170 likes | 303 Views
New York Health Information Security and Privacy Collaboration (NY HISPC). Ellen Flink Project Director NYS DOH. AHRQ Annual Meeting September 27, 2007. New York State Environment General Context. Opportunity
E N D
New York Health Information Security and Privacy Collaboration (NY HISPC) Ellen Flink Project Director NYS DOH AHRQ Annual Meeting September 27, 2007
New York State EnvironmentGeneral Context • Opportunity • Rapidly expanding capacity for electronic health information exchanges through RHIOs • Challenge • Current State and Federal laws governing health information exchange written in paper-based world and do not contemplate RHIOs • Goal of NY HISPC • Create policy guidance governing the exchange of personally identifiable health information through RHIOs in NY that will support improvements in patient care while earning and maintaining patient trust
New York State EnvironmentHealth IT Activities • Coordinated leadership in public and private sectors • NYS DOH’s Office of Health Information Technology Transformation • New York e-Health Collaborative (NYeC) • Significant funding for state and regional initiatives • HEAL NY grants designed to improve quality and efficiency by providing capital funds to support health care restructuring and health IT adoption • Phase 1 totaled ~ $53 million for 26 projects – many are RHIOs and a handful are EMR focused • Phase 5 combines funding from Phase 3 and totals $105.75 million for RHIOs and CHITAs • External evaluator partnering with stakeholders and RHIOs to standardize evaluation metrics (quality and ROI) and methodologies • Collaborative policy framework • NY HISPC forging stakeholder consensus on policies and procedures to protect privacy and security, assuring consumer access and engagement
New York State Laws Health Information Exchange Current legal framework for HIE in NY is fragmented
New York State LawsConsent • Unlike HIPAA, New York law requires consent related to treatment, payment or health care operations • General consent acceptable for most disclosures • State law permits one-time, broadly worded consent for routine disclosures among covered entities • Oral or implied consent is permissible; written consent provides a paper trail in the event of potential disputes • General consent insufficient for • HIV/AIDS: Authorization must reference the nature of the information being disclosed, parties receiving the information and the purpose of the disclosure. • Mental Health: Limited disclosure rules for state-licensed facilities likely result in special consent requirements • Genetic Testing: Written consent required; must specifically reference fact that genetic testing results will be disclosed.
New York State Laws HISPC Part 1 Solutions & Implementation Approach Patient Engagement Priority Solutions Areas Consent Security/Access/Use Patient Identification New Laws Leadership Entity AccreditationProcess Clarification of Laws • Create new law where necessary to govern the electronic exchange of health information. Establish a private sector accreditation process for RHIOs that ensures a minimum level of privacy and security practices across the state. Evaluate whether accreditation would qualify for certain benefits such as eligibility for state funding, access to Medicaid data, etc. • Identify or establish an independent, statewide, public-private group to: • Convene stakeholders • Align HIE policies • Identify best practices • Publish recommendations • Provide technical, business practice and policy guidance Establish a shared interpretation of relevant state and federal regulations that impact HIE. Implementation Approach
New York HISPC Part 2Background • Diverse interpretations of State consent laws lead to multiple approaches to patient consent across RHIOs in NYS • Consumer participation in patient consent practices vary across RHIOs • Strong support within consumer advocacy community for existing state law protections that exceed HIPAA standards • Little statewide dialogue has taken place on a standardized patient consent form and process for RHIOs
New York HISPC Part 2Goal and Timeline Goal Implement trusted patient centered consent policies to protect privacy in an interoperable HIE environment Timeline July August September October November December Phase I: Assessment and Consensus Building Project Kickoff and Planning Phase II: Recommendation and Legislative Proposal Phase III: Standardized Consent Form and Process and Educational Plan
New York HISPC Part 2Deliverables • Phase I: Assessment and Consensus Building • Three stakeholder meetings • Inter-agency workgroup meeting • Engagement of neighboring states • Phase II: Recommendation and Legislative Proposal • White paper outlining the affirmative standardized consent form & process • Legislative proposal for a new consent law governing electronic, interoperable health information exchange • Operational plan for the new consent law • Phase III: Standardized Consent Form and Process & Education Plan • Model standardized consent form and/or outline associated processes • Patient/consumer educational plan
New York HISPC Part 2Starting Assumptions • Affirmative consent is necessary for the exchange of all health information through a RHIO. • Opinions vary about whether this is necessary under state law. • Conclusion based on belief by state officials that this is necessary public policy to earn patient trust and therefore, for the success of RHIOs. • New policies are necessary to provide clear rules in the marketplace for the benefit of consumers, providers and other RHIO stakeholders. • New policies should specifically govern HIE conducted among participants in RHIOs. • The policies must co-exist with HIPAA. • The policies may update, expand or strengthen state law.
New York HISPC Part 2Key Questions for Stakeholder Meetings • To what extent should consumers have the ability to direct what information is/is not included in the exchange? • Option 1: No filters – all in or all out. • Option 2: Filtering at provider level. • Option 3: Filtering at medical record level. • What characteristics should a standardized consent process have? • What is necessary to ensure the information is clear and the consumer exercises informed consent? • In what format can consent be obtained – electronic, written, oral, implied? • Durability and revocation • How should current administrative requirements be adapted to be meaningful in the new electronic environment? • How should RHIOs be defined? • What are the parameters of consumers’ right to access and control electronic personal health information?
Observations from First Stakeholder Meeting Definitional Issues Uses of information Exchange of sensitive information Standardized, meaningful consent process Enforcement and transparency Consumer engagement Key Questions for RHIO Consent Rules Activities: What are the preferred activities with respect to electronic health information exchange are we seeking to govern and support? Obligations: What are the obligations of participating in the activities defined above? Uses of information Exchange of sensitive information Standardized, meaningful consent process Benefits/Penalties: What are the consequences, including benefits and penalties, of meeting the obligations defined above? Enforcement: How and by whom will these benefits/penalties be enforced? Findings and Next Steps
New Policy Framework Mechanism for New Policy Framework Accreditation Legislation Regulation Contracts Obligations Adhere to consent policies regarding uses of information, exchange of sensitive information, patient engagement, etc. Benefits/Penalties State funds (e.g. HEAL) Medicaid data Safe harbor protections ENFORCEMENT
What Activities Do We Want to Support and Govern: Defining RHIOs for the Purposes of Consent HISPC PROJECT FOCUS
Key Questions: RHIO Activities • What type of information exchange is governed by your RHIO? • What makes this information exchange different than paper-based exchange? • How do implications of information exchange through RHIO change for patients? • What are the risks of this type of exchange?
Standardized Consent Process • Current State law: Does not specify requirements for a consent form or process • New law: What needs to be explicitly referenced in a consent form? • Purposes of disclosure • Names of providers involved in exchange • Special protections for certain information • Durability • Revocability • At what point is consent obtained? • Provider level • Facility level
Next Steps • Meeting 3: October 24th (NYC) • Present and discuss options for standardized consent process • Discuss parameters of consumer engagement in consent process • White Paper • DOH will post a white paper summarizing stakeholder meeting discussions for public comment • White paper will summarize pros and cons discussed at meeting for each topic area