The Data Types that fall under SAMHSA are those considered the most sensitive, and thus the ones that patients may want to control with a finer tool than simple opt-in and opt-out. It is also harder to determine exactly when an object contains hints of these topics, which makes the labeling of confidentialityCode very complex. As I outline in Data Classification - a key vector enabling rich Security and Privacy controls, the publisher of any object is most likely to know if these sensitive topics are contained within, so they can label the object as "Restricted". But this label does not give any help to the Access Control engine on who should be allowed access.
The harder part is determining who needs-to-know when an access control decision needs to be made. One initial attempt at a solution resulted in a set of confidentialityCodes for each different type of data within this Restricted Classification. I don't think this is a good idea. The metadata that carries the confidentialityCode is Protected Information (aka PHI), but once the restricted information leaks into this metadata, all metadata must be protected at the level of Restricted. This results in a spiral of information that can't be available. We need a better solution.
Right now I don't know what this better solution is, but I do have a few ideas. I look forward to opportunities to have strong discussions on this topic. However, I likely can't make this meeting.
October 15, 2010
The Substance Abuse and Mental Health Services Administration (SAMHSA) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study, in close cooperation with the Office for Civil Rights (OCR) pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5). This study is addressing whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”
As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the Sheraton Los Angeles Gateway Hotel in Los Angeles, California on November 18, 2010. The details of this meeting, as well as the project staff contact information.
The significant concepts and issues being addressed in this project include:
- What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?
- Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?
- Are there circumstances under which test data should be disclosed to third parties? Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?
- How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?
- How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?
- In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?