The day before the ONC’s privacy and security subcommittee met to discuss policy recommendations for health information exchange query and response issues, Epic Systems CEO and subcommittee member Judy Faulkner got an email from a doctor in Madison, Wisconsin.

“I have a patient who moved to Chicago,” the doctor said, as Faulkner recounted at the subcommittee Tuesday. “She needs a bladder biopsy at Northwestern, which as you know is on Epic. She wanted me to look at the records, but I couldn’t unless she came to Madison and signed a release.”

That’s the protocol Northwestern Memorial Hospital has been using, not necessarily the norm. “Everybody can set it up in different ways,” Faulkner said.

Creating policy recommendations for HIE data query and response that reduces “real or perceived barriers,” without being overly prescriptive, is the privacy and security “Tiger Team” subcommittee’s task at hand in the coming months.

[See also: ONC panel seeks input on patient credentialing.]

As HIE query and responses become increasingly automated, one of the main questions is whether providers’ digital data exchange policies will follow the precedent of paper and manual information sharing.

In instances where the provider does not have control of the data, the subcommittee had previously recommended that patients have the ability to decide the fate of their information.

But as co-chair and eScription founder Paul Egerman asked: “If you have a system where there’s an automated query and an automatic response, does that mean that the record holder has control or do they not have control, and does our previous recommendation of meaningful consent apply?”

Faulkner then wondered, “Are we setting up a situation where by definition automated means they don’t have control?”

“Well, that’s the question,” Egerman said.

Previously, the subcommittee recommended three scenarios necessitating meaningful patient consent: when a centralized HIO makes information available to other parties, when a federated HIO controls access to individual patient data, and when information is aggregated outside of a provider or “organized healthcare arrangement.”

Both Faulkner and David McCallie, MD, VP of medical informatics at Cerner, were wondering if the issue could be solved by an algorithmic response “that just automates the decision process that exists today,” as McCallie put it.

If providers program automated queries and responses to match their health information management department policies for releasing data manually, Egerman asked, how does that affect the subcommittee’s goals?

“I would actually argue that we may have gotten it close to right in the straw response,” said Deven McGraw, the subcommittee chair and director of health privacy at the Center for Democracy & Technology.

“If the data holder maintains the ability to make decisions on when to disclose a patient’s information, they can choose to automate their decision, such as through algorithms that match how their HIM department’s customarily responds to record requests,” McGraw said, reading from a non-binding statement the subcommittee crafted previously.

[See also: Work under way on getting patient identity right.]

“Maybe that scenario doesn’t currently exist in any network,” McGraw added. “If that decision-making capability wasn’t there, then arguably that might trigger the requirements that we have laid out” for patient choice.

“I think you’re absolutely right on that,” Faulkner said. “There have to be some rules; each organization has the right to have different ways that they’ll agree to release information. There’s got to be the ability for the automated system to do it as that organization would do it.”