Health Information Security and Privacy Collaboration (HISPC):
Calming the Waters Across State Lines
Presented by Alison K. Banger RTI International
Presented at HIPAA Collaborative of Wisconsin Fall Meeting
September 2008, Sheboygan, WI
2951 Flowers Rd., Suite 119, Atlanta, GA 30341
Phone: 770-234-5049 Fax: 770-234-5030 E-mail: [email protected]
2
Overview
Background on HISPC Phases 1 and 2
Phase 3: the 7 Collaborative Work Groups
Next steps
3
Phase 1
Timeline: June 2006 – April 2007
Participation: 33 States and 1 territory
Scope: Assess variation, develop solutions and implementation plans
Methods:
Community-based research model
Engage a broad range of stakeholders
Follow common methodology
Panel of experts
National direction with local control
4
Phase 1 Products
Summary reports released
Assessment of Variation and Analysis of Solutions
Implementation Plans
Nationwide Summary
Reports and presentations publicly available
RTI Project site: http://privacysecurity.rti.org
AHRQ National Resource Center: http://healthit.ahrq.gov
5
Key topic areas addressed by solutions
Harmonize the approach to patient permission for disclosure
Simplify the complex interplay among HIPAA privacy and security rules, other federal laws, and state laws.
Reduce variation in interpretations of HIPAA
Foster trust between providers participating in exchange and among consumers permitting their information to be exchanged
6
Phase 2
Timeline: May – December 2007
Participation: 42 states and 2 territories
Scope:
Implement 6-month projects
Develop plans for collaboration in Phase 3
Methods:
34 Phase 1 teams implement state-specific solutions
All 44 teams contribute to collaborative proposals
7
Phase 2 Products
RTI Products:
HISPC Toolkit
Impact Analysis report
State Products:
November 2007 Conference Presentations
34 states produce a multitude of state-specific deliverables, including reports, videos, websites, model agreements, model forms and educational toolkits
42 states/territories submit proposals to participate in the Phase 3 collaborative work groups
8
Phase 3
9
Phase 3
Timeline: April 2008 – March 2009
Participation: 40 states and 2 territories in 7 collaboratives
Scope: Execute collaborative strategies developed in Phase 2
Methods:
States work both individually and collaboratively to complete project scope
Co-chairs of each collaborative form steering committee
RTI partners with Georgetown on State and Territory Law Analysis
10
The 7 Collaborative Work Groups
Consent 1, Data Elements
Consent 2, Policy Options
Harmonizing State Privacy Law
Consumer Education and Engagement
Provider Education
Adoption of Standard Policies
Interorganizational Agreements
11
Consent 1, Data Elements
11 States participating:
IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI
Goals:
To establish a model for identifying and resolving patient consent and information disclosure requirements across states.
To develop a foundational reference guide that describes and compares the requirements mandated by state law and any known regional or local consent policies and practices in each participating state.
Data Elements?
What consent information does a state need to reply to a request from another state? Signed consent form? With what information? Any restrictions? Do the answers change depending on the type or source of the information?
12
Consent 1 Progress: Scenarios and Template
Scenarios:
Treatment – Non-Emergency
Treatment – Emergency
Public Health
Template:
Intricate, detailed set of spreadsheets
A battery of general questions with follow up questions for capturing additional detail
Completed by the legal work group in each state
13
General Questions
1. Does your state regulate the disclosure of PHI based on where the data are created?
2. Does your state regulate the disclosure of PHI based on who holds the data?
3. Does your state regulate the disclosure of PHI based on the type of data disclosed?
4. In the context of your state's disclosure laws, does the type of healthcare provider to whom the PHI is disclosed matter?
14
General Questions (continued)
5. Does your state regulate the disclosure of PHI by any other factors not listed above?
6. Does your state law distinguish between disclosing the complete medical record and disclosing parts of the record?
7. Does your state law have different disclosure requirements if disclosing within the state versus disclosing to healthcare providers in another state?
8. Does your state law mandate actions following a disclosure of PHI without consent?
15
Capturing Additional Detail
Grid of types of PHI by sources of PHI for recording where consent is required or other disclosure requirements exist
Worksheet for adding detail about any of the other disclosure requirements noted
EX: Statutes governing mental health records, linked to medication history (type) generated by a mental health facility (source)
Worksheet for capturing legal citations
Worksheet for answering a battery of questions about any “yes” in the type/source grid.
16
Grid of Types of PHI by Sources of PHI
17
Impact of Consent 1
A guide to navigating cross-state variation in consent requirements
A comparative analysis that will allow individuals in different states to see areas where change might be required to better align with their neighbors to facilitate exchange
18
Consent 2, Policy Options
4 States participating:
CA, IL, NC and OH
Goals:
To identify the different consent approaches within and between states
To propose policy approaches for consent that facilitate interstate electronic health information exchange
19
Consent 2 Progress
Formed 2 subgroups:
Interstate consent (OH and IL)
Explore the viability of four specific legal mechanisms that states could use to resolve barriers to the exchange of protected health information among states that have conflicting state laws governing consent
Intrastate consent (NC and CA)
Identify and describe model approaches to consent
Test model approaches against scenarios (use cases) and pilot projects.
Allow other states to consider the risks and benefits of each approach as they evaluate policies and decide which approach to use
20
Interstate Consent Mechanisms
Uniform state law
Offers states the option to enact the same law governing consent, which would supersede any conflicting laws between adopting states.
Model Act
Similar to uniform law, except that it may or may not be adopted in its entirety. States frequently modify a model act to meet their own needs, or adopt only a portion of the model act.
21
Interstate Consent Mechanisms
Choice of law
A provision that states could adopt to specify which state’s law governs consent when PHI is requested to be exchanged between states with conflicting laws.
Interstate compact
A voluntary agreement between two or more states, designed to meet common problems of the parties concerned. Would supersede conflicting laws between states that join the compact.
22
Interstate Consent Subgroup Result
The collaborative will provide other states a systematic process for evaluating and selecting one of these mechanisms to align consent requirements for exchanging PHI between states that have conflicting privacy laws.
23
Intrastate Consent Model Approaches
Opt out: Patients’ records are automatically placed into the HIE system and exchanged unless patient chooses to remove records.
Opt out with exceptions: Patients’ records are automatically placed into the HIE system and exchange is allowed. However, patients have the right to opt out of having their records shared with specified providers or other entities.
No consent: Patients’ records are automatically placed into the HIE system, regardless of patient preferences.
Opt in with restrictions: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient. Restrictions allowed.
Opt in unless otherwise required by law: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient.
24
Scenarios
Lab Results
Outpatient Care Coordination
Reportable Disease
Minor Seeking Birth Control
Substance Abuse Consultation
Data Warehouse/Decision Support
25
Intrastate Consent Subgroup Result
By systematically testing these options using the scenarios, the intrastate subgroup will:
Generate a list of issues
Describe alternative solutions available through the various models
Critically analyze the alternatives and make recommendations.
26
Harmonizing State Privacy Law
7 States participating:
FL, KY, KS, MI, MO, NM and TX
Goal:
To advance the ability of states and territories to analyze and reform, if appropriate, existing laws to facilitate health information exchange
Primary deliverable is a framework for legislative action
27
Harmonizing State Privacy Law Progress
Updated State Law Report
2 types of recent legislative successes:
Incremental approaches addressing specific barriers
Process-oriented approaches such as creation of a standard patient authorization form
Less successful:
Attempts at enacting comprehensive detailed health information exchange legislation
28
Subject Matter Guide
Tabular result of legislative scan
Sort legislation into subject matter categories and indicate states that have legislation in each area
AREA | STATES WITH RELEVANT LEGISLATION | NUMBER OF STATES
Privacy
Comprehensive general privacy act | Virginia | 1
Comprehensive medical privacy act | Arkansas, Hawaii, Maryland, North Carolina, Tennessee, Virginia, West Virginia, Maine, North Dakota, Oklahoma, Puerto Rico, South Dakota, Texas | 13
Constitutional right to privacy | Arkansas, Connecticut, Florida, Hawaii, Illinois, Michigan, New Jersey, South Carolina, South Dakota, Wisconsin | 10
29
Comparative Analysis Worksheet
Create expanded version of Subject Matter Guide
Area | Citation/Link | More Stringent than HIPAA | References to Related State/Federal Law & Legislative Proposals | for patient care? | for population health?
Privacy
Comprehensive general privacy act | | | | |
Comprehensive medical privacy act | | | | |
Constitutional right to privacy | | | | |
30
Harmonizing State Privacy Law Impact
States outside of the collaborative enter their data, identify gaps and set priorities for legislative action by determining if legislation is needed, feasible and compatible with other states.
Enables states to identify legislation that is critical for development.
31
Consumer Education and Engagement
8 States participating:
CO, GA, KS, MA, NY, OR, WA and WV
Goal:
To develop a series of coordinated state-specific projects that focus on targeted population groups to describe the risks and benefits of health information exchange, educate consumers about privacy and security, and develop messaging to address consumer privacy and security concerns.
32
Consumer Engagement
States are currently working on their state-specific projects, which address priority education needs and often target specific populations
States have started to share their products with others in the collaborative
Websites are going live
Ultimately they will develop collaborative level products and guidelines for consumer education
33
State-specific draft deliverables
OR: Revised the video produced under phase 2, soon to be publicly available
CO: Fact sheet
GA: Brochure
KS: Rural consumer education needs assessment
34
West Virginia
Background document on benefits of health IT, electronic health records, interoperability
Consumer FAQs
Public Service Announcements for radio and TV
Posters
Brochures for physicians to distribute to consumers
Brochures for consumers
35
West Virginia Benefits of EHR Brochure
36
West Virginia Privacy and Security Brochure
37
West Virginia Seniors Brochure
38
Consumer Education Impact
States educate and engage their consumers, addressing the topic or target population that is most important to them
States share their results with the collaborative (materials, dissemination plan, lessons learned) so that final “sharable” versions can be made available.
39
Provider Education
8 States Participating:
FL, KY, LA, MI, MO, MS, TN and WY
Goals:
To create a toolkit to introduce electronic health information exchange to providers
To increase provider awareness of the privacy and security benefits and challenges of electronic health information exchange
40
Provider Education Approach
Conduct baseline assessment: Contact state and national provider associations; gauge level of interest in and adoption of health IT and HIE. Capture preferred method of communication between each organization and its membership
Select one provider type and one communication channel for pilot study
Develop content: core message with universal tag line
41
Baseline Assessment
Contacted approximately 300 organizations; conducted structured conversations
Organizational information:
Organization type (e.g. member advocacy, research, gov’t agency)
Affiliate (physicians, nurses, researchers, legislators)
Observations about members’ perceptions of HIT and HIE:
Privacy and security concerns
Readiness for adoption
Acceptance of an educational campaign
Perceived barriers to exchange
Preferred communication channel
42
Selecting Provider Type for Pilot Campaign
Developed process:
Assign score for each evaluation factor to each provider type
Manageable population – appropriate size for state
Targeted or well-defined population
Population with impact and importance
Similar learning style/communication channel
Engaged partner for pilot (ready and willing)
Select provider type with highest weighted average
43
Communication Matrix
Completed preliminary work
44
Provider Education Impact
After testing core message on one provider type using one communication channel, refine approach based on lessons learned and deploy campaign to additional types/channels
Enhance awareness
Address perceived barriers
Encourage adoption and participation in private and secure exchange to improve the quality of care
45
Adoption of Standard Policies
10 States participating:
AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA
Goals:
To develop a set of basic policy requirements for authentication and audit
To define an implementation strategy to help states and territories adopt agreed-upon policies
46
Adoption of Standard Policies Progress
Developed a standard process for capturing current requirements for authentication and audit
Captured current requirements in 6 modeling states that have HIOs:
AZ, CO and OK: Federated models
WA: Centralized health record banking model
CT: Hybrid
NE (3): 1 Federated, 1 Banking, and 1 Hybrid
47
Adoption of Standard Policies Progress
Selected AHIC use cases for Medication Management and Laboratory EHR as scenarios for testing minimum authentication and audit requirements
Developed intricate, detailed, multipart template for capturing results
Will use data to expand reports on requirements
48
Adoption of Standard Policies Results
All states will begin to address any authentication and audit gaps they identify
States that have less stringent policies will know where they need to strengthen them to be on par with other exchanges
States that are in the process of forming HIOs and establishing authentication and audit policies will know what requirements they’ll need to meet
49
Adoption of Standard Policies Result
Final report will be a guide to other states so they can understand the minimum authentication and audit policies for exchanging data.
50
Interorganizational Agreements
7 states participating:
AK, GU, IA, NJ, NC, PR and SD
Goals:
To develop a standardized core set of privacy and security components to include in interorganizational agreements
To execute interorganizational agreements and exchange data through cross-state pilots wherever possible
51
Interorganizational Agreements Progress
Collected library of data use agreements
Developed classification scheme for all provisions in a data use agreement.
Applied classification scheme to every document in library
Generated master document of all provisions sorted by type of provision
Ranked provisions from “most preferred” to “least preferred” by type.
Identified provisions that would present a conflict, breach or issue with state laws, regulations, or case law.
52
Interorganizational Agreements Next Steps
Create model agreements
Coordinate with DURSA and others
Sign agreements
Exchange data in pilot studies
53
Current and Future Activities
ONC currently considering suggestions for follow-up projects solicited from HISPC collaboratives and states
ONC continues to manage intersections between HISPC and their other initiatives
Nationwide Conference tentatively scheduled for March 2009 in Washington DC
54
Links
http://healthit.ahrq.gov
www.hhs.gov/healthit
http://privacysecurity.rti.org
www.rti.org
Identifiable information in this report or presentation is protected by federal law, Section 924(c) of the Public Health Service Act, 42 U.S.C. 299c-3(c). Any confidential identifiable information in this report or presentation that is knowingly disclosed is disclosed solely for the purpose for which it was provided.