Tiger team clarifies patient consent rules for HIEs
Health information exchanges cannot share sensitive patient information beyond a simple point-to-point exchange without first obtaining a patient's consent, concluded the federal privacy and security tiger team.
The panel, which advises the Health Policy Committee, clarified the matter at an Aug. 16 meeting. Its previous guidance on the privacy obligations of health information exchanges (HIEs) had been unclear, according to panel members.
More specific language was required because some HIEs provide both multipoint exchange services among a provider community and direct point-to-point exchange services.
These simpler exchanges do not require patient consent beyond what is covered in existing law, such as the Health Insurance Portability and Accountability Act (HIPAA), state laws, and fair information practices.
However, the panel said HIEs must obtain a patient's consent if they make personal health information collected during a direct exchange available to a third party.
"Providers have to offer the option to the patient whether or not they're going to participate in health information organizations," said Paul Egerman, a software entrepreneur and co-chair of the tiger team.
The tiger team published a 19-page letter with this and several other draft recommendations around privacy and security in simple exchanges and will present it to the Health IT Policy Committee Aug. 19.
Some patients may not want their provider to use an HIE to share their information if the HIE retains some control over their data in a simple exchange, the panelists said.
In such cases a provider can use a different organization to conduct the exchange. Or, it can use the same HIE, "as long as the provider maintains the control over the decision to exchange," according to the panel's draft recommendations.
Panel member Wes Rishel, a vice president with Gartner's healthcare practice, offered a case in point.
In the scenario, a physician orders and receives lab results through an HIE, which captures the results and begins to build a database with them. "If the patient does not consent to using the HIE, the physician has to go through a dual track," said Rishel.
The provider still needs to use the HIE services to obtain the lab results. But if the HIE performs both community and point-to-point exchange services, "it is precluded from using information under directed exchange without consent," he said.
The policy committee will offer its final recommendations to the Office of the National Coordinator in time for healthcare providers to meet upcoming deadlines for meaningful use.
As the tiger team winds down its work, some of its privacy and security work will also feed into a new policy committee work group being set up on NHIN governance, according to Joy Pritts, ONC chief privacy officer.
In creating the new panel, ONC wants to host discussions on what to include in a formal rulemaking that would establish rules of the road - including principles on consent and privacy - for organizations that participate in the nationwide health information network.