The Institute of Medicine Committee on the Recommended Social and Behavioral Domains and Measures for Electronic Health Records has been tasked with identifying domains and measures that capture the social determinants of health to inform the development of recommendations for Stage 3 Meaningful Use of electronic health records (EHRs). In its initial report, the committee has identified a candidate set of domains for consideration for inclusion in EHRs (IOM, 2014). This paper addresses privacy concerns related to the inclusion of social and behavioral determinants of health (SBDH) in EHRs. This paper discusses the purpose of assuring appropriate privacy protections for this information, summarizes the federal privacy and security laws that govern this information and the technical capability of certified EHR technology (CEHRT) to reinforce the privacy protections afforded to this information, and provides some additional recommendations to assure public trust in the collection, use and disclosure of SBDH information.
In summary, eligible professionals and hospitals participating in the Meaningful Use program will want the trust of patients in collecting, using and sharing SBDH data, and compliance with applicable law is an essential first step toward gaining this trust. Eligible professionals and hospitals will need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules with respect to this information; other federal laws, such as the rules protecting identifiable data coming from most substance abuse treatment programs, may also apply. The professional or hospital may need to comply with state law with respect to the collection, use, and disclosure of this information; an examination of potentially applicable state laws is beyond the scope of this paper.
1 Center for Democracy and Technology.
HIPAA allows SBDH information to be collected by health care providers where the information is reasonably necessary to accomplish the purposes for which it is collected. HIPAA also allows SBDH information to then be used and disclosed for individual treatment purposes without the need to first obtain the oral consent or written authorization of the individual. Disclosures to public health authorities acting within the scope of their authority may also be made without the need to obtain consent or authorization. However, disclosures to other state and local authorities, or uses and disclosures for purposes not related to treatment of the patient (or payment for that care) may require the patient’s prior express authorization. Professionals and hospitals are required to abide by laws requiring specific patient authorization prior to disclosure; however, most certified EHR technology (CEHRT) today does not have the capability to segment data requiring authorization from data that may be shared without the need to obtain authorization.
Notwithstanding the ability under law to collect, use, and share SBDH information for treatment purposes, eligible professionals and hospitals may still want to take additional steps—above and beyond what the law requires—to provide assurances to patients. Such steps could include assuring greater transparency to patients about uses and disclosures of this information; providing patients with some choices about the collection and sharing of this information (such as through verbal consent or opting-out); and adopting role-based access controls. However, the capability of CEHRT to deploy additional protections for this data within the EHR is uncertain.
The ethical foundation for keeping patient information confidential dates back to the Hippocratic Oath. A 2013 survey of consumer attitudes toward health information technology and health information exchange found a high percentage of public support for EHRs, but 50 percent of respondents (all of whom had experience with doctors using EHRs) thought EHRs would worsen privacy and security (Ancker et al., 2013). These results essentially reaffirmed previous surveys conducted between 2010–2012 on health information technology or EHRs and privacy concerns. The consequences for failing to address privacy and security concerns could be significant for some patients: one out of eight patients does not seek treatment for a sensitive medical condition, or withholds critical information from health care providers, because of concerns about confidentiality (Agaku et al., 2013).
Do certain segments of the population care more—or less—about health privacy? A thorough review of the research in this area is beyond the scope of this paper. In a 2005 survey of attitudes toward health information technology and privacy, the California HealthCare Foundation found people with chronic illnesses and racial and ethnic minorities reported even higher levels of concern about the privacy of their medical records and were more likely than average to withhold information for fear of its being improperly used (California HealthCare Foundation, 2005). The 2013 survey cited above found no distinction in privacy concerns based on sociodemographic variables; however, the sample for the survey likely underrepresented minorities, particularly Hispanics. Surveys of privacy concerns and use of the Internet typically do not focus on health information but may provide some indication of public attitudes toward privacy and digital technologies that could be instructive. A recent Pew Research Center study found that persons ages 30–49 were most often eager to try to control access to their personal information (such as by using encryption or deleting cookies), and low-income Internet users were more likely to report negative experiences with Internet use, such as having an email or social media account compromised, having their reputation damaged by online activity, or being stalked or harassed online (Rainie et al., 2003).
The information included in the candidate domains identified by the committee in the initial report may be highly sensitive to some individuals. For example, patients may worry that information about alcohol use, if shared outside of the treatment setting, may be used to affect their employment status or affect their ability to obtain a loan. Patients may be concerned about being treated differently because professional and hospital staff sees information about food or housing insecurity, socioeconomic characteristics, or exposure to violence. Particularly in smaller towns, where the local hospital may be one of the largest employers, patients may be concerned about socioeconomic or behavioral information being seen by friends, co-workers or neighbors. Such information is of the type that patients may not expect to have collected and stored in their doctor’s or their hospital’s medical record.
If the conditions for receipt of Meaningful Use incentive payments either require or encourage the collection of this information, eligible professionals and hospitals will need to take care to comply with any applicable privacy and security laws and ideally adopt organizational or institutional good data stewardship practices to earn (and keep) patient trust in the collection, use, and disclosure of this information. This paper discusses the applicable federal laws that could apply to the collection, use, and disclosure of SBDH information, as well as additional considerations that may help build trust in having this information be part of treatment, care coordination, and population health activities.
Eligible professionals and eligible hospitals meet the definition of “covered entity” under HIPAA,2 and therefore are required to comply with the HIPAA privacy and security regulations, known as the Privacy Rule and the Security Rule. The Privacy Rule establishes the rules governing the use and disclosure of identifiable health information in either paper or electronic format (otherwise known as protected health information or PHI) by covered entities; the Security Rule establishes the security safeguards to be adopted to protect electronic identifiable health information (otherwise known as ePHI). (The Privacy Rule requires entities to adopt reasonable security safeguards for paper records.3)
The definition of PHI is broad and includes SBDH data collected by a covered entity. Health information “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual”; or payment for care (emphasis added).4 Health care “means care, services or supplies related to the health of an individual.”5 It includes, “but is not limited to, preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, counseling service, assessment or procedure [with regard to] the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body.”6 When health information is identifiable to a patient, as long as it is not specifically exempt from coverage under HIPAA (which would not be the case for identifiable information collected by eligible professionals and eligible hospitals), it is PHI and governed by HIPAA. SBDH information falls within HIPAA’s definition of health care, and because it will initially be collected to inform treatment decisions, there is no doubt it is PHI.
HIPAA’s Privacy Rule does not require providers to get the patient’s oral consent or written authorization before collecting PHI. However, the HIPAA Privacy Rule’s “minimum necessary” provisions do set some parameters with respect to “requests” for PHI.7 When information is being requested from another covered entity (for example, from another health care provider), the “minimum necessary” provisions require the request to be limited to that which is “reasonably necessary to accomplish the purpose for which the request is made.”8 With respect to requests for PHI that are made on a routine or recurring basis, a provider must implement policies and procedures that limit the PHI requested to that which is reasonably necessary to fulfill the purpose for the request.9 For other requests—those not made of other covered entities or that do not occur on a routine basis—the provider is required to develop criteria that will enable requests to be limited to what is reasonably necessary to accomplish the purpose and review individual requests in accordance with those criteria.10 With respect to the collection of SBDH data by eligible professionals and hospitals as part of the Meaningful Use program, these rules mean that providers will need to develop policies and protocols for routine receipt of data (for example, through direct feeds from social service agencies or through protocols for patient interviews) to assure that the information collected is what is reasonably necessary to fulfill the purpose (or purposes) for which it is collected. Where the collection is not routine but more episodic, there is still a requirement to develop criteria to be applied to individual requests to assure that collection meets the “reasonably necessary” standard.
“Minimum necessary” standard: “when using or disclosing [PHI], or when requesting [PHI] from another covered entity, a covered entity must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
2 45 CFR 160.103.
3 45 CFR 164.530(c).
4 45 CFR 160.103.
Note in the case of information that is collected directly (or even automatically) by the provider from another source, such as a social service agency, that there may be rules governing the ability of the other source of this information to release it. For example, the Privacy Act of 1974 generally prohibits federal agencies from releasing personal information about individuals without their authorization, with some exceptions,11 and states frequently have their own versions of privacy laws that restrict the ability of state agencies to release personal information.12 The governor of the Commonwealth of Massachusetts recently came under criticism for upholding privacy laws and failing to release information regarding whether the person accused of setting off bombs in the crowd watching the Boston Marathon received state benefits (Post Staff Report, 2013).
7 45 CFR 164.514(d)(1).
8 45 CFR 164.514(d)(4)(i).
9 45 CFR 164.514(d)(4)(ii).
10 45 CFR 164.514(d)(4)(iii).
11 5 U.S.C. § 552a.
12 See, for example, the California Information Practices Act of 1977, Civil Code Section 1798.
The Privacy Rule includes provisions governing the use and disclosure of SBDH information and treats it the same as other information gathered by a professional and stored in the records (with the exception of psychotherapy notes—see below). Eligible professionals and hospitals may use and disclose this information, along with other information gathered from the patient, to treat the patient, and for treatment-related administrative tasks (known as health care operations), without needing to first obtain the oral consent or written authorization of the patient.13 Health care operations includes (but is not limited to) “population-based activities relating to improving health or reducing health care costs, . . . case management and care coordination, contacting [professionals] and patients with information about treatment alternatives, and related functions that do not include treatment.”14
Professionals and hospitals may also disclose this information, without the need for prior consent or authorization, for purposes of obtaining payment for care. All uses and disclosures of PHI (except disclosures for treatment purposes) are subject to the Privacy Rule’s aforementioned “minimum necessary” standard: “when using or disclosing [PHI], a covered entity must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use [or] disclosure.”15 This standard requires a covered entity to identify the persons or classes of persons who need access to PHI to carry out their duties, and the category or categories of PHI to which access is needed—and then make reasonable efforts to limit PHI access according to those decisions.16 Although the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, has issued little guidance on implementation of the minimum necessary standard, these provisions arguably would obligate covered entities to take reasonable steps to limit access to SBDH data to workforce members with a need to know.17
13 45 CFR 164.502(a)(1)(ii). Treatment is “the provision, coordination, or management of health care and related services by one or more health care providers,” including coordinating or managing health care with a third party. 45 CFR 164.501.
14 45 CFR 164.501.
15 45 CFR 164.502(b)(1).
16 45 CFR 164.514(d)(2).
A covered entity is permitted to rely, “if such reliance is reasonable under the circumstances,” on a requested disclosure of PHI as meeting the standards for minimum necessary when it is disclosing information for public health purposes and the public health authority represents that the information requested is the minimum necessary for the stated purpose.18 The HIPAA Privacy Rule also allows professionals and hospitals to rely on the information requests from another covered entity, such as a payer, for what constitutes minimum necessary.19 Consequently, if a payer does not request or require the information, professionals and hospitals will need to consider whether disclosing SBDH data is necessary to support payment. The Privacy Rule’s minimum necessary provisions also prohibit the disclosure of an entire medical record, except when the entire record is specifically justified as the amount reasonably necessary to accomplish the purpose of the use, disclosure, or request.20 These provisions arguably require professionals and hospitals to have a way to prevent access to or disclosure of certain types of data in the EHR, including SBDH, if such data is not needed to accomplish a given purpose; however, as noted later in the report, it is not clear that certified EHRs can accomplish segmentation of this data.
As noted above, psychotherapy notes are treated differently under the Privacy Rule. Psychotherapy notes are “recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and are separated from the rest of the individual’s medical record.”21 A covered entity is required to obtain the patient’s express written authorization for any use or disclosure of psychotherapy notes, except for the following:
- The treatment uses by the originator of the notes;
- Use or disclosure in mental health professional training programs;
- Use by the covered entity to defend itself in a lawsuit brought by the individual who is the subject of the notes;
- Disclosures required by law;
- Uses related to oversight of the originator of the notes;
- Disclosures to coroners and examiners to help determine cause of death; and
- Disclosures to prevent an imminent threat to health or safety.22
17 Of note, HITECH requires HHS to issue guidance on the minimum necessary standard. See Section 13405(b)(1)(B) of the Health Information Technology for Economic and Clinical Health Act. As of the writing of this report, the guidance had not been issued.
18 45 CFR 164.514(d)(3)(iii)(A).
19 45 CFR 164.514(d)(3)(iii)(B).
20 45 CFR 164.514(d)(5).
21 45 CFR 164.502.
Consequently, SBDH data collected by a mental health professional in psychotherapy notes would enjoy greater protection but be less available for use in treatment by other professionals.
Disclosures to Public Health Authorities
The Privacy Rule permits the disclosure of PHI to public health authorities “authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability.”23 A public health authority is an agency or authority of the United States, a state or territory (or a political subdivision thereof), or an Indian tribe, “or a person or entity acting under grant of authority from or under contract with such public agency … that is responsible for public health matters as part of its official mandate.”24 Consequently, an eligible professional or hospital may disclose SBDH data to a public health authority, as long as that public health authority has legal authorization to collect (either on the initiative of the public health authority or as initiated by the professional or hospital) that data. Such a disclosure does not require the prior consent or authorization of the individual, although the eligible providers or eligible hospitals may need to inform the patient of this disclosure if that patient requests an “accounting” of disclosures from the record.25 Such disclosures would also be covered by the Privacy Rule’s minimum necessary provisions; however, the eligible professional or eligible hospital can rely on the public health authority’s reasonable determinations of what constitutes the minimum necessary amount of data required to be shared with the authority.
Disclosures to Other Authorities (Not Public Health)
Eligible professionals and hospitals may have a need (or face a legal requirement) to disclose SBDH data from their records to other, nonpublic health authorities. Not all governmental authorities will fall under the definition of a “public health” authority; for example, an agency whose purpose is to connect individuals with other social services, like income or food and nutrition assistance, would likely not be considered a public health authority.26
22 45 CFR 164.508(a)(2).
23 45 CFR 164.512(b).
24 45 CFR 164.501.
25 45 CFR 164.528. The report is required to account for the past 6 years of disclosures required to be covered. Although this has not been formally studied, anecdotally these reports are rarely requested by patients. See Health IT Policy Committee (2013).
The Privacy Rule does permit disclosures of PHI by eligible professionals and hospitals where they are required to do so by law.27 For example, if a state has a law requiring the disclosure of SBDH data to a particular agency, an eligible professional or hospital can make that disclosure without running afoul of HIPAA. The Privacy Rule also permits professionals and hospitals to disclose PHI:
- To public health or other authorities “authorized by law to receive reports of child abuse or neglect”;
- To report abuse, neglect, or domestic violence to an entity authorized by law to receive such reports;
- To certain entities or individuals for workplace safety matters; and
- To avert a serious and imminent threat to health or safety.28
Note that these are permitted, and not required, disclosures under HIPAA. In the absence of another law or professional obligation to disclose this information, an eligible professional or hospital is not required to disclose SBDH or any other type of PHI for these purposes. These disclosures also are subject to HIPAA’s minimum necessary standard.
HIPAA also permits PHI to be disclosed for law enforcement purposes—but there are limits to the amount of information that can be disclosed when the disclosure is not being conducted pursuant to a subpoena or other court order.29 For example, an eligible professional or hospital may disclose limited information to assist in the identification or location of a suspect, fugitive, or material witness or missing person.30 The information that may be disclosed is limited to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death (if applicable), and a description of distinguishing facial characteristics31—in other words, largely not SBDH data in the domains identified in the committee’s draft report.
26 There is no definitive guidance on the breadth of the definition of a public health authority, and the definition of “health care” under HIPAA is broad, as noted earlier in this paper. However, other provisions of the Privacy Rule contemplate the sharing by health insurers of information with “other government benefit programs,” which suggests the regulators did not intend for all government benefits with a nexus to health to fall within the definition of a “public health” authority. See 45 CFR 164.512(k)(6).
27 45 CFR 164.512(a).
28 45 CFR 164.512(b), (c), and (j).
29 45 CFR 164.512(f).
30 45 CFR 164.512(f)(2).
31 45 CFR 164.512(f)(2)(i).
Uses and Disclosures Requiring Authorization: Research
Under the Privacy Rule, a use or disclosure of PHI—including SBDH information—that is not expressly permitted by the Privacy Rule requires the prior authorization of the patient. For example, if an eligible professional or hospital wants to voluntarily share identifiable SBDH data with a nonpublic health social service agency, they would need the prior authorization of the patient. To be valid, an authorization required by HIPAA must be in writing and include
- A description of the information to be used or disclosed;
- The name of the person or class of persons authorized to make the requested disclosure;
- The name of the person or class of persons to whom the information is to be disclosed;
- A description of each purpose of the disclosure;
- An expiration date or event; and
- The signature of the individual or their legal personal representative.32
Uses and disclosures of identifiable SBDH data for research purposes require prior patient authorization—but there are exceptions to this rule.33 For example, uses of this information in preparation for research (for example, to identify potential subjects who might be approached about involvement in a research study) do not require prior patient authorization, as long as the information is not removed from the covered entity.34 In addition, a privacy board or institutional review board (IRB) may waive the requirement for authorization if it determines (and documents) that the use or disclosure of PHI involves no more than minimal risk to the privacy of the individuals based on, at the least, the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure;
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research;
- With a few exceptions, adequate written assurances that the PHI will not be reused or redisclosed to any other person or entity;
- The research could not practicably be conducted without the waiver; and
- The research could not practicably be conducted without access to the information.35
32 45 CFR 164.508(c)(1).
33 Research is a “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” See 45 CFR 164.502.
34 45 CFR 164.512(i)(1)(ii).
The Privacy Rule has historically required authorizations for research uses and disclosures of PHI to be study specific and not general in nature. However, recently the Office for Civil Rights issued guidance allowing patients to more generally authorize future research using their PHI, as long as the description of the future research uses is sufficient that the data subjects would reasonably expect their information to be used for that research.36
As noted above, the HIPAA Security Rule applies to electronic PHI (or ePHI),37 and the Rule does not vary by the type of PHI—so SBDH data collected by eligible professionals and hospitals is subject to the same rules under HIPAA as apply to other types of PHI they collect. CEHRT includes functionalities that can assist them with compliance. For example, CEHRT is required to include capabilities for identity proofing and authentication of system users, access controls, automatic log-off, encryption of data at rest and in motion, and protections for data integrity.38
But the eligible professional or hospital cannot depend on their CEHRT to fulfill all of their Security Rule responsibilities, which include administrative, technical, and physical safeguards. Professionals and hospitals are required, both by the Security Rule as well as by the Meaningful Use requirements, to conduct a security risk assessment and address any security deficiencies (HITECH, 2014). They also must comply with all Security Rule requirements, and consider all “addressable” implementation specifications. Such specifications are not per se required but are also not optional. Covered entities are expected to implement addressable specifications unless they document the reasons why those specifications cannot be implemented and adopt an alternative measure that provides the same or similar safeguards.39 For example, encryption of information while at rest (in storage) is an addressable implementation specification. Consequently, encryption of data at rest is not absolutely required by the Security Rule, but the expectation is that it will be implemented unless the covered entity provides documentation for declining to implement encryption and adopting alternative safeguards instead.
35 45 CFR 154.512(i)(2).
36 78 Fed. Reg. 5566, 5612–13 (January 25, 2013).
37 45 CFR 164.302.
38 45 CFR 170.302, sections (O)–(V).
39 45 CFR 164.306(d)(3).
Information That Is Not Easily Identifiable: De-Identified Data and Limited Datasets
The HIPAA Privacy and Security Rules apply only to information that is identifiable. Information that is “de-identified”—which is defined as information “with respect to which there is no reasonable basis to believe that the information can be used to identify an individual”40—is not subject to HIPAA, whether it is SBDH or another type of information. The Privacy Rule provides two methodologies for de-identifying health information: the safe harbor, which requires the removal of 18 categories of identifiers41 and no actual knowledge that the data can be re-identified; and the expert or statistician method, which requires that a person with appropriate statistical experience determines and documents that the risk of re-identification, given the anticipated recipients of the data and the other information that might be reasonably available to them, is very small.42 Note that under both methodologies, the standard is not zero risk of re-identification; consequently, some very low, residual risk is likely to exist even in a properly de-identified HIPAA dataset. Covered entities are not required to obtain commitments from de-identified data recipients not to re-identify this data, but they may decide to do so as a matter of practice.
The HIPAA Privacy Rule also allows covered entities to use a “limited dataset” for health care operations, public health, and research.43 A limited dataset can be achieved by removing 16 categories of identifiers—essentially the safe harbor list for de-identification, but dates and some geographic information are allowed to be retained.44 These data are considered to be PHI; unlike de-identified data, which is not regulated by HIPAA, covered entities may not use or disclose limited datasets without a data use agreement that establishes the permitted purposes for which the dataset may be used or disclosed and prohibits the re-identification of individual patients.45 There are advantages to the use of limited datasets. For example, limited datasets may frequently meet the criteria for waiving the requirement for authorization to use PHI for research purposes.46 In addition, a limited dataset may be a way of achieving minimum necessary standards for health care operations, research, and public health disclosures.47
40 45 CFR 164.514(a).
41 45 CFR 164.514(b)(2).
42 45 CFR 164.514(b)(1).
43 45 CFR 164.514(e)(3).
44 45 CFR 164.514(e)(2).
45 45 CFR 164.514(e)(4).
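A worked illustration of the safe harbor method and the limited dataset described above, added here as an example and not part of the paper or any EHR product: it assumes a constructed record layout, a made-up table of populous three-digit ZIP prefixes, and a simple data-use-agreement gate, and shows that the SBDH fields themselves survive both paths while the identifiers are removed or generalized.

```python
"""Safe harbor vs limited data set: what each HIPAA method removes from a record.
Constructed example; the record layout, field-to-category mapping and the
ZIP population table are assumptions, not the paper's or any vendor's code."""
import re
from datetime import date

# Record fields mapped onto the 16 identifier categories a limited data set
# must remove (45 CFR 164.514(e)(2)). Dates, city/state/ZIP and other unique
# codes may stay in a limited data set.
LIMITED_DATASET_STRIP = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
})
# Safe harbor (45 CFR 164.514(b)(2)) additionally removes any other unique
# identifying code and geographic units below state level; dates and ZIP
# codes are generalised rather than dropped outright.
SAFE_HARBOR_STRIP = LIMITED_DATASET_STRIP | {"other_unique_id", "city"}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date")

# Assumed 3-digit ZIP prefixes whose combined population exceeds 20,000 (a real
# implementation would consult census data); any other prefix becomes "000".
POPULOUS_ZIP3 = frozenset({"021", "941"})

# Identifier shapes that leak into free-text fields: SSN, phone, e-mail.
FREE_TEXT_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
)

def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with a placeholder."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years

def limited_dataset(record: dict) -> dict:
    """Strip the 16 limited-data-set categories; the result is still PHI."""
    out = {k: v for k, v in record.items() if k not in LIMITED_DATASET_STRIP}
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out

def safe_harbor(record: dict, as_of: date) -> dict:
    """Apply the safe harbor method; the result is no longer PHI under HIPAA."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_STRIP}
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    if "zip" in out:
        prefix = out["zip"][:3]
        out["zip"] = prefix if prefix in POPULOUS_ZIP3 else "000"
    for field in DATE_FIELDS:  # keep the year only
        if field in out:
            out[field] = out[field].year
    birth = record.get("birth_date")
    if birth is not None and age_on(birth, as_of) > 89:
        # Ages over 89, and any date element revealing them, collapse to "90+".
        out["birth_date"] = "90+"
    return out

def release(record: dict, method: str, as_of: date, dua_signed: bool = False) -> dict:
    """Gate the release: a limited data set may only leave under a data use agreement."""
    if method == "safe_harbor":
        return safe_harbor(record, as_of)
    if method == "limited_dataset":
        if not dua_signed:
            raise PermissionError("limited data set requires a data use agreement")
        return limited_dataset(record)
    raise ValueError(f"unknown method {method!r}")

# Constructed records; every value is fictitious.
SAMPLE = {
    "name": "Jane Q. Sample", "street_address": "12 Example Lane",
    "city": "Boston", "state": "MA", "zip": "02134",
    "phone": "617-555-0100", "email": "jane@example.com",
    "ssn": "000-00-0000", "mrn": "MRN-0001", "other_unique_id": "STUDY-77",
    "birth_date": date(1931, 6, 1), "admission_date": date(2014, 3, 5),
    "alcohol_use": "2-3 drinks/week", "housing_insecurity": True,
    "food_insecurity": False,
    "notes": "Reports recent job loss; callback 617-555-0100, jane@example.com.",
}
# Same layout, but a patient aged over 89 living in a sparsely populated ZIP area.
SAMPLE_ELDERLY = dict(SAMPLE, birth_date=date(1920, 1, 1), zip="99501")
AS_OF = date(2014, 3, 5)

if __name__ == "__main__":
    for method in ("safe_harbor", "limited_dataset"):
        print(method, release(SAMPLE, method, AS_OF, dua_signed=True))
```

Note that neither path is a substitute for the expert determination method, and the residual re-identification risk the paper mentions remains in the safe harbor output.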
Other Laws Protecting the Privacy and Security of Health Information
Information that is collected by a federally funded or federally assisted substance abuse treatment provider, and that identifies or has the potential to identify the patient as someone receiving (or who has received) substance abuse treatment, is also governed by federal law—42 CFR Part 2 (otherwise known as Part 2). These rules allow information to be used by the actual Part 2 provider for treatment purposes—but disclosure of this information, even for treatment purposes, requires the express authorization of the patient, and this information cannot be redisclosed by the recipient without obtaining new authorization from the patient.48 For example, if a substance abuse treatment provider refers a patient to an eligible professional or hospital, that substance abuse treatment provider would need to obtain authorization from the patient prior to sending identifiable information—such as SBDH data—to the professional or hospital. The substance abuse treatment provider is required to provide notice to the recipient that the information is subject to Part 2 and cannot be further disclosed without prior patient authorization.49 Once the professional or hospital receives that data (with the patient’s authorization), they can use it to treat the patient—but cannot further disclose it without additional patient authorization. If they do obtain this authorization, they are required to similarly provide notice to the recipient that this information cannot be redisclosed without authorization.
State laws also may provide additional protections for certain types of SBDH information. HIPAA does not preempt any state laws that provide greater privacy protections for patients.50 As a result, many states have enacted laws providing greater protections for certain types of information—such as mental health or genomic data, or HIV test results. Often these laws require express consent or authorization from the patient before information can be disclosed. Eligible professionals and hospitals collecting SBDH will need to consider whether there are additional laws in their states governing how they collect, use, and disclose this information. (A more comprehensive examination of state law is beyond the scope of this paper.) Of note, states also often have laws providing greater protections to certain types of data about minors. For example, California allows minors to consent to receive certain types of medical care—such as sexual and reproductive health care—without the need to obtain the consent of a parent or guardian (Adolescent Health Working Group, 2002). In that case, the minor has the right to keep that information confidential, and the information cannot be disclosed to the parent or guardian (or sometimes to any others) without the express consent of the minor. HIPAA defers to state law on issues of minor consent and privacy.51
46 45 CFR 164.512(i)(2)(ii).
47 Section 13405(b)(1)(A) of the Health Information Technology for Economic and Clinical Health Act.
48 42 CFR Part 2, Sections 2.13, 2.32.
49 Id. Section 2.32.
50 45 CFR 160.203.
Other Non-Legal Considerations: Good Privacy Stewardship and the Limits of Technology
To the extent that some SBDH data are of the type that patients are not accustomed to sharing with their medical providers, and that may be highly sensitive to some patients, eligible professionals and hospitals may seek to treat this information with greater sensitivity, even though HIPAA and other applicable laws may treat it the same as any other health information. For example, information about financial resource strain, food and housing insecurity, social connections and social isolation, exposure to violence, and socioeconomic characteristics is not information patients are generally accustomed to having collected by their medical providers, and they may consider it to be sensitive.52 HIPAA provides some parameters for how health care providers can collect, use, and disclose this information, but once the information is disclosed, even where done lawfully, the recipient may not be subject to HIPAA or other confidentiality standards.
Ultimately, the goal of protecting the privacy and confidentiality of this information is to earn the trust of the patients in its collection, use, and disclosure for important, legitimate purposes. Eligible professionals (EPs) and eligible hospitals (EHs) should consider the mantra often relied on by the federal Health IT Policy Committee: the patient should not be surprised to learn what happens to their health data. At a minimum, this suggests EPs and EHs should make efforts to be transparent to patients about collection, use, and disclosure of their health information, and this may be particularly true for SBDH data that may raise heightened sensitivities. Such transparency does not have to be a lengthy disclosure form—even a conversation with the patient in a face-to-face, virtual, or telephone setting can be helpful. HIPAA requires covered entities to provide patients with a Notice of Privacy Practices53—but this notice is not required to focus on the details of what covered entities actually do with health information; instead it explains what HIPAA permits and what types of uses and disclosures require authorization.54 The notice historically has not been easily read or understood by patients (Hochhauser, 2003), although recent improvements to the model notice may result in increased reading and comprehension (HHS, 2014). But given the way this notice has historically been treated by patients, transparency efforts with respect to collection, use, and disclosure of SBDH data should not be addressed by mere inclusion in the HIPAA-required Notice of Privacy Practices.
51 45 CFR 164.502(g)(2).
52 Note, however, that some have argued that special treatment for sensitive information perpetuates stigma. See, for example, Evans and Burke (2008) and Mills (2009).
Often transparency goals can be met through an informed consent process. As noted above, HIPAA does not require the consent or authorization of the patient to share SBDH data for treatment purposes, or for public health or other legally required purposes—but an eligible professional or hospital may decide to obtain consent as a matter of practice. HIPAA expressly permits covered entities to do this,55 and in the case where HIPAA does not require prior written authorization, entities may use other ways to inform and gather assent from the patient. For example, a provider may document that a patient has orally agreed to share SBDH information, or may adopt a policy of informing patients about the policies and practices with respect to the use and disclosure of SBDH data and allow patients with objections to opt out.56 Note that if the right to opt out is provided, eligible professionals and hospitals should have the capability to honor decisions to opt out.
In general, access to information under HIPAA is for those with a need to have the information in order to perform their duties, and the minimum necessary rule—which applies to collection and use of PHI, and disclosures of PHI except for treatment purposes—reinforces the need to take precautions to reveal only relevant data to appropriate persons for lawful purposes. Under the HIPAA Security Rule, covered entities are required to implement procedures to control and validate a person’s access based on their role or function,57 but the Rule leaves discretion to covered entities about how to implement this. Eligible professionals and hospitals should consider the potential for access controls to assure only appropriate access to some of the more sensitive aspects of patient records, keeping in mind the technological capabilities (and potential limits) of their CEHRT.
53 45 CFR 164.520(a).
54 45 CFR 164.520(b).
55 45 CFR 164.506(b).
56 The HIPAA Privacy Rule does provide patients with a right to request that information not be used or disclosed; however, the Rule does not require providers to agree to this request. See 45 CFR 164.522(a).
57 45 CFR 164.310(a)(2)(iii).
The presence of laws providing special protections to certain types of data or with respect to certain types of uses or disclosures—and the desire to afford such protections even in the absence of legal requirements—has led to calls for technical capability within CEHRT to segment or sequester such sensitive information, so patients can make more granular choices with respect to data sharing (enabling them to allow sharing of less sensitive information and to withhold sensitive information, depending on the circumstances). However, the certification requirements for CEHRT do not require the inclusion of segmentation capabilities, and as a result, CEHRT used by eligible professionals and hospitals may not have the capability to honor commitments to patients with respect to granular consent. The Health IT Policy Committee, through its Privacy and Security Tiger Team, is currently considering the viability of technical capabilities to segment substance abuse treatment data covered under Part 2 that were initially piloted as part of the Standards and Interoperability Framework of the Office of the National Coordinator for Health IT (Bowman, 2014). Although this capability is being tested for use by providers covered by Part 2, and potentially the non–Part 2 providers to whom they customarily refer, it is technology that may be useful to provide additional protections to other types of sensitive data. But whether CEHRT will include this functionality in the future (either through a certification requirement or through voluntary inclusion of this capability) is unknown.
Eligible professionals and hospitals participating in the Meaningful Use program may, under HIPAA, collect, use, and share SBDH data for treatment purposes, and disclose this data to public health officials acting within the scope of their authority, without the need to first obtain the consent of the patient. Express patient authorization is required to share SBDH data for purposes such as research (unless the authorization requirement is waived by a Privacy Board or an IRB) and with other social service agencies. Professionals and hospitals will need to assure compliance with baseline federal (and potentially state) health privacy laws; however, building the trust of patients in the collection, use, and responsible sharing of this information is critical and may require the adoption of additional measures, such as transparency and consent (either opt in or opt out) and access controls. Eligible professionals and hospitals will need to determine whether such additional measures, when they are dependent on technology, can actually be accomplished by their CEHRT.
Adolescent Health Working Group. 2002. Understanding confidentiality and minor consent in California: An adolescent provider toolkit. San Francisco, CA: Adolescent Health Working Group.
Agaku, I. T., A. O. Adisa, O. A. Ayo-Yusuf, and G. N. Connolly. 2013. Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. Journal of the American Medical Informatics Association 21(2):274–278.
Ancker, J. S., M. Silver, M. C. Miller, and R. Kaushal. 2013. Consumer experience with and attitudes toward health information technology: A nationwide survey. Journal of the American Medical Informatics Association 20(1):152–156.
Bowman, D. 2014. Tiger team: Data segmentation recommendations to come in June. FierceEMR. http://www.fierceemr.com/story/tiger-team-data-segmentation-recommendations-comejune/2014-05-09 (accessed June 24, 2014).
California HealthCare Foundation. 2005. National consumer health privacy survey 2005. Sacramento: California HealthCare Foundation.
Evans, J. P., and W. Burke. 2008. Genetic exceptionalism. Too much of a good thing? Genetics in Medicine 10(7):500–501.
Health IT Policy Committee. 2013. Privacy & security tiger team: Accounting of disclosures recommendations. Presentation of the Health IT Policy Committee. Washington, DC: U.S. Department of Health and Human Services.
HHS (U.S. Department of Health and Human Services). 2014. Model notices of privacy practices. http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html (accessed June 24, 2014).
HITECH (Health Information Technology for Economic and Clinical Health Act). 2014. Meaningful Use core objectives for security risk analysis. http://www.hitechanswers.net/meaningful-use-core-objective-security-risk-analysis (accessed June 23, 2014).
Hochhauser, M. 2003. Compliance vs. communication: Readability of HIPAA notices. https://www.privacyrights.org/print/ar/HIPAA-Reading.htm (accessed June 24, 2014).
IOM (Institute of Medicine). 2014. Capturing social and behavioral domains in electronic health records: Phase 1. Washington, DC: The National Academies Press.
Mills, C. 2009. Stigma and openness. Philosophy & Public Policy Quarterly 29(1/2) (Winter/Spring):19–23.
Post Staff Report. 2013. Mass. refuses to reveal how much Boston bomber received from welfare, cites right to privacy. New York Post. http://nypost.com/2013/04/25/mass-refuses-to-reveal-how-much-boston-bomber-received-from-welfare-cites-right-toprivacy (accessed June 23, 2014).
Rainie, L., S. Kiesler, R. Kang, and M. Madden. 2003. Anonymity, privacy, and security online. Washington, DC: Pew Research Center. http://www.pewinternet.org/files/old-media//Files/Reports/2013/PIP_AnonymityOnline_090513.pdf (accessed June 23, 2014).