Health Information Security and Privacy Collaboration HISPC: Calming the Waters Across State Lines P

1
Health Information Security and Privacy
Collaboration (HISPC) Calming the Waters Across
State Lines Presented by Alison K. Banger RTI
InternationalPresented atHIPAA Collaborative
of Wisconsin Fall Meeting September 2008,
Sheboygan, WI
2951 Flowers Rd.,
Suite 119, Atlanta, GA 30341
Phone 770-234-5049
Fax770-234-5030
E-mail abanger_at_rti.org
2
Overview

• Background on HISPC Phases 1 and 2
• Phase 3 the 7 Collaborative Work Groups
• Next steps

3
Phase 1

• Timeline June 2006 April 2007
• Participation 33 States and 1 territory
• Scope Assess variation, develop solutions and
  implementation plans
• Methods
• Community-based research model
• Engage a broad range of stakeholders
• Follow common methodology
• Panel of experts
• National direction with local control

4
Phase 1 Products

• Summary reports released
• Assessment of Variation and Analysis of Solutions
• Implementation Plans
• Nationwide Summary
• Reports and presentations publicly available
• RTI Project site http//privacysecurity.rti.org
• AHRQ National Resource Center http//healthit.ahr
  q.gov

5
Key topic areas addressed by solutions

• Harmonize the approach to patient permission for
  disclosure
• Simplify the complex interplay among HIPAA
  privacy and security rules, other federal laws,
  and state laws.
• Reduce variation in interpretations of HIPAA
• Foster trust between providers participating in
  exchange and among consumers permitting their
  information to be exchanged

6
Phase 2

• Timeline May December 2007
• Participation 42 states and 2 territories
• Scope
• Implement 6-month projects
• Develop plans for collaboration in Phase 3
• Methods
• 34 Phase 1 teams implement state-specific
  solutions
• All 44 teams contribute to collaborative proposals

7
Phase 2 Products

• RTI Products
• HISPC Toolkit
• Impact Analysis report
• State Products
• November 2007 Conference Presentations
• 34 states produce a multitude of state-specific
  deliverables, including reports, videos,
  websites, model agreements, model forms and
  educational toolkits
• 42 states/territories submit proposals to
  participate in the Phase 3 collaborative work
  groups

8
Phase 3
9
Phase 3

• Timeline April 2008 March 2009
• Participation 40 states and 2 territories in 7
  collaboratives
• Scope Execute collaborative strategies developed
  in Phase 2
• Methods
• States work both individually and collaboratively
  to complete project scope
• Co-chairs of each collaborative form steering
  committee
• RTI partners with Georgetown on State and
  Territory Law Analysis

10
The 7 Collaborative Work Groups

• Consent 1, Data Elements
• Consent 2, Policy Options
• Harmonizing State Privacy Law
• Consumer Education and Engagement
• Provider Education
• Adoption of Standard Policies
• Interorganizational Agreements

11
Consent 1, Data Elements

• 11 States participating
• IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI
• Goals
• To establish a model for identifying and
  resolving patient consent and information
  disclosure requirements across states.
• To develop a foundational reference guide that
  describes and compares the requirements mandated
  by state law and any known regional or local
  consent policies and practices in each
  participating state.
• Data Elements?
• What consent information does a state need to
  reply to a request from another state? Signed
  consent form? With what information? Any
  restrictions? Do the answers change depending on
  the type or source of the information?

12
Consent 1 Progress Scenarios and Template

• Scenarios
• Treatment Non-Emergency
• Treatment Emergency
• Public Health
• Template
• Intricate, detailed set of spreadsheets
• A battery of general questions with follow up
  questions for capturing additional detail
• Completed by the legal work group in each state

13
General Questions

• Does your state regulate the disclosure of PHI
  based on where the data are created?
• Does your state regulate the disclosure of PHI
  based on who holds the data?
• Does your state regulate the disclosure of PHI
  based on the type of data disclosed?
• In the context of your state's disclosure laws,
  does the type of healthcare provider to whom the
  PHI is disclosed matter?

14
General Questions (continued)

• Does your state regulate the disclosure of PHI by
  any other factors not listed above?
• Does your state law distinguish between
  disclosing the complete medical record and
  disclosing parts of the record?
• Does your state law have different disclosure
  requirements if disclosing within the state
  versus disclosing to healthcare providers in
  another state?
• Does your state law mandate actions following a
  disclosure of PHI without consent?

15
Capturing Additional Detail

• Grid of types of PHI by sources of PHI for
  recording where consent is required or other
  disclosure requirements exist
• Worksheet for adding detail about any of the
  other disclosure requirements noted
• EX Statutes governing mental health records,
  linked to medication history (type) generated by
  a mental health facility (source)
• Worksheet for capturing legal citations
• Worksheet for answering a battery of questions
  about any yes in the type/source grid.

16
Grid of Types of PHI by Sources of PHI
17
Impact of Consent 1

• A guide to navigating cross-state variation in
  consent requirements
• A comparative analysis that will allow
  individuals in different states to see areas
  where change might be required to better align
  with their neighbors to facilitate exchange

18
Consent 2, Policy Options

• 4 States participating
• CA, IL, NC and OH
• Goals
• To identify the different consent approaches
  within and between states
• To propose policy approaches for consent that
  facilitate interstate electronic health
  information exchange

19
Consent 2 Progress

• Formed 2 subgroups
• Interstate consent (OH and IL)
• Explore the viability of four specific legal
  mechanisms that states could use to resolve
  barriers to the exchange of protected health
  information among states that have conflicting
  state laws governing consent
• Intrastate consent (NC and CA)
• Identify and describe model approaches to consent
• Test model approaches against scenarios (use
  cases) and pilot projects.
• Allow other states to consider the risks and
  benefits of each approach as they evaluate
  policies and decide which approach to use

20
Interstate Consent Mechanisms

• Uniform state law
• Offers states the option to enact the same law
  governing consent, which would supersede any
  conflicting laws between adopting states.
• Model Act
• Similar to uniform law, except that it may or may
  not be adopted in its entirety. States
  frequently modify a model act to meet their own
  needs, or adopt only a portion of the model act.

21
Interstate Consent Mechanisms

• Choice of law
• A provision that states could adopt to specify
  which states law governs consent when PHI is
  requested to be exchanged between states with
  conflicting laws.
• Interstate compact
• A voluntary agreement between two or more states,
  designed to meet common problems of the parties
  concerned. Would supersede conflicting laws
  between states that join the compact.

22
Interstate Consent Subgroup Result

• The collaborative will provide other states a
  systematic process for evaluating and selecting
  one of these mechanisms to align consent
  requirements for exchanging PHI between states
  that have conflicting privacy laws.

23
Intrastate Consent Model Approaches

• Opt out Patients records are automatically
  placed into the HIE system and exchanged unless
  patient chooses to remove records.
• Opt out with exceptions Patients records are
  automatically placed into the HIE system and
  exchange is allowed. However, patients have the
  right to opt out of having their records being
  shared with specified providers or other
  entities.
• No consent Patients records are automatically
  placed into the HIE system, regardless of patient
  preferences.
• Opt in with restrictions Patients records are
  not automatically placed into the HIE system and
  exchange is not allowed without prior permission
  provided by the patient. Restrictions allowed.
• Opt in unless otherwise required by law
  Patients records are not automatically placed
  into the HIE system and exchange is not allowed
  without prior permission provided by the patient.
  

24
Scenarios

• Lab Results
• Outpatient Care Coordination
• Reportable Disease
• Minor Seeking Birth Control
• Substance Abuse Consultation
• Data Warehouse/Decision Support

25
Intrastate Consent Subgroup Result

• By systematically testing these options using the
  scenarios, the intrastate subgroup will
• Generate a list of issues
• Describe alternative solutions available through
  the various models
• Critically analyze the alternatives and make
  recommendations.

26
Harmonizing State Privacy Law

• 7 States participating
• FL, KY, KS, MI, MO, NM and TX
• Goal
• To advance the ability of states and territories
  to analyze and reform, if appropriate, existing
  laws to facilitate health information exchange
• Primary deliverable is a framework for
  legislative action

27
Harmonizing State Privacy Law Progress

• Updated State Law Report
• 2 types of recent legislative successes
• Incremental approaches addressing specific
  barriers
• Process-oriented approaches such as creation of a
  standard patient authorization form
• Less successful
• Attempts at enacting comprehensive detailed
  health information exchange legislation

28
Subject Matter Guide

• Tabular result of legislative scan
• Sort legislation into subject matter categories
  and indicate states that have legislation in each
  area

29
Comparative Analysis Worksheet

• Create expanded version of Subject Matter Guide

30
Harmonizing State Privacy Law Impact

• States outside of the collaborative enter their
  data, identify gaps and set priorities for
  legislative action by determining if legislation
  is needed, feasible and compatible with other
  states.
• Enables states to identify legislation that is
  critical for development.

31
Consumer Education and Engagement

• 8 States participating
• CO, GA, KS, MA, NY, OR, WA and WV
• Goal
• To develop a series of coordinated state-specific
  projects that focus on targeted population groups
  to describe the risks and benefits of health
  information exchange, educate consumers about
  privacy and security, and develop messaging to
  address consumer privacy and security concerns.

32
Consumer Engagement

• States are currently working on their
  state-specific projects, which address priority
  education needs and often target specific
  populations
• States have started to share their products with
  others in the collaborative
• Websites are going live
• Ultimately they will develop collaborative level
  products and guidelines for consumer education

33
State-specific draft deliverables

• OR Revised the video produced under phase 2,
  soon to be publicly available
• CO Fact sheet
• GA Brochure
• KS Rural consumer education needs assessment

34
West Virginia

• Background document on benefits of health IT,
  electronic health records, interoperability
• Consumer FAQs
• Public Service Announcements for radio and TV
• Posters
• Brochures for physicians to distribute to
  consumers
• Brochures for consumers

35
West Virginia Benefits of EHR Brochure
36
West Virginia Privacy and Security Brochure
37
West Virginia Seniors Brochure
38
Consumer Education Impact

• States educate and engage their consumers,
  addressing the topic or target population that is
  most important to them
• States share their results with the collaborative
  (materials, dissemination plan, lessons learned)
  so that final sharable versions can made
  available.

39
Provider Education

• 8 States Participating
• FL, KY, LA, MI, MO, MS, TN and WY
• Goals
• To create a toolkit to introduce electronic
  health information exchange to providers
• To increase provider awareness of the privacy and
  security benefits and challenges of electronic
  health information exchange

40
Provider Education Approach

• Conduct baseline assessment Contact state and
  national provider associations gauge level of
  interest in and adoption of health IT and HIE.
  Capture preferred method of communication between
  each organization and its membership
• Select one provider type and one communication
  channel for pilot study
• Develop content core message with universal tag
  line

41
Baseline Assessment

• Contacted approximately 300 organizations
  conducted structured conversations
• Organizational information
• Organization type (e.g. member advocacy,
  research, govt agency)
• Affiliate (physicians, nurses researchers,
  legislators)
• Observations about members perceptions of HIT
  and HIE
• Privacy and security concerns
• Readiness for adoption
• Acceptance of an educational campaign
• Perceived barriers to exchange
• Preferred communication channel

42
Selecting Provider Type for Pilot Campaign

• Developed process
• Assign score for each evaluation factor to each
  provider type
• Manageable population appropriate size for
  state
• Targeted or well-defined population
• Population with impact and importance
• Similar learning style/communication channel
• Engaged partner for pilot (ready and willing)
• Select provider type with highest weighted average

43
Communication Matrix
Completed preliminary work
44
Provider Education Impact

• After testing core message on one provider type
  using one communication channel, refine approach
  based on lessons learned and deploy campaign to
  additional types/channels
• Enhance awareness
• Address perceived barriers
• Encourage adoption and participation in private
  and secure exchange to improve the quality of care

45
Adoption of Standard Policies

• 10 States participating
• AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA
• Goals
• To develop a set of basic policy requirements for
  authentication and audit
• To define an implementation strategy to help
  states and territories adopt agreed-upon policies

46
Adoption of Standard Policies Progress

• Developed a standard process for capturing
  current requirements for authentication and audit
  
• Captured current requirements in 6 modeling
  states that have HIOs
• AZ, CO and OK Federated models
• WA Centralized health record banking model
• CT Hybrid
• NE (3) 1 Federated, 1 Banking, and 1 Hybrid

47
Adoption of Standard Policies Progress

• Selected AHIC use cases for Medication Management
  and Laboratory EHR as scenarios for testing
  minimum authentication and audit requirements
• Developed intricate, detailed, multipart template
  for capturing results
• Will use data to expand reports on requirements

48
Adoption of Standard Policies Results

• All states will begin to address any
  authentication and audit gaps they identify
• States that have less stringent policies will
  know where they need to strengthen them to be on
  par with other exchanges
• States that are in the process of forming HIOs
  and establishing authentication and audit
  policies will know what requirements theyll need
  to meet

49
Adoption of Standard Policies Result

• Final report will be a guide to other states so
  they can understand the minimum authentication
  and audit policies for exchanging data.

50
Interorganizational Agreements

• 7 states participating
• AK, GU, IA, NJ, NC, PR and SD
• Goals
• To develop a standardized core set of privacy and
  security components to include in
  interorganizational agreements
• To execute interorganizational agreements and
  exchange data through cross-state pilots wherever
  possible

51
Interorganizational Agreements Progress

• Collected library of data use agreements
• Developed classification scheme for all
  provisions in a data use agreement.
• Applied classification scheme to every document
  in library
• Generated master document of all provisions
  sorted by type of provision
• Ranked provisions from most preferred to least
  preferred by type.
• Identified provisions that would present a
  conflict, breach or issue with state laws,
  regulations, or case law.

52
Interorganizational Agreements Next Steps

• Create model agreements
• Coordinate with DURSA and others
• Sign agreements
• Exchange data in pilot studies

53
Current and Future Activities

• ONC currently considering suggestions for
  follow-up projects solicited from HISPC
  collaboratives and states
• ONC continues to manage intersections between
  HISPC and their other initiatives
• Nationwide Conference tentatively scheduled for
  March 2009 in Washington DC

54
Links

• http//healthit.ahrq.gov
• www.hhs.gov/healthit
• http//privacysecurity.rti.org
• www.rti.org
• Identifiable information in this report or
  presentation is protected by federal law, Section
  924(c) of the Public Health Service Act, 42
  U.S.C. 299c-3(c). Any confidential identifiable
  information in this report or presentation that
  is knowingly disclosed is disclosed solely for
  the purpose for which it was provided