Government tiger team calls for privacy notices patients can understand
Healthcare providers should supply patients with layered and easy-to-understand notices of how their information will be used and protected when it is exchanged, says an advisory panel of the Health & Human Services Department.
Physicians should include this description in a short summary in the privacy practices notice that is required by HIPAA, and that patients receive and sign at office visits, the panel concluded at an Oct. 15 meeting. But more detailed information exchange explanations should be readily available to patients.
When written, the Health Insurance Portability and Accountability Act (HIPAA) did not foresee the broad exchange of personal health data.
Transparency about information exchange practices is necessary to establish credibility with patients, according to the privacy and security panel of the federal Health IT Policy Committee.
At the same time, providers have to "balance the need to give patients complete information on how their health data is shared while doing so in a way that is manageable for patients to read and understand," said Paul Egerman, a software entrepreneur and co-chair of the Privacy and Security Tiger Team.
"The summary notice has to describe the uses of information and be written so that 90 percent of patients can understand it," he said.
Physicians should also discuss information exchange practices face-to-face with their patients, in particular when a third party, such as a health information organization, handles the transport of personal data and could trigger the need for consent, or when the provider's electronic health record is shared within an integrated delivery network, he said.
The tiger team's layered notice supports proposals that the policy committee submitted to HHS in August setting out triggers for patient consent in direct exchanges between providers or with testing labs. Meaningful use in 2011 requires that providers be able to conduct simple exchanges.
Underlying all the tiger team recommendations is the principle that patients should not be surprised by what happens to their information.
The Office of the National Coordinator for Health IT has a role in educating consumers about health information exchange. ONC can require the health information exchanges and regional health IT extension centers that it funds to conduct public education about their information sharing policies and practices, Egerman said.
The tiger team also began to consider authentication or verification of the identity of the person or organization seeking access to health information. The group will explore methods of organization-level authentication to facilitate exchange and the digital credentials needed to prove identity verification.
For example, the Defense Department uses the Common Access Card for verification of identification to enter DOD facilities and as a token for computer network access.
Among the questions the tiger team will explore over the next few weeks are whether ONC should select an established technology standard for digital credentials and whether the certification of electronic health records should include the function for using that standard, Egerman said.