Thomas, Your points are certainly well taken regarding qualified legal assistance. WEDI-SNIP (http://www.wedi.org/snip/) is where the bulk of the discussion is taking place regarding what HIPAA actually means and requires of industry stakeholders, and it is populated with quite a few lawyers, including our top health law firms. After 4 years of relatively non-stop, open discussions of how to comply with this regulation, we have grown up a virtual army of self-taught HIPAA "lawyers"... consultants like myself, who have volunteered to read through the regulations, follow the national discussion, and participate in writing the numerous white papers published on the SNIP web site.
Attorneys do comment frequently, but mostly in general terms. I'm sure that they realize, as you have pointed out so vigorously in this post, that many interpretations and arguments are possible in this complex area of law. When push comes to shove and these questions land in court, it's anyone's guess who will prevail. Nevertheless, US providers and system developers are in a dilemma. The government has published thousands of pages of convoluted legal and technical requirements in our Federal Register... and simply expects a half-million providers to "comply" with it. The regulations go into excruciating detail regarding security and privacy requirements, while the Transaction Rule goes into similar detail with respect to electronic communication between payers and providers, naming 8 or 9 specific X12 implementation guides to be used for claims, eligibility queries, payment advice, etc. Each IG contains hundreds of pages of specific requirements for each transaction, and are effectively part of "the law". Our government (mainly Centers for Medicare and Medicaid Services (CMS) and Dept. of Health and Human Services)encourages and occasionally participates in these unmoderated discussions. CMS and has compiled a "frequently asked questions" site, where its published answers are regarded by most as the definitive legal interpretations. Providers, however, are largely oblivious to the law and this rambling 5 year conversation among a couple thousand consultants, payers and clearinghouses. But even this band of self-appointed "HIPAA jailhouse lawyers" cannot agree on what HIPAA means in some of the more complex areas like who can be charged for what by a clearinghouse and the "Direct Date Entry (DDE) exception" to the transaction rule... yet, the regulation directly or indirectly impacts virtually all areas of system development for the US healthcare industry. Anyway... that's why I have become accustomed to "talking like a lawyer" about these issues. We have had no choice in the US, but to take up the law books ourselves. The government dropped this requirement on us, but has provided no accompanying legal or implementation assistance. That has largely been a volunteer effort through WEDI-SNIP. In fact, the regulation itself names WEDI and charges it with this very mission. It's a real party over here! Christopher J. Feahr, O.D. Optiserv Consulting (Vision Industry) Office: (707) 579-4984 Cell: (707) 529-2268 http://Optiserv.com http://VisionDataStandard.org ----- Original Message ----- From: "Thomas Clark" <tcl...@hcsystems.com> To: "Christopher Feahr" <chris at optiserv.com>; "norbert Lipszyc" <irl at club-internet.fr>; <openehr-technical at openehr.org> Sent: Wednesday, August 06, 2003 11:18 PM Subject: Re: Distributed Records - An approach > Hi Chris, > > One always has to check the 'terms and conditions' of the agreement > between the Patient and the Provider. Generalizing may lead one down the > wrong path. > > Comments in text. > -Thomas Clark > > ----- Original Message ----- > From: "Christopher Feahr" <chris at optiserv.com> > To: "Thomas Clark" <tclark at hcsystems.com>; "norbert Lipszyc" > <irl at club-internet.fr>; <openehr-technical at openehr.org> > Sent: Wednesday, August 06, 2003 11:51 AM > Subject: Re: Distributed Records - An approach > > > > the "control" issue is an interesting one. In the US, it is generally > > acknowledged that the patient "owns" the information in the record, but > > not the record, per se. > NOTE: check 'terms and conditions'. If unsure, consult a qualified attorney. > > ... There would be no legal basis that I can think > > of, for the patient to assert control over where the records are > > physically stored. > If the records are stored by the Patient then it may be the case that the > Patient owns both the information and the physical record. Consult a > qualified attorney. > > ... The law guarantees the patient reasonable access to > > a true copy of the info. > NOTE: Although supposedly a fundamental perceived right in HIPAA > I reserve comment until it has been adequately demonstrated and > precedent established in the courts. > > Unless statements in a legislature act are specifically identified as rights > and recovery for violation of those rights are clear and unambiguous > you might have a struggle establishing the statement as a right > (interpretation of a legislative act, or what was the intent of the > legislature). > > Consult a qualified attorney. > > ... and control over who else may see it (while it > > is *identified* as information about the patient... no control over > > "de-identified" data). > > COMMENT: > Control over access to information/records, in my opinion, is actual > control only where it is ABSOLUTE CONTROL AND violations are > specifically proscribed under the law. > > My interpretation of HIPAA is that control by the Patient is NOT ABSOLUTE. > Consult a qualified attorney. > > ... With respect to access and general security, > > HIPAA is now the common floor in the US, with the occasionally stricter > > state and local regulations "trumping" the HIPAA Privacy and Security > > Rules. > > > COMMENT: > This gets into 'supremacy' of the laws, i.e., federal versus state law. > Checkout the > insurance industry in the US and what impacts state Insurance Commissioners > have. HIPAA affects healthcare insurance providers in a big way and they > have > successfully lobbied for specific provisions. How come the 50 states have > previously been unable to successfully pass legislation at least as > significant as > HIPAA? > > Consult a qualified attorney. > > > BTW, a group of doctors here have introduced an even more problematic > > concept, they refer to as "stewardship". They are particularly > > concerned about data stores that will accumulate with e-Prescribing, and > > they do not want the information about what drugs are being prescribed > > going into marketing-oriented databases. > > This is a problem that DOES NOT EXIST in the UK (single-payer system > with rigid privacy/security laws). Insurance companies have been compiling > data on Patients and Drugs for some time even though they have agreed with > Congress not to do this. It is a real problem. > > An adequate discussion on this can be carried on only with a qualified > attorney present. > > ... The HIPAA Privacy Rule would > > certainly preclude that with patient- or provider-*identified* > > information. > > COMMENT: I suspect that this one should be handled by a qualified attorney. > > ... But HIPAA allows de-identified health information to be > > passed around freely. > > COMMENT: > Personally I view this as a security violation since little definition is > provided as > to how Patient records become 'de-identified'. Providers at all levels > should be > bound by the privacy/security presumed and expected by the Patient. > > 'de-identifying' records for whatever purpose is really tricky, e.g., if the > clinic > has had only one Patient in the last ten years with a rare disease and you > are > the Patient, one might consult a qualified attorney. > > Be sure to consult a qualified Plaintiffs attorney on this one. > > These docs seem to even want to retain a legal > > "stewardship" role with de-identified information... not likely to > > happen. > > Immediately coming to mind is 'intent of the law' and judicial > interpretation > of the law. My guess is that "stewardship" does not rise to a position > superior to federal law. > > Be sure to consult a qualified Plaintiffs attorney on this one. > > COMMENT: > The majority of your post includes issues properly addressed by qualified > attorneys, defendant and plaintiff; some issues better answered by one or > the > other but each better equiped to answer than I am.The common-law > jurisdictions in the US and the federal code and judicial system need to be > considered when making plans that involve or make contact with HIPAA. > > > > > Christopher J. Feahr, O.D. > > Optiserv Consulting (Vision Industry) > > Office: (707) 579-4984 > > Cell: (707) 529-2268 > > http //Optiserv.com > > http //VisionDataStandard.org > > ----- Original Message ----- > > From: "Thomas Clark" <tclark at hcsystems.com> > > To: "norbert Lipszyc" <irl at club-internet.fr>; "Christopher Feahr" > > <chris at optiserv.com>; <openehr-technical at openehr.org> > > Sent: Wednesday, August 06, 2003 10:54 AM > > Subject: Re: Distributed Records - An approach > > > > > > > Hi Norbert, > > > > > > Agree regarding the Patient's choice. It is a basic presumption on my > > > part and I too often forget to state it. > > > > > > Regional databases that maintain Patient records should be responsible > > to > > > the Patient who in turn dictates the 'terms and conditions, the major > > > loophole being prevailing law. However, the Patient should be able to > > > choose where to store the records (especially where paying to do so). > > > > > > Given a choice between the US and France I would choose to store them > > > in France because of the higher levels of security. > > > > > > Before deployment, and as soon as possible, these types of > > requirements > > > must be integrated in the design and affecting all levels. I just > > forget to > > > mention them. > > > > > > -Thomas Clark > > > > > > ----- Original Message ----- > > > From: "norbert Lipszyc" <irl at club-internet.fr> > > > To: "Christopher Feahr" <chris at optiserv.com>; <lakewood at copper.net>; > > > <openehr-technical at openehr.org> > > > Sent: Wednesday, August 06, 2003 1:23 AM > > > Subject: Re: Distributed Records - An approach > > > > > > > > > > The remarks of Christopher Feahr are very adequate, but they > > overlook the > > > > fact that in many areas, patients will have the decision as to where > > they > > > > want their records to be kept (trusted third parties for example, as > > in > > > the > > > > case of electronic signatures). therefore his conclusions are even > > more > > > > appropriate as they allow this freedom which is essential in many > > > countries, > > > > France in particular. > > > > Norbert Lipszyc > > > > ----- Message d'origine ----- > > > > De : Christopher Feahr <chris at optiserv.com> > > > > ? : <lakewood at copper.net>; <openehr-technical at openehr.org> > > > > Envoy? : mardi 5 ao?t 2003 17:28 > > > > Objet : Re: Distributed Records - An approach > > > > > > > > > > > > > Thomas, > > > > > This sounds workable to me. If I am understanding you correctly, > > we > > > > > need one (and only one??) registry in which anyone, anywhere (who > > is > > > > > authorized, of course) could look up a patient and determine which > > > > > "region" had master control at the moment over his record. If I'm > > a > > > > > provider living in the region where the records are primarily > > managed, > > > > > then when my system attempted to look up, say, the date of his > > last > > > > > Tetanus vaccination, it would find it immediately. If I was a > > provider > > > > > visited while the patient was traveling outside his "home" region, > > then > > > > > the same local query about his tetanus shot would tell me: "hold > > on a > > > > > minute, while we search all known registries to see where this > > guy's > > > > > home-region is... where his most current records will be located". > > ... > > > > > and then my region does a full record update from the current home > > > > > region? or just try to display his tetanus vaccination history? > > > > > > > > > > One of the problems alluded to is that different regions might be > > using > > > > > very different EHR structures. Thus a simple "record refresh" in > > region > > > > > B from the information stored in Region A is not so simple. It > > would > > > > > involve mappings at least, and possibly even data transformation. > > The > > > > > inability to assume an overarching authority seems to be the > > Achilles > > > > > heel. After a dozen record "movements" from one region to the > > next, > > > > > many little mapping and transformation errors may have accumulated > > to > > > > > thoroughly hose up the medical information in the patient's > > "master" > > > > > record. > > > > > > > > > > One way around the central record managing authority would be to > > have > > > > > VERY FEW regions... each with a well organized regional > > authority... who > > > > > come together under a global organization and work out a very > > tight > > > > > choreography for these refresh/hand-off operations. But this > > sounds > > > > > harder and no more likely to be created as one single authority > > such as > > > > > the UN imposing the requirements on all regions. > > > > > > > > > > I believe that the most critical point for global standardization > > and > > > > > what we must aim for (first) is the information in the record. > > When the > > > > > world has settled into that (something that will ALSO require a > > central > > > > > authority, but just for standardizing what the information > > elements > > > > > mean, not for choreographing complex record-merge operations), > > people > > > > > will gradually come around to the idea of moving to the next level > > of > > > > > system interoperability, with standard record structures. > > > > > > > > > > With only the information standardized globally, two large and > > > > > cooperative regions (say, US and Australia) could still choose to > > create > > > > > a US-Aus. information authority and orchestrate a high level of > > > > > interoperability for patients and providers floating anywhere > > within our > > > > > two countries. If the "functional regions" initially were more > > along > > > > > the sizes of counties and states, then we'd have a lot more hassle > > and > > > > > negotiating. So I would suggest the world start with the largest > > sized > > > > > regions that could be reasonably managed with the same EHR > > structure. > > > > > > > > > > The critical issue for all regional participants would be a > > strong, > > > > > competent regional authority... that operated in conformance to a > > set of > > > > > well defined "regional authority rules"... maintained by the UN?? > > > > > > > > > > Christopher J. Feahr, O.D. > > > > > Optiserv Consulting (Vision Industry) > > > > > Office: (707) 579-4984 > > > > > Cell: (707) 529-2268 > > > > > http //Optiserv.com > > > > > http //VisionDataStandard.org > > > > > ----- Original Message ----- > > > > > From: <lakewood at copper.net> > > > > > To: <openehr-technical at openehr.org> > > > > > Sent: Tuesday, August 05, 2003 12:11 AM > > > > > Subject: Distributed Records - An approach > > > > > > > > > > > > > > > > Hi All, > > > > > > > > > > > > With a background in fault tolerant computing I have a built-in > > > > > penchant for > > > > > > distributed files that are exact/backup copies of a master. > > Works > > > > > wonders > > > > > > for > > > > > > financial transactions. > > > > > > > > > > > > I don't believe that this model fits EHRs especially since one > > can > > > > > conceive > > > > > > of > > > > > > parallel, e.g., close proximity in time, operations directed at > > > > > > modifications > > > > > > originating at geographically distant locations.These > > operations, even > > > > > they > > > > > > occur > > > > > > across town (Clinic and distant Lab) create problems for record > > > > > management. > > > > > > > > > > > > Tying record management to physical location is not a solution. > > Remote > > > > > > medicine complicates this immediately. However, a constant > > occurs > > > > > > immediately, > > > > > > presuming that we do not have to deal with human clones (put a > > > > > <dash-number> > > > > > > in the ID). The Patient ID is it. Traditional approaches would > > require > > > > > that > > > > > > in all > > > > > > the world there is only one unique person being considered. > > > > > (hopefully). > > > > > > > > > > > > Hence each region could contain entries on residents, > > transients, > > > > > visitors. > > > > > > tourists, etc. that somehow make contact with healthcare > > > > > > facilities/Practitioners > > > > > > in the region. > > > > > > > > > > > > Registering the IDs and updating the regional databases requires > > that > > > > > only > > > > > > those > > > > > > regional Patients be administered. > > > > > > > > > > > > National and international databases can be established that > > will > > > > > receive > > > > > > and store > > > > > > regional registrations of Patient IDs, allowing one to scan > > these > > > > > databases > > > > > > to > > > > > > determine who holds regional records on individual Patients. One > > can > > > > > then > > > > > > retrieve all the records or part of them. This substantially > > reduces > > > > > the > > > > > > need for > > > > > > storage and bandwidth to manage records on a global scale. > > > > > > > > > > > > I presume that there is no need to have matching records for > > > > > individual > > > > > > Patients > > > > > > in all regions this Patient has been in an made contact with the > > > > > healthcare > > > > > > industry. If I take a cruise on the Rhine and require medical > > > > > attention it > > > > > > makes no > > > > > > sense to burden whatever region manages that healthcare system > > with > > > > > anything > > > > > > more than they had a tourist with a weak stomach. > > > > > > > > > > > > It would be nice to have a distributed registry that would show > > where > > > > > I had > > > > > > to > > > > > > stop off and get some help. At least the Public Health personnel > > would > > > > > > appreciate > > > > > > it. > > > > > > > > > > > > The important thing to me is to be able to access all the known > > > > > records and > > > > > > bundle them in a way that is appropriate for the healthcare > > personnel > > > > > > handling > > > > > > my latest complaints. > > > > > > > > > > > > BTW: The Fault Tolerant/Highly Available Systems can make sure > > that > > > > > the > > > > > > information requested is available but the applications have to > > > > > structure > > > > > > it. > > > > > > > > > > > > -Thomas Clark > > > > > > > > > > > > > > > > > > - > > > > > > If you have any questions about using this list, > > > > > > please send a message to d.lloyd at openehr.org > > > > > > > > > > - > > > > > If you have any questions about using this list, > > > > > please send a message to d.lloyd at openehr.org > > > > > > > > > > > > > - > > > > If you have any questions about using this list, > > > > please send a message to d.lloyd at openehr.org > > > > > > > - > If you have any questions about using this list, > please send a message to d.lloyd at openehr.org - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
