EHR vendors don't have to draw a 'line in the sand' on reproductive data privacy

Larger companies are taking an "all or nothing" approach in light of proposed legislation, one HIE leader says, but electronic health record developers can look to modernized data lakes for inspiration and place guardrails around PHI.
By Andrea Fox
10:30 AM

Though an accomplished hiker, Nichole Sweeney, general counsel and chief privacy officer at CRISP and CRISP Shared Services, drove to the top of Mount Washington to face a fear of driving on high cliffs.  

Photo: Nichole Sweeney

Legislative proposals to protect reproductive health data in Maryland could set a precedent in the United States, says Nichole Sweeney,general counsel and chief privacy officer at CRISP, the state-designated health information exchange of Maryland, and CRISP Shared Services, a nonprofit infrastructure organization supporting six HIEs across the U.S.

In a Q&A with Healthcare IT News, Sweeney also explains why electronic health record vendors can better partner with healthcare organizations to maintain interoperability, stay in compliance with information blocking rules under the Cures Act and still restrict access to legally-protected data as well as what precautions health organizations can take to mitigate reproductive privacy risks in their development of artificial intelligence tools.

As an expert on HIPAA, 42 CFR Part 2, state laws and data-use agreements, Sweeney works to ensure regulatory compliance for her organizations and also advises CRISP's partners and HIE stakeholders on federal, state and regional laws and regulations that impact healthcare interoperability.

She described herself as passionate about healthcare policy and interoperability and dedicated to CRISP's patient-centric mission and noted that she collaborates on interoperability with other leaders through the Consortium for State and Regional Interoperability and Civitas Networks for Health (which is hosting its annual conference next week). 

Sweeney has also been tapped to work with the USVI Office of Health Strategy to help build out the Virgin Islands' foundational business and data-use agreements, contracts and policies for the initial development of a health technology infrastructure under the territory's agreement with CRISP.

Engaging with patients helps to inform her everyday decisions as a privacy officer to overcome challenges and leverage opportunities to innovate new technology and policies to improve health outcomes, said Sweeney.

"I'm particularly dedicated to empowering patients to take control of their health and advocate for themselves through increased education and awareness of the policies affecting their health data and care, and ultimately, their health outcomes," she said. "I feel it is imperative that the health industry better explain to patients their privacy rights and engage them in making decisions that affect said rights."

Q. In May, Maryland established a referendum for the 2024 election that, if passed, would ensure reproductive freedom as a central component of an individual's rights to liberty and equality and prohibit most state interventions. What will healthcare data holders need to do to protect reproductive health data?

A. There are a lot of moving pieces in Maryland when it comes to reproductive freedom and protection. This referendum would formalize in the state constitution what Maryland already guarantees. So, while this referendum is important for codifying what's already in place, I don't anticipate that it will pose any compliance risks for healthcare data holders.

However, this referendum impacts other bills that were adopted and will have significant compliance risks.

Maryland'sHB812 andSB786 regulate the disclosure of certain reproductive clinical information across electronic data exchange networks. Data sharing entities face a penalty of up to $10,000 per day if they aren't compliant, along with the serious potential of harming patients if this data were to get into the wrong hands.

The challenge here is that these data are exchanged by a complex network of care providers, organizations and stakeholders through a complex set of regulations and many levels of government. Since there is currently no way to separate specific reproductive health data from other gynecological and patient health data, implementing new protocols and technology to remain compliant is new territory for the industry as whole – with many organizations saying it's impossible.

As a result, many of these entities are avoiding compliance risks by taking a dichotomous approach, believing there are only two solutions to the problem: Continuing to share all of the data or completely stopping the exchange of records for any patient with a reproductive care encounter.

The "all or nothing" approach is a lose-lose.

In one scenario, all the patient's data is available to be shared through organizations that are connected to national networks, which increases the risk of potential criminalization if the data are unlawfully obtained by a state where such procedures are illegal.

The second scenario runs the risk of reverting a decade's worth of investment and innovation – at the very real cost of the care of every person with a uterus in the state.

Providers rely on comprehensive and accurate health data to understand a complete picture of a patient's health and lifestyle. Cutting off this flow of information would primarily affect people with uteruses and severely impact the quality of care they receive, including hindering the accessibility of wraparound services for whole-person care and addressing social determinants of health.

While the ability to block specific types of protected reproductive health data from leaving the state doesn't currently exist in traditional data sharing tools, there's no reason why it can't. I feel lucky to be a part of a company that is actively contributing to the solution to find a middle ground.

Q. How are data sharing entities in Maryland, like EHRs and HIEs, planning to manage patient data interoperability, if and when they contain any reference to this sensitive data?

A. Large electronic health records are leaning towards the "all or nothing" approach to comply with this new law, as the deadline at the state level is December 1. Developing such technology will require a significant investment of time and funding.

Even outside of the EHR, healthcare data is sourced from a variety of verticals and stakeholders throughout the ecosystem; patient clinical data comes from diagnosis codes, encounter notes, specialty providers, pharmacy and medications, laboratory results and much more. 

For reproductive services that may touch all these levels, a sensitive information leak is hard to prevent. Even if a reproductive procedure or encounter note were to be blocked or protected from other providers at the EHR level, a prescription for mifepristone may be visible in another information source, such as a pharmacy's health IT system, that would flag the event to others. 

[Editor's note: FDA says that "an individual should not take mifepristone, in a regimen with misoprostol, for medical termination of pregnancy if it has been more than 70 days since the first day of their last menstrual period." A legal battle to limit access is headed to the Supreme Court as of this week.

Because the EHR market is dominated by only a handful of corporations, there is a small percentage of stakeholders who are essentially responsible for the advancement and innovation of the very systems that touch every patient, in every setting, in every state. Without their buy-in and investment to engineer new tools and establish new protocols, meeting this mandate in a way that doesn't shut down patient data exchange will be challenging.

As it stands, the larger EHR market seems committed to drawing a line in the sand maintaining that this type of data privacy isn't possible. To protect themselves from potential liability or the likely reality that a solution won't immediately be perfect, they have determined the best course of action is to simply lock down the exchange of records with any potential reproductive encounter or service.

Some of the smaller vendors have been more proactive in helping create solutions, and I am grateful for that, but we won't have large-scale change until we have the major players ready to come to the table without having to find a perfect solution that completely shields them from liability.

As a not-for-profit HIE, CRISP can innovate within and amongst this framework to find and implement potential solutions across these disparate systems. Even if some EHRs do not feel comfortable trying to find a solution, we can help find a local solution for Marylanders and the other HIEs we support.

Q. What strategies can be implemented to protect this data and still comply with federal info blocking requirements?

A. Organizations can take lessons from health data utility models which utilize modernized data lakes that allow for a comprehensive data repository with advanced patient matching and parsing technology across their region.

They can ensure that clinicians and patients are included in this work and are tightly collaborating with IT teams to develop improved engineering and parsing of unique codes. It'll be a more manual process as the system kinks are worked out and we learn from the data, but any innovation requires this high level of involvement in the beginning.

Rather than shutting down the exchange of full patient records to avoid their inclusion on national exchange frameworks, we can put guardrails around common medications and procedures – and the providers and organizations who typically provide these services. To avoid information blocking concerns, such guardrails need to be created within the framework of an applicable state law or policy and/or at the patient's request.

Modernized data lakes allow for improved analytics and detection capabilities across master patient indexes and utilizing a state's HIE as a data lake utility can ensure all patient data is deposited into one repository, sensitive data is parsed out accordingly, and the remaining unprotected records are sent back out to larger networks.

This would allow for continued undisrupted exchange at the state level and ensure compliance with info-blocking rules and quality care standards. Likewise, an interoperable data repository and system could allow patients one centralized location to provide or withdraw consent for exchanging data that is considered legally or individually sensitive, rather than requiring a patient to make such an election at each point of care or each time the data is transferred.

However, to do this at scale across the many implicated verticals, we need all interested parties to join efforts in collaboration and implementation.

Without buy-in from all those involved in a patient's care and their adoption of these new technologies, we can't succeed. Despite what some organizations claim, complying with privacy laws, patient choice and these information-blocking requirements is possible. It is really, really hard, but it is possible if we have the drive to do so.

In fact, the healthcare industry has proven many times in the past that we collectively have the insight and innovation to achieve impressive transformation in high-pressure situations. For example, similar regulations have been put in place to protect data related to a patient's substance use disorder treatment. We can argue whether these regulations have been successful, but we know as a technology industry what solutions work and which do not – we just have not necessarily had the collective will to drive to these solutions.

Q. With regard to AI, how can companies evaluate algorithms to mitigate reproductive privacy risks?

A. Organizations doing the work of segmenting this data are undertaking herculean tasks of manual review and parsing. As a tool, AI will be a powerful asset in this work. One day we may get to a place where AI does most of this work for us with minimal human oversight, enabling the identification and privatization of sensitive information, while ensuring the right parties still have access.

Until then, an algorithm can't succeed unless it can learn from human logic and endeavors, so I encourage companies to commit to investing in finding a solution for now, understanding that these tools are likely right around the corner to make the work easier in the future.

And even when we get to that ultimate AI end-state, it's imperative that we continue to evaluate not only the algorithm inputs, but the impacts of those decisions and make changes accordingly. AI will magnify and amplify any bias and, likewise, privacy concerns, so both patients and clinicians must be a part of both the initial and ongoing training. At CRISP, before we even begin to think about such solutions, we are creating internal policies and procedures around the ethical, patient-centered use of AI.

For an organization vetting an AI or similar machine learning tool to mitigate reproductive privacy risks, I'd pay close attention to the vendor's security protocols and bias and ethics policies to ensure that the solution complies with not only HIPAA and other healthcare privacy regulations but also the need for AI fairness, transparency and explainability.

I'd also caution these organizations to overestimate the amount of human intervention needed in the setup and ongoing deployment and maintenance of such a tool. The last thing you want is to take a hands-off approach from the start and miss a glaring privacy or bias issue, which would just serve to put your organization at greater risk and, more importantly, further lose the trust of patients.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.