Deven, I might agree with you about the intent and scope of the Code of Conduct but my concerns are about the HL7 standards that drive the implementation of patient-directed exchange.

This is an Implementation Guide. The HL7 Background does not even mention a Code of Conduct and that’s entirely appropriate because it’s a technical specification, not a policy.

HIPAA does not require a Code of Conduct for either patient or physician-facing apps, although the physician-facing app case obviously includes one by default. A code of conduct is not required for patient-directed sharing via US Mail or fax.

Maybe I misunderstand CARIN’s and HL7’s intent and there will be no link between the Code of Conduct and the HL7-compliant patient-directed FHIR API practice. If that’s the case, then clearly the patient-directed FHIR API will also be accessible to physician-facing apps using HIPAA-compliant systems, including EHRs. In that case, CARIN Alliance and HL7 can just clarify this point and we will be well along to meeting the four points I suggest are needed for a consensus.

Adrian, I believe you misread the CARIN Code of Conduct and the intent behind it. The purpose of the Code of Conduct is provide consumers with a tool to use in selecting a personal health record app or platform IF the consumer decides to use one in order to access their health information through FHIR APIs. The language in the Code and introductory material defining “consumer-directed exchange” as involving an app selected by a consumer, and differentiating it from circumstances where covered entities like hospitals and doctors share data directly with one another under the TPO (treatment, payment, operations) exceptions to HIPAA, is just about narrowing the scope of what the voluntary code is intended to cover. It is not an intent to confine the health data sharing universe to only circumstances where patients hire apps.

There are many instances of data sharing per HIPAA – including when covered entities disclose data pursuant to the Privacy Rule without the need for patient authorization and when individuals invoke their HIPAA right of access to obtain copies of their data, either for themselves or to have it sent elsewhere (such as to another doctor or hospital). The Code does not limit that sharing at all – it doesn’t even address it (or at least that was not the intent).

I believe the intent for the Code is to invite personal health record app vendors attest to it — which would provide consumers with a tool for choosing apps IF and only IF they decide to hire one for collecting and then managing their health records. So in your scenario, Ascension could not “adopt the Code” to preclude a patient from exercising her HIPAA rights to have information sent directly to Mayo. Ascension would only “adopt the Code” if it were offering a personal health record app to patients and decided it wanted to attest to the Code as a way of assuring patients regarding the app’s data practices. And in that case, the Code would apply to the activities of the app and not necessarily to Ascension’s other practices with patient data.

In my view, the Code serves an important purpose – but it is far narrower than the role that you have ascribed to it.

An answer to one simple question would be a good start:

Why is CARIN excluding patient-directed sharing between one hospital and another hospital if that is already allowed by US Mail or Fax?

All of our readers should speculate on this but I’m especially curious to hear from two trusted leaders in this space, Apple and Commonwealth Fund, who are lending their name to this organization.