Health Information Security and Privacy Collaboration (HISPC): Calming the Waters Across State Lines Presented by Alison K. Banger RTI International Presented at HIPAA Collaborative of Wisconsin Fall Meeting September 2008, Sheboygan, WI.
Health Information Security and Privacy Collaboration (HISPC): Calming the Waters Across State Lines Presented by Alison K. Banger RTI International Presented at HIPAA Collaborative of Wisconsin Fall Meeting September 2008, Sheboygan, WI 2951 Flowers Rd., Suite 119, Atlanta, GA 30341 Phone: 770-234-5049 Fax: 770-234-5030 E-mail: abanger@rti.org
Overview • Background on HISPC Phases 1 and 2 • Phase 3: the 7 Collaborative Work Groups • Next steps
Phase 1 Timeline: June 2006 – April 2007 Participation: 33 States and 1 territory Scope: Assess variation, develop solutions and implementation plans Methods: • Community-based research model • Engage a broad range of stakeholders • Follow common methodology • Panel of experts • National direction with local control
Phase 1 Products Summary reports released • Assessment of Variation and Analysis of Solutions • Implementation Plans • Nationwide Summary Reports and presentations publicly available • RTI Project site: http://privacysecurity.rti.org • AHRQ National Resource Center: http://healthit.ahrq.gov
Key topic areas addressed by solutions • Harmonize the approach to patient permission for disclosure • Simplify the complex interplay among HIPAA privacy and security rules, other federal laws, and state laws. • Reduce variation in interpretations of HIPAA • Foster trust between providers participating in exchange and among consumers permitting their information to be exchanged
Phase 2 Timeline: May – December 2007 Participation: 42 states and 2 territories Scope: • Implement 6-month projects • Develop plans for collaboration in Phase 3 Methods: • 34 Phase 1 teams implement state-specific solutions • All 44 teams contribute to collaborative proposals
Phase 2 Products RTI Products: • HISPC Toolkit • Impact Analysis report State Products: • November 2007 Conference Presentations • 34 states produce a multitude of state-specific deliverables, including reports, videos, websites, model agreements, model forms and educational toolkits • 42 states/territories submit proposals to participate in the Phase 3 collaborative work groups
Phase 3 Timeline: April 2008 – March 2009 Participation: 40 states and 2 territories in 7 collaboratives Scope: Execute collaborative strategies developed in Phase 2 Methods: • States work both individually and collaboratively to complete project scope • Co-chairs of each collaborative form steering committee • RTI partners with Georgetown on State and Territory Law Analysis
The 7 Collaborative Work Groups • Consent 1, Data Elements • Consent 2, Policy Options • Harmonizing State Privacy Law • Consumer Education and Engagement • Provider Education • Adoption of Standard Policies • Interorganizational Agreements
Consent 1, Data Elements 11 States participating: • IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI Goals: • To establish a model for identifying and resolving patient consent and information disclosure requirements across states. • To develop a foundational reference guide that describes and compares the requirements mandated by state law and any known regional or local consent policies and practices in each participating state. Data Elements? • What consent information does a state need to reply to a request from another state? Signed consent form? With what information? Any restrictions? Do the answers change depending on the type or source of the information?
Consent 1 Progress: Scenarios and Template Scenarios: • Treatment – Non-Emergency • Treatment – Emergency • Public Health Template: • Intricate, detailed set of spreadsheets • A battery of general questions with follow up questions for capturing additional detail • Completed by the legal work group in each state
General Questions • Does your state regulate the disclosure of PHI based on where the data are created? • Does your state regulate the disclosure of PHI based on who holds the data? • Does your state regulate the disclosure of PHI based on the type of data disclosed? • In the context of your state's disclosure laws, does the type of healthcare provider to whom the PHI is disclosed matter?
General Questions (continued) • Does your state regulate the disclosure of PHI by any other factors not listed above? • Does your state law distinguish between disclosing the complete medical record and disclosing parts of the record? • Does your state law have different disclosure requirements if disclosing within the state versus disclosing to healthcare providers in another state? • Does your state law mandate actions following a disclosure of PHI without consent?
Capturing Additional Detail • Grid of types of PHI by sources of PHI for recording where consent is required or other disclosure requirements exist • Worksheet for adding detail about any of the other disclosure requirements noted • EX: Statutes governing mental health records, linked to medication history (type) generated by a mental health facility (source) • Worksheet for capturing legal citations • Worksheet for answering a battery of questions about any “yes” in the type/source grid.
Impact of Consent 1 • A guide to navigating cross-state variation in consent requirements • A comparative analysis that will allow individuals in different states to see areas where change might be required to better align with their neighbors to facilitate exchange
Consent 2, Policy Options 4 States participating: • CA, IL, NC and OH Goals: • To identify the different consent approaches within and between states • To propose policy approaches for consent that facilitate interstate electronic health information exchange
Consent 2 Progress Formed 2 subgroups: Interstate consent (OH and IL) • Explore the viability of four specific legal mechanisms that states could use to resolve barriers to the exchange of protected health information among states that have conflicting state laws governing consent Intrastate consent (NC and CA) • Identify and describe model approaches to consent • Test model approaches against scenarios (use cases) and pilot projects. • Allow other states to consider the risks and benefits of each approach as they evaluate policies and decide which approach to use
Interstate Consent Mechanisms Uniform state law • Offers states the option to enact the same law governing consent, which would supersede any conflicting laws between adopting states. Model Act • Similar to uniform law, except that it may or may not be adopted in its entirety. States frequently modify a model act to meet their own needs, or adopt only a portion of the model act.
Interstate Consent Mechanisms Choice of law • A provision that states could adopt to specify which state’s law governs consent when PHI is requested to be exchanged between states with conflicting laws. Interstate compact • A voluntary agreement between two or more states, designed to meet common problems of the parties concerned. Would supersede conflicting laws between states that join the compact.
Interstate Consent Subgroup Result • The collaborative will provide other states a systematic process for evaluating and selecting one of these mechanisms to align consent requirements for exchanging PHI between states that have conflicting privacy laws.
Intrastate Consent Model Approaches • Opt out: Patients’ records are automatically placed into the HIE system and exchanged unless the patient chooses to remove records. • Opt out with exceptions: Patients’ records are automatically placed into the HIE system and exchange is allowed. However, patients have the right to opt out of having their records shared with specified providers or other entities. • No consent: Patients’ records are automatically placed into the HIE system, regardless of patient preferences. • Opt in with restrictions: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient. Restrictions allowed. • Opt in unless otherwise required by law: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient.
Scenarios • Lab Results • Outpatient Care Coordination • Reportable Disease • Minor Seeking Birth Control • Substance Abuse Consultation • Data Warehouse/Decision Support
Intrastate Consent Subgroup Result • By systematically testing these options using the scenarios, the intrastate subgroup will: • Generate a list of issues • Describe alternative solutions available through the various models • Critically analyze the alternatives and make recommendations.
Harmonizing State Privacy Law 7 States participating: • FL, KY, KS, MI, MO, NM and TX Goal: • To advance the ability of states and territories to analyze and reform, if appropriate, existing laws to facilitate health information exchange • Primary deliverable is a framework for legislative action
Harmonizing State Privacy Law Progress Updated State Law Report • 2 types of recent legislative successes: • Incremental approaches addressing specific barriers • Process-oriented approaches such as creation of a standard patient authorization form • Less successful: • Attempts at enacting comprehensive detailed health information exchange legislation
Subject Matter Guide Tabular result of legislative scan • Sort legislation into subject matter categories and indicate states that have legislation in each area
Comparative Analysis Worksheet Create expanded version of Subject Matter Guide
Harmonizing State Privacy Law Impact • States outside of the collaborative enter their data, identify gaps and set priorities for legislative action by determining if legislation is needed, feasible and compatible with other states. • Enables states to identify legislation that is critical for development.
Consumer Education and Engagement 8 States participating: • CO, GA, KS, MA, NY, OR, WA and WV Goal: • To develop a series of coordinated state-specific projects that focus on targeted population groups to describe the risks and benefits of health information exchange, educate consumers about privacy and security, and develop messaging to address consumer privacy and security concerns.
Consumer Engagement • States are currently working on their state-specific projects, which address priority education needs and often target specific populations • States have started to share their products with others in the collaborative • Websites are going live • Ultimately they will develop collaborative level products and guidelines for consumer education
State-specific draft deliverables • OR: Revised the video produced under phase 2, soon to be publicly available • CO: Fact sheet • GA: Brochure • KS: Rural consumer education needs assessment
West Virginia • Background document on benefits of health IT, electronic health records, interoperability • Consumer FAQs • Public Service Announcements for radio and TV • Posters • Brochures for physicians to distribute to consumers • Brochures for consumers
Consumer Education Impact • States educate and engage their consumers, addressing the topic or target population that is most important to them • States share their results with the collaborative (materials, dissemination plan, lessons learned) so that final “sharable” versions can be made available.
Provider Education 8 States Participating: • FL, KY, LA, MI, MO, MS, TN and WY Goals: • To create a toolkit to introduce electronic health information exchange to providers • To increase provider awareness of the privacy and security benefits and challenges of electronic health information exchange
Provider Education Approach • Conduct baseline assessment: Contact state and national provider associations; gauge level of interest in and adoption of health IT and HIE. Capture preferred method of communication between each organization and its membership • Select one provider type and one communication channel for pilot study • Develop content: core message with universal tag line
Baseline Assessment Contacted approximately 300 organizations; conducted structured conversations • Organizational information: • Organization type (e.g. member advocacy, research, gov’t agency) • Affiliate (physicians, nurses, researchers, legislators) • Observations about members’ perceptions of HIT and HIE: • Privacy and security concerns • Readiness for adoption • Acceptance of an educational campaign • Perceived barriers to exchange • Preferred communication channel
Selecting Provider Type for Pilot Campaign Developed process: • Assign score for each evaluation factor to each provider type • Manageable population – appropriate size for state • Targeted or well-defined population • Population with impact and importance • Similar learning style/communication channel • Engaged partner for pilot (ready and willing) • Select provider type with highest weighted average
Communication Matrix Completed preliminary work
Provider Education Impact • After testing core message on one provider type using one communication channel, refine approach based on lessons learned and deploy campaign to additional types/channels • Enhance awareness • Address perceived barriers • Encourage adoption and participation in private and secure exchange to improve the quality of care
Adoption of Standard Policies 10 States participating: • AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA Goals: • To develop a set of basic policy requirements for authentication and audit • To define an implementation strategy to help states and territories adopt agreed-upon policies
Adoption of Standard Policies Progress • Developed a standard process for capturing current requirements for authentication and audit • Captured current requirements in 6 modeling states that have HIOs: • AZ, CO and OK: Federated models • WA: Centralized health record banking model • CT: Hybrid • NE (3): 1 Federated, 1 Banking, and 1 Hybrid
Adoption of Standard Policies Progress • Selected AHIC use cases for Medication Management and Laboratory EHR as scenarios for testing minimum authentication and audit requirements • Developed intricate, detailed, multipart template for capturing results • Will use data to expand reports on requirements
Adoption of Standard Policies Results • All states will begin to address any authentication and audit gaps they identify • States that have less stringent policies will know where they need to strengthen them to be on par with other exchanges • States that are in the process of forming HIOs and establishing authentication and audit policies will know what requirements they’ll need to meet
Adoption of Standard Policies Result • Final report will be a guide to other states so they can understand the minimum authentication and audit policies for exchanging data.
Interorganizational Agreements 7 states participating: • AK, GU, IA, NJ, NC, PR and SD Goals: • To develop a standardized core set of privacy and security components to include in interorganizational agreements • To execute interorganizational agreements and exchange data through cross-state pilots wherever possible