ONC privacy chief talks APIs and how not to use HIPAA

By Jonah Comstock

The ONC and OCR are tired of providers using HIPAA as an excuse not to share data with patients — the opposite of its intended purpose. That was the strongest message delivered by ONC Chief Privacy Officer Lucia Savage, who said during an educational session at HIMSS16 in Las Vegas that her office is working on an educational campaign, including blog posts, fact sheets, and new guidance documents, that aims to put an end to that misinformation.

“We’ve had a lot of people say over the years ‘I can’t send that data where you want because the privacy laws don’t allow me to do that.’ That happened to me personally in my family, and I know it’s happened to a lot of other people,” she said. “So we have this myth out there, but that’s not actually how the rules work.”

Savage went on to say that she wants to make it very clear that once patient data is in a patient’s hands, HIPAA doesn’t govern it. The law trusts patients to manage their own data.

“In the guidance that OCR issued on Thursday, they pretty much said if you’re a patient and you go to the view-download-transmit feature, and all the security features that need to be in place are in place… you should be able to just transmit. It shouldn’t have a second cost, and your physician shouldn’t get to second guess who you send it to,” she said. “You can send it to an acupuncturist, you can send it to your uncle who’s a retired family practice physician, you can send it to your masseuse, you can send it to your mother, you can send it to a third grader, you can send it to a billboard in Times Square. That latter might not be a very good idea, but you could if you wanted to, because it’s data about you and you’re the patient. You can disclose your data however you want.”

Savage made some other important clarifications about the rule. For one, although ONC’s Certified EHR guidelines under Meaningful Use are meant to support HIPAA, HIPAA isn’t limited to data found in the EHR. So if a patient wants a copy of a radiology image, HIPAA gives a patient a right to that, even if it’s not in the EHR.

“The access rules also say the patient gets to pick the format,” she said. “Some patients will want it in paper. Some will want it transmitted electronically to a third-party app that they’ve chosen to manage their health information for them. Some patients will want to get it on a CD.”

The only situations in which a doctor doesn’t have to comply with a patient’s format request are situations where doing so would endanger the provider’s information system.

“But let’s break that down for a second,” she said. “If you’re transmitting the data to a third party, and it’s going to reside at an insecure location at the third party, you have to really think, is that a threat to your system? Probably not. …You can’t just have a knee-jerk reaction. You actually have to think it through.”

Other cases where a physician can withhold data include psychiatrist notes, prison medical records, and cases where a physician thinks the information will cause harm to the patient or someone else — and in those cases the decision can be appealed.

Savage also talked at length about the open API requirement being added to ONC’s 2015 guidance.

“So we wrote an open API requirement into our 2015 edition rule and I wanted to talk about why,” she said. “It brings the data to the reach of everyone. To the patients, to their caregivers, the providers, the practice extenders, it facilitates dialogue among providers for integrated care. It helps hospitals communicate with downstream providers as patients are discharged. With all of those things, it makes the data more available.”

APIs also support privacy and security, Savage said, by making it easier for providers to share only a subset of the data with another provider or a business associate. And it supports better outcomes by eliminating many opportunities for transcription errors that can happen when hospital information is faxed or hand-delivered.