Privacy Protection for Substance Abuse Treatment Information: HIMSS 2012 Presentation

1. Privacy Protection for Substance Abuse
Treatment Information
An Example of Data Segmentation for Privacy
Johnathan Coleman, CISSP, CISM
Initiative Coordinator, Data Segmentation for Privacy
Office of the Chief Privacy Officer, ONC/HHS

2. Agenda
What is Data Segmentation?
Why Segment at All?
Regulatory Landscape
Use Case Example
Focus Area and Challenges
Data Segmentation Initiative: Scope and Outcome
Moving Forward/Next Steps
Conclusion
Community Participation
2

3. What is Data Segmentation?
“Process of sequestering from capture, access or view
certain data elements that are perceived by a legal entity,
institution, organization or individual as being
undesirable to share.”
Data Segmentation in Electronic Health Information Exchange: Policy
Considerations and Analysis
• Melissa M. Goldstein, JD; and
Alison L. Rein, MS, Director Academy Health
• Acknowledgements: Melissa M. Heesters, JD; Penelope P. Hughes, JD;
Benjamin Williams; Scott A. Weinstein, JD
3

4. Why Segment at All?
• Some healthcare information requires special handling that goes
beyond the protection already provided through the HIPAA Privacy rule.
• Additional protection through the use of data segmentation emerged in
part through state and federal privacy laws which address social
hostility and stigma associated with certain medical conditions.*
• Data Segmentation for Privacy provides a means for electronically
implementing choices made under these privacy laws.
* The confidentiality of alcohol and drug abuse Patient records regulation and the HIPAA privacy rule: Implications for
4 alcohol and substance abuse programs; June 2004, Substance Abuse and Mental Health Services Administration.

5. Examples of Heightened Legal Privacy Protections (1)
• Federal Confidentiality of Alcohol and Drug Abuse Patient Records
regulations [42 CFR Part 2] which protect specific health information
from exchange without patient consent.
• State and Federal laws protecting data related to select
conditions/types of data
– Mental Health
– Data Regarding Minors
– Intimate Partner Violence and Sexual Violence
– Genetic Information
– HIV-Related Information
5

6. Examples of Heightened Legal Privacy Protections (2)
• Laws protecting certain types of health data coming from covered
Department of Veterans Affairs facilities and programs [Title 38, Section
7332, USC]
– Sickle Cell Anemia
– HIV Related Information
– Substance Abuse Information
• In addition, there is a proposed federal rule [45 CFR Part
164.522(a)(1)(iv)] which would allow patients to withhold any health
information from payors for services they received and paid for out-of-
pocket.
6

7. User Story Example (1)
 The Patient receives care at their
 local hospital for a variety of conditions,
including substance abuse as part of
an Alcohol/Drug Abuse Treatment
Program (ADATP).

 Data requiring additional protection
and consent directive are captured and
recorded in the EHR system. The
patient is advised that the protected
information will not be shared without
their consent.
7 Provider/Healthcare Organization 1

8. User Story Example (2)
  A clinical workflow event
triggers additional data to be
sent to Provider/Organization
 2. This disclosure has been
authorized by the patient, so
the data requiring heightened
protection is sent along with a
prohibition on redisclosure.
 Provider/ Organization 2
electronically receives and
incorporates patient
additionally protected data,
data annotations, and
Provider/Healthcare Provider/Healthcare
prohibition on redisclosure.
8 Organization 1 Organization 2

9. User Story Example (3)
   The Patient receives care
for new, unrelated condition
and is referred by
Alle
rgie
s
Organization 1 to a specialist
Alle (Provider/Organization 3).
rgie
s Organization 1 checks the
consent directive and sends
authorized data to
Organization 3.
 Provider/Organization 3
electronically receives and
incorporates data which does
not require heightened
Provider/Healthcare Provider/Healthcare
protection.
9 Organization 1 Organization 3

10. Focus Area and Challenges (1)
• Some regulatory requirements mandate that certain types of data not
be disclosed without specific patient consent. Many of these
regulations were drafted prior to broad adoption of EHRs, and include
requirements (e.g. restrictions on re-disclosure) not easily implemented
electronically.
• Lack of granularity in current implementations results in reliance on out-
of–band handling (all-or-nothing choice is easier to implement).
• There are multiple levels at which segmentation can occur (e.g.
disclosing provider, intended recipient, or category of data such as
medications). There are no widely adopted standards to segment at
these levels.
• There are no widely adopted standards for transferring restrictions or
notice of restriction (e.g. for re-disclosures).
10

11. Focus Area and Challenges (2)
Underlying Challenge:
Enable the implementation and management of disclosure policies that:
• Originate from the patient, the law, or an organization.
• Operate in an interoperable manner within an electronic health information
exchange environment.
• Enable individually identifiable health information to be appropriately shared.
Technical Considerations:
• Prevalence of unstructured data/free text fields.
• Defining “sensitive information”: Pre-determining categories of information can
ease implementation, but patients express a strong preference for systems that
enable them to convey their personal preferences more fully.
11

12. Initiative Objectives
• Data Segmentation for Privacy aims to address standards needed to
protect those parts of a medical record deemed especially sensitive
or that may otherwise require additional privacy protection, while
allowing other health information to flow more freely.
• It will help enable interoperable implementation and management of
varying disclosure policies in an electronic health information
exchange environment, allowing providers to share specified
portions of an electronic medical record while retaining others, such
as information related to substance abuse treatment.
12

13. Data Segmentation Initiative: Scope
• Focus on defining the use case, user stories and requirements
supporting data segmentation for interchange across systems.
• The initiative builds on the PCAST* vision by testing recommendations
from the HITSC** for the development of metadata tags to be used for
exchanging data
• *PCAST: President's Council of Advisors on Science and Technology
• **HITSC: The Health Information Technology Standards Committee
13

14. Data Segmentation Initiative: Outcome
• Successful pilot test of a privacy protection prototype compliant with
Federal privacy and security rules across multiple systems
demonstrating interoperability.
• Validation of the applicability and adequacy of the recommended
standard(s) in implementing a data segmentation solution.
14

15. Solution Development Lifecycle
As of Feb 2012
15

16. Community Participation
Initiative Timing Outputs
Launch Date Oct 5, 2011 # Use Case Artifacts TBD
Elapsed Time (as-of today) 2.5 months # User Stories
11
(currently being explored)
Anticipated Ramp-Down Fall 2012
Use Case Complexity High
# Use Case WG Members 62
Participation & Process
# Wiki Registrants 148
# Committed Members 56
# Committed Organizations 52
# Cumulative Workgroups 1
# Workgroup Meetings Held* 28
# Days Between Meetings 5.4
16

17. Community Participation
AHIMA HIMSS
Allscripts HIPAAT International Inc
American College of Obstetricians and Gynecologists (ACOG) LINTECH
American College of Rheumatology MASS, Inc
Apelon, Inc McKesson
Apixio Medical Arts Rehabilitation, Inc.
Availity Meditology Services
Baycliffe Strategies Inc MedPlus/Quest Diagnostics
CAL2CAL Corp Metasteward LLC
CDC / DHQP MITRE
Center for Mental Health Services of SAMHSA National Health Data Systems
Covisint National Partnership for Women & Families
Datuit, LLC Ohio Health Information Partnership
Department of Veterans Affairs Oracle
Discoverture Health Solutions OZ Systems
Elekta Inc Private Access Inc
EnableCare Prosocial Applications, Inc.
Epic Quantal Semantics, Inc.
Eversolve, LLC RAIN
FairWarning Inc SAMHSA
GE Healthcare SG Healthcare Analytics
Gorge Health Connect, Inc. Texas State University
HACNet labs at SMU The National Council
17 HHS Thomson Reuters – Healthcare

18. Next Steps
• The ONC Data Segmentation Initiative is open for anyone to join. This
community meets frequently by webinar and teleconference and has
access to a Wiki page to facilitate discussion and the harmonization of
data standards. Information on how to join the Community can be
found on the Data Segmentation Wiki page:
http://wiki.siframework.org/Data+Segmentation+Sign+Up
• In order to ensure the success of DSI and the subsequent pilot, we
encourage broad and diverse participation to ensure the standards
reflect technology used across the industry and meet the needs of all
stakeholders.
• This is your chance to have an impact on the creation and
implementation of a pilot program in this important area of health IT
development.
18

19. Conclusion
• Data segmentation provides a potential means of protecting specific
elements of health information, both within an EHR and in broader
electronic exchange environments, which can prove useful in
implementing current legal requirements and honoring patient choice.
• In addition, segmentation holds promise in other contexts; the
electronic capture of data in structured fields facilitates the re-use of
health data for operations, quality improvement, public health, and
comparative effectiveness research.
Data Segmentation enables patients and providers to
share specific portions of the electronic medical
record, as guided by applicable policy.
19

20. References/Contact Information
• For more information on the President’s Council of Advisors on Science
and Technology (PCAST) Report go to:
http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf
• The full whitepaper by Melissa M. Goldstein, entitled, “Data Segmentation in
Electronic Health Information Exchange: Policy Considerations and Analysis” is
available at:
http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__privacy_and_security/1147
Thank you!
Johnathan Coleman, CISSP, CISM Scott Weinstein, J.D.
Initiative Coordinator, Data Segmentation for Privacy Office of the Chief Privacy Officer
Principal, Security Risk Solutions Inc. Office of the National Coordinator for Health
698 Fishermans Bend, Information Technology
Mount Pleasant, SC 29464 Department of Health and Human Services
20
Email: jc@securityrs.com Tel: (843) 647-1556 Email: scott.weinstein@hhs.gov