The amount of health data generated in digital form, stored in electronic databases internal or external to physician offices, and transmitted to and from family physicians’ practices continues to grow significantly. The following data stewardship guidelines are intended to facilitate the appropriate collection, storage, transmission, analysis, and reporting of these data. Execution of these processes must be in a manner that is ethical and protects the interests, including the privacy and confidentiality, of both the patients and physicians generating these data.
These guidelines specifically address the conditions under which de-identified clinical and administrative data derived from physicians’ electronic systems are collected and used by third parties, e.g., public and private health plans, retail pharmacies, hospitals, clinical laboratories, and intermediaries, such as clearinghouses or application service providers, who store personal health data in remote systems.
NOTE: Nothing herein or below shall be construed as contravening the standards for health information contained in HIPAA and similar federal and state laws relating to privacy, confidentiality, or security of personal health information. Generally, the recommendations below pertain to de-identified and aggregated data only.
- Submission of data from physician practices to third parties must be voluntary.
- Physician practices must reserve the right to submit data to entities of their own choosing, either in addition to or as part of the chain of data submission (e.g., to payers, health plans, or community data repositories), for purposes such as quality improvement, performance measurement and research programs.
- A framework for managing patient and physician consent, with appropriate granularity, must be established and maintained. This would include the ability of independent third parties to audit data use/access and a responsibility to inform affected parties regarding inappropriate use/access of their data.
- Third parties who collect, store, manage, or analyze data derived from physicians’ practices must provide written policies detailing the intended uses of such data. Additionally, any change in the intended use must be relayed to participating practices prior to further data transfer. Notification must be in written form, provided in a timely manner, and allow physician practices the right to decline further participation without penalty.
- Third party use policies must clearly distinguish between quality improvement, performance measurement, and research uses of submitted data. Allowable and non-allowable uses of data must be delineated in addition to prioritization of allowable uses.
- Poor quality data must not be allowed to degrade patient safety and care. Data quality may include accuracy, validity, integrity, meaning, consistency and completeness and must be evaluated and managed at every step from collection to reporting.
- Data storage must adhere to industry and regulatory standards for data of similar criticality and confidentiality. Retention and destruction of data must comply with legal requirements and the rights of data suppliers.
- A timely and efficient process must be in place for physician practices to validate any data after transmission as well as any analyses and resultant reports. There must be adequate time for practices to perform this validation.
- Entities that have collected data for quality or performance measurement purposes should allow real-time access to these data by the originating physician practices. Though a summary report is desirable, practices must have the ability to drill down into areas of interest with full access to applicable data, methods, and results.
- Data for submission must have both a clearly defined purpose and format. Only data critical to fulfilling the stated objectives should be submitted.
- To afford real-time access to the data and promote point-of-care use, reporting to participating physician practices should use industry standards for networking and data sharing either via the web or integrated into other applications through technologies such as application programming interfaces (API).
- Risk and severity issues must be considered in data analyses to maximize the value of quality and performance data and resultant reports.
(2004) (2019 COD)