HIT Policy Committee Privacy and Security Tiger Team

1. HIT Policy CommitteePrivacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair Amendments & Corrections July 6, 2011 1

2. Tiger Team Members • Deven McGraw, Chair, Center for Democracy & Technology • Paul Egerman, Co-Chair • Dixie Baker, SAIC • Christine Bechtel, National Partnership for Women & Families • Rachel Block, NYS Department of Health • Neil Calman, Institute for Family Health • Carol Diamond, Markle Foundation • Judy Faulkner, EPIC Systems Corp. • Leslie Francis, University of Utah; NCVHS • Gayle Harrell, Consumer Representative/Florida • John Houston, University of Pittsburgh Medical Center • David Lansky, Pacific Business Group on Health • David McCallie, Cerner Corp. • Wes Rishel, Gartner • Latanya Sweeney, Carnegie Mellon University • Micky Tripathi, Massachusetts eHealth Collaborative • Special assistance on this issue provided by Dan Rode, AHIMA • Deborah Lafky, ONC • Joy Pritts, ONC • Judy Sparrow, ONC 2

3. ONC Principles & HIPAA ONC’s Nationwide Privacy and Security Framework for the Electronic Exchange of Individually Identifiable Health Information states: Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information (IIHI), and to have erroneous information corrected or to have a dispute documented if their requests are denied. The HIPAA Privacy Rule sets forth specific requirements covered entities must follow in responding to patient’s requests for amendments. Certified EHRs should have the technical capability to comply with these requirements. 3

4. Recommendations Certified EHR Technology should have the capability in MU Stage 2 to support amendments to health information, and in particular to support a provider’s compliance with HIPAA obligations to respond to patient requests for amendments. Specifically, the systems should make it technically possible for providers to: Make amendments to a patient’s health information in a way that is consistent with the entity’s obligations with respect to the legal medical record (i.e., there should be the ability to access/view the original data and to identify any changes to it). Append information from the patient and any rebuttal from the entity regarding disputed data. 4

5. Recommendations (cont.) Certified EHR Technology should have the ability by MU Stage 3 to transmit amendments, updates or appended information to other providers to whom the data in question has been previously transmitted. 5

6. HIT Standards Committee The HIT Standards Committee should recommend any necessary standards, implementation specifications, and certification criteria to accomplish the foregoing recommendations, which should include the ability to incorporate amendments or updates transmitted from other entities. The Tiger Team recommends that the technical capabilities be initially kept as simple as possible and evolve over time to greater complexity, including potentially greater standardization and automation. 6

7. Additional Thoughts The Tiger Team did not see a need to impose additional obligations on providers with respect to transmitting amendments that are “self-discovered” (i.e., not triggered by a patient request). Current legal and ethical obligations are sufficient. The Tiger Team is seeking feedback on whether there should be corrections/amendments obligations on HIOs. 7