Privacy Protection for Substance Abuse Treatment Information

An Example of Data Segmentation for Privacy

Johnathan Coleman, CISSP, CISM

Initiative Coordinator, Data Segmentation for Privacy

Office of the Chief Privacy Officer, ONC/HHS

Agenda

What is Data Segmentation?

Why Segment at All?

Regulatory Landscape

Use Case Example

Focus Area and Challenges

Data Segmentation Initiative: Scope and Outcome

Moving Forward/Next Steps

Conclusion

Community Participation

2

What is Data Segmentation?

“Process of sequestering from capture, access or view

certain data elements that are perceived by a legal entity,

institution, organization or individual as being

undesirable to share.”

Data Segmentation in Electronic Health Information Exchange: Policy

Considerations and Analysis

• Melissa M. Goldstein, JD; and

Alison L. Rein, MS, Director Academy Health

• Acknowledgements: Melissa M. Heesters, JD; Penelope P. Hughes, JD;

Benjamin Williams; Scott A. Weinstein, JD

3

Why Segment at All?

• Some healthcare information requires special handling that goes

beyond the protection already provided through the HIPAA Privacy rule.

• Additional protection through the use of data segmentation emerged in

part through state and federal privacy laws which address social

hostility and stigma associated with certain medical conditions.*

• Data Segmentation for Privacy provides a means for electronically

implementing choices made under these privacy laws.

4

* The confidentiality of alcohol and drug abuse Patient records regulation and the HIPAA privacy rule: Implications for

alcohol and substance abuse programs; June 2004, Substance Abuse and Mental Health Services Administration.

Examples of Heightened Legal Privacy Protections (1)

• Federal Confidentiality of Alcohol and Drug Abuse Patient Records

regulations [42 CFR Part 2] which protect specific health information

from exchange without patient consent.

• State and Federal laws protecting data related to select

conditions/types of data

– Mental Health

– Data Regarding Minors

– Intimate Partner Violence and Sexual Violence

– Genetic Information

– HIV-Related Information

5

Examples of Heightened Legal Privacy Protections (2)

• Laws protecting certain types of health data coming from covered

Department of Veterans Affairs facilities and programs [Title 38, Section

7332, USC]

– Sickle Cell Anemia

– HIV Related Information

– Substance Abuse Information

• In addition, there is a proposed federal rule [45 CFR Part

164.522(a)(1)(iv)] which would allow patients to withhold any health

information from payors for services they received and paid for out-of-

pocket.

6

Provider/Healthcare Organization 1

User Story Example (1)

7

The Patient receives care at their

local hospital for a variety of conditions,

including substance abuse as part of

an Alcohol/Drug Abuse Treatment

Program (ADATP).

Data requiring additional protection

and consent directive are captured and

recorded in the EHR system. The

patient is advised that the protected

information will not be shared without

their consent.

Provider/Healthcare

Organization 2Provider/Healthcare

Organization 1

User Story Example (2)

8

A clinical workflow event

triggers additional data to be

sent to Provider/Organization

2. This disclosure has been

authorized by the patient, so

the data requiring heightened

protection is sent along with a

prohibition on redisclosure.

Provider/ Organization 2

electronically receives and

incorporates patient

additionally protected data,

data annotations, and

prohibition on redisclosure.

Provider/Healthcare

Organization 3Provider/Healthcare

Organization 1

User Story Example (3)

9

The Patient receives care

for new, unrelated condition

and is referred by

Organization 1 to a specialist

(Provider/Organization 3).

Organization 1 checks the

consent directive and sends

authorized data to

Organization 3.

Provider/Organization 3

electronically receives and

incorporates data which does

not require heightened

protection.

Allergies

Allergies

Focus Area and Challenges (1)

• Some regulatory requirements mandate that certain types of data not

be disclosed without specific patient consent. Many of these

regulations were drafted prior to broad adoption of EHRs, and include

requirements (e.g. restrictions on re-disclosure) not easily implemented

electronically.

• Lack of granularity in current implementations results in reliance on out-

of–band handling (all-or-nothing choice is easier to implement).

• There are multiple levels at which segmentation can occur (e.g.

disclosing provider, intended recipient, or category of data such as

medications). There are no widely adopted standards to segment at

these levels.

• There are no widely adopted standards for transferring restrictions or

notice of restriction (e.g. for re-disclosures).

10

Focus Area and Challenges (2)

Underlying Challenge:

Enable the implementation and management of disclosure policies that:

• Originate from the patient, the law, or an organization.

• Operate in an interoperable manner within an electronic health information

exchange environment.

• Enable individually identifiable health information to be appropriately shared.

Technical Considerations:

• Prevalence of unstructured data/free text fields.

• Defining “sensitive information”: Pre-determining categories of information can

ease implementation, but patients express a strong preference for systems that

enable them to convey their personal preferences more fully.

11

Initiative Objectives

• Data Segmentation for Privacy aims to address standards needed to

protect those parts of a medical record deemed especially sensitive

or that may otherwise require additional privacy protection, while

allowing other health information to flow more freely.

• It will help enable interoperable implementation and management of

varying disclosure policies in an electronic health information

exchange environment, allowing providers to share specified

portions of an electronic medical record while retaining others, such

as information related to substance abuse treatment.

12

Data Segmentation Initiative: Scope

• Focus on defining the use case, user stories and requirements

supporting data segmentation for interchange across systems.

• The initiative builds on the PCAST* vision by testing recommendations

from the HITSC** for the development of metadata tags to be used for

exchanging data

13

• *PCAST: President's Council of Advisors on Science and Technology

• **HITSC: The Health Information Technology Standards Committee

Data Segmentation Initiative: Outcome

• Successful pilot test of a privacy protection prototype compliant with

Federal privacy and security rules across multiple systems

demonstrating interoperability.

• Validation of the applicability and adequacy of the recommended

standard(s) in implementing a data segmentation solution.

14

Solution Development Lifecycle

15

As o

f Feb 2

01

2

Community Participation

16

Launch Date Oct 5, 2011

Elapsed Time (as-of today) 2.5 months

Anticipated Ramp-Down Fall 2012

Initiative Timing

# Use Case Artifacts TBD

# User Stories (currently being explored)

11

Use Case Complexity High

# Use Case WG Members 62

Outputs

# Wiki Registrants 148

# Committed Members 56

# Committed Organizations 52

# Cumulative Workgroups 1

# Workgroup Meetings Held* 28

# Days Between Meetings 5.4

Participation & Process

Community Participation

17

AHIMAAllscriptsAmerican College of Obstetricians and Gynecologists (ACOG)American College of RheumatologyApelon, IncApixioAvailityBaycliffe Strategies IncCAL2CAL CorpCDC / DHQPCenter for Mental Health Services of SAMHSACovisintDatuit, LLCDepartment of Veterans Affairs Discoverture Health SolutionsElekta IncEnableCareEpicEversolve, LLCFairWarning IncGE HealthcareGorge Health Connect, Inc.HACNet labs at SMUHHS

HIMSSHIPAAT International IncLINTECHMASS, IncMcKessonMedical Arts Rehabilitation, Inc.Meditology ServicesMedPlus/Quest DiagnosticsMetasteward LLCMITRENational Health Data SystemsNational Partnership for Women & FamiliesOhio Health Information PartnershipOracleOZ SystemsPrivate Access IncProsocial Applications, Inc.Quantal Semantics, Inc.RAINSAMHSASG Healthcare AnalyticsTexas State UniversityThe National CouncilThomson Reuters – Healthcare

Next Steps

• The ONC Data Segmentation Initiative is open for anyone to join. This

community meets frequently by webinar and teleconference and has

access to a Wiki page to facilitate discussion and the harmonization of

data standards. Information on how to join the Community can be

found on the Data Segmentation Wiki page:http://wiki.siframework.org/Data+Segmentation+Sign+Up

• In order to ensure the success of DSI and the subsequent pilot, we

encourage broad and diverse participation to ensure the standards

reflect technology used across the industry and meet the needs of all

stakeholders.

• This is your chance to have an impact on the creation and

implementation of a pilot program in this important area of health IT

development.

18

Conclusion

• Data segmentation provides a potential means of protecting specific

elements of health information, both within an EHR and in broader

electronic exchange environments, which can prove useful in

implementing current legal requirements and honoring patient choice.

• In addition, segmentation holds promise in other contexts; the

electronic capture of data in structured fields facilitates the re-use of

health data for operations, quality improvement, public health, and

comparative effectiveness research.

19

Data Segmentation enables patients and providers to share specific portions of the electronic medical

record, as guided by applicable policy.

References/Contact Information

• For more information on the President’s Council of Advisors on Science

and Technology (PCAST) Report go to:http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf

• The full whitepaper by Melissa M. Goldstein, entitled, “Data Segmentation in

Electronic Health Information Exchange: Policy Considerations and Analysis” is

available at: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy_and_security/1147

Thank you!

20

Johnathan Coleman, CISSP, CISMInitiative Coordinator, Data Segmentation for PrivacyPrincipal, Security Risk Solutions Inc.698 Fishermans Bend,Mount Pleasant, SC 29464Email: jc@securityrs.com Tel: (843) 647-1556

Scott Weinstein, J.D.Office of the Chief Privacy OfficerOffice of the National Coordinator for Health Information TechnologyDepartment of Health and Human ServicesEmail: scott.weinstein@hhs.gov