Premier and CHIME submitted comments on ONC’s proposed Trusted Exchange Framework and Common Agreement (TEFCA); both are concerned with how it will work with HIPAA and protect patient privacy.
Industry comment continues to roll in for the Office of the National Coordinator’s proposed Trusted Exchange Framework and Common Agreement, and much like with the proposed info blocking rule, industry stakeholders like Premier, CHIME, and the Association for Executives in Healthcare Information Technology are raising concerns around privacy and security.
While most groups support the intent behind the rule, some are concerned with how TEFCA will align with HIPAA, as well as state and federal regulations.
Specifically, Premier is concerned that ONC does not sufficiently address the complexities of patient access to their data, especially data that falls outside of HIPAA. While TEFCA proposes extending HIPAA requirements to all TEFCA participants (including those that are not considered covered entities or business associates), ONC did not fully explain how this would be operationalized.
Premier urged ONC to expand on the proposal to explain how this would work.
ONC will also need to explain how TEFCA will take into consideration the patchwork of state privacy and security laws, as well as regulation around data access and consent.
“TEFCA is silent on this variation, other than to note that ‘all applicable law must be followed,’” Premier wrote. “Lacking additional clarity from ONC, stakeholders will continue to struggle to meet TEFCA requirements and all other applicable laws and regulations (including HIPAA, 42 CFR and information blocking).”
“Additionally, as Premier has stated in other comment letters, ONC should ensure that patients, beneficiaries, enrollees and their caregivers can understand the nuances of privacy and security of their health data, especially when such data is shared as part of TEFCA,” they added.
To address this, Premier recommended that ONC develop and launch a broad educational and outreach campaign to advise stakeholders, including patients and caregivers, on health information privacy and security, focusing on risks and challenges that fall outside the scope of HIPAA.
“We believe that TEFCA policies should be aligned as closely as possible with HIPAA,” Premier wrote.
HIPAA was a key concern for CHIME and AEHIT as well, especially in how TEFCA will interact with the privacy regulation and ONC’s info blocking rule. For one, electronic health information is too broadly defined, which may require providers to create new policies beyond HIPAA in order to offer patients a meaningful opportunity to consent.
CHIME and AEHIT said they’re concerned these “solutions” will actually create unnecessary administrative burden and complexity for those providers.
“Providers are already very accustomed to working with HIPAA requirements and this wording creates a confusing and separate set of rules,” CHIME and AEHIT wrote. “Rather than creating new policies, a better approach would be to have providers leverage any opportunity under HIPAA (i.e., check in) when seeking consent.”
TEFCA states “all qualified health information networks, participants, and participant members who provide individual access services must publish and make publicly available a written notice describing their privacy practices regarding the access, exchange, use, and disclosure of EHI.”
Further, it mandates the notice mirror ONC’s Model Privacy Notice and explain how a patient can exercise their “meaningful choice” and who can be contacted about the privacy practices.
To CHIME and AEHIT: “It’s clear providers will now need to manage two different sets of privacy practices.”
“Any policies which supplant HIPAA or create unintended conflicts must be carefully examined,” CHIME and AEHIT wrote. “At the very least, ONC should create a crosswalk that clearly depicts where there is overlap and where new policies will be required.”
CHIME and AEHIT also expressed concern with “meaningful choice” or consent management. While patients should be able to decide on how their data will be shared, ONC’s definition is too broad and may create a number of challenges down the line.
For example, providers are permitted to share patient data as it relates to treatment, payment, and healthcare operations without a patient’s consent under HIPAA. However, TEFCA would mandate that patients have a say about where, how, and with whom their data is shared.
Further, TEFCA stresses that QHINs, participants, and participant members are required to give patients the opportunity to exercise this meaningful choice and request that their data not be used or disclosed, except as required by applicable law. Participants are then required to communicate this choice to their QHIN, which must in turn communicate it to all other QHINs.
“Given HIPAA does not require providers seek consent prior to sharing data related to TPO, we believe it would set up two different and competing standards if providers will be required under TEFCA to seek consent for TPO-related data and non-TPO-related data,” CHIME and AEHIT wrote.
“We request ONC elaborate on how they envision providers manage these two separate processes,” they added.
The other concern for CHIME and AEHIT is around “applicable law.” Most states have laws stricter than HIPAA, and each state’s law is different, which leads to a number of challenges and complexities. In fact, even federal and state governments are still struggling to determine how to align these privacy regulations.
As a result, “TEFCA does nothing to make this easier and cannot solve the issue of stricter state policies. In fact, with added data exchange as called for under TEFCA these problems are only going to be exacerbated,” AEHIT and CHIME argued.
“Technology is still not at the point where it can easily flag charts to allow them to segregate the chart by these types of requirements (i.e. revocations or varying state laws),” CHIME and AEHIT wrote. “While there are some interfaces that help with state laws, the overall complexity is very hard to manage.”
“CHIME supports a patient’s right to decide how their information is used,” they continued. “However, there are constraints outside our members’ control that must be addressed in order to make this work.”
Premier shared similar sentiments, recommending that ONC define meaningful choice so that it applies only to the exchange of health information that does not fall under HIPAA’s definitions of treatment, payment, and healthcare operations.
“It is unclear if ONC anticipated any discrepancies (and how they would be resolved) between a patient’s meaningful choice and other consents/authorizations that the patient may have signed,” Premier wrote.
“Establishing a new choice standard for TPO would be inappropriate for HIPAA covered entities and business associates, as the current implied consent model for TPO is an ingrained standard that has served patients well,” they added.
Premier said ONC needs to clarify that meaningful choice applies only to data sharing not covered by HIPAA, as well as the extent to which the information blocking provisions of ONC’s proposed rules will relate to TEFCA.
Premier is also concerned that meaningful choice will be challenging and complicated to operationalize. HIPAA has “engendered consumer trust,” and as such, TEFCA and all related policies should align with HIPAA, including presumed consent for the exchange of protected health information for treatment, and minimum necessary exchange for payment and healthcare operations.
“We recommend that ONC encourage further discussion among state governors to harmonize state privacy laws concerning health information,” Premier wrote.
Date: July 10, 2019
Source: Health IT Security