and Mental Health Services Administration.
Examples of Heightened Legal Privacy Protections (1)
• Federal Confidentiality of Alcohol and Drug Abuse Patient Records
regulations [42 CFR Part 2] which protect specific health information
from exchange without patient consent.
• State and Federal laws protecting data related to select
conditions/types of data
– Mental Health
– Data Regarding Minors
– Intimate Partner Violence and Sexual Violence
– Genetic Information
– HIV-Related Information
Examples of Heightened Legal Privacy Protections (2)
• Laws protecting certain types of health data coming from covered
Department of Veterans Affairs facilities and programs [Title 38, Section
7332, USC]
– Sickle Cell Anemia
– HIV Related Information
– Substance Abuse Information
• In addition, there is a proposed federal rule [45 CFR Part
164.522(a)(1)(iv)] which would allow patients to withhold any health
information from payors for services they received and paid for out-of-
pocket.
User Story Example (1)
[Figure: Provider/Healthcare Organization 1]
The Patient receives care at their
local hospital for a variety of conditions,
including substance abuse as part of
an Alcohol/Drug Abuse Treatment
Program (ADATP).
Data requiring additional protection
and consent directive are captured and
recorded in the EHR system. The
patient is advised that the protected
information will not be shared without
their consent.
User Story Example (2)
[Figure: Provider/Healthcare Organization 1 and Provider/Healthcare Organization 2]
A clinical workflow event
triggers additional data to be
sent to Provider/Organization
2. This disclosure has been
authorized by the patient, so
the data requiring heightened
protection is sent along with a
prohibition on redisclosure.
Provider/ Organization 2
electronically receives and
incorporates patient
additionally protected data,
data annotations, and
prohibition on redisclosure.
User Story Example (3)
[Figure: Provider/Healthcare Organization 1 and Provider/Healthcare Organization 3]
The Patient receives care
for new, unrelated condition
and is referred by
Organization 1 to a specialist
(Provider/Organization 3).
Organization 1 checks the
consent directive and sends
authorized data to
Organization 3.
Provider/Organization 3
electronically receives and
incorporates data which does
not require heightened
protection.
[Figure label: Allergies]
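The three user stories above, sketched as an added Python example that is not part of the original presentation: Organization 1 checks the consent directive per recipient, sends protected data only where authorized, and attaches the redisclosure prohibition to it. The category names, organization ids and notice string are assumptions, and the record is constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample values: category names, organization ids and the notice
# string are assumptions for illustration, not a standard vocabulary.
PROTECTED = {"substance_abuse"}            # data needing heightened protection
NO_REDISCLOSURE = "prohibition-on-redisclosure"

@dataclass(frozen=True)
class Entry:
    category: str
    text: str

@dataclass
class ConsentDirective:
    # protected category -> recipients the patient has authorized
    authorized: dict = field(default_factory=dict)

    def permits(self, category, recipient):
        return recipient in self.authorized.get(category, set())

def segment(record, directive, recipient):
    """Return (entry, annotations) pairs that may be disclosed to recipient."""
    outgoing = []
    for entry in record:
        if entry.category not in PROTECTED:
            outgoing.append((entry, ()))                   # flows freely
        elif directive.permits(entry.category, recipient):
            outgoing.append((entry, (NO_REDISCLOSURE,)))   # restriction travels with data
        # protected and not authorized: withheld (default deny)
    return outgoing

def forwardable(received):
    """Entries a recipient may pass on; annotated ones are held back."""
    return [(e, a) for e, a in received if NO_REDISCLOSURE not in a]

RECORD = [                                   # constructed record at Organization 1
    Entry("allergies", "penicillin"),
    Entry("substance_abuse", "ADATP treatment note"),
    Entry("medications", "lisinopril"),
]
DIRECTIVE = ConsentDirective({"substance_abuse": {"org2"}})

if __name__ == "__main__":
    for org in ("org2", "org3"):
        sent = segment(RECORD, DIRECTIVE, org)
        print(org, [(e.category, a) for e, a in sent])
    print("org2 may forward:", [e.category for e, _ in forwardable(segment(RECORD, DIRECTIVE, "org2"))])
```
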
Focus Area and Challenges (1)
• Some regulatory requirements mandate that certain types of data not
be disclosed without specific patient consent. Many of these
regulations were drafted prior to broad adoption of EHRs, and include
requirements (e.g. restrictions on re-disclosure) not easily implemented
electronically.
• Lack of granularity in current implementations results in reliance on
out-of-band handling (all-or-nothing choice is easier to implement).
• There are multiple levels at which segmentation can occur (e.g.
disclosing provider, intended recipient, or category of data such as
medications). There are no widely adopted standards to segment at
these levels.
• There are no widely adopted standards for transferring restrictions or
notice of restriction (e.g. for re-disclosures).
Focus Area and Challenges (2)
Underlying Challenge:
Enable the implementation and management of disclosure policies that:
• Originate from the patient, the law, or an organization.
• Operate in an interoperable manner within an electronic health information
exchange environment.
• Enable individually identifiable health information to be appropriately shared.
Technical Considerations:
• Prevalence of unstructured data/free text fields.
• Defining “sensitive information”: Pre-determining categories of information can
ease implementation, but patients express a strong preference for systems that
enable them to convey their personal preferences more fully.
Initiative Objectives
• Data Segmentation for Privacy aims to address standards needed to
protect those parts of a medical record deemed especially sensitive
or that may otherwise require additional privacy protection, while
allowing other health information to flow more freely.
• It will help enable interoperable implementation and management of
varying disclosure policies in an electronic health information
exchange environment, allowing providers to share specified
portions of an electronic medical record while retaining others, such
as information related to substance abuse treatment.
Data Segmentation Initiative: Scope
• Focus on defining the use case, user stories and requirements
supporting data segmentation for interchange across systems.
• The initiative builds on the PCAST* vision by testing recommendations
from the HITSC** for the development of metadata tags to be used for
exchanging data
• *PCAST: President's Council of Advisors on Science and Technology
• **HITSC: The Health Information Technology Standards Committee
Data Segmentation Initiative: Outcome
• Successful pilot test of a privacy protection prototype compliant with
Federal privacy and security rules across multiple systems
demonstrating interoperability.
• Validation of the applicability and adequacy of the recommended
standard(s) in implementing a data segmentation solution.
Solution Development Lifecycle
[Figure: solution development lifecycle, as of Feb 2012]
Community Participation
Initiative Timing
• Launch Date: Oct 5, 2011
• Elapsed Time (as-of today): 2.5 months
• Anticipated Ramp-Down: Fall 2012
Outputs
• # Use Case Artifacts: TBD
• # User Stories (currently being explored): 11
• Use Case Complexity: High
• # Use Case WG Members: 62
Participation & Process
• # Wiki Registrants: 148
• # Committed Members: 56
• # Committed Organizations: 52
• # Cumulative Workgroups: 1
• # Workgroup Meetings Held*: 28
• # Days Between Meetings: 5.4
Community Participation
AHIMA; Allscripts; American College of Obstetricians and Gynecologists (ACOG); American College of Rheumatology; Apelon, Inc; Apixio; Availity; Baycliffe Strategies Inc; CAL2CAL Corp; CDC / DHQP; Center for Mental Health Services of SAMHSA; Covisint; Datuit, LLC; Department of Veterans Affairs; Discoverture Health Solutions; Elekta Inc; EnableCare; Epic; Eversolve, LLC; FairWarning Inc; GE Healthcare; Gorge Health Connect, Inc.; HACNet labs at SMU; HHS; HIMSS; HIPAAT International Inc; LINTECH; MASS, Inc; McKesson; Medical Arts Rehabilitation, Inc.; Meditology Services; MedPlus/Quest Diagnostics; Metasteward LLC; MITRE; National Health Data Systems; National Partnership for Women & Families; Ohio Health Information Partnership; Oracle; OZ Systems; Private Access Inc; Prosocial Applications, Inc.; Quantal Semantics, Inc.; RAIN; SAMHSA; SG Healthcare Analytics; Texas State University; The National Council; Thomson Reuters – Healthcare
Next Steps
• The ONC Data Segmentation Initiative is open for anyone to join. This
community meets frequently by webinar and teleconference and has
access to a Wiki page to facilitate discussion and the harmonization of
data standards. Information on how to join the Community can be
found on the Data Segmentation Wiki page: http://wiki.siframework.org/Data+Segmentation+Sign+Up
• In order to ensure the success of DSI and the subsequent pilot, we
encourage broad and diverse participation to ensure the standards
reflect technology used across the industry and meet the needs of all
stakeholders.
• This is your chance to have an impact on the creation and
implementation of a pilot program in this important area of health IT
development.
Conclusion
• Data segmentation provides a potential means of protecting specific
elements of health information, both within an EHR and in broader
electronic exchange environments, which can prove useful in
implementing current legal requirements and honoring patient choice.
• In addition, segmentation holds promise in other contexts; the
electronic capture of data in structured fields facilitates the re-use of
health data for operations, quality improvement, public health, and
comparative effectiveness research.
Data Segmentation enables patients and providers to share specific portions of the electronic medical
record, as guided by applicable policy.
References/Contact Information
• For more information on the President’s Council of Advisors on Science
and Technology (PCAST) Report go to: http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf
• The full whitepaper by Melissa M. Goldstein, entitled, “Data Segmentation in
Electronic Health Information Exchange: Policy Considerations and Analysis” is
available at: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy_and_security/1147
Thank you!
Johnathan Coleman, CISSP, CISM
Initiative Coordinator, Data Segmentation for Privacy
Principal, Security Risk Solutions Inc.
698 Fishermans Bend, Mount Pleasant, SC 29464
Email: [email protected]
Tel: (843) 647-1556

Scott Weinstein, J.D.
Office of the Chief Privacy Officer
Office of the National Coordinator for Health Information Technology
Department of Health and Human Services
Email: [email protected]