NeHC Releases Roadmap for Growth and Evolution of HIE, and Legal HIE Listed as a Helpful Resource!

Posted by Krystyna Monticello on April 03, 2012

Following ONC's release of its Program Information Notice "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program," (the P&S PIN discussed in a previous blog post) the National eHealth Collaborative (NeHC) has released a roadmap for successful and widespread growth of HIE to improve health and healthcare after extensive collaboration with private and public stakeholders (the HIE Roadmap). NeHC is a pubic-private partnership established through a grant from the ONC and is led by some of the nation's most respected thought leaders, and so we were thrilled to discover that our blog, Legal Health Information Exchange, was identified by NeHC as one of only a selected group of "Helpful Resources" found at Exhibit B of its HIE Roadmap. You can register with NeHC to download a copy of the HIE Roadmap here

Entitled "The Landscape and a Path Forward," the HIE Roadmap sets forth current HIE connectivity and exchange approaches across the nation, as well as federal efforts towards developing the foundation for interoperability and trusted HIE through common standards, services and policies.  It highlights those strategies for integrating these federal and private sector efforts, emphasizing the current progress that has been made and those challenges and barriers remaining to be overcome. 

Most importantly, it hopes to provide a roadmap of the major steps communities can follow to achieve progress towards HIE.  The HIE Roadmap states,

...Given the rapid market and policy changes and technology innovations occurring right now, there is confusion among healthcare stakeholders about how best to proceed with implementing HIE.  Leading HIE organizations are indeed charting new ground.  Emerging HIE efforts can and should learn from those who are further along in order to...leapfrog toward success."

It notes that in 2010, the number of public HIEs increased 81% from 37 to 67 with a whopping 210% increase in operating private HIEs, from 52 to 160.  Providing clear examples of leading HIE efforts, their leverage of national standards for exchange, and other factors contributing success, the HIE Roadmap seeks to capture the vision for why HIE is important to improving patient care and to the performance of our healthcare system, as well as provide a framework and a path forward for those working towards achieving HIE in their communities. 

The HIE Roadmap highlights several of the most notable challenges and barriers to HIE, including:

  • Funding and sustainability;
  • Variations in implementation of interoperability standards;
  • Provider adoption;
  • Disparate EMRs; and
  • Privacy and security concerns.

However, it recognizes that these challenges and barriers are being "tackled and overcome."  The HIE Roadmap highlights ONC efforts towards building a foundation of interoperability and trusted exchange, in particular, recommendations of the HIT Policy and Standards Committees and their workgroups, such as the Meaningful Use, Information Exchange, and Privacy and Security Policy Workgroups.  It highlights the importance the Direct Project and the Nationwide Health Information Network (NHIN) continues to play in developing a strong interoperable foundation and the potential the Direct Project and NHIN have to promote best practices, compliance with existing national standards and implementation recommendations, and following through responsibility to protect health information.

The HIE Roadmap describes the approaches taken by several HIE initiatives across the nation, including:

  • Care Connectivity Consortium, comprised of five leading health systems, Kaiser Permanent, Mayo Clinic, Geisinger Health, Intermountain Healthcare and Group Health;
  • HealthBridge, with 50 participating hospitals, 800 physician practices, and 7,500 physicians;
  • Indiana HIE (IHIE), with 90 hospitals and 19,000 participating physicians;
  • Inland Northwest Health Services (INHS), with an air ambulance collaborative, rehabilitation hospital, and IT management for 38 hospitals and EMR services for 750 physicians, and which also partners with the Departments of Defense and Veterans Affairs; and
  • Kaiser Permanente, which includes the Kaiser Foundation Health Plan and subsidiaries, 37 hospitals and over 450 clinical facilities, and the Permanente Medical Group Practices.

While highlighting the various strategies implemented by these initiative, the HIE Roadmap also recognizes that,

Indeed, interoperable HIE is a journey without a definite endpoint.  Many different approaches are being used, stakeholders are at different stages along this journey, and there is by no means a "one size fits all" model. 

It notes, however, that a key priority of many of these initiatives is to provide standards-based services to small physician practices, recognizing that most healthcare is delivered in these physician practices and the challenges they face.  Finally, the HIE Roadmap sets forth four major "steps" or phases for implementing successful and sustainable HIE, which starts wtih developing the HIE's objectives and vision.

In conclusion, the HIE Roadmap states,

The ultimate goal of HIE is to ensure that the right information is available at the right time and place every time to support the delivery of high quality, well coordinated, and cost effective patient-centered healthcare.  Keeping a consistent and clear focus on what is best for the patient is above all else the smartest way to stay on course in the ever-changing environment of HIE.

Grantees of HIE Funds Get "PIN-ned" on Privacy, Security and Patient Consent

Posted by Helen Oscislawski on March 31, 2012

 Pushpin.jpgOn March 22, 2012 HHS/ONC released a new Program Information Notice (PIN) called the "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program" (P&S PIN).  The P&S PIN applies to all State Health Information Exchange Cooperative Agreement Program Recipients, including State Designated Entities (SDEs), SDE sub-grantees, and other direct grantees of the federal HIE Cooperative program. Here is a link to the HHS/ONC PIN website.

The P&S PIN requires all SDEs to submit as part of a 2012 annual SOP (Strategic and Operational Plan) an update of their privacy and security framework consisting of all relevant statewide policies and practices adopted by recipients, and operational policies and practices for HIE services being implemented by Grant recipients of funding in whole or in part with federal cooperative agreement funds (HIE Grant Recipients).

Among other things, each HIE Grant Recipient will need to submit how their existing privacy and security policies align with each domain of the Fair Information Practices (FIPs), which the ONC and the ONC's Privacy & Security Tiger Team have each previously pointed to as providing a privacy and security framework for networked HIE.  The FIPs are:

  1. Openness and Transparency
  2. Collection and Use and Disclosure Limitation
  3. Safeguards
  4. Accountability
  5. Individual Access
  6. Correction
  7. Individual Choice
  8. Data Quality and Integrity

Specifically, Point-to-Point Directed HIE Exchange Models will be required to demonstrate that their P&S policies address FIPs 1-4, and have the option of addressing FIPs 5-8. HIE models that aggregate data will be required to demonstrate that their P&S policies address FIPs 1-8. If any GAPs exist between a FIP and the HIE Grant Recipient's current policies (i.e. a domain is not addressed), this must be identified and a strategy timeline and action plan for addressing these gaps in the 2012 SOP update must be provided.

One of the most debated topics with networked HIE has been patient consent. Many HIEs and stakeholders have asked the federal government on guidance on when and what form of consent is required for networked HIE.  

The P&S PIN addresses patient consent with HIE, and requires that aggregated HIE models offer, at a minimum, individuals with a meaningful choice with regard to whether their individually identifiable health information (IIHI) may be exchanged through an HIO entity that aggregates data.

The P&S PIN then further goes on to define “meaningful choice” as including:

  • Made with advance knowledge
  • Not used for discriminatory purposes or as condition for receiving treatment
  • Made with full transparency and education
  • Commensurate with circumstances for why IIHI is exchanged
  • Consistent with patient expectations
  • Revocable at any time

Notably, the P&S PIN confirms that both opt-in and opt-out are acceptable means of satisfying patient choice. On Wednesday, March 27th,  I had the opportunity to speak at the HIPAA Summit in Washington D.C. where an audience member asked whether a “no choice” HIE model is now no longer a viable option for HIE.  Both Joy Pritts, ONC Privacy Officer, and Deven McGraw, Co-Chair of the ONC P&S Tiger Team, confirmed that at least with respect to HIE Grant Recipients who are operating an aggregated HIE model, the P&S PIN must be followed and each patient must be afforded with meaningful choice to participate in networked HIE. It's also important to note that while the P&S PIN requirement could potentially be satisfied through obtaining written consent from the patient, written consent is not required and, moreover, Ms Pritts specifically pointed out that obtaining a written blanket consent without any supporting meaningful processes would not meet the FIP standard. Thus, whether an opt-in or opt-out model is used, HIOs must focus on ensuring that educational information about HIE is being delivered to patients, and the patient's decision-making process is meaningful.

The FIPs are nothing new, and ONC actually issued its Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health information back in December of 2008!  Ever since then, I have been advising HIE initiatives to BUILD their HIE Policies around the FIPs and this ONC guidance document. Here is an example of how I crosswalk the FIPs with my template set of HIE Policies for HIOs that aggregate IIHI.

For a copy of a sample set of our HIE Policies, email me at helen@oscislaw.com, or visit www.ohcsolutions.com which going live soon as a source for legal forms and templates.

Federal Government Releases Updated DURSA for NHIN Participants

Posted by Helen Oscislawski on December 07, 2011

An Amended and Restated DURSA dated May 3, 2011 was released November 30, 2011.  The DURSA is an acronym for the "Data Use and Reciprocal Support Agreement."  It is a comprehensive agreement to govern the exchange of health data through the Nationwide Health Information Network Exchange (NHIN).  It is a multi-party single agreement that establishes the rules of engagement and obligations to which all Participants agree and that all Participants sign as a condition of joining the NHIN community. A clean copy of the updated DURSA can be downloaded from the NHIN's Participant "Onboarding" Website, or by clicking here. The Office of National Coordinator (ONC) has also posted a Redline version comparing the most recent May 2011 version of the DURSA against its predecessor (scroll all the way down to the "DURSA" subcategory). 

According to a PowerPoint posted by the ONC that summarizes all the changes to the November 2009 version of the DURSA, here are some of the more significant ones that NHIN Participants can expect:

  • The term “Nationwide Health Information Network” is defined more broadly, and ONC is phasing out its use altogether.
  • The composition of the Coordinating Committee is being downsized/reduced significantly. ONC indicated that the current composition is not scalable given the rapid growth in the number and type of Participants.
  • The definition of "Permitted Purposes" has been revised to support varied types of transactions and not preclude legitimate reasons to transact Message Content including treatment, payment, limited healthcare operations with respect to the patient that is the subject of the data being exchanged, public health activities, meaningful use and disclosures based on an authorization from the individual.
  • Each Participant is required to (i) validate information about its Users prior to issuing the User credentials; (ii) use the credentials to verify the identity of its Users before enabling the User to transact Message Content; and (iii) provide truthful assertions.  The November 2009 version did not specifically require Participants to “identity proof” their Users or explicitly require a Participant to submit truthful information in the assertions and statements that accompany a Message.  At the time, the DURSA developers assumed that these issues would be addressed in the Specifications, but they were not.
  • Combines duties of a responder and requestor into duties of a Submitter, and adds that Messages must comply with Applicable Law, the DURSA, Operating P&P, applicable Performance and Service Specifications. Submitter must represent that all assertions or statements related to the submitted Message are true and accurate. Also, it is the responsibility of the Submitter – the one disclosing the data – to make sure that it has met all legal requirements before disclosing the data, including, but not limited to, obtaining any consent or authorization that is required by law applicable to the responding Participant.
  • Removed 24 notice requirement to Coordinating Committee before suspending a Participant.  Recognized that process is onerous.  Participant can now be voluntarily suspend from 5-10 days.

The government noted that the process has proven itself inefficient and has impeded the ability to amend [Operating Policies and Procedures, and technical specifications]......

  • The November 2009 version required 2/3 of non-governmental and 2/3 of governmental Participants to approve all changes to the Operating policies and procedures.  The government acknowledged that this process has proven itself inefficient and has impeded the Coordinating Committee’s ability to revise the Operating Policies and Procedures.  In the May 2011 version, the process for revising and adopting new Operating Policies & Procedures has been revised.  Prior to approving new Operating P&Ps, Coordinating Committee will solicit comments from the Participants.  There will be a 30 day objection period once the Coordinating Committee approves new or amended Operating P&P.  New or amended Operating P&Ps go into effect unless 1/3 of the Participants object.  If 1/3 object, then 2/3 of non-governmental and 2/3 of governmental Participants must approve before the new or amended OP&Ps become effective.
  • In the Nov 2009 version, approval of new or amended Performance and Service Specifications required the Coordinating Committee to make a determination of “materiality,” which then dictates the Technical Committee’s process of approving the Spec change.  The government noted that the process has proven itself inefficient and has impeded the ability to amend the Performance and Service Specifications and adopt new Performance and Service Specifications.  With the new May 2011 version of the DURSA, new and amended Performance and Service Specifications will be approved in the same way that new and amended Operating P&Ps are approved.

HITPC Releases Tiger Team EHR Amendment/Correction Recommendations

Posted by Helen Oscislawski on July 27, 2011

The ONC Health Information Technology Policy Committee (HITPC) released the Privacy & Security Tiger Team (Tiger Team) recommendations concerning amendments and corrections to electronic medical records (EMRs) in a letter to HHS on July 25, 2011 (HITPC Letter).  The Tiger Team's two recommendations are:

  • Certified electronic health record (EHR) technology for Meaningful Use Stage 2 should have the capability to support amendments to health information as well as support compliance with HIPAA obligations to respond to patient requests for amendments, specifically (i) to make it technologically possible for providers to make amendments consistent with their obligations with respect to the legal medical record (e.g., access/view the original data and identify changes made); and (ii) attach any information from the patient and any rebuttal from the entity regarding disputed data.
  • Certified EHR technology for Meaningful Use Stage 2 should have the ability to transmit amendments, updates or appended information to other providers to whom data in question had previously been transmitted. 

The recommendations address the concerns of stakeholders regarding technological capabilities of EHR systems to assist covered entities in complying with HIPAA amendment and correction procedures for their EMRs.  They also address issues concerning data integrity and quality when correcting errors in patient information not at the request of the patient or communicating updates in patient information. 

HIPAA requires covered entities to comply with specific procedures for correcting or amending protected health information (PHI) within their records where a patient requests such correction or amendment.  In addition, the principle of "correction" was adopted by the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which requires timely means provided to individuals to dispute the accuracy or integrity of their health information.  

The Tiger Team recommends that the HIT Standards Committee develop standards, specifications and criteria for the certified EHR technology, and that any technological capabilities be kept as simple as possible to start.  Capabilities could evolve over time and become more complex, including "potentially greater standarization and automation."  Most notably, the Tiger Team rejected placing affirmative obligations on providers to inform other providers and entities about errors which were not identified in response to a patient's request, citing the "range of different errors that could occur" and the potential difficulty in distinguishing between what was a difference in medical opinion and an actual error, deciding,

...Providers' existing ethical and legal obligations were sufficient to motivate them to use appropriate professional judgment regarding when to inform any known or potential recipients of amendments to health data.

Finally, the HITPC letter notes that the Tiger Team considered whether health information exchange organizations (HIOs) should be obligated to correct errors and transmit amendments or updates to affected providers where they may be responsible for such errors.  The Tiger Team has specifically sought input from the HITPC and will continue to research existing HIO policies prior to developing future recommendations on this issue. 

The full HITPC letter may be found here: HITPC Privacy & Security Tiger Team Amendment Recommendations

Doctors and Patients Mostly Agree on IT

Posted by Helen Oscislawski on February 01, 2011

Government Health IT reported yesterday that according to a national survey released January 31st by the Markle Foundation, patient and physicians share many similar views regarding increasing beneficial use of health information technology to improve delivery of care, as well as the necessary privacy protections that should go along with the shift to utlize electronic medical records.  The Markle Foundation states on its website that the Markle Survey of Health in a Networked Life is

[t]he first of its kind to compare the core values of physicians and the general public, referred to here also as patients based on their opinions as consumers of health care, on deployment of information technology in health care.

Key findings in the Markel Survey include:

  • 74% of the doctors surveyed would prefer computer-based means of sharing patient information with each other.
  • 47% of the doctors would prefer computer-based means of sharing records with their patients. (Only 5% do so today.)
  • 74% of doctors said patients should be able to share their information electronically with their doctors and other practitioners.
  • 10% of the public reported currently having an electronic PHR (up from 3% who reported having one in Markle’s 2008 survey).
  • 70% of the public and 65% of the doctors agreed that patients should be able to download their personal health information online.
  • 70% of the public said patients should get a written or online summary after each doctor visit, but only 36% of the doctors agreed. (Only 4% of doctors say that they currently provide all their patients a summary after every visit).

Other findings from the survey include:

  • 70% to 80% of both patients and doctors support privacy-protective practices, such as letting people see who has accessed their records, notifying people affected by information breaches, and giving people mechanisms to exercise choice and correct information.
  • 65% of the public and 75% of doctors agreed that it’s important to have a policy against the government collecting personally identifiable health information for health IT or health care quality-improvement programs.
  • If there are safeguards to protect identity,however, at least 68% of the public and 75% of the doctors expressed willingness to allow composite information to be used to detect outbreaks, bioterror attacks, and fraud, and to conduct research and quality and service improvement programs.
  • 75% of the public and 73% of the doctors said it will be important to measure progress on improving health care quality and safety to ensure the public health IT investments will be well spent. Both groups (each at 69%) agreed on the importance of specific requirements to improve the nation's health in areas like heart disease, obesity, diabetes, and asthma.
  • Many are unaware of the health IT incentives: 85% of the public and 36% of doctors describe themselves as not very or not at all familiar with the health IT incentives program, which makes subsidies available for doctors and hospitals to increase use of information technology.

For a detailed copy of the report, visit Markle Foundation's Latest Surveys.

Patient Protection and Affordable Care Act Declared Unconstitutional

Posted by Helen Oscislawski on January 31, 2011

In a brief 78 page Opinion, Federal District Court Judge Roger Vinson of the U.S. District Court of the Northern District of Florida struck down portions of the the Patient Protection and Affordable Care Act on constitutional grounds.  The impact of that decision on PPACA initiatives in Florida, such as Accountable Care Organizations, remains to be seen, althought the DOJ has expressed its intent to appeal the ruling. In addition, Deputy Senior Advisor Stephanie Cutter responded:

We don't believe this kind of judicial activism will be upheld and we are confident that the Affordable Care Act will ultimately be declared constitutional by the courts.

She characterized the ruling as "well out of the mainstream of judicial opinion," noting that 12 federal judges have dismissed challenges to the law's constitutionality and two--in Michigan and Virginia--have upheld the law.

(meta-data) "TAG, You-Are-It" (ONC, CMS, DHHS) !

Posted by Helen Oscislawski on December 31, 2010

This December 2010, the President’s Council of Advisors on Science and Technology (“PCAST”) released its Report titled “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” and, boy, it makes meaningful use look like a walk in the park!

The Report notes, among many other things, that the current structure of available health IT systems is inadequate, resulting in user difficulty, unavailability of relevant information, such as best practices, limited capability for sharing data across systems, patient concerns regarding improper access, and the inability to search or aggregate and de-aggregate data where necessary for research, public health, quality improvement, or patient safety. In essence, current health IT systems cannot easily support the desired outcomes. The Report identifies key legislation and regulations responsible for moving the development of health IT forward, namely, HITECH and the “meaningful use” EHR Incentive Program, as well as demonstration projects to develop experience and the necessary conditions for progress. However, the Report stresses the urgency of accelerating and redirecting much needed federal groundwork for HIE.

The Report notes the successes of early adopters of integrated EHR systems (i.e., Kaiser Permanente and VHA), while recognizing areas of functionality still in dire need of improvement, such as interoperability. It finds data exchange and aggregation central to accomplishing potential health IT benefits yet rejects current HIE models as being “ill-suited” as the basis for a national health information infrastructure due to durability and interoperability concerns. PCAST considers new technologies, such as “cloud-based” EHR products, patient personal health records, and data aggregation “middleware” products for interoperability that have potential to remove barriers and create solutions, as well as other promising models for data exchange.

PCAST rejects standardized health record formats and service-oriented architecture (SOA) in favor of metadata-tagged data elements and data-element access services (DEAS), the advantages of which the Report describes in detail. Such “tags” are small pieces of information accompanied by a larger “megadata tag” which groups them by attributes as well as required privacy and security protection.

The Report argues that a universal exchange language based upon tagged dataelements (i.e., DEAS and metadata-tagged data) is more sophisticated and better for privacy and security.

For example, DEAS would require authentication of an individual into the system and allow only access to information based upon the role he or she is assigned. To obtain access to encrypted tagged data elements, based upon a patient’s privacy choices, the individual would have to have the proper credentials and role. It is also crucial to note that the Report rejects that such a system would require “universal patient identifiers” or create a central repository of patient information.

Furthermore, the Report explores how HIPAA is ill-equipped, and possibly detrimental to medical research and care, to handle the changes in health IT and how HITECH both partially remedies and exacerbates this situation, such as accounting of disclosures which will “stifle innovation”.

Finally, the Report argues that federal leadership is necessary to combat economic concerns and incentivize information exchange and development of health IT systems. Adopting standardized metadata, aligning economic incentives (such as through “meaningful use”), encouraging technological innovation and competition, supporting development of network infrastructures through appropriately designed pilot projects, and developing a regulatory health IT structure along with regulatory oversight all are suggested by the Report as necessary.

PCAST detail several layers and roadmaps for government agencies to progress towards the realization of a national health IT infrastructure. It also recommends guidelines for transitioning from existing EHRs and information exchange systems to the new tagged data element model advocated by the Report, and addresses generation of necessary early design choices by ONC and the Report’s vision for future CMS meaningful use requirements. The Report concludes with specific short and mid-term recommendations for ONC, DHHS, CMS, and other agencies in order to realize the objectives outlined in the Report towards establishment of a national health IT infrastructure.   In response, ONC, for one, appears to have already set up a PCAST Report Workgroup, and the first meeting is scheduled for January 14, 2011.

 To review PCAST’s summary of Recommendations of who should do what next, click Continue Reading below.

Continue Reading