Friday, October 29, 2010

HHS to Host Regional Meeting in Los Angeles as Part of Psychotherapy Notes and Testing Data Study under the HITECH Act

The data types that fall under SAMHSA are those considered the most sensitive, and thus the ones that patients may want to control with a finer tool than simple opt-in and opt-out. It is also harder to tell exactly when an object contains hints of these topics, which makes the labeling of confidentialityCode very complex. As I outline in Data Classification - a key vector enabling rich Security and Privacy controls, the publisher of any object is most likely to know if these sensitive topics are contained within, so they can label the object as "Restricted". But this label does not give any help to the Access Control engine on who should be allowed access.

The harder part is determining who needs-to-know when an access control decision needs to be made. One initial attempt at a solution resulted in a set of confidentialityCodes for each different type of data within this Restricted Classification. I don't think this is a good idea. The metadata that carries the confidentialityCode is Protected Information (aka PHI), but once the restricted information leaks into this metadata then all metadata must be protected at the level of Restricted. This results in a spiral of information that can't be available. We need a better solution.
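The leak described above, as an added illustration (not code from this blog or from any HL7 specification). The `R-...` topic codes, field names and records are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed per-topic codes standing in for "a set of confidentialityCodes
# for each different type of data"; not taken from any real vocabulary.
TOPIC_CODES = {"R-SUBSTANCE": "substance abuse", "R-PSYCH": "psychotherapy"}

@dataclass(frozen=True)
class Entry:
    patient: str
    doc_id: str
    code: str  # confidentialityCode carried in the (PHI-level) metadata

def build_registry(per_topic):
    """Publisher-side labelling of four constructed documents."""
    docs = [("pat-1", "d1", None), ("pat-1", "d2", "SUBSTANCE"),
            ("pat-2", "d3", "PSYCH"), ("pat-2", "d4", None)]
    def label(topic):
        if topic is None:
            return "N"                      # ordinary PHI
        return f"R-{topic}" if per_topic else "R"
    return [Entry(p, d, label(t)) for p, d, t in docs]

def metadata_view(registry, hide_restricted):
    """Metadata visible to a user cleared only for ordinary PHI."""
    if hide_restricted:
        return [e for e in registry if e.code == "N"]
    return list(registry)

def topics_learned(view):
    """Sensitive topics inferable per patient from metadata alone."""
    learned = {}
    for e in view:
        if e.code in TOPIC_CODES:
            learned.setdefault(e.patient, set()).add(TOPIC_CODES[e.code])
    return learned

def discoverable(view):
    """Document ids the viewer can still find through the metadata."""
    return sorted(e.doc_id for e in view)

if __name__ == "__main__":
    coarse, fine = build_registry(False), build_registry(True)
    print(topics_learned(metadata_view(coarse, False)))  # nothing leaks
    print(topics_learned(metadata_view(fine, False)))    # topic leaks per patient
    print(discoverable(metadata_view(fine, True)))       # leak closed, docs hidden
```

With per-topic codes, the only way to stop the inference in this model is to withhold the metadata entries themselves, which is the spiral: the restricted documents are no longer discoverable at all.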
 
Right now I don't know what this better solution is, but I do have a few ideas. I look forward to opportunities to have strong discussions on this topic. However, I likely can't make this meeting.
 

October 15, 2010

The Substance Abuse and Mental Health Services Administration (SAMHSA) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study, in close cooperation with the Office for Civil Rights (OCR) pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5). This study is addressing whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”

As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the Sheraton Los Angeles Gateway Hotel in Los Angeles, California on November 18, 2010. The details of this meeting, as well as the project staff contact information.

The significant concepts and issues being addressed in this project include:
 
  • What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?
  • Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?
  • Are there circumstances under which test data should be disclosed to third parties? Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?
  • How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?
  • How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?
  • In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?