Comments by New York City Health and Hospitals Corporation Posted on February 1, 2008

Page # Line # Comments/Criticisms Suggested Alternatives
15 1-13 Clarification is needed on how a Record Locator Service (RLS) or Master Patient Index (MPI) will affect the classification of a RHIO as a Custodial CDR versus the classification of a RHIO as an Owner CDR. Many RHIOs will manage an RLS or MPI which incorporates data from all RHIO participants. Data included in the RLS or MPI will often include patient demographics as well as an indicator that links a patient to a facility or provider. N/A
3 7 8 9 10 16 2 28 25 17 Throughout the White Paper patient trust and autonomy are underscored as important goals of RHIOs. Notwithstanding these provisions, (as articulated in these pages) the White Paper does not provide a definition of informed consent. (See attached HHC Summary of Concerns Attachment 1) At a minimum, informed consent should include: (i) the disclosure of the risks inherent in uploading information into the RHIO in addition to the risks of not permitting such disclosure; (ii) the benefits to the patient of participation in a RHIO; and (iii) the alternatives to participation in the RHIO.
18 20 13-15 29-33 The White Paper does not define the term "Affirmative Consent." Is that the same as informed consent? (See attached HHC Summary of Concerns Attachment 1)  
19 20 28 29 Affirmative consent not required for one-to-one exchange of data. How do you implement a CDE with different consent requirements for different types of exchange and educate physicians on the difference? The White Paper does not address consent rules for children or those who have lost capacity. Once this custodianship is defined, we need to address those who regain capacity or age out. Interstate data exchange is also not addressed.  
20 43 "Providers and payers may, at their discretion, seek consent prior to disclosure of personal health information…(e.g. family planning and abortion service providers)" (20.43) This may not be difficult to implement at family planning clinics, but may be operationally difficult at other facilities that offer these types of services in addition to many other services that would not require additional consent.  
2 33-41 This appears inconsistent with Public Health Law 18[6], which covers disclosures by a healthcare provider to any "person or entity other than the subject of information or qualified persons…." Public Health Law 18[6] only exempts practitioners and personnel under contract with the healthcare facility. RHIOs are neither facility staff nor personnel. (See attached HHC Summary of Concerns Attachment 1) If disclosure of patient information to a RHIO is deemed part of a healthcare provider's operations, then, at minimum, a general written authorization for healthcare operations broad enough to cover RHIO operations (as part of a Treatment, Payment, and Operations combined authorization) is required. However, since the disclosure of patient information to a RHIO clearly affects patient autonomy, and yet, is not a required operation of the healthcare provider or necessary for the initial disclosing healthcare provider to treat the patient, there should at least be an opt out requirement OR a separate written consent for such disclosure of patient information into a RHIO, including a RHIO record locator. Failure to provide one of these options does not appear to meet the trust, informed consent and autonomy goals.
14 8-9 Inconsistent with Page 2, lines 33-41 See comment directly above.
23 22-26 The White Paper does not adequately address the disclosure of information pertaining to patients who have received mental health services. Even with the patient's consent, facilities may choose not to release information that may be "detrimental to the patient..." (Mental Hygiene Law 33.13(c)(7)). The treating practitioner must be notified prior to fulfilling a request for accessing or copying of a clinical record. If the provider determines that the release will cause "substantial and identifiable harm to the patient or client or others", the treating practitioner may deny disclosure of all or part of the record. (Mental Hygiene Law 33.16(c)[3]). The clinical record may contain "sensitive information disclosed in confidence to the practitioner or treating practitioner by family members, friends, and other persons..." (Mental Hygiene Law 33.16(c)[3]). (See attached HHC Summary of Concerns Attachment 1)
23 25 The White Paper does not cover the responsibility of RHIOs with respect to handling confidential HIV-related information. (See 10 NYCRR 63.9(a), (c) (noting the training requirements employees of contractors must undergo prior to handling confidential HIV-related information)). (See attached HHC Summary of Concerns Attachment 1)
14 15 20 24 The White Paper does not address applicable law pertaining to the restrictions on redisclosure of medical record information disclosed from participating providers to RHIO and other participating providers, namely, that redisclosure shall only take place where authorized by law. (See Public Health Law 18(6) (providing that any disclosure made pursuant to Public Health Law 18 "should be kept confidential by the party receiving such information and the limitations on such disclosure in [Public Health Law 18] shall apply to such party"); see also Mental Hygiene Law 33.13(f); Public Health Law 2782[5]; 42 CFR part 2). The White Paper does not note that the foregoing provisions require RHIOs to maintain the confidentiality of patient information received by the RHIO from participating providers. (See attached HHC Summary of Concerns Attachment 1)
cont'd 14 15 cont'd 20 24 Nor do these portions of the White Paper note that pursuant to parts 400 and 405 of the Department of Health Regulations, RHIOs, where serving in the role of contractor of a particular service, must comply "with all pertinent provisions of [Chapter five of title ten of the Official Compilation of Code Rules and Regulations of the State of New York]." 10 NYCRR 400.4(a)(3); see also 10 NYCRR 405.2(h), (l) (providing that any service furnished by a contractor must "comply with all applicable codes, rules and regulations" and must be pursuant to a contract that meets the requirements of 10 NYCRR 400.4). Of course, Parts 400 and 405 also apply to hospitals and general hospitals, respectively. This requirement should be reflected in the White Paper.
9 13 19 20 14 46 21 25 We agree that, "an interoperable health system facilitates a many-to-many relationship, enabling different information technology systems and software applications to exchange information accurately, effectively, and consistently." And we appreciate that the White Paper proposes to allow RHIOs certain flexibility by providing standards and services that serve as the floor for RHIO policies and practices. But, if the policies require only a minimum threshold, then each RHIO may still implement differing patient consent models, making interoperability between RHIOs difficult. For example, it is unclear how one RHIO can exchange information with another if the receiving RHIO has a more permissive data sharing policy among its participants.
15 1 The White Paper identifies that the Owner CDR Model will require more stringent consent rules. By defining the Custodial CDR Consent Rules as the floor, the White Paper is not technologically neutral, as the administrative burden (even if legally required) is higher for the ownership model. It is also unclear how a custodial RHIO could ever exchange with an owner RHIO without getting HIPAA authorizations. One can conclude that it would be better for all RHIOs to get HIPAA consent up front for that eventuality.
21 13-15 It is the public policy of the State of New York that "[e]very patient [has] the right to … refuse medication and treatment after being fully informed of and understanding the consequences of such actions." (Public Health Law 2803-c[1], [3][e]). Notwithstanding this policy, Public Health Law 2805-d does allow patients to be treated without informed consent where an emergency exists. Seemingly, disclosure of patient information attendant to such emergency is also most likely permitted. This is clearly distinguishable, however, from the case in which a subsequent treating provider accesses patient/medical, social, personal, or financial information under the break the glass exception if the information, including patient locator information, so accessed was uploaded to the RHIO without the patient's written consent.
cont'd 21 cont'd 13-15 In the latter example, unlike the former, the initial treating provider was not presented with an emergency; rather, a conscious choice was made not to obtain patient consent before uploading patient information and other confidential information into the RHIO. Simply put, if patients have the right to refuse medication and treatment, arguably patients have the right to refuse the disclosure of the corresponding medical records unless such disclosure is otherwise authorized by law. The approval of the Commissioner of Mental Health or Director of a facility must be secured prior to disclosing clinical record information from one Article 28 facility emergency service to another Article 28 facility emergency service. The break the glass provision does not address this statute. (Mental Hygiene Law 33.13 (d)).  
21 9, 21 Inability to Fully Opt Out: The White Paper allows for uploading of demographic AND clinical data without consent and for Emergency Break the Glass access. When combined, these provisions allow for a situation where a patient's data may be accessed in an emergency setting without the patient knowing - in fact, the patient might not even know that the data was available on the CDR since it can be uploaded without consent. While one could argue that currently a telephone call from an ER to a physician will generally lead to information exchange without consent, the current system allows the releasing physician to exercise judgement in deciding the type of information to be shared. This would not be the case in most if not all RHIO models. Consider adding a requirement to notify patients after emergency "break the glass" access has occurred.
cont'd 21 cont'd 9, 21 Since uploading without consent is allowed, if a patient does not want their data accessed through the CDR, their only recourse is to deny consent to their providers individually. Although a patient may have declined access-consent for all of their physicians, if an emergency situation occurs at a new provider (where they have not yet had a chance to decline consent), their data will be accessed. This system denies any opportunity to fully opt-out.
21 11 It should be clear that research is completely separate from marketing. There is evidence that many, if not most, patients will not approve of research done without their knowledge and permission, even if it is legally permissible and done anonymously. While it makes sense to study this issue separately, the initial consents and HIPAA authorizations will have to reflect that research is or is not permissible.
28 34 How is the term "payer" defined? How would the rule apply to providers that have assumed risk within a capitated payment model? Must ensure that data use consents are not coercive. (e.g. insurers including consents with enrollment information?) This may also be a particular problem in the research arena, where coercion is not permissible.  
23 36-37 The recommendation can be interpreted to mean that an individual provider may withhold specific information from the patient record while submitting other patient information into the record. If this is the case, then future providers who access the patient's record may be unaware of omissions or filtered information from the record and as a consequence, may be unable to deliver appropriate care. The recommendations in this paper envision a system in which anytime a provider uploads patient information to the RHIO, that patient's information is complete. This requires patient and provider education on proper use of the RHIO and gaining consent from patients. Recommend changing from "Clinicians must have the discretion, in consultation with their patients, to withhold information from the health information exchange." to "Clinicians may have the discretion, in consultation with their patients, to withhold information from the health information exchange."
24 6-35 Must the consent form list the RHIOs with which there exists a data sharing relationship or the participants of the RHIOs with which there exists a data sharing relationship? (24.18) RHIOs are required to inform patients of how to obtain a list of current RHIO participants in real time. Will the standardized consent forms be translated for RHIOs? Recommend that a non-web alternative be required for patients without internet access.
24 38-44 Part of true informed consent should be alerting the patient that information which was previously accessed will remain in the patient's record, even after consent is revoked. Add language to the standard RHIO consent form that states that information which was previously accessed will remain in the patient's record after consent is revoked. Add language that states that patients must have the ability to revoke all consents at one time - patients should not be required to revoke consent individually for each physician with access.
26 35 The White Paper states that consent standards will be enforced through HEAL contracts - this cannot be a long term solution and seems to exclude enforcement of any exchange of data not funded by NYSDOH.  
26 13 Please define "audit"  
26 21   Will NYSDOH be providing specific timeframes for RHIOs to inform consumers of a breach? (26.21) Perhaps language from the NYC Information Security Breach and Notification Act would be appropriate.
25 25 States that the consumer representative of the Board must "not otherwise participate in the operation of a RHIO." Please clarify what this means. Does this preclude a board member from serving on a RHIO committee workgroup that was not part of the board?