Date: April 26, 2011
Time: 1:00 pm – 3:00 pm
Location: NC Hospital Association, 2400 Weston Parkway, Cary, NC
Dial in: 1-866-922-3257; Participant Code: 654 032 36#

Agenda
• Statewide HIE Governance: Primary Tasks
• Updates on NC HIE Operations and Workgroups
Statewide HIE Governance...Today’s Objectives
Continue Process of Developing Recommendations for QO Approach
• Finalize Selection Criteria (today’s primary focus)
• Revisit Fair Information Principles Criterion
• Revisit QO Insurance Requirements Criterion
• Revisit QO Financial Viability Criterion
• Discuss Application/Selection Process
• Oversight and Enforcement of Obligations
Proposed Selection Criteria for Qualified Organizations (STRAWMAN - FOR DISCUSSION ONLY)
1. Organized as a non-profit or for-profit corporation whose articles of incorporation have been filed with the North Carolina Department of the Secretary of State (or that has a certificate of good standing if incorporated in a state other than North Carolina).
2. Agree to comply with Statewide Policy Guidance (including technical specifications and privacy and security requirements) and ensure QO participants comply with them.
3. Agree to comply with “fair information” policy principles and require that QO participants comply with them.
4. Provide list of current NC HIE participants (as defined by the NC HIE Board), updated on a quarterly basis in compliance with the process established by the NC HIE Board, and plan for adding more participants.
5. Annually submit a Program Plan that describes specific activities in which the QO will engage.
6. Demonstrate financial viability as required by the NC HIE Board.
7. Includes demonstration of adequate and appropriate insurance coverage.

Important Topics to Consider in Selection of Criteria
• Extent to which criteria limit entities that could serve as QOs
• Establishing and maintaining overall system efficiency & integrity
• Understanding the administrative implications of compliance

Red/italicized text indicates edits to proposed criteria that have not been approved by the Workgroup.
3. Agree to comply with “fair information” policy principles and require that QO participants comply with them
Implementation Considerations
• NC HIE will need to define “fair information” policy principles.
Workgroup Recommendation
• QOs should be required to comply with fair information policy principles as well as ensure the compliance of QO participants with whom they have contracts; however, the principles must be refined and carefully crafted so that they explicitly state the related obligations.
Fair Information Principles
• Fair Information Principles (FIPs) form the basis of information laws and policies in the US and globally and are the result of a series of reports, guidelines and model codes developed by government agencies in the US, Canada and Europe over the past 25 years.
• The five core guiding principles of privacy protection that serve as the foundation of FIPs are:
  • Notice/Awareness
  • Choice/Consent
  • Access/Participation
  • Integrity/Security
  • Enforcement/Redress
* Federal Trade Commission, Fair Information Practice Principles
Core Principles of Privacy Protection as Foundation for FIPs
• Notice/Awareness – Consumers should be given notice of an entity’s information practices before any personal information is collected from them. Some or all of the following have been recognized as essential elements of notice:
  • Identification of the entity collecting the data
  • Uses of the data
  • Any potential recipients of the data
  • Means by which data is collected
  • Whether provision of the data is voluntary or required and the consequences of refusal
  • Steps taken by the data collector to ensure the confidentiality, integrity and quality of the data
• Choice/Consent – Consumers should be given options as to how any personal information collected from them may be used (allows for an opt-in or opt-out consent model).
• Access/Participation – Consumers should be able to both access data about themselves and contest that data’s accuracy or completeness.
• Integrity/Security – Data must be accurate and secure.
• Enforcement/Redress – The core principles of privacy protection are only effective if enforcement/redress mechanisms are in place (includes self-regulation, private remedies and government enforcement).
* Federal Trade Commission, Fair Information Practice Principles
ONC’s Fair Information Principles for HIE
In December 2008, ONC adopted the following FIPs in its “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” as guidance for all entities involved in health information exchange:
• Individual Access – Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
• Correction – Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
• Openness & Transparency – There should be openness and transparency about policies, procedures and technologies that directly affect individuals and/or their individually identifiable health information.
• Individual Choice – Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information.
Adopted by ONC in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
ONC’s Fair Information Principles for HIE (cont.)
• Collection, Use, and Disclosure Limitation – Individually identifiable health information should be collected, used and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
• Data Quality and Integrity – Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner.
• Safeguards – Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure.
• Accountability – These principles should be implemented, and adherence assured, through appropriate monitoring, and other means and methods should be in place to report and mitigate non-adherence and breaches.
Fair Information Principles: Key Questions for Discussion
• Fair Information Principles tend to serve as overarching policy guidance and are supported by actionable procedure requirements.
  • Do we want to include Fair Information Principles as a guiding policy requirement for NC HIE QOs?
• Fair Information Principles are closely related to information security and patient consent considerations.
  • If we adopt Fair Information Principles as a part of our statement of criteria, should they be explicitly included as an individual “line item” or should they be subsumed in the criterion addressing compliance with Statewide Policy Guidance/privacy & security policies?
6. Demonstrate financial viability as required by the NC HIE Board.
Implementation Considerations
• Establishing a reasonable threshold will be essential to ensure that this criterion isn’t overly restrictive.
• Options include:
  • Require that the QO submit a financial statement showing net worth [WG members did not endorse this option based on concern that it would exclude entities with modest resources]
  • Require that the QO submit a plan for financial sustainability
  • Require that the QO submit an annual financial audit report from an independent audit firm
Progress to Date
• At the March 31 Workgroup meeting, members agreed that the NC HIE should establish a criterion to determine a QO’s financial viability to perform services required of a QO, but requested additional information from NC HIE staff regarding varying approaches to verifying financial viability.
State Approaches to Financial Viability Criteria
• Participants must provide MiHIN with an annual report of its financial position.
• Participants must submit an annual audit report from an independent audit firm without a “going concern” qualification, disclaimer or adverse opinion(s) reflecting on the QO’s accounting procedure.
  • If an audit report does reflect any of the above, the QO must submit an action plan/timeline to remediate the issues and the plan must be approved by HIP TN.
• Participants must:
  • Submit a schedule of proposed charges and a detailed business plan, including a three-year projection of expenses and income and other sources of future capital
  • Submit a rate plan outlining fee structures for HIE services (rates reviewed and approved)
  • Submit results of annual independent financial audit
Obtain insurance in amounts specified by the NC HIE Board
Implementation Considerations
• Insurance products could include:
  • Directors & Officers insurance
  • Errors & Omission insurance
  • Cyber-liability insurance
Progress to Date
• At the March 31 Workgroup meeting, members agreed that the NC HIE should require that QOs obtain insurance coverage in amounts specified by the NC HIE Board, but requested additional information from NC HIE staff regarding other states’ approaches to insurance requirements (specifically, the types of insurance being required and coverage amounts) before finalizing the recommendation.
Liability Insurance
Liability insurance relevant to HIEs and their partners includes the following types:
• Directors & Officers (D&O) insurance: provides financial protection for the directors and officers of an organization in the event they are sued in conjunction with the performance of their duties as they relate to the organization.
• Errors & Omissions (E&O) insurance and Cyberliability: protects the organization from claims if a participant holds it responsible for errors or for failure to perform as promised in the contract. This coverage is concerned with performance failures and negligence with respect to products and services.
• Product Liability (for IT vendors): indemnifies a manufacturer, supplier, or retailer from liability to a purchaser or user caused by a foreseeable defect in the product.
• Malpractice insurance (for care providers): indemnifies a provider for negligence (conduct that falls below the customary standard of care) related to professional medical decisions.
In addition to other considerations, the type of insurance and coverage amounts are affected by the technical model, data use policies and state law considerations.
Agency for Healthcare Research and Quality (AHRQ), Liability Coverage for Regional Health Information Organizations
Liability Insurance (cont.)
A June 2009 study found that, at a minimum, most HIEs obtain D&O and E&O insurance and, in some cases, employers’ insurance and privacy & security liability policies. The study also concluded that:
• The importance and weight of liability issues varies among HIEs.
  • In some instances, liability concerns determined the legal and governing status of an HIE (e.g., Delaware HIN), whereas in others the ability to leverage existing liability practices of larger governing entities reduced liability concerns (e.g., Indiana Network for Patient Care). In other settings, some HIEs believe that electronic exchange of health information should not add any more substantial liability than paper-based exchange.
• Obtaining liability coverage takes a considerable amount of time.
  • Identifying risks and accountability of various participants, looking for and settling on an underwriter, and educating the underwriter on HIE are time-intensive activities.
• A high degree of legal uncertainty remains.
  • There is a lack of precedent regarding how courts would approach a privacy and security breach, and little clarity about who would be held liable.
  • Uncertainties have a wide range of effects on insurance policies, including increased premiums and overlapping liability coverage among participants.
Liability Insurance (cont.)
Key findings on liability insurance continued:
• Insurance policy options are growing but remain limited.
  • The underwriter’s traditional model is based on an entity’s assets and risk quantification; for HIEs, underwriters must consider other factors such as technical architecture, services provided, types of data exchanged and security controls.
• There is wide variability in liability insurance practices across HIEs.
  • Variability is a reflection of both the emerging landscape of HIE and the unique local and regional communities from which HIEs emerge.
• Sovereign immunity has advantages and disadvantages.
  • Operational HIEs are divided on the role of the state or federal government in offering immunity to HIEs and their partners. Some feel that benefits include increased stakeholder participation, decreased start-up costs and long-term sustainability; others posit that if immunity is available, HIEs may not be sufficiently rigorous in establishing privacy and security controls.
Liability Insurance: Key Questions for Discussion
• Who are the entities that take on liabilities because of participation in an HIE? May include:
  • NC HIE organization and board of directors
  • NC HIE employees
  • IT vendors
  • Partnering organizations / Qualified Organization – data sources
  • Partnering organizations / Qualified Organization – data users
  • State agencies that participate in the HIE
  • Physicians (connecting through a QO or through an alternate provider connection point)
• Are all emerging categories of HIE liability coverage relevant to all QOs (e.g., directors’ and officers’ liability, data theft, data mismanagement, data generation errors, data misuse, etc.)?
• What circumstances specific to North Carolina may impact liability coverage (e.g., state law considerations, HIE technical models, data use policies, etc.)?
Liability Insurance: Key Questions for Discussion (cont.)
• Can we come to consensus on whether or not demonstration of insurance coverage should be a requirement for QOs?
  • If so, do we have enough information to make a specific recommendation as to type, amount, etc.?
  • If not, Workgroup options could include continuing research and discussion in a future meeting, asking staff to make a recommendation for review, adopting a policy that adequate insurance coverage should be required but partnering with early adopters / initial QOs to determine what appropriate parameters might be so that coverage is adequate but the requirement is not onerous, etc.
Should there be exceptions?
• Mandatory
  • One set of mandatory criteria for all QOs
  • State example: Maryland
• Establishment of “Optional” Criteria
  • One set of mandatory criteria that all QOs (or categories of QOs) must meet; additional “optional” criteria
  • State example: Tennessee
• Creation of an Exceptions Process
  • One set of mandatory criteria for all QOs, with the ability to appeal for exceptions on a case-by-case basis or by stakeholder category
  • State example: Tennessee
• Tiering of Qualified Organizations
  • Data sharing partners are grouped by size, service level, and organization type, among other factors. Different criteria are applied to each group (or tier). For instance, small provider groups may be required to meet different criteria than large IDNs.
  • State example: Oregon
Criteria Exceptions: Key Questions for Discussion
• Should all criteria be mandatory or should there be flexibility in the selection process?
  • If so, should flexibility be based on type of organization? Mission of organization (e.g., focus on connecting rural or underserved providers to the network)? Other factors?
  • If not, does this limit the participation of entities who may bring value to the statewide network?
• If flexibility is built into the selection process, how should it be structured?
  • Limit on the number or type of criteria that can be waived?
  • Some mandatory in all circumstances, others optional?
  • Justification required for waiving criteria, and how assessed?
Renewal Process: Key Questions for Discussion
• Should entities be required to renew their QO status on a regular basis?
  • If so, how often should QOs be required to reapply for QO status?
• Should the renewal process differ from the first-time application process, and how?
  • Should QOs be required to meet new selection criteria established since their last application?
• Should first-time QOs receive only a provisional designation for a certain period of time before receiving ongoing designation?
Governance Workgroup – Next Steps
• Develop recommendations related to the application process, including review of the application process in other states. A high-level overview of steps might include:
  • NC HIE establishes application process for interested entities.
  • NC HIE establishes application review process.
  • NC HIE establishes process to notify the applicant and the public that an organization has been deemed a QO.
  • NC HIE establishes ongoing re-qualification process.
• Develop recommendations related to enforcement and oversight:
  • Define metrics
  • Create evaluation process (ongoing compliance)
  • Establish processes for:
    • Dispute resolution
    • Organizations seeking to voluntarily rescind QO status
    • Expulsion of non-compliant QOs
NC HIE Workgroups...Working Timelines
(Timeline chart; recoverable labels only.)
• Core Services: Develop RFP; Review, Negotiate, Award; Deploy Services
• Legal/Policy Workstream: Finalize draft legislation; Develop Privacy and Security Policy and Procedures
• Qualified Organizations: Develop Qualified Org Criteria
• Participation Agreements: Develop Participation Agreement
• Enforcement and Oversight: Define Oversight Roles and Enforcement Mechanisms
Principles to Guide Development of Qualified Organizations The following principles were developed by the Work Group and endorsed by the NC HIE Board at its July 2010 meeting to guide the development of Qualified Organizations:
Qualified Organizations Business, Technical & Legal Relationships
Statewide HIE Components
North Carolina Health Information Exchange (NC HIE)
• NC HIE is North Carolina’s public-private partnership that supports an open and transparent, statewide, collaborative process which creates statewide policy guidance (i.e., “rules of the road”) for the statewide HIE network.
• NC HIE provides core technology services and selected “value-added” services accessible via the statewide HIE network.
State of North Carolina
• The State of North Carolina, working through the NC State HIT Coordinator and its various Departments, (1) identifies and protects the public interest through its regulatory roles, (2) collects, stores, and provides access to health information in support of its various missions, such as Medicaid and public health, and (3) supports efforts to obtain public funds for HIE.
NC HIE Policy Guidance
• Statewide Policy Guidance, developed by the NC HIE through the Workgroup process and with Board approval, provides a common and consistent technical, privacy, security, and legal framework for participants in HIE and ensures the secure, interoperable exchange of data through the statewide network.
• Statewide Policy Guidance typically includes: (1) detailed rules for privacy and security, technical interoperability, and financial obligations; (2) vendor contract requirements; (3) ongoing governance structure and participation; and (4) enforcement mechanisms.
Statewide HIE Components (continued)
Qualified Organization (QO)*
• QOs are entities that have permission to access, consume and make available HIE services on the statewide HIE network.
• QOs meet a set of established criteria, have gone through an approval process, and have signed agreements to abide by Statewide Policy Guidance.
• QOs ensure that participants and vendors with which they have contracts meet the requirements to carry out statewide policies.
Qualified Organization Participant
• A provider or entity that participates in the statewide network through a QO.
* Note: As the Work Group develops criteria and requirements for QOs, it will be important to consider access to the statewide HIE network through means other than Qualified Organizations.
Policy/Contractual Relationships: Interconnecting Participants
(Relationship diagram; recoverable labels only.)
• Entities: EHR Vendor, HIE Vendor, QO Participant, Qualified Organization, State of North Carolina, NC HIE, Work Groups (Governance, Clinical/Tech Ops, Finance, Legal/Policy)
• Relationship labels: Contract for technical services; Contracts for access to HIE services, with reciprocating agreement to abide by Statewide Policy Guidance; Contract for access to HIE services; Provides access to data; Abide Statewide Policy Guidance; NC HIE manages the Work Groups, which receive input and produce Statewide Policy Guidance* as output
* Statewide Policy Guidance will be approved by NC HIE Board