The amount of health data generated in digital form, stored in electronic databases internal or external to physician offices, and transmitted to and from family physicians’ practices continues to grow exponentially. The following data stewardship guidelines are intended to facilitate the appropriate collection, storage, transmission, analysis, and reporting of these data. Execution of these processes must be in a manner that is ethical and protects the interests, including the privacy and confidentiality, of both the patients and physicians generating this data.
These guidelines specifically address the conditions under which de-identified clinical and administrative data derived from physicians’ electronic systems is collected and used by third parties, e.g., public and private health plans, retail pharmacies, hospitals, clinical laboratories, and intermediaries, such as clearinghouses or application service providers, who store personal health data in remote systems.
NOTE: Nothing herein or below shall be construed as contravening the standards for health information contained in HIPAA relating to privacy, confidentiality, or security of personal health information. Generally, the recommendations below pertain to de-identified and aggregated data only.
- Submission of data from physician practices to third parties must be voluntary.
- Physician practices must reserve the right to submit data to entities of their own choosing, either in addition to or as part of the chain of data submission (e.g., to payers, health plans, or community data repositories), for purposes such as quality improvement, performance measurement and research programs.
- A framework for managing patient and physician consent, with appropriate granularity, must be established and maintained. This would include the ability of independent third parties to audit data use/release and a responsibility to inform affected parties regarding inappropriate use/release of their data.
- Third parties who collect, store, manage, or analyze data derived from physicians’ EHRs or other practice systems must provide participants with a clear, written policy detailing the intended uses of such data prior to any data submission. In addition, any change in the policy or intended use of such data must be relayed to participating practices prior to further submission and use of such data. This notification must be written, provided in a timely manner, and allow physician practices the right to decline those uses.
- Third party use policies must clearly distinguish between quality improvement, performance measurement and research uses of submitted data. Allowable and non-allowable uses of data must be delineated in addition to prioritization of allowable data uses.
- Third parties should share with physician practices any analysis of the practice’s data, whether individually or in aggregate, that has the potential to improve quality, safety, or efficiency in that practice.
- To maximize care quality and patient safety, data submitted to third parties, for the purposes of quality improvement, performance measurement or research, should be considered within the domain of peer review, and as such, be confidential, protected, and not subject to disclosure or discovery.
- Data quality issues must be evaluated and addressed at every step from collection to reporting. Data quality may include accuracy, validity, integrity, meaning, consistency and completeness. Poor quality data must not be allowed to propagate throughout the system, degrading patient safety and care quality.
- Adoption of standards defining data capture, semantics, representation, and messaging is needed for collection, transmission, storage, and analysis of these data and associated metadata. These standards would include core data sets, controlled vocabularies, and data structures.
- Storage of these data must adhere to industry and regulatory standards for data of similar criticality and confidentiality. Retention and destruction of data must comply with legal requirements and the rights of data suppliers.
- A process must be in place for physician practices to validate any data after transmission as well as any analyses and resultant reports. There must be adequate time for practices to perform this validation.
- Third parties must be responsible for the timeliness and completeness of the reports back to physician practices. Though a summary report is desirable, practices must have the ability to drill down into areas of interest and have full access to applicable data, methods, and results.
- Payers who have collected data for quality or performance measurement purposes should allow real-time access to these data by the originating physician practices. The purpose of the data is to improve quality and safety, requiring the availability of actionable data at the point, and time, of care.
- Data required for submission must be clearly defined in both purpose and format. Only data critical to fulfilling the stated objectives should be required.
- Use of industry standards for networking and data sharing allows easy access to the reporting data either via the web or integrated into other applications through technologies such as application programming interfaces (APIs). To afford real-time access to the data and promote point of care use, reporting to participating physician practices should be at least web-based.
- Risk and severity issues must be considered in data analyses to maximize the value of quality and performance data and resultant reports.
(2004) (2009 COD)