As the Department of Defense looks for a new EHR system and aims to improve information sharing for veterans with lifetime digital health records, there are also several key patient privacy questions to consider.
According to a recent Rand Corporation report, the Pentagon will have to work through a number of patient privacy issues in the coming years — just as it looks to HIE and the virtual lifetime electronic health record (VLER) to help control costs, The TRICARE health plan accounting for about 7 percent of the DoD’s annual budget, at $54 billion.
See also: VA, DoD on tighter leash with iEHR.]
Among the healthcare industry, largely under HIPAA’s direction, there’s a general consensus about the principles that should guide HIE — patient consent, provider disclosure and information accuracy. “However, there is less consensus about the specific approaches used to implemente these principles,” wrote Rand researchers Susan Hosek and Susan Straus.
The central issue of privacy — patient consent and authorization for HIE — often comes with ambiguity and some controversy or even contradiction in patient sentiment. Public comments on HIPAA rules throughout the years, Hosek and Straus noted, show quite a few individuals saying they “own” their health records and that they should be asked for permission to release their data at every provider request. At the same time, surveys Hosek and Straus cited have found broad support for information exchange to improve medical care transitions and coordination.
[See also: DoD to go to market for its EHR.]
Among the changes DoD will need to consider, Hosek and Straus suggested, are the ability to record and implement patient restrictions on protected health information and more granular methods for consent on PHI for non-DoD providers. They also suggest the DoD consider the potential designs and usability of automated text processing to redact restricted PHI, particularly in unstructured data forms, like clinical notes.
The VLER will also need a well-defined consent framework, they argued. “We expect that it may be difficult to proceed with VLER without a meaningful consent procedure that reflects the principles proposed by the Office of the National Coordinator for Health Information Technology’s HIT Policy Committee ‘Tiger Team.’”
The Tiger Team’s proposal calls for “meaningful, revocable” consent for HIE, except for direct provider-to-provider exchange. Although HIPAA does allow providers to exchange patient data for treatment, payment and operations without patient authorization, Hosek and Straus said few civilian providers participating in TRICARE would be able or willing to do that, so the DoD may end up following the VA with a patient consent management system.
Two other related issues the DoD will have to consider are patient identifiers and patient-matching systems.
“Without a national system of unique patient identifiers, patient identity matching for HIE poses difficult challenges,” Hosek and Straus wrote. “Even if a unique patient identifier were established, the potential for errors in recording it would require additional matching on other patient identifiers to ensure that the right patient’s information is being exchanged.”
And in choosing between identifiers or matching algorithms, the DoD would not have much evidence to consider, they noted. Of the studies that have evaluated the relative merits and drawbacks of the two approaches, researchers used either simulations or proxy patient indexes. So there’s “very limited real world information on which to base a choice of patient identifiers, matching algorithm, match criteria, and manual review of the results of automated matching.”
Looking at the long-term needs for a VLER, Hosek and Straus suggested that the DoD evaluate several approaches to matching at a large scale, which is likely to be necessary as more civilian providers participate in the military health system and TRICARE, which currently covers health benefits for almost 10 million active and retired Pentagon employees.
Those evaluations, they wrote, should use “actual identifying data” from the DoD’s person data repository to test performance at scale and then to pilot approaches that show promise. The DoD should also measure the trade-offs in various approaches, they suggest, considering time needed to complete patient information requests and false negative and positive rates in patient matching.
