120 likes | 231 Views
SW Tennessee’s experience The Legal Side of the Project Vicki Estrin – Program Manager vicki.y.estrin@vanderbilt.edu. Funding: AHRQ Contract 290-04-0006; State of Tennessee; Vanderbilt University. This presentation has not been approved by the Agency for Healthcare Research and Quality
E N D
SW Tennessee’s experience The Legal Side of the Project Vicki Estrin – Program Managervicki.y.estrin@vanderbilt.edu Funding: AHRQ Contract 290-04-0006; State of Tennessee; Vanderbilt University. This presentation has not been approved by the Agency for Healthcare Research and Quality Portions of this presentation derive from a planning engagement conducted with Accenture
Background Funding Sources September 21, 2004, Tennessee received a 5 year contract/grant from Agency for Healthcare Research and Quality (AHRQ) - total award is $4.8 million State of Tennessee provided additional funds in the amount of $7.2 million for the same 5 year period MidSouth eHealth Alliance will receive additional funding from the state to fund operations (e.g. Executive Director and local support staff) Initial Participating Organizations • Baptist Memorial Health Care Corporation – 4 facilities • Christ Community Health – 3 primary care clinics • Methodist Healthcare – 7 facilities including Le Bonheur Children’s Hospital • The Regional Medical Center (The MED) • Saint Francis Hospital & St. Francis Bartlett • St. Jude Children’s Research Hospital • Shelby County/Health Loop Clinics (11 primary care clinics) • UT Medical Group (200+ clinicians) • Memphis Managed Care-TLC (MCO) Vanderbilt’s Role “Donated” the use of its technology for the project Serves the functions of Project Management Office and Health Information Service Provider Responsible for compliance with the AHRQ contract Also supports as requested other HIT activities across the state at a planning level
Background: Organization and Governance • The MidSouth eHealth Alliance (MSeHA) – Organization responsible for the operations of a RHIO in the three counties • Board makes all final decisions on policy • Past Structure: Work groups make recommendations to the board • Privacy and Security • Technical • Clinical • Financial • Current Structure: Operations Committee (a.k.a. Management Committee in Connecting for Health Framework) was formed in August 2006 – initial membership will be the Privacy and Security Work Group. • Privacy and Security Work Group is dissolved • Function will be to review, educate, and advise the board on Policy and Procedure • Board will continue to make all final decisions on policy
Project Summary – Where we are today • Receive data from 15 sites and we are working on increasing the number of sites publishing as well as the amount of data each site is sending • Operational in two emergency departments • The MED went 24/7 on June 21, 2006 • St. Francis went 24/7 on August 22, 2006 • Issues with the system are primarily work flow related • Current challenge is capturing the right data to tell the right stories about the system • Working with our Evaluation team leader on the data • Starting the Financial Work Group to develop an ROI model (based upon our initial business case), document the value the system brings and to whom, and develop a self-sustaining business model.
Several key assumptions in our project related to legal and policy • Policy will drive technology • Where there is a conflict, the work groups will work together to work towards a mutually agreeable recommendation for the board • The MSeHA will dictate policy but the implementation (procedure) is to be carried out in a way that works best for a Participant • Example: The policy is all patients are notified about the MSeHA. How this happens depends on each organization's internal policies and procedures • We did not budget for legal fees so we needed to do as much as we could to avoid the fees • Relied heavily on the Connecting for Health Framework for model policies and model data sharing contract • Privacy and Security Work Group took ownership of the education process. They were responsible for educating their own organizations about the framework and the process.
What needs to be done regardless of your approach to contracting… • While we waited for a draft of the Model contract last summer, we recognized the need to tackle a number of issues… • Turns out these needed to be tackled sooner than later anyway • Who would have access to the MidSouth eHealth Alliance data? • Would we allow a patient to “opt out” of the RHIO (or “RHIO Out” as we now call it)? • Would we notify the patient in some way that their data was being shared? • What would we audit and track? • What policies do we need to have in place? • Who will write policies? • Etc. • The dialogue and debate around these issues laid the foundation for an environment of trust where all views are considered viable and discussed openly • Board members were kept apprised of the issues both by work group members and at board meetings. They weighed in on the issues when appropriate but waited till there was a recommendation from the work group before making any decisions.
The Connecting for Health Framework • The keyword is FRAMEWORK • The Model Contract specifically assists with identifying most of the issues that a Health Information Exchange needs to discuss and come to agreement on – it doesn’t provide answers – it provides questions. • We found it invaluable but got caught a couple of times in the process because we forgot it was a framework… • The Model Contract acknowledges a set of policies that everyone agrees to abide by • The Model Contract references the Management Committee that makes the policies and has representation from all of the Participants (those that publish data and/or also use the data) • We drafted the agreement for legal review by all participants BUT didn’t give them the policies or the structure for the Management Committee • We used much of the language from the Policy Framework to draft our initial set of polices
Timeline for the Regional Data Exchange Agreement Note: June through August the workgroup focused on key policy issues. This laid a foundation for trust and open dialogue. When we began working on the Regional Data Exchange agreement, our overall approach was to do as much work as we possibly could without incurring legal fees
How we used the Framework… • Model Contract gave us a common approach to start from • It identified areas we needed to address in our agreement • The language didn’t always flow for the members but it gave them an idea of what was intended • It took several readings to digest the format, terms, etc. • Initially, wrestled with the terms and definitions • Model forced MSeHA board and work group to discuss all parties’ assumptions • We kept most of the construct from the model although made a few deliberate changes – and that’s ok – that’s what was intended • We reference the license agreement but the MSeHA will sign a separate license agreement with Vanderbilt for software access • We don’t allow patients access to their records so we stripped out all of that language in the contract and policies • All audit requests are made through a Participant at this time • We don’t allow remote users at this time • Don’t have “Break the Glass” policy at this time • We provide the types of audit reports recommended but do it in a very different way
How we used the Framework… • The model did about 50 – 60 percent of the work for us by giving us the framework and example language in many cases from which to work • It supported our goal/approach of engaging counsel later in the process • There were issues related to indemnification and liability that ultimately were board decisions that all organizations will need to wrestle with • It raised the question of insurance for the MSeHA – getting the insurance coverage is a different story • The Model Policies gave us a benchmark to start with and sample language to start from • After the implementation at The MED we used the Framework to see if we missed anything in our haste to “go live” – we had and have made changes to the MSeHA policies to reflect the Framework’s language and intention
What we have to show for all of our effort and work • Participant Agreement • Signed by all Participants • Registration Application/Agreement • We created a document that is both an application to become a Participant and once an application is approved, it becomes the Agreement to be a Participant • Applicant declares whether or not they are a data submitter, data user, or both • Enrollment Forms • Authorized User Confidentiality statements (MSeHA and Vanderbilt) • Application for SecurID token • Terms of Use for SecurID • Operations Committee structure • Our board didn’t like the name “Management Committee” suggested in the Model Contract • MSeHA Policies • Policy on Policies and Procedures • Policy on Coordination of Alliance Policies and Participants’ Policies • Privacy and Security Policy • Conditions to be Met before a New Data Provider’s Data May be Used • Roles and Responsibilities • User Access • Auditing and Reporting • Mitigation • Insurance policy
Two last “factoids” • Remember our desire to do as much as possible without paying attorney fees? • To accomplish this took hours of effort on the part of all of the Participants • We spent 20+ hours in group meetings working on policies (April and May) • Each Participant had a minimum of one person who spent approximate 1 – 6 hours per week from March through May working on policies and educating the Participant’s legal counsel • The attorney we engaged, Rob Wilson from the Bogatin Firm has confirmed that we would have spent far more had this effort not been made but… • To date we have paid over $85,000 in legal fees • These fees do not include any of the costs for incorporation or filing for 501 c (3)