Title: Health Information Security and Privacy Collaboration HISPC: Calming the Waters Across State Lines P
1 Health Information Security and Privacy Collaboration (HISPC): Calming the Waters Across State Lines
Presented by Alison K. Banger, RTI International
Presented at HIPAA Collaborative of Wisconsin Fall Meeting, September 2008, Sheboygan, WI
2951 Flowers Rd., Suite 119, Atlanta, GA 30341
Phone: 770-234-5049
Fax: 770-234-5030
E-mail: abanger_at_rti.org
2 Overview
- Background on HISPC Phases 1 and 2
- Phase 3: the 7 Collaborative Work Groups
- Next steps
3 Phase 1
- Timeline: June 2006 to April 2007
- Participation: 33 States and 1 territory
- Scope: Assess variation, develop solutions and implementation plans
- Methods
  - Community-based research model
  - Engage a broad range of stakeholders
  - Follow common methodology
  - Panel of experts
  - National direction with local control
4 Phase 1 Products
- Summary reports released
  - Assessment of Variation and Analysis of Solutions
  - Implementation Plans
  - Nationwide Summary
- Reports and presentations publicly available
  - RTI Project site: http://privacysecurity.rti.org
  - AHRQ National Resource Center: http://healthit.ahrq.gov
5 Key topic areas addressed by solutions
- Harmonize the approach to patient permission for disclosure
- Simplify the complex interplay among HIPAA privacy and security rules, other federal laws, and state laws.
- Reduce variation in interpretations of HIPAA
- Foster trust between providers participating in exchange and among consumers permitting their information to be exchanged
6 Phase 2
- Timeline: May to December 2007
- Participation: 42 states and 2 territories
- Scope
  - Implement 6-month projects
  - Develop plans for collaboration in Phase 3
- Methods
  - 34 Phase 1 teams implement state-specific solutions
  - All 44 teams contribute to collaborative proposals
7 Phase 2 Products
- RTI Products
  - HISPC Toolkit
  - Impact Analysis report
- State Products
  - November 2007 Conference Presentations
  - 34 states produce a multitude of state-specific deliverables, including reports, videos, websites, model agreements, model forms and educational toolkits
  - 42 states/territories submit proposals to participate in the Phase 3 collaborative work groups
8 Phase 3
9 Phase 3
- Timeline: April 2008 to March 2009
- Participation: 40 states and 2 territories in 7 collaboratives
- Scope: Execute collaborative strategies developed in Phase 2
- Methods
  - States work both individually and collaboratively to complete project scope
  - Co-chairs of each collaborative form steering committee
  - RTI partners with Georgetown on State and Territory Law Analysis
10 The 7 Collaborative Work Groups
- Consent 1, Data Elements
- Consent 2, Policy Options
- Harmonizing State Privacy Law
- Consumer Education and Engagement
- Provider Education
- Adoption of Standard Policies
- Interorganizational Agreements
11 Consent 1, Data Elements
- 11 States participating
  - IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI
- Goals
  - To establish a model for identifying and resolving patient consent and information disclosure requirements across states.
  - To develop a foundational reference guide that describes and compares the requirements mandated by state law and any known regional or local consent policies and practices in each participating state.
- Data Elements?
  - What consent information does a state need to reply to a request from another state? Signed consent form? With what information? Any restrictions? Do the answers change depending on the type or source of the information?
12 Consent 1 Progress: Scenarios and Template
- Scenarios
  - Treatment: Non-Emergency
  - Treatment: Emergency
  - Public Health
- Template
  - Intricate, detailed set of spreadsheets
  - A battery of general questions with follow-up questions for capturing additional detail
  - Completed by the legal work group in each state
13 General Questions
- Does your state regulate the disclosure of PHI based on where the data are created?
- Does your state regulate the disclosure of PHI based on who holds the data?
- Does your state regulate the disclosure of PHI based on the type of data disclosed?
- In the context of your state's disclosure laws, does the type of healthcare provider to whom the PHI is disclosed matter?
14 General Questions (continued)
- Does your state regulate the disclosure of PHI by any other factors not listed above?
- Does your state law distinguish between disclosing the complete medical record and disclosing parts of the record?
- Does your state law have different disclosure requirements if disclosing within the state versus disclosing to healthcare providers in another state?
- Does your state law mandate actions following a disclosure of PHI without consent?
15 Capturing Additional Detail
- Grid of types of PHI by sources of PHI for recording where consent is required or other disclosure requirements exist
- Worksheet for adding detail about any of the other disclosure requirements noted
  - EX: Statutes governing mental health records, linked to medication history (type) generated by a mental health facility (source)
- Worksheet for capturing legal citations
- Worksheet for answering a battery of questions about any "yes" in the type/source grid.
16 Grid of Types of PHI by Sources of PHI
17 Impact of Consent 1
- A guide to navigating cross-state variation in consent requirements
- A comparative analysis that will allow individuals in different states to see areas where change might be required to better align with their neighbors to facilitate exchange
18 Consent 2, Policy Options
- 4 States participating
  - CA, IL, NC and OH
- Goals
  - To identify the different consent approaches within and between states
  - To propose policy approaches for consent that facilitate interstate electronic health information exchange
19 Consent 2 Progress
- Formed 2 subgroups
  - Interstate consent (OH and IL)
    - Explore the viability of four specific legal mechanisms that states could use to resolve barriers to the exchange of protected health information among states that have conflicting state laws governing consent
  - Intrastate consent (NC and CA)
    - Identify and describe model approaches to consent
    - Test model approaches against scenarios (use cases) and pilot projects.
    - Allow other states to consider the risks and benefits of each approach as they evaluate policies and decide which approach to use
20 Interstate Consent Mechanisms
- Uniform state law
  - Offers states the option to enact the same law governing consent, which would supersede any conflicting laws between adopting states.
- Model Act
  - Similar to uniform law, except that it may or may not be adopted in its entirety. States frequently modify a model act to meet their own needs, or adopt only a portion of the model act.
21 Interstate Consent Mechanisms
- Choice of law
  - A provision that states could adopt to specify which state's law governs consent when PHI is requested to be exchanged between states with conflicting laws.
- Interstate compact
  - A voluntary agreement between two or more states, designed to meet common problems of the parties concerned. Would supersede conflicting laws between states that join the compact.
22 Interstate Consent Subgroup Result
- The collaborative will provide other states a
systematic process for evaluating and selecting
one of these mechanisms to align consent
requirements for exchanging PHI between states
that have conflicting privacy laws.
23 Intrastate Consent Model Approaches
- Opt out: Patients' records are automatically placed into the HIE system and exchanged unless patient chooses to remove records.
- Opt out with exceptions: Patients' records are automatically placed into the HIE system and exchange is allowed. However, patients have the right to opt out of having their records being shared with specified providers or other entities.
- No consent: Patients' records are automatically placed into the HIE system, regardless of patient preferences.
- Opt in with restrictions: Patients' records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient. Restrictions allowed.
- Opt in unless otherwise required by law: Patients' records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient.
24 Scenarios
- Lab Results
- Outpatient Care Coordination
- Reportable Disease
- Minor Seeking Birth Control
- Substance Abuse Consultation
- Data Warehouse/Decision Support
25 Intrastate Consent Subgroup Result
- By systematically testing these options using the scenarios, the intrastate subgroup will:
  - Generate a list of issues
  - Describe alternative solutions available through the various models
  - Critically analyze the alternatives and make recommendations.
26 Harmonizing State Privacy Law
- 7 States participating
  - FL, KY, KS, MI, MO, NM and TX
- Goal
  - To advance the ability of states and territories to analyze and reform, if appropriate, existing laws to facilitate health information exchange
  - Primary deliverable is a framework for legislative action
27 Harmonizing State Privacy Law Progress
- Updated State Law Report
- 2 types of recent legislative successes
  - Incremental approaches addressing specific barriers
  - Process-oriented approaches such as creation of a standard patient authorization form
- Less successful
  - Attempts at enacting comprehensive detailed health information exchange legislation
28 Subject Matter Guide
- Tabular result of legislative scan
- Sort legislation into subject matter categories and indicate states that have legislation in each area
29 Comparative Analysis Worksheet
- Create expanded version of Subject Matter Guide
30 Harmonizing State Privacy Law Impact
- States outside of the collaborative enter their data, identify gaps and set priorities for legislative action by determining if legislation is needed, feasible and compatible with other states.
- Enables states to identify legislation that is critical for development.
31 Consumer Education and Engagement
- 8 States participating
  - CO, GA, KS, MA, NY, OR, WA and WV
- Goal
  - To develop a series of coordinated state-specific projects that focus on targeted population groups to describe the risks and benefits of health information exchange, educate consumers about privacy and security, and develop messaging to address consumer privacy and security concerns.
32 Consumer Engagement
- States are currently working on their state-specific projects, which address priority education needs and often target specific populations
- States have started to share their products with others in the collaborative
- Websites are going live
- Ultimately they will develop collaborative level products and guidelines for consumer education
33 State-specific draft deliverables
- OR: Revised the video produced under phase 2, soon to be publicly available
- CO: Fact sheet
- GA: Brochure
- KS: Rural consumer education needs assessment
34 West Virginia
- Background document on benefits of health IT, electronic health records, interoperability
- Consumer FAQs
- Public Service Announcements for radio and TV
- Posters
- Brochures for physicians to distribute to consumers
- Brochures for consumers
35 West Virginia Benefits of EHR Brochure
36 West Virginia Privacy and Security Brochure
37 West Virginia Seniors Brochure
38 Consumer Education Impact
- States educate and engage their consumers, addressing the topic or target population that is most important to them
- States share their results with the collaborative (materials, dissemination plan, lessons learned) so that final sharable versions can be made available.
39 Provider Education
- 8 States Participating
  - FL, KY, LA, MI, MO, MS, TN and WY
- Goals
  - To create a toolkit to introduce electronic health information exchange to providers
  - To increase provider awareness of the privacy and security benefits and challenges of electronic health information exchange
40 Provider Education Approach
- Conduct baseline assessment: Contact state and national provider associations; gauge level of interest in and adoption of health IT and HIE. Capture preferred method of communication between each organization and its membership
- Select one provider type and one communication channel for pilot study
- Develop content: core message with universal tag line
41 Baseline Assessment
- Contacted approximately 300 organizations; conducted structured conversations
- Organizational information
  - Organization type (e.g. member advocacy, research, gov't agency)
  - Affiliate (physicians, nurses, researchers, legislators)
- Observations about members' perceptions of HIT and HIE
- Privacy and security concerns
- Readiness for adoption
- Acceptance of an educational campaign
- Perceived barriers to exchange
- Preferred communication channel
42 Selecting Provider Type for Pilot Campaign
- Developed process
- Assign score for each evaluation factor to each provider type
  - Manageable population: appropriate size for state
  - Targeted or well-defined population
  - Population with impact and importance
  - Similar learning style/communication channel
  - Engaged partner for pilot (ready and willing)
- Select provider type with highest weighted average
43 Communication Matrix
Completed preliminary work
44 Provider Education Impact
- After testing core message on one provider type using one communication channel, refine approach based on lessons learned and deploy campaign to additional types/channels
- Enhance awareness
- Address perceived barriers
- Encourage adoption and participation in private and secure exchange to improve the quality of care
45 Adoption of Standard Policies
- 10 States participating
  - AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA
- Goals
  - To develop a set of basic policy requirements for authentication and audit
  - To define an implementation strategy to help states and territories adopt agreed-upon policies
46 Adoption of Standard Policies Progress
- Developed a standard process for capturing current requirements for authentication and audit
- Captured current requirements in 6 modeling states that have HIOs
  - AZ, CO and OK: Federated models
  - WA: Centralized health record banking model
  - CT: Hybrid
  - NE (3): 1 Federated, 1 Banking, and 1 Hybrid
47 Adoption of Standard Policies Progress
- Selected AHIC use cases for Medication Management and Laboratory EHR as scenarios for testing minimum authentication and audit requirements
- Developed intricate, detailed, multipart template for capturing results
- Will use data to expand reports on requirements
48 Adoption of Standard Policies Results
- All states will begin to address any authentication and audit gaps they identify
- States that have less stringent policies will know where they need to strengthen them to be on par with other exchanges
- States that are in the process of forming HIOs and establishing authentication and audit policies will know what requirements they'll need to meet
49 Adoption of Standard Policies Result
- Final report will be a guide to other states so
they can understand the minimum authentication
and audit policies for exchanging data.
50 Interorganizational Agreements
- 7 states participating
  - AK, GU, IA, NJ, NC, PR and SD
- Goals
  - To develop a standardized core set of privacy and security components to include in interorganizational agreements
  - To execute interorganizational agreements and exchange data through cross-state pilots wherever possible
51 Interorganizational Agreements Progress
- Collected library of data use agreements
- Developed classification scheme for all provisions in a data use agreement.
- Applied classification scheme to every document in library
- Generated master document of all provisions sorted by type of provision
- Ranked provisions from most preferred to least preferred by type.
- Identified provisions that would present a conflict, breach or issue with state laws, regulations, or case law.
52 Interorganizational Agreements Next Steps
- Create model agreements
- Coordinate with DURSA and others
- Sign agreements
- Exchange data in pilot studies
53 Current and Future Activities
- ONC currently considering suggestions for follow-up projects solicited from HISPC collaboratives and states
- ONC continues to manage intersections between HISPC and their other initiatives
- Nationwide Conference tentatively scheduled for March 2009 in Washington DC
54 Links
- http://healthit.ahrq.gov
- www.hhs.gov/healthit
- http://privacysecurity.rti.org
- www.rti.org
- Identifiable information in this report or
presentation is protected by federal law, Section
924(c) of the Public Health Service Act, 42
U.S.C. 299c-3(c). Any confidential identifiable
information in this report or presentation that
is knowingly disclosed is disclosed solely for
the purpose for which it was provided