A new federal rule that gives patients more control over healthcare information they choose to share with insurance companies poses challenges for CIOs who must build out technology to support it. One CIO said software can be fashioned to filter out information before it is passed to another party. But such software raises the sticky issue of who is best positioned to decide when such data is best withheld: the patient, the physician or another party.
A revision to the Health Insurance Portability and Accountability Act requires doctors and hospitals not to disclose medical information to a patient’s insurer if the patient requests it and pays for services themselves. Doctors frequently make notations in their patients’ medical files, which could include information that allows insurers to make inferences about the patient’s health that patients may prefer to keep private. CIOs say that stopping the information from being revealed in notes is difficult, potentially exposing their organizations to millions of dollars in compliance penalties.
Beyond compliance issues, the new law calls into question whether patients would be informed enough to know the repercussions of their decisions. Speaking about a hypothetical software solution that would give patients the power to select data they didn’t want to share, Scott Joslyn, CIO of MemorialCare Health System, cited safety concerns. Clinicians would “lack a complete medical picture for the patient,” he said. Patients could check a default box that blocks potentially life-saving information from physicians providing them treatment.
The challenge of data segmentation isn’t limited to healthcare organizations. CIOs in retail and other industries offer consumers services that aim to take advantage of the glut of data people create on social software and mobile devices. Consumers often blindly opt in, or agree to receive notifications or have their information shared with other service providers, without realizing the implications of who they are allowing to do what with their data.
Given the topic, the stakes are higher when it comes to data segmentation and one’s own health records.
Physician notes added to patients’ healthcare records about treatments provided and medications administered can help physicians better treat the patient in the future. But this is not always the case. For example, while it might be helpful for a dermatologist to read a note referencing a patient’s allergy to penicillin, a note that the patient had been treated for alcohol abuse at a clinic 20 years ago may not be germane to the treatment, said John Halamka, CIO of Beth Israel Deaconess Medical Center.
Under the new rule, a patient paying out of pocket for a service can choose to have hospitals and physicians block the service records from their insurer. This would provide patients more privacy and the peace of mind that insurance providers won’t use the notes as grounds to increase health insurance premiums for patients they believe pose increased risks. “I, the patient, want to control data transferred for a specific purpose to a specific person,” said Mr. Halamka. Mr. Halamka compared the concept to sharing on social networks, where the user controls what information to share and with whom.
Mr. Halamka, a co-chair of a federal advisory committee on data standards, said healthcare CIOs need software that can identify potentially sensitive medical annotations in an electronic medical record (EMR) and redact them before the record is transferred. He said the problem could be addressed with an algorithm that automatically tags notes for removal before the record is passed to an insurer. The application would present check boxes that allow users to decide what information gets shared with whom.
Although such software is technically feasible — Facebook Inc. has built something similar for its social graph of over 1 billion users — it raises a significant question: who is best positioned to decide how data is segmented?
Martin Harris, CIO of the Cleveland Clinic, said such data segmentation is a “tricky area” because it is unclear whether the pathologist, a physician or a patient would have to set up the application to keep certain information private. Physicians might have to meet with patients to explain the potential outcome of selecting rules that would block information from the eyes of insurers and others. Even then, trying to account for every single nuance in who can see what is challenging. Mr. Harris said “many people need to be involved in understanding the nuances” of this issue.
These challenges will make it hard for hospitals to meet the Sept. 23 deadline for complying with the Congressional rule revision, which will be enforced by the U.S. Department of Health and Human Services Office for Civil Rights, the agency that oversees HIPAA. HHS declined to make a spokesperson available to comment in time for this article. But a spokesperson for the office told the Wall Street Journal earlier this month that HHS’ “hands are tied” with the out-of-pocket rule because it was mandated by Congress. That puts the onus squarely on CIOs at hospitals charged with implementing technologies and workflow processes that adhere to HIPAA rules.
Judy Hanover, an analyst tracking healthcare for IDC, said the issue is so complex that the only way she could imagine it working is if patients paid cash and used an assumed name and a fake birth date. “It doesn’t fit the workflow in any way… it’s going to be hard to do it,” Ms. Hanover said.
Meanwhile, healthcare CIOs must brace for the fact that more patients may seek to eliminate paper trails by paying for healthcare services out of pocket. And they will reserve their right to have healthcare information stricken from their records. “There will always be a segment of the population that cares about granular control,” Mr. Halamka said.