Meeting Objectives
ONC Cooperative Agreement FOA: “Privacy and security of health information, including confidentiality, integrity and availability of information, are integral to fostering health information exchange. States and SDEs must establish how the privacy and security of an individual’s health information will be addressed, including the governance, policy and technical mechanisms that will be employed for health information exchange.”
• Review key issues for consideration in development of privacy & security policies and related agreements.
• Review approaches in other states.
• Understand Subcommittee roles.
• Review process for discussing key issues and issuing recommendations.
Discussion Document – Not for Distribution
Planning Approach: Workgroups & Stakeholder Engagement
Governance Board/Steering Committee
Manatt facilitates analysis and tracks & documents decisions
Governance Work Group
Finance Work Group
Clinical & Tech Operations Work Group
Legal & Policy Work Group
Draft and Final Plans
Components of Strategic and Operational Plan
Compile Drafts, Feedback, and Public Input
Engagement is transparent & inclusive... “stakeholders support what they create”
State HIE Cooperative Agreement: Legal/Policy
The Legal/Policy Workgroup will be charged with:
• Establishing a statewide policy framework and process to oversee the development of policies to facilitate statewide HIE and protect health information as required by state and federal laws.
• Identifying a process to work toward harmonizing federal and state legal and policy requirements to support HIE.
• Developing a framework to assess the implications of cross-border HIE and identify a process to resolve potential conflicts.
• Addressing enforcement mechanisms and the agreements necessary to ensure the appropriate oversight and accountability among HIE participants.
Legal/Policy/Privacy & Security
Developing the statewide policies, practices, and enforcement mechanisms to protect the privacy and security of patient health information.
Example: Strategic Plan Workgroup Deliverables
Example: Operational Plan Workgroup Deliverables
Overview of Key Privacy & Security Issues
Goal: Develop policies governing the exchange of Protected Health Information through North Carolina’s statewide health information network that will support improvement in patient care while maintaining patient trust and ensuring compliance with law.
Key Policy Areas
• Patient Consent
• User Authorization
• User Authentication
• Access Controls
• Audit Protocols
• Breach notification and response
Overview of Key Privacy & Security Issues Cont’d
• Consent: Policies establish the rights of consumers to decide whether and how their health information will be exchanged through NC statewide HIE, including the nature and form of consent and who obtains consent. These policies also address the purposes for which information may be used by those who access it.
• Authorization: The process of determining whether a particular individual has the right to access protected health information through NC’s statewide HIE. Authorization is usually based on role-based access standards that take into account an individual’s job function and the information needed to successfully carry out a role. Authorization policies should set forth minimum requirements that HIE participants should follow when establishing role-based access standards and authorizing individuals to access information through NC’s statewide HIE.
• Authentication: The process of verifying that an individual who has been authorized and is seeking to access information via NC’s statewide HIE is who he or she claims to be. Authentication policies represent an important technical security safeguard for protecting a patient’s information from various internal and external risks, including unauthorized access. Authentication policies should set forth minimum requirements that HIE participants should follow when authenticating individuals prior to allowing them to access information through NC’s statewide HIE.
• Access: Access controls govern when and how a patient’s information may be accessed by HIE participants. Access policies should set forth minimum behavioral controls HIE participants should implement to ensure that: 1.) only Authorized Users access information; and 2.) they do so only in accordance with patient consent and with other requirements that limit their access to specified information (e.g., that which is relevant to a patient’s treatment).
• Audits: Audits are oversight tools for recording and examining access to information (e.g., who accessed what data and when) and are necessary for verifying compliance with access controls developed to prevent/limit inappropriate access to information. Audit policies should set forth minimum requirements that HIE participants should follow when logging and auditing access to health information through NC’s statewide HIE.
• Breach: Breach response and notification policies are designed to hold HIE participants accountable and to certain behavioral standards when privacy violations occur. Breach policies should set forth minimum standards HIE participants follow in the event of a breach of protected health information through NC’s statewide HIE, assure patients about the RHIO’s commitment to privacy, and mitigate any harm that privacy violations may cause.
Legal/Policy/Privacy & Security
Considerations
• Privacy and Security policies may include authentication, authorization, access controls and audit (the “four A’s”).
• Federal requirements under HIPAA serve as a national floor for privacy and security, with state law and policy considerations layering on top.
• Existing privacy and security requirements must be considered in light of statewide electronic HIE.
• A collaborative governance process involving broad stakeholder representation is required to resolve threshold issues.
• State government blessing of any statewide policies developed as compliant with existing law can protect HIE participants from liability as a result of following policy.
Key Questions
• How will policies be adopted and enforced?
• Can statewide privacy and security policies be adopted in compliance with existing law? Is a change in law required?
• What issues need to be incorporated into statewide policy guidance?
• What policies are necessary to govern consent?
• Are special policies required for sensitive health information?
• Will new statewide privacy and security policies apply only to HIE occurring through a statewide health information network (or other model) and not to existing one-to-one exchanges?
Privacy & Security: Continuum
• What is the State’s role in defining privacy and security policies for HIE in North Carolina?
Statewide Establishment of Privacy and Security Standards
HIE Participants Follow Existing State and Federal Law
State Provides Guidance
State Sets Policy
State Provides Enforcement
Health Information Exchange: Changing the Privacy Paradigm
Today: “One-to-One” Exchange
• Human judgment plays a critical role in determining what information is shared and with whom.
• Phone conversations between clinicians for purposes of treatment frequently replace the need for physically exchanged information.
• Authentication of requests for information is heavily reliant on relationships between organizations or individuals charged with information sharing.
Tomorrow: “Many-to-Many” Exchange
• In an environment of ubiquitous electronic HIE, data will be gathered or transferred between multiple entities without benefit of the familiar relationships of the old paradigm.
• At the time of collecting the data, verification of the requester and sources will be critical, and may require sophisticated permission and authorization controls.
Health Information Exchange: Core Questions for Privacy and Security Policies
Provider Access to Information
• Should any provider have unrestricted access to all information without consent for treatment purposes?
• Is provider access limited to treatment, or does it include other uses – quality assurance, care management, research, etc.?
Payer Access to Information
• Should payers have unrestricted access to information without consent, or should it be restricted to care management for patient benefit?
Consumer Access to Information
• Do we want to require consumer access to information?
Health Information Exchange: Governance and Privacy Framework
Who sets the rules?
• Local level – too small to have meaningful policies
• State level – right for scale and enforceability
• Federal level – run the risk of ambiguity
What are the rules?
• What do federal and State laws require?
• What are the policy choices being made by governing authority?
Who enforces the rules?
• Enforced through a RHIO governance model and/or contractual model?
• State/federal regulators?
Process for Developing Privacy & Security Policies
Phase 1: Identify Issues
Phase 2: Consent
Phase 3: 4As
Other Areas to Be Addressed by Legal/Policy Workgroup Upon Completion of Phases 1-3:
• Potential modifications to state confidentiality laws and regulations
• Trust agreements
• Interstate exchange
Legal/Policy Workgroup will also coordinate with Governance Workgroup on development of a regulatory/enforcement framework to ensure compliance with privacy & security policies.
Review of Key Policies: Consent Model
• Opt-in vs. opt-out and granularity details
• Who obtains consent
• Available information/treatment of sensitive health information
• Permissible uses of health information
• Break-the-glass (emergency access)
• Minor consent
State Consent Policy Approaches: Nebraska, Vermont, New York, Massachusetts
NeHII, VHIE, NYeC & MAeHC Background
Architectural model, statewide applicability of policies, policy development process, enforcement, and whether state law was amended to support HIE provide key context for evaluating consent policy decisions.
NeHII
• Hybrid federated model (Axolotl)
• NeHII is the SDE.
• Policies have statewide reach.
• Policies developed by NeHII Privacy & Security Committee (Committee of the Board).
• Compliance enforced through contracts.
• No amendment to state law (as of yet).
VHIE
• Hybrid federated model (GE Centricity)
• Exclusive statewide HIE.
• Policies have statewide reach.
• Policies developed by VITL staff & consultants with input of stakeholders; approved by Board.
• Compliance enforced through contracts.
• No amendment to state law.
NeHII, VHIE, NYeC & MAeHC Background
NYeC
• Statewide shared services. Exchange facilitated through conformance to agreed upon protocols, standards, and policies.
• NYeC is the SDE.
• Policies have statewide reach.
• Policies developed through a statewide stakeholder workgroup and consensus process.
• Compliance enforced through contracts.
• HIEs - condition of receiving grant funding under HEAL-NY
• No amendment to state law.
MAeHC
• Each of the 3 MAeHC pilots operated a centralized repository model (eCW/Wellogic)
• Policies only applied to 3 pilots. Pilot project has concluded.
• Policies developed by pilots with input from statewide privacy workgroup (HISPC). Approved by MAeHC.
• Compliance enforced through contracts.
• No amendment to state law.
Consent Model
Key Takeaway: Each employs a distinct consent model that takes into account its technical architecture, state laws and consumer/provider preferences.
VHIE
• Opt-in.
• If patient signs opt-in form, data sharing is enabled between all participating treating providers (patients may not control which providers disclose their information).
• No further permission needed by participating treating providers to access data.
• Patients receive reminder every 5 years that they have right to withdraw consent.
NeHII
• Opt-out.
• 1.5% - 2.0% opt-out rate.
• Opt-out is global (all of a patient’s information is excluded).
• If a patient has opted-out, the RLS will return the patient’s name & demographic info with a note indicating the patient has opted-out of the HIE.
• Patients may opt back in under a process that is more strict.
MAeHC
• Opt-in.
• 94% opt-in rate.
• Patients must grant each provider consent to disclose his/her information to the HIE’s clinical repository on an entity-by-entity basis.
• One pilot allowed a RHIO-wide consent to disclose.
• Unless a patient has opted-in, the patient will not show up in the HIE system at all.
• No further permission needed by participating treating providers to access data.
• Consents must be “refreshed” every two years.
NYeC
• Opt-in.
• Consent obtained by accessing provider with option of “RHIO-wide” consent.
• If patient signs opt-in form, providers listed on consent form have access to all data (patients may not control which providers disclose their information).
• Patients receive reminder every 5 years that they have right to withdraw consent.
Available Information/Treatment of Sensitive Health Information
VHIE
• Included: Eventually all PHI as defined under HIPAA, including mental health and substance abuse information.
• Excluded: None. No data filtering for sensitive health information.
• Consents for exchange of information protected under 42 CFR Part 2 (alcohol/substance abuse) carry expiration dates.
NeHII
• Included: Lab & x-rays, medication & immunization history, transcribed diagnostic & treatment records, allergies & drug interactions, & other transcribed clinical reports created after NeHII’s start date.
• Excluded: Records related to alcohol & substance abuse treatment programs, emergency protective custody proceedings, genetic testing, HIV testing, and mental health treatment.
MAeHC
• Included: “Shared Health Summary,” which featured: medication list, problem list, diagnosis, immunizations, allergies, smoking status, vital signs, procedures, lab results, & radiology results. Sensitive health information was included.
• Excluded: None. No data filtering for sensitive health information.
• Certain sensitive information (HIV and genetic test results) required a patient’s consent each time it was made available. When pilot HIE systems identified ICD-9 and CPT codes for HIV and genetic test results, they prompted providers to obtain additional consent. MAeHC reported workflow complications.
NYeC
• Standard State-approved consent form authorizes disclosure of HIV, mental health, genetic testing and other sensitive data.
• Statewide policies suggest that HIEs assess the legal risks of making records of federally assisted alcohol and substance abuse treatment centers (42 CFR Part 2) available through the exchange. Federal guidance being solicited.
Permissible Uses of Health Information
NeHII
• Treatment and payment.
• Actively considering use of information to facilitate public health reporting.
VHIE
• Treatment, payment, health care operations.
• Specific patient authorization required for “secondary uses,” defined as those other than TPO, including marketing, uses by employers, and health plan use in quality review, among others.
• Clinical researchers can apply for use of de-identified data for research.
Duration/Revocation:
• Until revoked (if no expiration date).
• Consents for providers to release records covered by 42 CFR Part 2 must have an expiration date.
• Patients receive reminder every 5 years that they have right to withdraw consent.
MAeHC
• Treatment, payment, health care operations and quality improvement.
• No payer use of/access to data.
• MAeHC operated a quality warehouse to aggregate and analyze data for provider performance reports, which it sent to health care providers to help improve care.
Duration/Revocation:
• Two years.
• Consents can be revoked at will.
NYeC
• Level 1: Treatment, quality improvement, care management, and insurance coverage reviews.
• Level 2: Any uses of PHI other than Level 1 uses, including but not limited to payment, research and marketing.
Duration/Revocation:
• Consent for Level 1 uses: until revoked.
• Consent for Level 2 uses: must be time-limited & expire no more than 2 years after execution unless a longer duration is required to complete a research protocol.
Break the Glass (Emergency Access)
VHIE
• N/A.
• If a patient has not opted-in, no information will be available for viewing in an emergency.
NeHII
• Currently not permitted.
• While information about patients who opt-out is available, it is not accessible to providers.
• NeHII’s Privacy & Security Committee is considering whether to allow emergency access in the future.
MAeHC
• N/A.
• All participating providers can access available information about a patient once the patient grants the disclosing provider consent to disclose.
NYeC
• Yes
Minor Consent
VHIE
• No policy on minors at this time.
NeHII
• Information about STD testing or treatment of minors consented to by the minor is excluded from exchange.
MAeHC
• Records for minors between select ages were excluded from exchange.
NYeC
• Records for minors age 10 & over are excluded from exchange unless RHIO can develop a mechanism for segregating information relating to minor consent services from other information.
NC HIE Legal and Policy Workgroup Tasks
• Outline privacy and security issues related to HIE within NC and between NC and other states, particularly neighboring states
• Analyze existing state laws
• Analyze the potential for modifying state laws and collaborations with other states to further enable HIE
• Develop privacy and security policies and procedures necessary to enable and foster information exchange
• Develop trust agreements (such as data sharing agreements, data use agreements, and reciprocal support agreements) that would promote the secure flow of health information
• Design policies to address issues of noncompliance with federal and state laws and guidance applicable to HIE
• Devise other methodologies to ensure the security of health data
Workgroup Subcommittees
• Policy Subcommittee: Develop statewide policy framework that allows for incremental development of HIE policies over time as necessary to facilitate statewide HIE, including recommendations concerning consumer consent and access to protected health information. Develop policy framework for consent, the 4 A’s, sensitive health information and enforcement in a multi-exchange environment.
• Security Subcommittee: Develop appropriate safeguards and oversight mechanisms to ensure that state HIE participants protect health information as required by state and federal laws.
• Legal Subcommittee: Create legal framework which will facilitate intrastate and interstate HIE, including a process to harmonize federal and state legal and policy requirements to support HIE, a process to resolve potential conflicts, and a process to develop model legal agreements and related forms that can be used by regional or community HIE networks throughout NC to facilitate HIE. Develop analysis of state laws (1. consent issues, 2. other laws, 3. contractual issues) and associated recommendations.
Full Workgroup Responsibilities
• Receive and discuss subcommittee reports
• Provide recommendations on all workgroup issues
Proposed Subcommittee Procedures
• Establish meeting procedures to ensure that all relevant perspectives are aired and no particular viewpoint dominates deliberations
• Seek to achieve consensus on recommendations whenever possible
• If consensus not possible, report majority recommendation to workgroup with accompanying summary of dissenting views
Privacy & Security – Threshold Issues Must Be Agreed Upon to Develop Statewide Privacy and Security Policies
Threshold Privacy & Security Issues (Continued)
Threshold Privacy & Security Issues (Continued)
Analytic Framework
RHIO – Core Components
• Nature of participants: Multi-stakeholder & All Consumers
• Governance: Transparent policy framework, inclusive decision making process
• Purpose of exchange/Mission: Improve quality, safety, efficiency of care
• Type of information exchanged: Clinical data
• How information is exchanged: Protocols, standards and services
• Scope of services: Privacy, security, authentication, authorization, access, and auditing policies
• Consumer Access: Provisions for ensuring consumer access to and control of data
For What Purposes May Information Available through NC’s Statewide HIE Be Used?
Treatment Level 1 Uses? Provider-based quality improvement Payer-based care management Research Level 2 Uses? Marketing Public health Additional Levels? Law enforcement Others?
Potential Definitions of Uses of Information
Treatment
• The provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party. A third party is an entity with whom a health care provider has a contractual relationship related to the provision, coordination or management of health care and related services for a consumer. Under this contractual relationship, the health care provider must ensure that the contracted entity adheres to new consent policies and procedures;
• Consultation between health care providers regarding a patient; and
• The referral of a patient from one health care provider to another.
(Source: Modified from HIPAA)
Provider-based quality improvement
Activities by a provider and/or its contracted entities that include:
• Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination; and
• Disease management which can include a range of activities that involve the provider-controlled exchange of consumer health information with third parties with whom the provider has a contractual relationship related to the provision, coordination or management of health care and related services for a consumer.
• Third party entities may include health plans
(Source: Modified from HIPAA)
Potential Definition of Uses of Information
Payer-based care management
Activities by a health plan that include:
• Conducting case management and care coordination; and
• Disease management which can include a range of activities through which the health plan has direct access to patient-identifiable clinical data without the provider serving as an intermediary.
(Source: Modified from HIPAA)
Research
A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. (Source: HIPAA)
Marketing
• Any communication about a product or service that encourages recipients to purchase or use the product or service. [1]
• An arrangement whereby an RHIO participant and another entity discloses consumer health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services. [2]
(Source: Modified from HIPAA)
[1] The HIPAA Privacy Rule contains a number of exceptions to marketing that do not require patient authorization.
[2] HITECH Section 13406 amended HIPAA such that if a Covered Entity is paid by an outside entity to send a communication to a patient, the communication is deemed to be marketing and requires prior authorization from the patient – even if that communication falls into one of the current exceptions to the definition in the Privacy Rule.
Potential Definitions of Uses of Information
Public health
• Disclosure to a public health authority authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. (Source: Modified from HIPAA)
• Other types of public health disclosures as allowed under HIPAA and state law.
Law enforcement
Consistent with applicable provisions of HIPAA:
• Disclosure to a law enforcement official as required by law, including laws that require the reporting of certain types of wounds or other physical injuries.
• Disclosure in response to a law enforcement official’s request for PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.
• Disclosure in response to a law enforcement official’s request for PHI about an individual who is or is suspected to be a victim of a crime.
• Other types of disclosures as allowed under HIPAA and state law.
(Source: HIPAA)