Health Information Security and Privacy Collaboration (HISPC): Calming the Waters Across State Lines. Presented by Alison K. Banger, RTI International. Presented at HIPAA Collaborative of Wisconsin Fall Meeting, September 2008, Sheboygan, WI. 2951 Flowers Rd., Suite 119, Atlanta, GA 30341. Phone: 770-234-5049 Fax: 770-234-5030 E-mail: [email protected]


Health Information Security and Privacy Collaboration (HISPC):

Calming the Waters Across State Lines

Presented by Alison K. Banger RTI International

Presented at HIPAA Collaborative of Wisconsin Fall Meeting

September 2008, Sheboygan, WI

2951 Flowers Rd., Suite 119, Atlanta, GA 30341

Phone: 770-234-5049 Fax: 770-234-5030 E-mail: [email protected]


Overview

Background on HISPC Phases 1 and 2

Phase 3: the 7 Collaborative Work Groups

Next steps


Phase 1

Timeline: June 2006 – April 2007

Participation: 33 States and 1 territory

Scope: Assess variation, develop solutions and implementation plans

Methods:

Community-based research model

Engage a broad range of stakeholders

Follow common methodology

Panel of experts

National direction with local control


Phase 1 Products

Summary reports released

Assessment of Variation and Analysis of Solutions

Implementation Plans

Nationwide Summary

Reports and presentations publicly available

RTI Project site: http://privacysecurity.rti.org

AHRQ National Resource Center: http://healthit.ahrq.gov


Key topic areas addressed by solutions

Harmonize the approach to patient permission for disclosure

Simplify the complex interplay among HIPAA privacy and security rules, other federal laws, and state laws.

Reduce variation in interpretations of HIPAA

Foster trust between providers participating in exchange and among consumers permitting their information to be exchanged


Phase 2

Timeline: May – December 2007

Participation: 42 states and 2 territories

Scope:

Implement 6-month projects

Develop plans for collaboration in Phase 3

Methods:

34 Phase 1 teams implement state-specific solutions

All 44 teams contribute to collaborative proposals


Phase 2 Products

RTI Products:

HISPC Toolkit

Impact Analysis report

State Products:

November 2007 Conference Presentations

34 states produce a multitude of state-specific deliverables, including reports, videos, websites, model agreements, model forms and educational toolkits

42 states/territories submit proposals to participate in the Phase 3 collaborative work groups



Phase 3

Timeline: April 2008 – March 2009

Participation: 40 states and 2 territories in 7 collaboratives

Scope: Execute collaborative strategies developed in Phase 2

Methods:

States work both individually and collaboratively to complete project scope

Co-chairs of each collaborative form steering committee

RTI partners with Georgetown on State and Territory Law Analysis


The 7 Collaborative Work Groups

Consent 1, Data Elements

Consent 2, Policy Options

Harmonizing State Privacy Law

Consumer Education and Engagement

Provider Education

Adoption of Standard Policies

Interorganizational Agreements


Consent 1, Data Elements

11 States participating:

IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI

Goals:

To establish a model for identifying and resolving patient consent and information disclosure requirements across states.

To develop a foundational reference guide that describes and compares the requirements mandated by state law and any known regional or local consent policies and practices in each participating state.

Data Elements?

What consent information does a state need to reply to a request from another state? Signed consent form? With what information? Any restrictions? Do the answers change depending on the type or source of the information?


Consent 1 Progress: Scenarios and Template

Scenarios:

Treatment – Non-Emergency

Treatment – Emergency

Public Health

Template:

Intricate, detailed set of spreadsheets

A battery of general questions with follow up questions for capturing additional detail

Completed by the legal work group in each state


General Questions

1. Does your state regulate the disclosure of PHI based on where the data are created?

2. Does your state regulate the disclosure of PHI based on who holds the data?

3. Does your state regulate the disclosure of PHI based on the type of data disclosed?

4. In the context of your state's disclosure laws, does the type of healthcare provider to whom the PHI is disclosed matter?


General Questions (continued)

5. Does your state regulate the disclosure of PHI by any other factors not listed above?

6. Does your state law distinguish between disclosing the complete medical record and disclosing parts of the record?

7. Does your state law have different disclosure requirements if disclosing within the state versus disclosing to healthcare providers in another state?

8. Does your state law mandate actions following a disclosure of PHI without consent?


Capturing Additional Detail

Grid of types of PHI by sources of PHI for recording where consent is required or other disclosure requirements exist

Worksheet for adding detail about any of the other disclosure requirements noted

EX: Statutes governing mental health records, linked to medication history (type) generated by a mental health facility (source)

Worksheet for capturing legal citations

Worksheet for answering a battery of questions about any “yes” in the type/source grid.


Grid of Types of PHI by Sources of PHI


Impact of Consent 1

A guide to navigating cross-state variation in consent requirements

A comparative analysis that will allow individuals in different states to see areas where change might be required to better align with their neighbors to facilitate exchange


Consent 2, Policy Options

4 States participating:

CA, IL, NC and OH

Goals:

To identify the different consent approaches within and between states

To propose policy approaches for consent that facilitate interstate electronic health information exchange


Consent 2 Progress

Formed 2 subgroups:

Interstate consent (OH and IL)

Explore the viability of four specific legal mechanisms that states could use to resolve barriers to the exchange of protected health information among states that have conflicting state laws governing consent

Intrastate consent (NC and CA)

Identify and describe model approaches to consent

Test model approaches against scenarios (use cases) and pilot projects.

Allow other states to consider the risks and benefits of each approach as they evaluate policies and decide which approach to use


Interstate Consent Mechanisms

Uniform state law

Offers states the option to enact the same law governing consent, which would supersede any conflicting laws between adopting states.

Model Act

Similar to uniform law, except that it may or may not be adopted in its entirety. States frequently modify a model act to meet their own needs, or adopt only a portion of the model act.


Interstate Consent Mechanisms

Choice of law

A provision that states could adopt to specify which state’s law governs consent when PHI is requested to be exchanged between states with conflicting laws.

Interstate compact

A voluntary agreement between two or more states, designed to meet common problems of the parties concerned. Would supersede conflicting laws between states that join the compact.


Interstate Consent Subgroup Result

The collaborative will provide other states a systematic process for evaluating and selecting one of these mechanisms to align consent requirements for exchanging PHI between states that have conflicting privacy laws.


Intrastate Consent Model Approaches

Opt out: Patients’ records are automatically placed into the HIE system and exchanged unless patient chooses to remove records.

Opt out with exceptions: Patients’ records are automatically placed into the HIE system and exchange is allowed. However, patients have the right to opt out of having their records shared with specified providers or other entities.

No consent: Patients’ records are automatically placed into the HIE system, regardless of patient preferences.

Opt in with restrictions: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient. Restrictions allowed.

Opt in unless otherwise required by law: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient.


Scenarios

Lab Results

Outpatient Care Coordination

Reportable Disease

Minor Seeking Birth Control

Substance Abuse Consultation

Data Warehouse/Decision Support


Intrastate Consent Subgroup Result

By systematically testing these options using the scenarios, the intrastate subgroup will:

Generate a list of issues

Describe alternative solutions available through the various models

Critically analyze the alternatives and make recommendations.


Harmonizing State Privacy Law

7 States participating:

FL, KY, KS, MI, MO, NM and TX

Goal:

To advance the ability of states and territories to analyze and reform, if appropriate, existing laws to facilitate health information exchange

Primary deliverable is a framework for legislative action


Harmonizing State Privacy Law Progress

Updated State Law Report

2 types of recent legislative successes:

Incremental approaches addressing specific barriers

Process-oriented approaches such as creation of a standard patient authorization form

Less successful:

Attempts at enacting comprehensive detailed health information exchange legislation


Subject Matter Guide

Tabular result of legislative scan

Sort legislation into subject matter categories and indicate states that have legislation in each area

AREA | STATES WITH RELEVANT LEGISLATION | NUMBER OF STATES
Privacy | |
Comprehensive general privacy act | Virginia | 1
Comprehensive medical privacy act | Arkansas, Hawaii, Maryland, North Carolina, Tennessee, Virginia, West Virginia, Maine, North Dakota, Oklahoma, Puerto Rico, South Dakota, Texas | 13
Constitutional right to privacy | Arkansas, Connecticut, Florida, Hawaii, Illinois, Michigan, New Jersey, South Carolina, South Dakota, Wisconsin | 10


Comparative Analysis Worksheet

Create expanded version of Subject Matter Guide

Area | Citation/Link | More Stringent than HIPAA | References to Related State/Federal Law & Legislative Proposals | for patient care? | for population health?
Privacy | | | | |
Comprehensive general privacy act | | | | |
Comprehensive medical privacy act | | | | |
Constitutional right to privacy | | | | |


Harmonizing State Privacy Law Impact

States outside of the collaborative enter their data, identify gaps and set priorities for legislative action by determining if legislation is needed, feasible and compatible with other states.

Enables states to identify legislation that is critical for development.


Consumer Education and Engagement

8 States participating:

CO, GA, KS, MA, NY, OR, WA and WV

Goal:

To develop a series of coordinated state-specific projects that focus on targeted population groups to describe the risks and benefits of health information exchange, educate consumers about privacy and security, and develop messaging to address consumer privacy and security concerns.


Consumer Engagement

States are currently working on their state-specific projects, which address priority education needs and often target specific populations

States have started to share their products with others in the collaborative

Websites are going live

Ultimately they will develop collaborative level products and guidelines for consumer education


State-specific draft deliverables

OR: Revised the video produced under phase 2, soon to be publicly available

CO: Fact sheet

GA: Brochure

KS: Rural consumer education needs assessment


West Virginia

Background document on benefits of health IT, electronic health records, interoperability

Consumer FAQs

Public Service Announcements for radio and TV

Posters

Brochures for physicians to distribute to consumers

Brochures for consumers


West Virginia Benefits of EHR Brochure


West Virginia Privacy and Security Brochure


West Virginia Seniors Brochure


Consumer Education Impact

States educate and engage their consumers, addressing the topic or target population that is most important to them

States share their results with the collaborative (materials, dissemination plan, lessons learned) so that final “sharable” versions can be made available.


Provider Education

8 States Participating:

FL, KY, LA, MI, MO, MS, TN and WY

Goals:

To create a toolkit to introduce electronic health information exchange to providers

To increase provider awareness of the privacy and security benefits and challenges of electronic health information exchange


Provider Education Approach

Conduct baseline assessment: Contact state and national provider associations; gauge level of interest in and adoption of health IT and HIE. Capture preferred method of communication between each organization and its membership

Select one provider type and one communication channel for pilot study

Develop content: core message with universal tag line


Baseline Assessment

Contacted approximately 300 organizations; conducted structured conversations

Organizational information:

Organization type (e.g. member advocacy, research, gov’t agency)

Affiliate (physicians, nurses, researchers, legislators)

Observations about members’ perceptions of HIT and HIE:

Privacy and security concerns

Readiness for adoption

Acceptance of an educational campaign

Perceived barriers to exchange

Preferred communication channel


Selecting Provider Type for Pilot Campaign

Developed process:

Assign score for each evaluation factor to each provider type

Manageable population – appropriate size for state

Targeted or well-defined population

Population with impact and importance

Similar learning style/communication channel

Engaged partner for pilot (ready and willing)

Select provider type with highest weighted average


Communication Matrix

Completed preliminary work


Provider Education Impact

After testing core message on one provider type using one communication channel, refine approach based on lessons learned and deploy campaign to additional types/channels

Enhance awareness

Address perceived barriers

Encourage adoption and participation in private and secure exchange to improve the quality of care


Adoption of Standard Policies

10 States participating:

AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA

Goals:

To develop a set of basic policy requirements for authentication and audit

To define an implementation strategy to help states and territories adopt agreed-upon policies


Adoption of Standard Policies Progress

Developed a standard process for capturing current requirements for authentication and audit

Captured current requirements in 6 modeling states that have HIOs:

AZ, CO and OK: Federated models

WA: Centralized health record banking model

CT: Hybrid

NE (3): 1 Federated, 1 Banking, and 1 Hybrid


Adoption of Standard Policies Progress

Selected AHIC use cases for Medication Management and Laboratory EHR as scenarios for testing minimum authentication and audit requirements

Developed intricate, detailed, multipart template for capturing results

Will use data to expand reports on requirements


Adoption of Standard Policies Results

All states will begin to address any authentication and audit gaps they identify

States that have less stringent policies will know where they need to strengthen them to be on par with other exchanges

States that are in the process of forming HIOs and establishing authentication and audit policies will know what requirements they’ll need to meet


Adoption of Standard Policies Result

Final report will be a guide to other states so they can understand the minimum authentication and audit policies for exchanging data.


Interorganizational Agreements

7 states participating:

AK, GU, IA, NJ, NC, PR and SD

Goals:

To develop a standardized core set of privacy and security components to include in interorganizational agreements

To execute interorganizational agreements and exchange data through cross-state pilots wherever possible


Interorganizational Agreements Progress

Collected library of data use agreements

Developed classification scheme for all provisions in a data use agreement.

Applied classification scheme to every document in library

Generated master document of all provisions sorted by type of provision

Ranked provisions from “most preferred” to “least preferred” by type.

Identified provisions that would present a conflict, breach or issue with state laws, regulations, or case law.


Interorganizational Agreements Next Steps

Create model agreements

Coordinate with DURSA and others

Sign agreements

Exchange data in pilot studies


Current and Future Activities

ONC currently considering suggestions for follow-up projects solicited from HISPC collaboratives and states

ONC continues to manage intersections between HISPC and their other initiatives

Nationwide Conference tentatively scheduled for March 2009 in Washington DC


Links

http://healthit.ahrq.gov

www.hhs.gov/healthit

http://privacysecurity.rti.org

www.rti.org

Identifiable information in this report or presentation is protected by federal law, Section 924(c) of the Public Health Service Act, 42 U.S.C. 299c-3(c). Any confidential identifiable information in this report or presentation that is knowingly disclosed is disclosed solely for the purpose for which it was provided.