VA over-disclosure of EHR data highlights difficulty in managing fine-grained consent

In its Monthly Report to Congress On Data Incidents for the month of September (the exact time period noted on the report is August 30 – October 3, 2010), the Department of Veterans Affairs (VA) describes an incident in which an active duty member of the Army was determined to be ineligible for deployment based on information contained in a “progress note” recorded at a previous time by a doctor working at a Veterans’ Center where the soldier had been treated. The contents of the progress note were apparently available to doctors at Fort Benning (where the soldier was preparing to deploy), despite the fact that no authorization had been given for the release of the Vet Center information the Department of Defense (DoD). While the specifics of the treatment record were not described, it appears from the incident summary that the information from the Vet Center was transmitted from the VA’s VistA electronic health record (EHR) system to the AHLTA system used by the DoD as a matter of routine procedure, but that the specific information in the progress note should not have been included in the health information transferred from the VA to the DoD. VA Chief Information Officer Roger Baker is cited in an article on the incident as believing that the progress note contents were shared incorrectly because the full contents of the progress note (apparently recorded as a free-text field) aren’t scanned to determine if there is any sensitive information in them for which explicit consent must be obtained prior to disclosure.

The VA is investigating this incident to try to determine exactly how the information in question was transmitted, and whether the fact that it was constitutes a violation of HIPAA or any other relevant health data privacy statutes. The privacy and confidentiality of several specific types of treatment data (including treatment for drug or alcohol abuse and for diseases like HIV and sickle cell anemia) in veteran medical records is protected under 38 U.S.C. §7331, although in general the restrictions on disclosure here do not apply to government “components furnishing health care to veterans and the Armed Forces.” Much of the health data transfer between the VA and the DoD occurs automatically as individuals move among different treatment facilities, and through the bi-directional health information exchange (BHIE) DoD doctors are able to view patient data stored in VA systems (and vice-versa), including progress notes. In this case, while the Army doctor at Fort Benning apparently recalled accessing the soldier’s information through AHLTA, a technical analysis suggested that the DoD system did not access the VA records, so some data sharing method other than BHIE may have been involved.

Quite aside from the technical mechanism that allowed this over-disclosure to occur, this incident highlights the difficulties associated with providing fine-grained control over access to and disclosure of information stored in EHRs. Much of the recent debate over consent in health information exchange has been focused on the consent model to be used, such as opt-in or opt-out. In many ways, handling granularity within a consent management approach is much more complicated than the consent model used. A policy analysis on consumer consent options for electronic health information exchange commissioned by the Office of the National Coordinator and published last March describes several different ways in which fine-grained consent might be applied to data in electronic health records. Many of the ways to sub-divide an individual health record according to patient privacy or sensitivity concerns are not easy to implement within existing EHR systems and schemas, and even if granular consent models are implemented in external policy engines, directories, or databases, to be able to incorporate granular consent by data type, provider, or encounter may require parsing and analyzing the entire electronic health record before any health information exchange request can be fulfilled. Similarly, some of the standard schemas and message constructs recommended for use in health information exchange may by default contain more information than is needed to satisfy a given request. The challenge of restricting health data disclosure according to consent directives is made even more challenging by the use of free-text fields within EHR schemas that, as was seemingly the case with the progress note in the recent VA incident, may knowingly or unknowingly contain information that should be subject to disclosure restrictions.