Some health IT experts are raising concerns about the Data Segmentation for Privacy, or DS4P, standard, which aims to address electronic exchange of behavioral health data, Health Data Management reports.
Background
Behavioral health data are subject to disclosure protections in addition to those required under HIPAA. For example, one federal law — 42 CFR Part 2 — limits federally assisted substance misuse treatment programs’ ability to share behavioral data without patients’ signed consent.
In October, the Office of the National Coordinator for Health IT released the 2015 Edition Health IT Certification Criteria final rule, which includes the DS4P standard.
DS4P aims to address certain barriers in electronic exchange of behavioral health data by applying a set of metadata and encryption to a clinical document, which allows a provider to send behavioral health and substance misuse data to a system with technology that can identify and segregate such data.
Concerns
John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston and co-chair of the Health IT Standards Committee, said DS4P send-and-receive technology is not mature enough to be included in the final rule.
“The Health IT Standards Committee has recommended that no standard ever be included in regulations until it has a level of maturity, adoption and validation in the real world,” Halamka said, adding, “We said, ‘Do not include DS4P because it doesn’t meet any of those criteria.'”
Halamka noted that “the technology doesn’t exist” yet to fully support the policy goals of ONC and the Substance Abuse and Mental Health Services Administration.
In addition, the Health IT Policy Committee’s Privacy and Security Workgroup raised concerns with DS4P, such as:
- Limitations regarding document-level sequestration;
- Provider discomfort about electronic health records that are incomplete because patients have withheld certain information;
- Uncertainty about data entry policies and implications for subsequent disclosure;
- Uncertainty about DS4P’s ability to comply with 42 CFR Part 2 requirements once a document is received; and
- Uncertainty about whether DS4P is appropriate for enabling compliance with other data laws that lack redisclosure prohibitions