How to keep sensitive information separate but accessible in a federated system
InfoWorld: Let me switch speaking of trust to an issue I've heard from several people on the health care provider side. One thing that really drives them nuts is how to handle the rules around AOD [Alcohol and Other Drugs], because there are stricter rules about information there, so even in the unified system, AOD stands apart. The primary physician may not know what is being prescribed, for example, by a psychiatrist or that a person is being treated for some sort of drug addiction, and there can be consequences of the isolation of information. I realize this is rooted in 1970s rules around privacy, when there was a lot of abuse of these records by insurance companies and employers and others, so legislators created these rules to basically wall it off. But in integrated care, walling it off is an issue. I'm curious if you're seeing this or if this is just a handful of people I happen to know who are frustrated by it. If this is an issue, how might it be addressed?
Fridsma: You're absolutely right. There are a lot of folks who are concerned that they follow the rules and regulations around protecting these particular kinds of diagnoses and behavioral health issues, issues that have to do with drug dependency and things like that. As a result, they would much rather not share data at all than risk breaching or sharing information in a way that would be not in compliance with the what the rules and regulations are.
This is something that we identified early on as a significant challenge, and we've been working very closely with SAMHSA [the Substance Abuse and Mental Health Administration] and primarily through Joy Pritts, our chief privacy and security officer, to develop technical specifications that help implement or support the policies that are out there around these behavioral health issues.
One of the things that we did is, over the course of the last year and a half or so, develop a project called Data Segmentation. It's data segmentation for privacy. It's a standard in the interoperability framework, one of the initiatives that we have that helps support the community to reach consensus around standards.
Coming out of that initiative, we developed technical specifications that allow you to take the medical record and segment those chunks that would be protected diagnoses or protected information that allows you to say, "Here's the whole medical record. Here's the chunk that I'm going to share with you as a primary care doctor. But I don't want you to share it with anybody else." That information gets carried with the electronic information so it carries with it the disclosure rules and things like that, so you can make sure that you can segment the data, that which you want to share and that which you don't want to share, and that which you're going to share but you don't want that person to forward it on to anyone else.
That early work is now being piloted. There are, I think, three or four pilots that are currently ongoing. There's a standard that's going through the standards balloting process right now, and we have some commercial enterprises that have adopted that standard, that demonstrated at HIMSS this past spring.
I think fundamentally it's really important, as you expressed, that behavioral health providers feel confident that they can share information and not have it disclosed in ways that would not be under the rules and regulations that that information is held. By providing that technical infrastructure that would enable that to occur, we hope to be able to engage behavioral health providers and others, because clearly there are patient safety and other issues that need to be addressed if that information is withheld or is not shared or is inadvertently shared.
InfoWorld: One health system I talked to, what it's done is basically put in the records that the person is being treated, no details as to what, and indicate, "You need to call us if you're treating this person, because there's something else going on that we can't put in the record." It basically put in a flag. That way at least you know there's something going on, as opposed to not knowing, because if you don't reveal that there is something going on, a person may make assumptions and just go blindly, not knowing there is an issue to even worry about. That's how one organization does it. Another one I've talked to basically says, "If it involves any medications, we have the psychiatrist, if they're being treated by a psychiatrist, review the medications from the primary physician." They sort of flip it the other way, where they put the responsibility on the person who has the most access, which the doctors didn't like at all. But they didn't know how else to deal with it. Those are two models I've come across.
Fridsma: One of the things that's important, at least from my perspective in the work that we do, is when it comes to the standards and the technical specifications that we work on, I don't want the technology to be a barrier to the policies that people want to apply or to implement. Regardless of how to handle that issue, we want to make sure that people don't say, "Well, there's no technology to do this, so therefore we aren't going to share at all." We want to be able to support the various use cases and make sure that we've got the right way to do this. So that's part of our responsibility, is to make sure that we've got the technical capabilities that allow the policies to be properly implemented.