1. Organizational and Legal Issues -- Developing organization and governance models for HIE (Day 2 - Track 5, SECOND SESSION: PRIVACY AND SECURITY)
CONNECTING COMMUNITIES for BETTER HEALTH
2nd Annual Learning Forum and Exhibition
WALTER SUAREZ, MD, MPH
PRESIDENT, PUBLIC HEALTH DATA
STANDARDS CONSORTIUM
2. Privacy and Public Trust in Regional Networks
Establish a Strong Privacy Policy Framework
Build framework upon 5 HIPAA privacy principles
Patient privacy rights
Boundaries to use and disclosure
Balance privacy rights with public responsibility (i.e. public health)
Security
Accountability
Add more stringent state privacy components
State-by-state differences create some additional challenges across the National Health Information Network
Consider establishing a privacy board to create overall framework, oversee compliance across system
3. Enforcing Privacy and Security Across Network Participants
Five Principles:
Agreed-upon framework for both privacy and security standards
Education of each component
Chain of Trust Agreements
Liability boundaries (where does my responsibility end and the other trading partner's responsibility begin)
Internally policed
4. Addressing Variability in Adoption and Use of Privacy and Security Standards Across Network Participants
Difference between Privacy and Security:
Privacy:
Might not have a significant variability in how various organizations are implementing privacy (both HIPAA and State privacy standards might not leave much room for variability)
Security
Will have much more significant variability in the policies, procedures and methods used to protect the data
Network participants will need to:
Agree to comply with minimum security standards common across all participants
5. Cross-State Data Sharing Issues
Cross-state data sharing might be guided by:
HIPAA Privacy standard:
Regulating the use and disclosure of PHI generally
State laws from the originating state
In many cases restricting or requiring additional steps to allow disclosure
Although most state laws do not necessarily distinguish whether a disclosure is within or outside state boundaries
State laws from receiving state
Data at the receiving state might now have to follow that state's additional protections
Current data exchanges happen across states:
Many administrative transactions (claims) go from a provider to a payer passing through various clearinghouses in various states without becoming an issue
6. Role of ONCHIT and Standard Setting Organizations in Establishing Privacy and Security Baseline for Regional Networks
Limited Role if Any:
Would add a third layer of standards (federal-HIPAA, state, and federal-ONCHIT)
Standard setting organizations are not set up to address security standards, except for those related to security features embedded into the electronic standard per se
Would a change in HIPAA be needed?
It might be premature to address this issue, not knowing what the characteristics of RHIOs and of Regional Networks of the future are
At least those that exist today were able to continue to operate and perform within the framework set by HIPAA