On August 4, HHS released an Advanced Notice of Proposed Rule Making (ANPRM) on metadata standards to support a nationwide electronic health information exchange. Section 3001 of the Health Information Technology for Economic and Clinical Health Act (HITECH) provides for the Office of the National Coordinator for Health Information Technology to develop a nationwide health information technology infrastructure including standards for metadata. The HIT Policy Committee suggested steps earlier this year to achieve the vision of the infrastructure contemplated under HITECH. A first step is the establishment of a minimal set of standards for metadata that could be attached to a patient summary care record. The purpose of the ANPRM is to solicit broad public comment on the proposed metadata standards.

What is "metadata"? Metadata is commonly referred to as "data about data" or "data that provides more information or detail about a piece of data." For example, metadata can tell you when a piece of data was created, accessed, modified and by whom. The ANPRM divides the metadata standards into three categories: (1) patient identity, or data elements about the patient; (2) provenance, or data elements about the source of the clinical data; and (3) privacy, or data elements about the types and sensitivity of the clinical data. The ANPRM sets forth proposed standards for each of these categories. Overall, HHS recommends that the HL7 CDA R2 requirements be adopted for all three categories in order to provide the widest coverage across the metadata elements. However, it does recognize that there are limitations to these standards in each category.

Proposed Metadata Standards

The ANPRM proposes the following data elements for the patient identity set:

  1. Name, including patient's name prefix, first and middle names, surname and suffix;
  2. Date of birth;
  3. Current primary address;
  4. Current primary zip code; and
  5. A unique patient identifier used by a healthcare provider, such as the last four digits of a social security number, patient's driver's license number or medical record number.

For the provenance metadata set, the following is proposed:

  1. A tagged data element identifier;
  2. A time stamp of when the metadata was electronically signed; and
  3. A digital certificate of the signer and the signer's organizational affiliation.

The proposed privacy metadata standards include:

  1. A policy pointer, which is a URL that points to the privacy policy that is in effect at the time the data element is released, including external policies; and
  2. Content metadata, which represents elements needed to implement organizational policies and state and federal privacy laws.

The content metadata comprises two parts: a data type, which describes the underlying data from a clinical perspective, and a sensitivity value, which indicates at a granular level the type of underlying data so that automated privacy filters can protect it. HHS expects that the privacy metadata will enable healthcare providers to filter sensitive information before releasing it for disclosure, adding another layer of patient privacy protection.

Impact on Healthcare Providers

The initial impact of the standards will be on electronic health record (EHR) vendors, who must develop the technology that allows providers to comply with the proposed metadata standards. After development, providers will need to upgrade their EHR to comply with HITECH standards for metadata. Providers with a more customized EHR may find themselves having to standardize certain forms to meet the metadata standards. To accommodate the policy pointer element, providers will need to have internal privacy policies in place and to revise them aggressively as new regulations are proposed. Staff training and education on the existence and anticipated use of the metadata elements also will be needed. Collaboration between healthcare IT and privacy professionals is imperative for implementation of the privacy metadata elements. HHS expects that once EHR technology is able to apply the metadata standards, healthcare providers will develop innovative ways to use the capability, such as appropriately filtering data prior to making any disclosure for additional privacy/security protection and processing information for quality improvement and quality measurement.

Comments on the above standards and other topics such as additional metadata elements to consider, other naming conventions, codes for particularly sensitive health information and other potential uses of metadata are due by September 23, 2011.