The harder part is determining who has a need to know when an access control decision needs to be made. One initial attempt at a solution resulted in a set of confidentialityCodes, one for each different type of data within this Restricted Classification. I don't think this is a good idea. The metadata that carries the confidentialityCode is Protected Information (aka PHI), but once the restricted information leaks into this metadata, all metadata must be protected at the level of Restricted. This results in a spiral of information that can't be made available. We need a better solution.
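The trade-off described above, as an added example that is not part of the original post: a small registry model showing that per-type codes either reveal restricted facts to anyone who can list metadata, or force the metadata itself up to Restricted so the documents can no longer be discovered. The code values (`R-MH`, `R-HIV`, `R-SUD`), the two clearance levels and the two registry policies are assumptions made for illustration.

```python
from dataclasses import dataclass

LEVEL = {"normal": 1, "restricted": 2}  # assumed two-level clearance model

# Hypothetical per-type codes of the kind the paragraph describes.
PER_TYPE_CODES = {"R-MH": "mental health", "R-HIV": "HIV status",
                  "R-SUD": "substance use"}

@dataclass(frozen=True)
class Entry:
    doc_id: str
    patient: str
    confidentiality_code: str  # "N" for normal, or a per-type restricted code

def metadata_level(entry, policy):
    """Clearance needed to read the metadata entry itself (not the document).
    'phi'  : all metadata is handled as ordinary protected information.
    'taint': metadata carrying a per-type code is raised to Restricted."""
    if policy == "taint" and entry.confidentiality_code in PER_TYPE_CODES:
        return "restricted"
    return "normal"

def query(entries, clearance, policy):
    """Metadata entries a user with the given clearance can list."""
    return [e for e in entries
            if LEVEL[clearance] >= LEVEL[metadata_level(e, policy)]]

def leaked_topics(visible, clearance):
    """Restricted facts learned from metadata alone, without opening a document."""
    if clearance == "restricted":
        return set()  # this user is entitled to the content anyway
    return {(e.patient, PER_TYPE_CODES[e.confidentiality_code])
            for e in visible if e.confidentiality_code in PER_TYPE_CODES}

def hidden_docs(entries, visible):
    """Documents whose existence the user cannot even discover."""
    return {e.doc_id for e in entries} - {e.doc_id for e in visible}

SAMPLE = [  # constructed sample registry
    Entry("doc-1", "patient-A", "N"),
    Entry("doc-2", "patient-A", "R-MH"),
    Entry("doc-3", "patient-B", "R-HIV"),
]

def compare(clearance="normal"):
    """Return {policy: (leaked facts, undiscoverable documents)} for one user."""
    result = {}
    for policy in ("phi", "taint"):
        visible = query(SAMPLE, clearance, policy)
        result[policy] = (leaked_topics(visible, clearance),
                          hidden_docs(SAMPLE, visible))
    return result
```
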
- What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?
- Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?
- Are there circumstances under which test data should be disclosed to third parties? Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?
- How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?
- How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?
- In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?