Bob Dieterle

Ed Martin

Patrick Murta

Tony Little

Rick Geimer

Dan Chaput

Alex Kontur

 

Regulatory Barriers

What do these mean for the ability to implement/scale FHIR?

HIPAA Minimum Necessary

  • Bob – payer asks a provider for information. Provider decides what information is appropriate. Both have an obligation to respect minimum necessary and filter by the information needed to solve a particular problem.
    • In practice, b/c there is no way for the payer to know how the provider represents clinical information, the requests are generic (e.g. “I need the progress note”, “testing related to…”). As a result, the provider doesn’t know exactly what the payer needs and typically sends the entire record
    • Ed – couldn’t profiles address some of these challenges (i.e. by standardizing information sets)?
      • Bob – maybe if you have a well bounded set of related services. A lot of important information is captured in text (notes). There are any number of places where the information may occur. FHIR can provide access to the whole record, which removes human mediation…how do you constrain access and/or deal with minimum necessary in such an environment?
    • Tony – in a perfect world, would the requester ask for particular resources/profiles?
      • Bob – changing the paradigm…historically thought of much information as a progress note (CDA, for example, was structured similarly). Now we have a set of resources, and we have to figure out how to rationalize those constructs with constructs derived from paper charts. Minimum necessary has been a failure, because it relies on “I know it when I see it”
      • Tony – how often does it get in the way of interoperability? In my experience you typically get the whole record and simply use a portion of it
      • Bob – therein lies the problem. If a payer pulls the whole record via FHIR, they may implicitly violate minimum necessary requirement
      • Ed – when we have somebody retrieving patient demographics, we don’t want to give out SSN. At the OAuth level we can refine scope of access (e.g. at the resource level)
      • Bob – you are restricting access based on organization/role? (Ed – yes) How do you provide flexibility re: what I’m asking for rather than who I am? (e.g. I need documentation to support an advance imaging order…which resources/parts of record are considered minimum necessary).
    • Bob – What if we changed minimum necessary to “declared purpose”? Assert I am getting access to: “do risk adjustment”, “check eligibility”, etc. Can only use the information for that purpose
      • Murta – in some ways we do that today, via agreements with provider groups
      • Bob – trying to replace minimum necessary (which has never worked and will probably work worse in a real-time access environment) with something that is easier to implement yet has enough privacy oversight and potential for enforcement. Concerned that creating thousands of profiles is not implementable/scalable
      • Murta – Agree that it’s fairly easy to implement from an API perspective, but may be more complex for payers because they don’t always cleanly segregate the data they receive [i.e. separating data for specific purposes]…not all payers have the level of sophistication to support that out of the box
      • Tony – compare the FB contracts for use of data…people weren’t against sharing data, but were against sharing for certain purposes. Patients want to know the “why” behind data sharing, rather than simple enumeration of the type of data
    • Ed – Can purposes be effectively grouped/categorized?
      • Murta – Did an exercise where we tried to map to LOINC codes…came up with ~10 high level groups, with up to 75 specific reasons under each
      • Ed – OAuth scopes provide categories by which to restrict access, may be able to use as a mechanism for restricting access to health data
    • Bob – In addition to minimum necessary, we also have to consider sensitive data (e.g. mental health, substance use, STDs, etc.). Should those classes of information be treated separately, or should they be included in a general release of information?
      • Murta – personally, I understand why sensitive data is excluded. We have technical solutions to do so (we usually mark the record to indicate that data is missing). My experience has been that it causes more confusion among treating providers…adds unnecessary burden and hampers treatment
      • Bob – do you expect another clinician to withhold that type of information?
      • Tony – depends on the specialty of the clinician, and whether the patient asks for the information to be withheld
      • Murta – is it in the best interests of the patient that you withhold that type of information?
      • Bob – many states require a release from the patient to exchange sensitive information even for treatment purposes. Frequently have heard that there is nothing you can do once sensitive information is exposed. Can you ascertain that information in a different way? (often yes)

 

HIPAA mandatory transactions

  • Bob – naming into regulation a specific release of a specific standard and requiring that you use nothing but that (e.g. X12 requirements in HIPAA). What does that mean for something like FHIR that continues to evolve? ONC has proposed an approach in which named standards function as the “floor” and you can move on to new standards so long as they don’t break what you have to do
    • Geimer – concerned that the “floor” has “heavy gravity” and there aren’t proper incentives to move beyond it
    • Bob – If there is no value in going to the next version, why do we care? If there is value, why wouldn’t that drive upgrades?
    • Geimer – does the value override the obligation to maintain support for the old version as well? You can’t just get rid of the old stuff
    • Tony – becomes a tragedy of the commons…even if it improves value for the community, individuals won’t receive as much value and therefore won’t advance
    • Geimer – maybe the alternative involves reviewing/moving the floor on a regular basis? Concerned that there is no definite timeline for reviewing the standards and updating the regulation
    • Bob – this method at least allows organizations to get experience with new versions of standards, which makes it easier to advance the floor

 

[Add consent to the last slide of the presentation]
