Exchange policy

May 18, 2020
MUSC chief research information officer Dr. Leslie Lenert
Dr. Leslie Lenert, chief research information officer and director of the Biomedical Informatics Center at MUSC

Although it has trapped us inside our houses, the COVID-19 pandemic has, ironically, also reminded us that we belong to a larger community. Our actions affect not only our lives but those of our neighbors. We wear masks in public to protect ourselves and others from infection and rely on others to do the same for us.

Balancing the rights of the individual and the needs of the community requires a complicated calculus –a careful weighing of risks and benefits that can change as circumstances evolve. 

The pandemic has thrown that calculus off, and according to a recent commentary by MUSC chief research information officer Leslie Lenert, M.D., published in the Journal of the American Medical Informatics Association, that equation might require some rebalancing for patient privacy. 

Lenert, who also serves as vice president and chief medical officer of Health Sciences South Carolina, director of the Biomedical Informatics Center at MUSC and an associate principal investigator of the South Carolina Clinical and Translational Research Institute, explained this concept.

“Privacy is a tradeoff between the benefits to society of sharing data and the risk to individuals,” said Lenert. “In more normal times, the benefits accrue directly to individuals. But whenever we have an event like this, we need to rethink that risk-to-benefit ratio and try to work in ways that are optimal for the time.”

“The need to move the information has never been greater. Knowing whether someone who comes to an ED has been tested previously or if they’re infectious can really make a difference in preventing the spread of the infection and in keeping a facility open.”

-- Dr. Leslie Lenert

The Health Care Portability and Accountability Act, or HIPAA, protects patient privacy by fining or otherwise penalizing providers or institutions that do not adequately safeguard data, such as names, social security numbers and zip codes, which could be used to identify patients. States sometimes add their own patient privacy rules that conflict with federal guidelines, further complicating the situation.

Fear of fines for HIPAA violations can make hospitals wary of sharing patient information with other health care institutions, making it difficult to coordinate patient care. This lack of coordination can be particularly problematic during a pandemic, when care may be more disjointed. For example, a patient might be screened virtually at one institution, tested at another’s mobile site and hospitalized at a third. Without access to the patient’s data from all three institutions, the provider treating the hospitalized patient will be working in the dark. 

In his commentary, Lenert argues that an unimpeded flow of data through health information exchanges will be critical to an effective COVID-19 response. If multiple institutions in a region are willing to share their COVID-19-related patient data to such an exchange, the pooled data could be used to track the spread of the virus and assess the efficacy of local mitigation strategies. But for those institutions to be willing to share this data, Lenert believes they will need assurances that they will not be penalized for a HIPAA violation.

While writing his commentary and after its publication, Lenert frequently discussed his ideas with fellow members of the Health IT Advisory Committee at the Office of the National Coordinator for Health IT. Those conversations began a broader discussion that led to the Office of Civil Rights (OCR), which governs HIPAA, exercising its enforcement discretion, agreeing not to penalize institutions for HIPAA violations that occur when they are engaged in good faith efforts to combat the pandemic.

 The OCR has not rewritten HIPAA guidelines that ensure patient privacy but has relaxed its enforcement of them during the pandemic so as not to impede the response to COVID-19. For instance, to ensure that all patients with suspected COVID-19 can be safely evaluated by providers, OCR is not penalizing physicians who provide telehealth consultations using common communications technologies such as Skype and FaceTime (as long as they can regulate access) instead of the more secure platforms that are typically required. It also is not preventing institutions and their health provider partners from sharing patient data as needed to set up mobile testing sites, nor is it stopping them from sharing data about the spread of the infection throughout a region with each other, first responders and state and national health authorities.

To ensure that South Carolina remains nimble in its response to the epidemic, Lenert is currently working with information exchanges such as the Carolina eHealth Alliance (CeHA) to expand COVID-19 data access in the region. Charleston-based CeHA provides an emergency department alert system for EDs at four hospital organizations –MUSC, Roper Saint Francis, Trident Health and East Cooper Medical Center –and is an initiative of Health Sciences South Carolina, for which Lenert serves as a vice president and chief medical officer. 

“The need to move the information has never been greater,” said Lenert. ”Knowing whether someone who comes to an ED has been tested previously or if they’re infectious can really make a difference in preventing the spread of the infection and in keeping a facility open. For that reason, we really want to expand access to initiatives like the Carolina eHealth Alliance, which could help distribute the results around a region, community or state so that there’s one source for such data.”