Projects aim to segment data for privacy | Behavioral Healthcare Executive Skip to content Skip to navigation

Projects aim to segment data for privacy

June 8, 2015
by David Raths
| Reprints

Because people with behavioral health diagnoses have higher rates of other medical conditions, better integration of primary and behavioral healthcare has become a priority for federal agencies and provider organizations.

However, the necessary patient consent protocols for information sharing and the associated technology infrastructure are two issues seriously hampering the flow of patient records between behavioral and other medical providers. Progress has been slow.

Information exchange

Despite the billions spent on the establishment of regional and statewide health information exchanges (HIEs) over the past dozen years or so, few organizations that provide substance use treatment are participating in HIEs. Even for those with EHR systems, the hesitation to exchange patient data with other providers is largely due to concern about federal privacy laws.

The basic problem is that federal confidentiality regulations drafted in the early 1970s—commonly referred to as 42 CFR Part 2—state that without written authorization from the patient, clinicians cannot access patients’ substance use history and treatment regimens, except in cases of emergency. The regulation’s prohibition on unauthorized redisclosure has been a challenge for provider-to-provider information exchanges.

Rather than wholesale data flow in big batches, tight controls at the individual patient level are needed to make sure the patient’s consent travels with the data to control access. Further complicating matters, some state regulations conflict with federal regulations or pose even more stringent guidelines about protecting sensitive health information.

Progress is possible, though. At the state level, some HIEs are making small steps toward exchange within the framework of existing regulations.

For instance, the HIE in Maine recently started connecting with behavioral providers. One public provider with residential and community services for mental health is now sharing patient registration information, diagnoses, patient demographics, allergies and medications in the HIE. Per Maine law, information is only shared if the patient “opts in” or access is needed to respond to a medical emergency.

In Arizona, the Behavioral Health Information Network of Arizona (BHINAZ)—itself an HIE with seven behavioral organizations participating—is working with the existing statewide HIE used by physical health providers to advance the long-term goal of bidirectional exchange between them. But working through the consent issues has been a daunting task, according to organization officials. Teams have spent 18 months doing legal and technical work on consent.

Federal projects

At the federal level, the Office of the National Coordinator for Health IT (ONC) and SAMHSA have renewed efforts to pilot technology solutions that would allow patients to segment their data in online consent forms. ONC’s Data Segmentation for Privacy (DS4P) initiative, based on a new HL7 standard, developed guidelines for enabling data segmentation and management of patient consent preferences. In 2013, ONC funded six pilot projects that sought to develop data models and workflows that support centralized storage and retrieval of patient consent directives from a repository consistent with the DS4P guidelines, and more projects using the segmentation are in the works through SAMHSA.

In 2014, the health department of Prince Georges County, Md., worked with SAMHSA to develop an open source tool called Consent2Share (C2S), which is based on DS4P and allows patients of multiple providers to create consent directives specifying who is authorized to access their data. Kate Wetherby, a public health advisor to SAMHSA, says the five-month pilot with Prince Georges County was successful in establishing an electronic workflow for consent involving the HIE.

 “When a patient goes into Consent2Share, they actually select each provider they want to share information with, and what information they want to share with that provider,” she says.

The software also lets patients choose information they do not want to share, such as alcohol use, drug use, HIV, psychiatric notes, genetic testing or STDs. The patient can then see what the document will look like and secure it with an electronic signature.  

“The patient also has the capability to create a new consent form and revoke the older one anytime they want,” Wetherby says.

More challenging than the technology infrastructure is the process of making sure consent activities fit in clinician workflows. Prince Georges County created a process so that as soon as the patient comes in, the provider asks about sharing data.

“We needed to explain to patients why this is important, where the information is going and who is going to use it,” she says.

Once the pilot was completed, Prince Georges County continued to expand its use of C2S. The county’s deputy health officer, doesn’t have a background in substance use treatment but saw the need for integrating such data and championed the effort.

“The county still has work to do to expand it, but given the short time frame, they have been very successful,” Wetherby says. “The providers like it, and they have had good feedback from stakeholders.”

The pilot project proves that data sharing can be done, she says.

Although most HIEs will continue to struggle with managing consent for sharing sensitive data, Laura Rosas, lead public health advisor with SAMHSA, says the problem is not just with HIEs or the technology.

“There are a lot of misconceptions around HIPAA and confusion around rules for how to handle information,” Rosas says.

OTP exchange