VHA Health Information Access (HIA) Program
Mr. Shawn Hardenbrook
Health Information Access Project Coordinator
shawn.hardenbook@va.gov
May 19, 2008
HIA Program
Health Info Access (HIA) Office under the HDI Information Access & Privacy Office formed in 1Q FY08
Health Info Access Supervisor’s VA background:
• Social Work Intern
• Master Social Worker
• Research Software Developer
• Clinical Application Coordinator @ 3 sites
• Class III Software Developer
• CAPRI Developer (yes, it’s a VHA product)
• OI&T Developer
• VHA Health Information Access & Privacy Office HIA Project Coordinator
HIA Program
Health Info Access Team Composition:
• 1 Government manager
• 5 Contractors – Washington DC, Bay Pines, and Salt Lake City
• 3 Government staff – Richmond, Bay Pines, Memphis
• 1 Additional Contractor to be added in 3Q 2008
• More positions to be added later as team responsibility grows…
Background of employees includes DoD, IBM, Research Compliance, Software Quality Assurance, Policy and Planning, Direct Patient Care…
HIA Program
Program Objectives:
• HIA’s current focus is on “special user” access to VHA EHR data as well as providing easier, more efficient access to EHR data while maintaining proper compliance with VHA privacy and security.
• The team performs privacy reviews on research studies seeking approval through ORD (real SSN requests and non-de-identified data, for example).
Cont’d…
HIA Program
Program Objectives (cont’d):
• The team reviews/manages Data Transfer Agreements (DTA’s), Data Use Agreements (DUA’s), and MOU’s with agencies external to VA.
• The team provides consultation for those who are seeking EHR data and aren’t sure how to get it.
HIA Program
So why does VHA need yet another Central Office program when field sites already control access to EHR data through their ISO?
HIA Program
Not every data requestor falls under a local VA Medical Center…
EHR Access Issues
• A variety of “special users” both in and outside VA have a need to access electronic health records at one or more sites.
• Access at multiple sites has traditionally required a separate access/verify code at each site along with maintaining education requirements and logging in every 90 days to prevent expiration of accounts. (HRC in Kansas will eventually need direct access to all 120+ VistA systems, for example)
Cont’d…
EHR Access Issues (cont’d)
• “Access” can mean various levels of functionalities and restrictions – difficult to apply consistently when being managed by multiple sites.
• Users may need to be restricted to just specific site(s).
• Users may need to be restricted to just specific patient(s) – “Need to know” rule.
• Users may or may not need to be prevented from changing or entering data into the record.
Special Users “Special users” include:
Available options for EHR Access
• CPRS: Traditional award-winning GUI interface for EHR data. Highly complicated for users who need read-only access. No ability to block entry of EHR data. Somewhat limited ability to control patient-level access. No ability to synchronize limited patient lists and privileges between sites.
• CAPRI: Provides CPRS-like access to EHR data without entry options and with simplified pre-defined reports. Provides access to all VHA sites through a single access/verify code. Provides a national-level audit trail for all patients accessed by a user.
Cont’d…
Available options for EHR Access (cont’d)
• VistAWeb: Slow, but very pretty interface. Easy to access from Internet browser without installation of software. Many search options. Detailed audit trail, but difficult to access audit reports for compliance monitoring. Access to patients is limited to local site unless user is granted national-level VW access. (Hurricane Katrina example)
• CPRS Read-Only: Extremely stripped-down version of CPRS missing most of the features for which users like CPRS.
CAPRI Overview
• Still lots of confusion in VHA about the purpose of the CAPRI product. YES, it’s a VHA product!
• Designed initially for VBA as GUI replacement for AMIE roll-n-scroll.
• VBA was not having success getting direct CPRS GUI access at sites in the 1990’s.
• 2nd largest VistA application code-base.
• Grassroots Class III turned Class I in 2001.
• Has been modified over the years to meet VA needs.
Cont’d…
CAPRI Overview (cont’d)
• Used by multiple “special user” groups.
• Has contained single sign-on capability for over 5 years.
• Contains C&P functionality, but also EHR read-only functionality.
• C&P exam functions for VHA providers are under active development.
• Approximately 1/4 to 1/3 of monthly C&P exams are entered by VHA providers in CAPRI.
• 99%+ of C&P exams are processed by VBA using CAPRI.
VistAWeb Overview
• Grassroots Class III turned Class I.
• Designed to replace Remote Data Views in CPRS.
• Built off of CAPRI single sign-on functionality.
• Used primarily by VHA clinicians but also by some “special user” groups who need access to patients at multiple sites.
Cont’d…
VistAWeb Overview
• Is integrated inside CAPRI. All CAPRI users have VistAWeb by default.
• Local sites have provided a link to VistAWeb on the CPRS Tools Menu for access to local patients.
• There is also a direct interface through Internet Explorer – CPRS access not required.
CAPRI Data Entry Functions
• Basic new patient registration in VistA
• Ordering/management of C&P Exams
• Requests for paper documentation
• Change of address (currently disabled)
• VHA Provider C&P Exam templates
• Roll-n-scroll access to non-GUI functions
• CAPRI does have a read-only mode which is controlled through security key assignment. (EHR data is always read-only, despite security keys.)
VistAWeb Data Entry Functions
(Yes, this screen is blank on purpose.)
CPRS Read-Only
• CPRS Read-Only functionality released 2002 as a rapidly developed reactionary measure to an immediate business need.
• High user satisfaction with traditional interface, which is extremely scaled-back for CPRS read-only.
• Does NOT contain single sign-on capability.
• No central management of patient lists – a problem with VA Form 2122 (POA), VA Form 2122a, and general user management.
Cont’d…
CPRS Read-Only (cont’d)
• CPRS Read Only Access Directive released 2002, now expired.
• General Access Directive written, never released.
• Access Handbook not yet written.
• HIA is finalizing a VHA Access Directive, with Access Handbook to follow.
• HIA prefers CAPRI/VistAWeb to CPRS Read Only due to central management capabilities and more CPRS-like interface in CAPRI than is available in CPRS read-only.
• Does everyone know CPRS Read-Only exists?
Health Info Access (HIA)
Health Info Access Program Functions:
• Manages national requests for CAPRI and VistAWeb access
• Creates/revokes single sign-on accounts
• Audits accounts for privacy/security requirements
• Assists users in determining right solution for their needs
Cont’d…
Health Info Access (cont’d)
• Manages national-level restricted site lists
• Manages national restricted patient lists
• DUA/DTA Liaison
• Actively developing tracking/registry system for user access, research (real SSN, protocol reviews involving access to national databases), and DUA/DTA’s.
• …Will be adding more functions as they’re identified over time…
Requesting Access Through HIA
Users interested in access should visit the HIA Homepage for detailed instructions and an access request form: http://vaww.vhaco.va.gov/privacy/HIA.htm
Requirements:
• Proof of Cybersecurity Training within past year
• Proof of VHA Privacy Training within past year
• Signed HIA Rules of Behavior
• Signed Access Request Form
Requesting Access Through HIA
Once paperwork is gathered, it can be:
• Mailed by snail mail
• If user has PKI -- scanned and emailed to HIA@va.gov
• Submitted to secure fax server via the number found on the HIA homepage
Approval paperwork is kept electronically and is available in PDF form, should there be a question about a user’s access.
A central “registry” is being developed which may eventually be provided to field sites. That’s a bit down the road.
Certain user groups have different approval processes which can be custom tailored (to be faster) when these user communities are identified as repeat customers.
Requesting Access Through HIA
Local ISO name and email is required. But access forms do not need to be processed through the ISO for VHA users.
HIA will remove access at expiration of training requirements, until proof is re-submitted. Users will be notified in advance of impending shut-off.
All access is ultimately at the discretion of the Director, Health Data & Informatics.
CAPRI, VistAWeb or CPRS
There is not ONE solution for all needs.
• Users who need restricted patient lists for multiple sites (such as VSO’s) must use CAPRI
• Users who don’t need data entry can use VW
• Users without restricted patient lists can use VW
• Users who need to register new patients (Federal Recovery Coordinators) must use CAPRI
Cont’d…
CAPRI, VistAWeb or CPRS (cont’d)
There is not ONE solution for all needs.
• Users who need access at only 1 site can use CPRS read-only at a local level
• Users who need auditing regularly should use CAPRI
• Users who need to see C&P activity should use CAPRI
• Users whose access changes frequently (EPRP) should use CAPRI
• GUI management tools for restricted lists exist for CAPRI but not CPRS – VBA manages over 8,000 of their own national accounts.
HIA can be contacted at:
• HIA@va.gov
• VHA OI HDI HIA
• shawn.hardenbrook@va.gov (HIA Manager)
Questions?