Health Information Security and Privacy Collaboration HISPC: Calming the Waters Across State Lines P - PowerPoint PPT Presentation


PPT – Health Information Security and Privacy Collaboration HISPC: Calming the Waters Across State Lines P PowerPoint presentation | free to view - id: 3cf3b-YWE0Z


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Health Information Security and Privacy Collaboration HISPC: Calming the Waters Across State Lines P


Does your state regulate the disclosure of PHI based on where the data are created? ... Hawaii, Maryland, North Carolina, Tennessee, Virginia, West Virginia, Maine, ... – PowerPoint PPT presentation

Number of Views:56
Avg rating:3.0/5.0
Slides: 55
Provided by: hipa


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Health Information Security and Privacy Collaboration HISPC: Calming the Waters Across State Lines P

Health Information Security and Privacy
Collaboration (HISPC) Calming the Waters Across
State Lines Presented by Alison K. Banger RTI
InternationalPresented atHIPAA Collaborative
of Wisconsin Fall Meeting September 2008,
Sheboygan, WI
2951 Flowers Rd.,
Suite 119, Atlanta, GA 30341
Phone 770-234-5049
  • Background on HISPC Phases 1 and 2
  • Phase 3 the 7 Collaborative Work Groups
  • Next steps

Phase 1
  • Timeline June 2006 April 2007
  • Participation 33 States and 1 territory
  • Scope Assess variation, develop solutions and
    implementation plans
  • Methods
  • Community-based research model
  • Engage a broad range of stakeholders
  • Follow common methodology
  • Panel of experts
  • National direction with local control

Phase 1 Products
  • Summary reports released
  • Assessment of Variation and Analysis of Solutions
  • Implementation Plans
  • Nationwide Summary
  • Reports and presentations publicly available
  • RTI Project site http//
  • AHRQ National Resource Center http//healthit.ahr

Key topic areas addressed by solutions
  • Harmonize the approach to patient permission for
  • Simplify the complex interplay among HIPAA
    privacy and security rules, other federal laws,
    and state laws.
  • Reduce variation in interpretations of HIPAA
  • Foster trust between providers participating in
    exchange and among consumers permitting their
    information to be exchanged

Phase 2
  • Timeline May December 2007
  • Participation 42 states and 2 territories
  • Scope
  • Implement 6-month projects
  • Develop plans for collaboration in Phase 3
  • Methods
  • 34 Phase 1 teams implement state-specific
  • All 44 teams contribute to collaborative proposals

Phase 2 Products
  • RTI Products
  • HISPC Toolkit
  • Impact Analysis report
  • State Products
  • November 2007 Conference Presentations
  • 34 states produce a multitude of state-specific
    deliverables, including reports, videos,
    websites, model agreements, model forms and
    educational toolkits
  • 42 states/territories submit proposals to
    participate in the Phase 3 collaborative work

Phase 3
Phase 3
  • Timeline April 2008 March 2009
  • Participation 40 states and 2 territories in 7
  • Scope Execute collaborative strategies developed
    in Phase 2
  • Methods
  • States work both individually and collaboratively
    to complete project scope
  • Co-chairs of each collaborative form steering
  • RTI partners with Georgetown on State and
    Territory Law Analysis

The 7 Collaborative Work Groups
  • Consent 1, Data Elements
  • Consent 2, Policy Options
  • Harmonizing State Privacy Law
  • Consumer Education and Engagement
  • Provider Education
  • Adoption of Standard Policies
  • Interorganizational Agreements

Consent 1, Data Elements
  • 11 States participating
  • IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI
  • Goals
  • To establish a model for identifying and
    resolving patient consent and information
    disclosure requirements across states.
  • To develop a foundational reference guide that
    describes and compares the requirements mandated
    by state law and any known regional or local
    consent policies and practices in each
    participating state.
  • Data Elements?
  • What consent information does a state need to
    reply to a request from another state? Signed
    consent form? With what information? Any
    restrictions? Do the answers change depending on
    the type or source of the information?

Consent 1 Progress Scenarios and Template
  • Scenarios
  • Treatment Non-Emergency
  • Treatment Emergency
  • Public Health
  • Template
  • Intricate, detailed set of spreadsheets
  • A battery of general questions with follow up
    questions for capturing additional detail
  • Completed by the legal work group in each state

General Questions
  • Does your state regulate the disclosure of PHI
    based on where the data are created?
  • Does your state regulate the disclosure of PHI
    based on who holds the data?
  • Does your state regulate the disclosure of PHI
    based on the type of data disclosed?
  • In the context of your state's disclosure laws,
    does the type of healthcare provider to whom the
    PHI is disclosed matter?

General Questions (continued)
  • Does your state regulate the disclosure of PHI by
    any other factors not listed above?
  • Does your state law distinguish between
    disclosing the complete medical record and
    disclosing parts of the record?
  • Does your state law have different disclosure
    requirements if disclosing within the state
    versus disclosing to healthcare providers in
    another state?
  • Does your state law mandate actions following a
    disclosure of PHI without consent?

Capturing Additional Detail
  • Grid of types of PHI by sources of PHI for
    recording where consent is required or other
    disclosure requirements exist
  • Worksheet for adding detail about any of the
    other disclosure requirements noted
  • EX Statutes governing mental health records,
    linked to medication history (type) generated by
    a mental health facility (source)
  • Worksheet for capturing legal citations
  • Worksheet for answering a battery of questions
    about any yes in the type/source grid.

Grid of Types of PHI by Sources of PHI
Impact of Consent 1
  • A guide to navigating cross-state variation in
    consent requirements
  • A comparative analysis that will allow
    individuals in different states to see areas
    where change might be required to better align
    with their neighbors to facilitate exchange

Consent 2, Policy Options
  • 4 States participating
  • CA, IL, NC and OH
  • Goals
  • To identify the different consent approaches
    within and between states
  • To propose policy approaches for consent that
    facilitate interstate electronic health
    information exchange

Consent 2 Progress
  • Formed 2 subgroups
  • Interstate consent (OH and IL)
  • Explore the viability of four specific legal
    mechanisms that states could use to resolve
    barriers to the exchange of protected health
    information among states that have conflicting
    state laws governing consent
  • Intrastate consent (NC and CA)
  • Identify and describe model approaches to consent
  • Test model approaches against scenarios (use
    cases) and pilot projects.
  • Allow other states to consider the risks and
    benefits of each approach as they evaluate
    policies and decide which approach to use

Interstate Consent Mechanisms
  • Uniform state law
  • Offers states the option to enact the same law
    governing consent, which would supersede any
    conflicting laws between adopting states.
  • Model Act
  • Similar to uniform law, except that it may or may
    not be adopted in its entirety. States
    frequently modify a model act to meet their own
    needs, or adopt only a portion of the model act.

Interstate Consent Mechanisms
  • Choice of law
  • A provision that states could adopt to specify
    which states law governs consent when PHI is
    requested to be exchanged between states with
    conflicting laws.
  • Interstate compact
  • A voluntary agreement between two or more states,
    designed to meet common problems of the parties
    concerned. Would supersede conflicting laws
    between states that join the compact.

Interstate Consent Subgroup Result
  • The collaborative will provide other states a
    systematic process for evaluating and selecting
    one of these mechanisms to align consent
    requirements for exchanging PHI between states
    that have conflicting privacy laws.

Intrastate Consent Model Approaches
  • Opt out Patients records are automatically
    placed into the HIE system and exchanged unless
    patient chooses to remove records.
  • Opt out with exceptions Patients records are
    automatically placed into the HIE system and
    exchange is allowed. However, patients have the
    right to opt out of having their records being
    shared with specified providers or other
  • No consent Patients records are automatically
    placed into the HIE system, regardless of patient
  • Opt in with restrictions Patients records are
    not automatically placed into the HIE system and
    exchange is not allowed without prior permission
    provided by the patient. Restrictions allowed.
  • Opt in unless otherwise required by law
    Patients records are not automatically placed
    into the HIE system and exchange is not allowed
    without prior permission provided by the patient.

  • Lab Results
  • Outpatient Care Coordination
  • Reportable Disease
  • Minor Seeking Birth Control
  • Substance Abuse Consultation
  • Data Warehouse/Decision Support

Intrastate Consent Subgroup Result
  • By systematically testing these options using the
    scenarios, the intrastate subgroup will
  • Generate a list of issues
  • Describe alternative solutions available through
    the various models
  • Critically analyze the alternatives and make

Harmonizing State Privacy Law
  • 7 States participating
  • FL, KY, KS, MI, MO, NM and TX
  • Goal
  • To advance the ability of states and territories
    to analyze and reform, if appropriate, existing
    laws to facilitate health information exchange
  • Primary deliverable is a framework for
    legislative action

Harmonizing State Privacy Law Progress
  • Updated State Law Report
  • 2 types of recent legislative successes
  • Incremental approaches addressing specific
  • Process-oriented approaches such as creation of a
    standard patient authorization form
  • Less successful
  • Attempts at enacting comprehensive detailed
    health information exchange legislation

Subject Matter Guide
  • Tabular result of legislative scan
  • Sort legislation into subject matter categories
    and indicate states that have legislation in each

Comparative Analysis Worksheet
  • Create expanded version of Subject Matter Guide

Harmonizing State Privacy Law Impact
  • States outside of the collaborative enter their
    data, identify gaps and set priorities for
    legislative action by determining if legislation
    is needed, feasible and compatible with other
  • Enables states to identify legislation that is
    critical for development.

Consumer Education and Engagement
  • 8 States participating
  • CO, GA, KS, MA, NY, OR, WA and WV
  • Goal
  • To develop a series of coordinated state-specific
    projects that focus on targeted population groups
    to describe the risks and benefits of health
    information exchange, educate consumers about
    privacy and security, and develop messaging to
    address consumer privacy and security concerns.

Consumer Engagement
  • States are currently working on their
    state-specific projects, which address priority
    education needs and often target specific
  • States have started to share their products with
    others in the collaborative
  • Websites are going live
  • Ultimately they will develop collaborative level
    products and guidelines for consumer education

State-specific draft deliverables
  • OR Revised the video produced under phase 2,
    soon to be publicly available
  • CO Fact sheet
  • GA Brochure
  • KS Rural consumer education needs assessment

West Virginia
  • Background document on benefits of health IT,
    electronic health records, interoperability
  • Consumer FAQs
  • Public Service Announcements for radio and TV
  • Posters
  • Brochures for physicians to distribute to
  • Brochures for consumers

West Virginia Benefits of EHR Brochure
West Virginia Privacy and Security Brochure
West Virginia Seniors Brochure
Consumer Education Impact
  • States educate and engage their consumers,
    addressing the topic or target population that is
    most important to them
  • States share their results with the collaborative
    (materials, dissemination plan, lessons learned)
    so that final sharable versions can made

Provider Education
  • 8 States Participating
  • FL, KY, LA, MI, MO, MS, TN and WY
  • Goals
  • To create a toolkit to introduce electronic
    health information exchange to providers
  • To increase provider awareness of the privacy and
    security benefits and challenges of electronic
    health information exchange

Provider Education Approach
  • Conduct baseline assessment Contact state and
    national provider associations gauge level of
    interest in and adoption of health IT and HIE.
    Capture preferred method of communication between
    each organization and its membership
  • Select one provider type and one communication
    channel for pilot study
  • Develop content core message with universal tag

Baseline Assessment
  • Contacted approximately 300 organizations
    conducted structured conversations
  • Organizational information
  • Organization type (e.g. member advocacy,
    research, govt agency)
  • Affiliate (physicians, nurses researchers,
  • Observations about members perceptions of HIT
    and HIE
  • Privacy and security concerns
  • Readiness for adoption
  • Acceptance of an educational campaign
  • Perceived barriers to exchange
  • Preferred communication channel

Selecting Provider Type for Pilot Campaign
  • Developed process
  • Assign score for each evaluation factor to each
    provider type
  • Manageable population appropriate size for
  • Targeted or well-defined population
  • Population with impact and importance
  • Similar learning style/communication channel
  • Engaged partner for pilot (ready and willing)
  • Select provider type with highest weighted average

Communication Matrix
Completed preliminary work
Provider Education Impact
  • After testing core message on one provider type
    using one communication channel, refine approach
    based on lessons learned and deploy campaign to
    additional types/channels
  • Enhance awareness
  • Address perceived barriers
  • Encourage adoption and participation in private
    and secure exchange to improve the quality of care

Adoption of Standard Policies
  • 10 States participating
  • AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA
  • Goals
  • To develop a set of basic policy requirements for
    authentication and audit
  • To define an implementation strategy to help
    states and territories adopt agreed-upon policies

Adoption of Standard Policies Progress
  • Developed a standard process for capturing
    current requirements for authentication and audit
  • Captured current requirements in 6 modeling
    states that have HIOs
  • AZ, CO and OK Federated models
  • WA Centralized health record banking model
  • CT Hybrid
  • NE (3) 1 Federated, 1 Banking, and 1 Hybrid

Adoption of Standard Policies Progress
  • Selected AHIC use cases for Medication Management
    and Laboratory EHR as scenarios for testing
    minimum authentication and audit requirements
  • Developed intricate, detailed, multipart template
    for capturing results
  • Will use data to expand reports on requirements

Adoption of Standard Policies Results
  • All states will begin to address any
    authentication and audit gaps they identify
  • States that have less stringent policies will
    know where they need to strengthen them to be on
    par with other exchanges
  • States that are in the process of forming HIOs
    and establishing authentication and audit
    policies will know what requirements theyll need
    to meet

Adoption of Standard Policies Result
  • Final report will be a guide to other states so
    they can understand the minimum authentication
    and audit policies for exchanging data.

Interorganizational Agreements
  • 7 states participating
  • AK, GU, IA, NJ, NC, PR and SD
  • Goals
  • To develop a standardized core set of privacy and
    security components to include in
    interorganizational agreements
  • To execute interorganizational agreements and
    exchange data through cross-state pilots wherever

Interorganizational Agreements Progress
  • Collected library of data use agreements
  • Developed classification scheme for all
    provisions in a data use agreement.
  • Applied classification scheme to every document
    in library
  • Generated master document of all provisions
    sorted by type of provision
  • Ranked provisions from most preferred to least
    preferred by type.
  • Identified provisions that would present a
    conflict, breach or issue with state laws,
    regulations, or case law.

Interorganizational Agreements Next Steps
  • Create model agreements
  • Coordinate with DURSA and others
  • Sign agreements
  • Exchange data in pilot studies

Current and Future Activities
  • ONC currently considering suggestions for
    follow-up projects solicited from HISPC
    collaboratives and states
  • ONC continues to manage intersections between
    HISPC and their other initiatives
  • Nationwide Conference tentatively scheduled for
    March 2009 in Washington DC

  • http//
  • http//
  • Identifiable information in this report or
    presentation is protected by federal law, Section
    924(c) of the Public Health Service Act, 42
    U.S.C. 299c-3(c). Any confidential identifiable
    information in this report or presentation that
    is knowingly disclosed is disclosed solely for
    the purpose for which it was provided