ONC Releases Governance Framework for Trusted HIE

After backtracking on developing "Rules of the Road" for trusted electronic health information exchange (HIE) last year, ONC has released its promised Governance Framework for HIE after months of collaboration with stakeholders. Crafted through public listening sessions, hearings, partnerships and the NHIE Governance Forum, the Governance Framework,

Reflects what matters most to ONC when it comes to national health information exchange governance and the principles in which ONC believes,

stated Dr. Mostashari last Friday in his Health IT Buzz Blog. Short and sweet, the Governance Framework provides guidelines for the governance of HIE.

The Governance Framework sets forth four sets of principles for HIE which are specifically geared towards HIOs and other entities that set HIE policy such as state agencies and partnerships:

  • Organizational principles, focusing on transparency and openness, inclusiveness, oversight and enforcement;
  • Trust principles, focusing on meaningful choice to participate in HIE and to limit types of data exchange, transparency in privacy and security practices, and the accuracy of information;
  • Business principles, providing open access and standards to promote collaboration; and
  • Technical principles, ensuring technology can accommodate exchange through the use of standards and implementation specifications, testing and collaboration with voluntary consensus standards organizations.

Of particular interest is the recommendation that HIOs provide a "Notice of Data Practices" entirely separate from the Notice of Privacy Practices each participating organization in an HIO would provide to its patients describing HIE activities. The Notice would describe not only uses and disclosures of identifiable information, but de-identified information as well.

Furthermore, organizational principles would include,

[P]romot[ing] inclusive participation and adequate stakeholder representation (especially among patients and patient advocates) in the development of policies and practices.

Another recommendation would prompt HIOs to maintain and publish statistics on their exchange capacity, including number of users and patients, type of standards implemented and transaction volume, as well as to disseminate "up-to-date" information on compliance with statutes and regulations, best practices and even potential security vulnerabilities.

Is the Governance Framework helpful to HIOs? Maybe. It does NOT

Prescribe specific solutions but lays out milestones and outcomes that ONC expects for and from HIE governance entities as they enable electronic HIE.

It is a far cry from guidance for the everyday problems HIOs are faced with as expressed by numerous stakeholders to ONC, such as sharing data across state lines, sustainability, variations in standards between providers and HIOs, and differences in policies governing who may access patient data (i.e., clinicians only vs. administrative and other personnel).

It does, however, provide at least a "common foundation" for HIOs to build their organizational structure and policies upon. And it's better than a set of regulations and rules for HIE and HIOs that no one is ready for.

To read the full Governance Framework and for additional information on ONC's HIE activities, visit ONC's HIE Governance website.   

HHS Releases RFI on Interoperability and HIE

HHS, CMS and ONC have released a Request for Information (RFI) seeking input on policies and programs to encourage health information exchange (HIE) through interoperable systems.  Although the Medicare and Medicaid EHR Incentive Programs and other federal efforts are rapidly increasing the adoption of standards based HIE and EHR technology,

This alone will not be enough to achieve the widespread interoperability and electronic exchange of information necessary for delivery reform where information will routinely follow the patient regardless of where they receive care....

The overarching goal is to develop and implement a set of policies that would encourage providers to routinely exchange health information through interoperable systems in support of care coordination across health care settings.  

HHS therefore seeks comment on several options for encouraging HIE among providers and settings of care through a hodge-podge of existing statutory vehicles (primarily CMS and ONC programs and projects). In addition to requesting comment on these existing vehicles, CMS and ONC seek to identify what is currently working to encourage HIE, and which changes would have the biggest impact on HIE adoption, including regulatory requirements.

Furthermore, although long neglected under the EHR Incentive Programs, CMS and ONC specifically seek comment on what policies and programs would have the most impact on post-acute and LTC care providers as well as behavioral health.  They ask for insight into how these programs and policies should be implemented and developed to maximize care coordination and quality improvement for these populations. In addition, CMS and ONC specifically seek comment on policies and programs which would most impact patient access and use of their electronic health information for management of their care.   

Post-Acute and Long-Term Care Providers.  HHS acknowledges the low rates of EHRs and HIE among LTC and post-acute care providers and identifies existing authority which could be leveraged to expand HIE.  These include incorporating HIE as key components of:

  1. Medicaid health homes;
  2. Demonstration and pilot projects under Medicaid and the Children's Health Insurance Program (CHIP);
  3. Home and community based services (HCBS), which would include LTC;
  4. State expansions of HIE infrastructure as part of the Medicaid EHR Incentive Program; and
  5. CMS Conditions of Participation or Coverage.

Settings of Care.  HHS additionally acknowledges the need to accelerate HIE across providers, including ambulatory care, behavioral health, laboratory, and post-acute and LTC. For example, HHS seeks comment on:

  1. New e-specified measures for exchanging summary records following transitions of care aligned with CMS quality reporting programs, including the EHR Incentive Programs;
  2. Medicare Shared Savings Program, requiring or encouraging Accountable Care Organizations (ACOs) to engage in HIE as part of coordination of care;
  3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of use of interoperable technology for HIE to facilitate model participation decisions and requirements;
  4. Model testing to align Medicare and Medicaid financing and care integration under the Capitated Financial Alignment model.

Consumer and Patient Engagement.  HHS and CMS seek to encourage engagement of patients in their care by improving their access to health information and electronic communication between their health care providers.  Options to encourage consumer and patient engagement include:

  1. Incorporating new measures into Medicare Advantage Program consumer assessment surveys (CAHPS);
  2. Blue Button availability to all CMS beneficiaries;
  3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of incentives for consumers to more actively participate in their health; and
  4. Direct access to lab results from laboratories (CLIA and HIPAA Amendments).

The RFI will be published today in the Federal Register.  Comments may be submitted up to 5pm on April 22, 2013. 

ONC Setting Stage for NHIN Governance Guidance

Last year, ONC announced that it would not be moving forward on establishing governance regulations for the Nationwide Health Information Network (now called the "eHealth Exchange") as a result of the comments and feedback it received.  Instead, it proposed to move forward with developing best practices guidance and support activities for existing governance initiatives and goals in nationwide health information exchange (HIE).

This year, ONC is kicking off several activities to support HIE governance. First, a federal funding opportunity is available for existing governance entities to further develop and adopt policies, interoperability requirements, and business practice criteria relating to HIE. Applications may be submitted until February 4 on Grants.gov.

Secondly, Dr. Mostashari and ONC have scheduled open Town Hall listening sessions for this coming Thursday, January 17, and for February 14, so that stakeholders can express their priorities, concerns or issues.  Based on stakeholder input, the HIT Policy Committee and HIT Standards Committee are then expected to hold a public hearing on January 29 to discuss current HIE policies, practices and impediments, as well as opportunities to strengthen and improve governance.

Finally, ONC will develop and publish a series of governance "guidelines" based on the feedback it has received for effective and trustworthy HIE.  Stay tuned for more information on ONC's new site for HIE Governance.

SERCH Project Recommendations for HIE and Disaster Preparedness

As Helen noted in her post on Thanksgiving, Superstorm Sandy re-emphasized the need for health care organizations to have plans in place for disaster preparedness, data backup and recovery. As New York and New Jersey rebuild, health care organizations are taking a closer look at what they can do to improve the availability of critical health care services for their patients, and in particular, the role of HIE in keeping patient information available.  

This past July, ONC released the results of a two-year effort by the Southeast Regional HIT-HIE Collaboration (SERCH) Project on Health Information Exchange in Disaster Preparedness and Response. The SERCH project began in November 2010 and included representatives from natural disaster-prone states such as Alabama, Arkansas, Florida, Georgia, Louisiana, and Texas. 

Supported by ONC, the SERCH Project was a state-led initiative aimed at identifying information-sharing challenges during natural disasters and developing strategic plans to incorporate HIE into disaster planning. The group developed an actionable plan to improve HIE capabilities in response to disasters, both during and in the aftermath, focusing particularly on interstate communication and information-sharing, and addressing legal and other barriers to the use and disclosure of patient information. 

Although limited primarily to the groundwork that needs to be covered prior to implementation of a fully-operational State HIE, the SERCH Project recommended five steps for any organization planning on sharing information through HIE to take to integrate HIE and disaster planning, especially where information-sharing could occur across state lines.

  1. Understanding the State’s disaster response policies and aligning with the State agency designated for Emergency Support Function #8 (Public Health and Medical Services) before a disaster occurs.
  2. Developing standard procedures approved by relevant public and private stakeholders to share electronic health information across State lines before a disaster occurs.
  3. Considering enactment of the Mutual Aid Memorandum of Understanding to establish a waiver of liability for the release of records when an emergency is declared and to default state privacy and security laws to existing Health Insurance Portability and Accountability Act (HIPAA) rules in a disaster. States should also consider using the Data Use and Reciprocal Support Agreement (DURSA) in order to address and/or expedite patient privacy, security, and health data-sharing concerns.
  4. Assessing the State’s availability of public and private health information sources and the ability to electronically share the data using HIE(s) and other health data-sharing entities.
  5. Considering a phased approach to establishing interstate electronic health information-sharing capabilities.

These recommendations can also be applied and implemented by individual HIE networks and organizations, not only at the state-level. 

A full copy of the whitepaper can be found on the Health IT website.  You can also find a summary of the report by Lee Stevens, Policy Director for the State HIE Program, as well as his blog post in 2011 on the Joplin Tornado and the role of EHRs at the Health IT Buzz.

Are We Ready for the Nationwide Health Information Network? ONC Releases RFI for Governance of NwHIN

Currently, more than 500 hospitals and over 4,000 practices and clinics participate in the Nationwide Health Information Network (NwHIN).  According to the Federal Health Architecture (FHA) program in the Office of the National Coordinator for Health Information Technology (ONC) (InformationWeek, March 2012), most of the hospitals are those involved in programs operated by the Departments of Defense (DoD) and Veterans Affairs (VA).  Although participants also include entities such as Kaiser Permanente, health information exchanges or organizations (HIEs/HIOs) such as HealthBridge, and federal agencies including CMS, the DoD and VA, the overall percentage of participation in the NwHIN remains relatively low.

The NwHIN is the set of standards, services, and policies developed to enable and ensure the secure electronic exchange of health information.  Geared originally towards larger HIEs/HIOs and other networks and systems, as envisioned, the NwHIN would be a network of networks among the States and their respective health care providers and hospitals facilitating the efficient exchange of electronic health information and promoting interoperability.  

Most stakeholders would agree that safeguards should be in place to protect the confidentiality, integrity and availability of health information as it is exchanged among health care providers and at a national level as well as to promote public trust in such electronic exchanges.  However, there remains a lack of consensus on where (and what) standards and processes should be set for such exchanges, deterring broader participation in the NwHIN, creating confusion, and inhibiting exchange among providers in general.  Currently, the various States as well as the private sector have implemented a variety of, and sometimes conflicting, approaches to how and under what conditions information can be exchanged electronically. 

In recognition of this and under order by the HITECH Act, ONC has released a Request for Information, “Nationwide Health Information Network: Conditions for Trusted Exchange” (RFI), seeking public comment on establishing a governance mechanism for the NwHIN and a form of “rules of the road” for electronic exchange.  The RFI seeks to identify potential rules and processes for trusted exchange of health information among the various health care providers and health information organizations or regional health information organizations and promoting trust and confidence among health care providers and their patients.

We believe that this is an opportune time to solicit input on how the governance mechanism for the nationwide health information network should be shaped and how we could effectively use our statutory authority to complement existing Federal regulations to support and enable nationwide electronic exchange. We also believe that a properly crafted governance mechanism could yield substantial public benefits, including: reduced burden and costs to engage in electronic exchange; added protections for consumers and health care providers; and, in the long-run, a more innovative, and efficient electronic exchange marketplace that would ultimately create an environment where electronic exchange is commonplace and “worry-free.”  77 FR 28545.

In general, the RFI seeks public comment on five proposed areas and sets of questions which combined would create a framework for the electronic exchange of health information:

  1. Conditions for trusted exchange (CTEs), which would include safeguard, interoperability and business practice CTEs (those standards and implementation specifications as described in the HITECH Act),
  2. Validation process for conformance to CTEs as NwHIN network validated entities (NVE),
  3. Process for retiring and updating CTEs to address current exchange needs,
  4. Process for classifying the readiness of standards and implementation specifications to support interoperability related to CTEs, including identifying gaps needing to be filled to support nationwide electronic exchange, and
  5. Monitoring and transparent oversight, primarily by federal agencies, including ONC, OCR and the FTC, with some responsibilities delegated to the private sector.

Much like for certification of EHR technology in the Medicare and Medicaid EHR Incentive Programs, ONC would select an accrediting body responsible for the validation process of NVEs.  However, rather than focusing on and regulating only the product itself (e.g., the “certified” EHR technology), the services and activities performed by the entity itself would be the primary focus.  The NVE framework itself would be voluntary, with entities seeking validation as NVEs to the extent they identify value in doing so, although as NVE status gains ground it could, of course, be required as a condition of contracts, grants, and other relationships and procurements.

ONC clearly recognizes the critical need for flexibility and avoidance of a “one-size-fits-all” approach to governance and therefore would propose a variety of standards for electronic exchange, ranging from basic to more complex and ever-evolving exchange activities and use cases.  Entities contemplated which could seek status as an NVE would include EHR developers; regional, state, local or specialty-based health information exchanges; health information service providers; State agencies; Federal agencies, and integrated delivery networks.

Notably, ONC would propose that NVEs which were not otherwise Covered Entities or Business Associates comply with certain provisions of HIPAA, specifically 164.308, 164.310, 164.312, and 164.316.  NVEs in addition to complying with all of the HIPAA Security Rule's “required” implementation specifications would also be required to comply with those “addressable” as well, a proposition ONC is almost guaranteed to receive lively comment on.  NVEs would also be held to a more uniform set of policies and practices than those that would be required to comply with the HIPAA Privacy and Security Rules.

Consistent with previous recommendations of the HIT Policy Committee, ONC has not proposed that either an opt-out or opt-in mechanism would be required, but rather, that “meaningful choice” must be provided within three proposed exceptions, noting HIPAA baseline authorizations remain required for certain purposes: 

  1. For purposes of medical treatment;
  2. When information exchange is mandatorily required under law; or
  3. Where the NVE is acting solely as a conduit and not accessing or using the information beyond what is required to encrypt and route it to its intended destination.

Two other important proposals set forth by the RFI on which ONC has requested public comment are that NVEs would be required to either encrypt or make available encrypted channels for information to flow through, and that NVEs would not be permitted to use or disclose de-identified information for economic gain.  In addition, an NVE would be required to implement and use one of two types of transport specifications:  unsurprisingly, the Direct Project transport specifications, which may cause consternation for several HIEs, and the Exchange transport specifications.

The overarching question which needs to be answered for this RFI is, are we there yet? Are we ready to adopt a nationwide governance mechanism? If so, can we come to a consensus on those critical standards, services and activities which are necessary for efficient, effective and trusted exchange of health information, while keeping the flexibility and responsiveness needed to support the broad array of electronic exchange activities as they evolve?

A Notice of Proposed Rulemaking (NPRM) would be the next step after ONC’s consideration of public comments.  Public comments on the RFI are due June 14, 2012 and may be submitted online at https://www.federalregister.gov/articles/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange

**NOTE: As of June 5, ONC has extended the deadline for public comments on the RFI until Friday, June 29, 2012.  Comments must be submitted by 11:59PM Eastern Daylight Time. 

NeHC Releases Roadmap for Growth and Evolution of HIE, and Legal HIE Listed as a Helpful Resource!

Following ONC's release of its Program Information Notice "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program," (the P&S PIN discussed in a previous blog post) the National eHealth Collaborative (NeHC) has released a roadmap for successful and widespread growth of HIE to improve health and healthcare after extensive collaboration with private and public stakeholders (the HIE Roadmap). NeHC is a public-private partnership established through a grant from the ONC and is led by some of the nation's most respected thought leaders, and so we were thrilled to discover that our blog, Legal Health Information Exchange, was identified by NeHC as one of only a selected group of "Helpful Resources" found at Exhibit B of its HIE Roadmap. You can register with NeHC to download a copy of the HIE Roadmap here.

Entitled "The Landscape and a Path Forward," the HIE Roadmap sets forth current HIE connectivity and exchange approaches across the nation, as well as federal efforts towards developing the foundation for interoperability and trusted HIE through common standards, services and policies.  It highlights those strategies for integrating these federal and private sector efforts, emphasizing the current progress that has been made and those challenges and barriers remaining to be overcome. 

Most importantly, it hopes to provide a roadmap of the major steps communities can follow to achieve progress towards HIE.  The HIE Roadmap states,

...Given the rapid market and policy changes and technology innovations occurring right now, there is confusion among healthcare stakeholders about how best to proceed with implementing HIE.  Leading HIE organizations are indeed charting new ground.  Emerging HIE efforts can and should learn from those who are further along in order to...leapfrog toward success.

It notes that in 2010, the number of public HIEs increased 81% from 37 to 67 with a whopping 210% increase in operating private HIEs, from 52 to 160.  Providing clear examples of leading HIE efforts, their leverage of national standards for exchange, and other factors contributing to success, the HIE Roadmap seeks to capture the vision for why HIE is important to improving patient care and to the performance of our healthcare system, as well as provide a framework and a path forward for those working towards achieving HIE in their communities.

The HIE Roadmap highlights several of the most notable challenges and barriers to HIE, including:

  • Funding and sustainability;
  • Variations in implementation of interoperability standards;
  • Provider adoption;
  • Disparate EMRs; and
  • Privacy and security concerns.

However, it recognizes that these challenges and barriers are being "tackled and overcome."  The HIE Roadmap highlights ONC efforts towards building a foundation of interoperability and trusted exchange, in particular, recommendations of the HIT Policy and Standards Committees and their workgroups, such as the Meaningful Use, Information Exchange, and Privacy and Security Policy Workgroups.  It highlights the important role that the Direct Project and the Nationwide Health Information Network (NHIN) continue to play in developing a strong interoperable foundation, and the potential the Direct Project and NHIN have to promote best practices, compliance with existing national standards and implementation recommendations, and following through on the responsibility to protect health information.

The HIE Roadmap describes the approaches taken by several HIE initiatives across the nation, including:

  • Care Connectivity Consortium, comprised of five leading health systems, Kaiser Permanente, Mayo Clinic, Geisinger Health, Intermountain Healthcare and Group Health;
  • HealthBridge, with 50 participating hospitals, 800 physician practices, and 7,500 physicians;
  • Indiana HIE (IHIE), with 90 hospitals and 19,000 participating physicians;
  • Inland Northwest Health Services (INHS), with an air ambulance collaborative, rehabilitation hospital, and IT management for 38 hospitals and EMR services for 750 physicians, and which also partners with the Departments of Defense and Veterans Affairs; and
  • Kaiser Permanente, which includes the Kaiser Foundation Health Plan and subsidiaries, 37 hospitals and over 450 clinical facilities, and the Permanente Medical Group Practices.

While highlighting the various strategies implemented by these initiatives, the HIE Roadmap also recognizes that,

Indeed, interoperable HIE is a journey without a definite endpoint.  Many different approaches are being used, stakeholders are at different stages along this journey, and there is by no means a "one size fits all" model. 

It notes, however, that a key priority of many of these initiatives is to provide standards-based services to small physician practices, recognizing that most healthcare is delivered in these physician practices and the challenges they face.  Finally, the HIE Roadmap sets forth four major "steps" or phases for implementing successful and sustainable HIE, which start with developing the HIE's objectives and vision.

In conclusion, the HIE Roadmap states,

The ultimate goal of HIE is to ensure that the right information is available at the right time and place every time to support the delivery of high quality, well coordinated, and cost effective patient-centered healthcare.  Keeping a consistent and clear focus on what is best for the patient is above all else the smartest way to stay on course in the ever-changing environment of HIE.

Grantees of HIE Funds Get "PIN-ned" on Privacy, Security and Patient Consent

On March 22, 2012, HHS/ONC released a new Program Information Notice (PIN) called the "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program" (P&S PIN).  The P&S PIN applies to all State Health Information Exchange Cooperative Agreement Program Recipients, including State Designated Entities (SDEs), SDE sub-grantees, and other direct grantees of the federal HIE Cooperative program. Here is a link to the HHS/ONC PIN website.

The P&S PIN requires all SDEs to submit as part of a 2012 annual SOP (Strategic and Operational Plan) an update of their privacy and security framework consisting of all relevant statewide policies and practices adopted by recipients, and operational policies and practices for HIE services being implemented by Grant recipients of funding in whole or in part with federal cooperative agreement funds (HIE Grant Recipients).

Among other things, each HIE Grant Recipient will need to submit how their existing privacy and security policies align with each domain of the Fair Information Practices (FIPs), which the ONC and the ONC's Privacy & Security Tiger Team have each previously pointed to as providing a privacy and security framework for networked HIE.  The FIPs are:

  1. Openness and Transparency
  2. Collection and Use and Disclosure Limitation
  3. Safeguards
  4. Accountability
  5. Individual Access
  6. Correction
  7. Individual Choice
  8. Data Quality and Integrity

Specifically, Point-to-Point Directed HIE Exchange Models will be required to demonstrate that their P&S policies address FIPs 1-4, and have the option of addressing FIPs 5-8. HIE models that aggregate data will be required to demonstrate that their P&S policies address FIPs 1-8. If any gaps exist between a FIP and the HIE Grant Recipient's current policies (i.e., a domain is not addressed), they must be identified, and a strategy, timeline and action plan for addressing these gaps must be provided in the 2012 SOP update.

One of the most debated topics with networked HIE has been patient consent. Many HIEs and stakeholders have asked the federal government for guidance on when and what form of consent is required for networked HIE.

The P&S PIN addresses patient consent with HIE, and requires that aggregated HIE models offer individuals, at a minimum, a meaningful choice with regard to whether their individually identifiable health information (IIHI) may be exchanged through an HIO entity that aggregates data.

The P&S PIN then further goes on to define “meaningful choice” as including:

  • Made with advance knowledge
  • Not used for discriminatory purposes or as condition for receiving treatment
  • Made with full transparency and education
  • Commensurate with circumstances for why IIHI is exchanged
  • Consistent with patient expectations
  • Revocable at any time

Notably, the P&S PIN confirms that both opt-in and opt-out are acceptable means of satisfying patient choice. On Wednesday, March 27th, I had the opportunity to speak at the HIPAA Summit in Washington D.C. where an audience member asked whether a “no choice” HIE model is now no longer a viable option for HIE.  Both Joy Pritts, ONC Privacy Officer, and Deven McGraw, Co-Chair of the ONC P&S Tiger Team, confirmed that at least with respect to HIE Grant Recipients who are operating an aggregated HIE model, the P&S PIN must be followed and each patient must be afforded meaningful choice to participate in networked HIE. It's also important to note that while the P&S PIN requirement could potentially be satisfied through obtaining written consent from the patient, written consent is not required and, moreover, Ms. Pritts specifically pointed out that obtaining a written blanket consent without any supporting meaningful processes would not meet the FIP standard. Thus, whether an opt-in or opt-out model is used, HIOs must focus on ensuring that educational information about HIE is being delivered to patients, and the patient's decision-making process is meaningful.

The FIPs are nothing new, and ONC actually issued its Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health information back in December of 2008!  Ever since then, I have been advising HIE initiatives to BUILD their HIE Policies around the FIPs and this ONC guidance document. Here is an example of how I crosswalk the FIPs with my template set of HIE Policies for HIOs that aggregate IIHI.

For a copy of a sample set of our HIE Policies, email me at helen@oscislaw.com, or visit www.ohcsolutions.com which is going live soon as a source for legal forms and templates.

California HIE Demonstration Projects to Move Ahead with Opt-In Framework

This past Wednesday, the California Office of Health Information Integrity (CalOHII) released a comprehensive whitepaper examining patient consent and other HIE framework efforts for entities participating in the HIE Demonstration Projects and HIE throughout the state of California. CalOHII is the state entity designated for overseeing HIE in California as well as establishing and administering HIE demonstration projects within the state.  

The whitepaper builds upon initial recommendations of the California Privacy and Security Advisory Board (CalPSAB).  Although originally CalPSAB had proposed a bifurcated consent policy (i.e., opt-out for treatment, opt-in for other purposes or where sensitive information was contained in the medical record), the Board withdrew this recommendation after public concern regarding cost effective workability of the policy. 

Ultimately, CalPSAB recommended an "opt-in" patient consent framework which this whitepaper incorporates, implementing generally an affirmative consent framework for the demonstration projects.  The demonstration project participants would be required to use CalOHII approved consent forms and adopt CalOHII recommended privacy and security policies and procedures.

Although adopting a stricter approach, the whitepaper echoes the ONC Tiger Team's emphasis on meaningful patient consent, stating,

  ...CalOHII believes that the reading of an informing document and the signing of a consent form is the step at the end of a process - the process of education.  The education of the patient on the various aspects of the electronic exchange of health information, is to guide the patient in making a meaningful decision in giving or not giving his/her consent.

The whitepaper would permit certain exceptions allowing information to be accessed through an HIE without patient consent, namely for public health reporting and emergency "break the glass" situations.  In addition, the HIE demonstration projects are permitted under certain circumstances to request to "Demonstrate Alternative Requirements" (DAR process) in order to present other policies and requirements for implementing patient consent and privacy and security requirements. 

The two demonstration projects chosen for 2011 are the Western Health Information Network (WHIN) and the San Diego Beacon eHealth Community.  Both demonstration projects are currently set to test the opt-in framework as well as the CalOHII privacy and security policies that are to be developed.  The purpose of the demonstration projects is to help evaluate solutions for HIE and to test and develop innovative privacy and security practices.  Regulations for the demonstration projects are expected to be finalized shortly. 

Helen to Speak on Solving Privacy Dilemmas with Health Information Exchange at national Health Care Info Privacy Forum

To Register, click here.


Kansas Aligns State Privacy Laws with HIPAA as HIE Standard

Today, the State of Kansas’ Senate committee approved (by a vote of 39-0) Senate Bill 133 to align the state’s privacy laws with HIPAA. The Kansas Health Information Exchange, Inc. (the state’s RHIO) testified before the Senate committee to stress that legislation is necessary to harmonize the “patchwork of about 200 statutes and regulations that are primarily focused on particular types of information…”  Representatives of the Kansas HIE explained that creating uniform privacy and security standards in Kansas for electronic HIE is critical because it affects the ability of providers to exchange and share information and coordinate care, which is key to higher quality and more efficient care, and better population health.

Among other things, Senate Bill 133 sets out criteria that providers must meet in order to be protected from prosecution for violating a patient's privacy. Specifically, providers would have to:

  • adhere to the use and disclosure rules in HIPAA;
  • adhere to the requirements in HIPAA for safeguarding patient information;
  • comply with a patient's right to access their own medical information;

The bill also creates a standardized authorization form for providers to give patients before accessing and exchanging their medical information, as well as provides for a "personal representative" for incapacitated adults and minors without legal guardians.

As of January 27, 2011, ONC has approved over $547 million to states in order to further HIE efforts. Yet, as states gear up to tackle implementing the Operational Plans that they have submitted to ONC, they continue to be faced with many of the same privacy and security questions and issues that have slowed and even stalled HIE progress in the past.

Before the ONC was established, the Health Information Security and Privacy Collaborative (HISPC) tackled privacy and security law issues for several years. HISPC’s Final Report regarding Harmonizing State Privacy Laws, which is posted on ONC’s website, specifically recognizes that inconsistency in state and federal laws in terms of definitions, organizational structure, and content is often cited as a barrier to participation in and implementation of HIE. In addition, the report notes that stakeholder groups have long indicated that a greater harmonization of state laws would be beneficial and that reform of state laws, combined with revisions in federal laws, must be considered.

During Phase 1 of HISPC's work, extensive discussions and activities with stakeholders determined that lack of clarity and divergent interpretation of legal standards have created barriers to participation in and implementation of HIE. The Report goes on to state that, while some impediments to the exchange of health information are essential to protect privacy interests,

[u]nnecessary and unintended barriers resulting from confusion or inconsistency can prevent the timely and appropriate exchange of information essential for medical treatment and population health activities. Whether the movement to transform health care through HIE involves private grassroots efforts, state-specific initiatives, a single federal approach, or any combination thereof, the availability and use of common tools and resources is essential for establishing workable information exchange standards and practices within and among states.

Yet, while these obstacles are now widely recognized and exhaustively written about, the inconsistencies in various state laws as they relate to desired federal HIE objectives continue to create confusion and drain resources. Thus, to date, HIPAA continues to be the main federal legal source that states can look to in order to define what privacy and security standards should apply to electronic HIE – which is what Kansas has done.

(meta-data) "TAG, You-Are-It" (ONC, CMS, DHHS) !

This December 2010, the President’s Council of Advisors on Science and Technology (“PCAST”) released its Report titled “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” and, boy, it makes meaningful use look like a walk in the park!

The Report notes, among many other things, that the current structure of available health IT systems is inadequate, resulting in user difficulty, unavailability of relevant information, such as best practices, limited capability for sharing data across systems, patient concerns regarding improper access, and the inability to search or aggregate and de-aggregate data where necessary for research, public health, quality improvement, or patient safety. In essence, current health IT systems cannot easily support the desired outcomes. The Report identifies key legislation and regulations responsible for moving the development of health IT forward, namely, HITECH and the “meaningful use” EHR Incentive Program, as well as demonstration projects to develop experience and the necessary conditions for progress. However, the Report stresses the urgency of accelerating and redirecting much needed federal groundwork for HIE.

The Report notes the successes of early adopters of integrated EHR systems (i.e., Kaiser Permanente and VHA), while recognizing areas of functionality still in dire need of improvement, such as interoperability. It finds data exchange and aggregation central to accomplishing potential health IT benefits yet rejects current HIE models as being “ill-suited” as the basis for a national health information infrastructure due to durability and interoperability concerns. PCAST considers new technologies, such as “cloud-based” EHR products, patient personal health records, and data aggregation “middleware” products for interoperability that have potential to remove barriers and create solutions, as well as other promising models for data exchange.

PCAST rejects standardized health record formats and service-oriented architecture (SOA) in favor of metadata-tagged data elements and data-element access services (DEAS), the advantages of which the Report describes in detail. Such “tags” are small pieces of information accompanied by a larger “metadata tag” which groups them by attributes as well as required privacy and security protection.

The Report argues that a universal exchange language based upon tagged data elements (i.e., DEAS and metadata-tagged data) is more sophisticated and better for privacy and security.

For example, DEAS would require authentication of an individual into the system and allow only access to information based upon the role he or she is assigned. To obtain access to encrypted tagged data elements, based upon a patient’s privacy choices, the individual would have to have the proper credentials and role. It is also crucial to note that the Report rejects that such a system would require “universal patient identifiers” or create a central repository of patient information.
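The access decision described above can be sketched as follows. This is an added illustration, not code from the PCAST Report or from any HIE product: the role names, category names, fail-closed handling of a missing patient choice, and the sample records are all assumptions made for the example, and decryption of the payload is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TaggedElement:
    element_id: str
    patient_ref: str   # opaque per-source reference, not a universal patient ID
    category: str      # privacy category carried in the element's metadata tag
    ciphertext: bytes  # payload stays encrypted; decryption is out of scope here

@dataclass(frozen=True)
class Credential:
    user_id: str
    role: str
    authenticated: bool

# Hypothetical role-to-category clearances (assumption, not from the Report).
ROLE_CLEARANCE = {
    "treating_clinician": {"general", "mental_health", "substance_abuse"},
    "billing_clerk": {"general"},
}

def decide(cred, element, patient_choices):
    """Return (allowed, reason); anything that is not an explicit allow is a deny."""
    if not cred.authenticated:
        return False, "not authenticated"
    cleared = ROLE_CLEARANCE.get(cred.role)
    if cleared is None:
        return False, "unknown role"
    if element.category not in cleared:
        return False, "role not cleared for category"
    withheld = patient_choices.get(element.patient_ref)
    if withheld is None:
        # Assumption: with no recorded choice, the service fails closed.
        return False, "no patient choice on record"
    if element.category in withheld:
        return False, "withheld by patient choice"
    return True, "ok"

def release(cred, elements, patient_choices):
    """Filter elements for one requester; return (released_ids, audit_rows)."""
    released, audit = [], []
    for el in elements:
        allowed, reason = decide(cred, el, patient_choices)
        # Denials are logged as well as releases, so every request is reviewable.
        audit.append((cred.user_id, el.element_id, allowed, reason))
        if allowed:
            released.append(el.element_id)
    return released, audit

# Constructed sample data: elements live with their sources; only tags are compared.
ELEMENTS = [
    TaggedElement("e1", "src-A:1001", "general", b"<encrypted>"),
    TaggedElement("e2", "src-A:1001", "mental_health", b"<encrypted>"),
    TaggedElement("e3", "src-B:77", "substance_abuse", b"<encrypted>"),
]
# Patient src-A:1001 withholds mental health data; src-B:77 has no choice on record.
CHOICES = {"src-A:1001": {"mental_health"}}

if __name__ == "__main__":
    clinician = Credential("dr-lee", "treating_clinician", True)
    ids, audit = release(clinician, ELEMENTS, CHOICES)
    print("released:", ids)
    for row in audit:
        print(row)
```

Because the role check and the patient-choice check are evaluated independently, a clinician cleared for a category is still refused an element the patient has withheld.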

Furthermore, the Report explores how HIPAA is ill-equipped to handle the changes in health IT, and possibly detrimental to medical research and care, and how HITECH both partially remedies and exacerbates this situation, such as through the accounting of disclosures, which will “stifle innovation”.

Finally, the Report argues that federal leadership is necessary to combat economic concerns and incentivize information exchange and development of health IT systems. Adopting standardized metadata, aligning economic incentives (such as through “meaningful use”), encouraging technological innovation and competition, supporting development of network infrastructures through appropriately designed pilot projects, and developing a regulatory health IT structure along with regulatory oversight all are suggested by the Report as necessary.

PCAST details several layers and roadmaps for government agencies to progress towards the realization of a national health IT infrastructure. It also recommends guidelines for transitioning from existing EHRs and information exchange systems to the new tagged data element model advocated by the Report, and addresses generation of necessary early design choices by ONC and the Report’s vision for future CMS meaningful use requirements. The Report concludes with specific short and mid-term recommendations for ONC, DHHS, CMS, and other agencies in order to realize the objectives outlined in the Report towards establishment of a national health IT infrastructure. In response, ONC, for one, appears to have already set up a PCAST Report Workgroup, and the first meeting is scheduled for January 14, 2011.

 To review PCAST’s summary of Recommendations of who should do what next, click Continue Reading below.

Continue Reading

NCVHS Defines What Sensitive Info HIEs Should Sequester

Prepared by Krystyna Nowik, Esq.

The National Committee on Vital and Health Statistics (NCVHS) released an advisory letter to the Department of Health and Human Services (HHS) on November 10 addressing recommendations for the management of sensitive information in the HIE context.  NCVHS, which is the statutory public advisory body for HHS, explored and identified categories of sensitive health information requiring new technologies and methods for segmenting and protecting such information in electronic health records.  The advisory letter, which coordinates with Health IT Policy Committee recommendations and requirements, addresses preliminary categories of sensitive information, including:

  • The new HITECH cash payments (“payment in full” and “out-of-pocket” restriction);
  • Genetic information;
  • Psychotherapy notes;
  • Substance abuse treatment records;
  • HIV information;
  • Sexually transmitted disease information;
  • Sexuality and reproductive health information;
  • Certain health information for minors, where protected by state law;
  • Mental health information; and
  • Certain circumstances where the entire medical record may be deemed sensitive (e.g., domestic violence, victims of violent crime).

In addition, the NCVHS advisory letter includes five core recommendations for HHS.  Among these are identifying and publishing best practices for managing categories of sensitive information, and investing in research for enhancing health information exchange and electronic health record capabilities and in pilot tests and projects for assessing feasibility, effects, efficacy and the costs and benefits of such capabilities. 

The NCVHS recommendations will serve as a platform for HHS to conduct research, develop technologies and implement pilot tests and projects with an eye towards understanding the feasibility, technical standards, effects on patient care, and the costs and benefits of managing sensitive information.  As NCVHS stated in the advisory letter,

[o]ur nation is committed to deploying interoperable health record to improve patient health, health care, and public health.  Patient trust is critical to patient participation in this deployment, and, therefore, we must invest in technologies that will promote this trust.

Drug and Alcohol Treatment Info "Ok" to Go

Over the summer, the ONC and SAMHSA (Substance Abuse and Mental Health Services Administration) held a session to discuss the application of the Substance Abuse Confidentiality Regulations to electronic health information exchange through HIOs (Health Information Organizations). David Blumenthal, National Coordinator, ONC, and Joy Pritts, Chief Privacy Officer, were among the distinguished panel leading the discussion on this very important topic.

In short, SAMHSA and ONC support the use and disclosure of 42 CFR Part 2 information through an HIO, as long as the Part 2 Rules are followed. Although SAMHSA's position is concerning to some who fear that including such sensitive information for HIE will make it susceptible to breaches and improper disclosures, the agency found that there are significant positive health benefits that patients could gain from allowing an HIO to facilitate proper exchange of their records electronically.

For an INCREDIBLY helpful Q&A Guidance document regarding how SAMHSA believes Part 2 Drug & Alcohol Treatment records can be appropriately used and disclosed through an HIO, visit their website at http://www.samhsa.gov/healthprivacy/, or click "Continue Reading" below for a copy of their Questions & Answers on this topic ....

Continue Reading

The 800-Pound HIE Gorilla Tiger in "Meaningful Use"

There has been a lot of discussion around the Meaningful Use (MU) criteria. CMS has an entire website dedicated to the subject, as does ONC. Although the clinical criteria of MU may garner much of the attention, the privacy and security components are also significant.  In particular, the MU criteria pertaining to Health Information Exchange (HIE) raise certain fundamental privacy questions.

In short, the HIE requirements for MU include the ability to: (1) exchange “key” clinical information among providers of care and patient authorized entities electronically, and (2) perform at least 1 test of exchanging information. The crucial question, then, is what exactly does "and patient authorized entities" suggest? In listening to the privacy discussion taking place in various ONC Workgroups, including the newly-established Privacy & Security Tiger Team, one could reasonably conclude that this requirement might evolve to mean that an HIE will need to be able to capture and implement patients' specific and granular preferences (e.g., patient is "ok” with releasing info to Provider B, but not to Provider C) -- at least if you want to meet MU criteria.

This interpretation, however, could throw a wrench into HIE networks across the nation that have implemented an Opt-Out consent model in part in reliance on a legitimate belief that when HHS adopted the final version of the HIPAA Privacy Rule it also vetted and already decided the question of whether a patient's prior written authorization should be required before general health information can be shared between treating providers for treatment purposes -- and it affirmatively decided to create the "Treatment Exception".  In fact, many states have laws that contain a similar exception. New Jersey, for example, specifically permits two treating doctors to share pertinent information about a common patient and expressly states that the prior consent is not required in such instances if it is in the best interest of the patient (see N.J.A.C. 13:35-6.5(d)3).

Links to the full legislative history related to the promulgation of the HIPAA Privacy Rule can be found on HHS’s website, but the August 14, 2002 “Modification to the HIPAA Privacy Rule – Final Rule" is worth a second read in particular. For those who wish to review it in full, I have posted a full excerpt of the relevant sections under the “Continue Reading” window below, but in sum HHS removed the requirement of obtaining prior patient authorization after reviewing numerous public comments on the issue and concluding that:

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded ...

The Final HIPAA Privacy Rule was adopted after HHS released multiple proposed versions, considered significant public comment, and followed administrative rule-making procedures -- all over the course of almost 3 years. Thus, as policies are recommended and developed for the HIE context, prior debate and dialogue are relevant and should not be forgotten or dismissed.

Continue Reading