SERCH Project Recommendations for HIE and Disaster Preparedness

As Helen noted in her post on Thanksgiving, Superstorm Sandy re-emphasized the need for health care organizations to have plans in place for disaster preparedness, data backup and recovery. As New York and New Jersey rebuild, health care organizations are taking a closer look at what they can do to improve the availability of critical health care services for their patients, and in particular, the role of HIE in keeping patient information available.  

This past July, ONC released the results of a two-year effort by the Southeast Regional HIT-HIE Collaboration (SERCH) Project on Health Information Exchange in Disaster Preparedness and Response. The SERCH project began in November 2010 and included representatives from natural disaster-prone states such as Alabama, Arkansas, Florida, Georgia, Louisiana, and Texas. 

Supported by ONC, the SERCH Project was a state-led initiative aimed at identifying information-sharing challenges during natural disasters and developing strategic plans to incorporate HIE into disaster planning. The group developed an actionable plan to improve HIE capabilities in response to disasters, both during and in the aftermath, focusing particularly on interstate communication and information-sharing, and addressing legal and other barriers to the use and disclosure of patient information. 

Although limited primarily to the groundwork that needs to be covered prior to implementation of a fully-operational State HIE, the SERCH Project recommended five steps for any organization planning on sharing information through HIE to take to integrate HIE and disaster planning, especially where information-sharing could occur across state lines.

  1. Understanding the State’s disaster response policies and aligning with the State agency designated for Emergency Support Function #8 (Public Health and Medical Services) before a disaster occurs.
  2. Developing standard procedures approved by relevant public and private stakeholders to share electronic health information across State lines before a disaster occurs.
  3. Considering enactment of the Mutual Aid Memorandum of Understanding to establish a waiver of liability for the release of records when an emergency is declared and to default state privacy and security laws to existing Health Insurance Portability and Accountability Act (HIPAA) rules in a disaster. States should also consider using the Data Use and Reciprocal Support Agreement (DURSA) in order to address and/or expedite patient privacy, security, and health data-sharing concerns.
  4. Assessing the State’s availability of public and private health information sources and the ability to electronically share the data using HIE(s) and other health data-sharing entities.
  5. Considering a phased approach to establishing interstate electronic health information-sharing capabilities.

These recommendations can also be applied and implemented by individual HIE networks and organizations, not only at the state level. 

A full copy of the whitepaper can be found on the Health IT website.  You can also find a summary of the report by Lee Stevens, Policy Director for the State HIE Program, as well as his 2011 blog post on the Joplin Tornado and the role of EHRs, at the Health IT Buzz blog.

California HIE Demonstration Projects to Move Ahead with Opt-In Framework

This past Wednesday, the California Office of Health Information Integrity (CalOHII) released a comprehensive whitepaper examining patient consent and other HIE framework efforts for entities participating in the HIE Demonstration Projects and HIE throughout the state of California. CalOHII is the state entity designated for overseeing HIE in California as well as establishing and administering HIE demonstration projects within the state.  

The whitepaper builds upon initial recommendations of the California Privacy and Security Advisory Board (CalPSAB).  Although CalPSAB had originally proposed a bifurcated consent policy (i.e., opt-out for treatment, opt-in for other purposes or where sensitive information was contained in the medical record), the Board withdrew this recommendation after public concern regarding the cost-effective workability of the policy. 

Ultimately, CalPSAB recommended an "opt-in" patient consent framework, which the whitepaper incorporates, generally implementing an affirmative consent framework for the demonstration projects.  The demonstration project participants would be required to use CalOHII-approved consent forms and adopt CalOHII-recommended privacy and security policies and procedures.

Although adopting a stricter approach, the whitepaper echoes the ONC Tiger Team's emphasis on meaningful patient consent, stating,

  ...CalOHII believes that the reading of an informing document and the signing of a consent form is the step at the end of a process - the process of education.  The education of the patient on the various aspects of the electronic exchange of health information, is to guide the patient in making a meaningful decision in giving or not giving his/her consent.

The whitepaper would permit certain exceptions allowing information to be accessed through an HIE without patient consent, namely for public health reporting and emergency "break the glass" situations.  In addition, the HIE demonstration projects are permitted under certain circumstances to request to "Demonstrate Alternative Requirements" (DAR process) in order to present other policies and requirements for implementing patient consent and privacy and security requirements. 

The two demonstration projects chosen for 2011 are the Western Health Information Network (WHIN) and the San Diego Beacon eHealth Community.  Both demonstration projects are currently set to test the opt-in framework as well as the CalOHII privacy and security policies that are to be developed.  The purpose of the demonstration projects is to help evaluate solutions for HIE and to test and develop innovative privacy and security practices.  Regulations for the demonstration projects are expected to be finalized shortly. 

New Hampshire HIO Hits the Ground Running

After years of collaboration and planning, New Hampshire has announced the launch of its Health Information Organization, the NH-HIO, developed with the help of the New Hampshire Department of Health and Human Services Office of Health Information Technology, the Massachusetts eHealth Collaborative, and the New Hampshire Institute for Health Policy and Practice, as well as over 80 stakeholders.  The NH-HIO was officially established by House Bill 489, which was recently signed into law by New Hampshire Governor John Lynch.

Governor Lynch stated,

Technology should do for the health care industry what it has done for many other industries, and that's create efficiency and lower costs....This new law allows the creation of a health information organization which will mean a faster, easier and more secure transfer of health records, saving time and money, while still protecting patient privacy.

The NH-HIO has been designed to protect privacy and security while creating the infrastructure necessary to help coordinate care, reduce administrative costs and provide easier and timelier access for providers to needed patient information.  New Hampshire Health IT Coordinator, David Towne, stated,

I envision that the NH-HIO will be a unifying, collaborative organization that will identify and implement cost-cutting "win-win" health IT initiatives that benefit healthcare providers, healthcare purchasers, and most of all, patients.

The first Board of Directors meeting of the NH-HIO will be held later this month. For more information, the official press release can be found here.

Maine Reverts Back to Opt-Out Approach for HIE

In my previous post (April 26, 2011), I discussed legislation proposed by privacy advocates in Maine which would require, among other things, that patients "opt-in" before any information could be collected, accessed or disclosed through Maine's HIE, HealthInfoNet.  Although HealthInfoNet currently operates under the "opt-out" approach, privacy advocates had pushed for the legislation in order to more adequately safeguard patient privacy.  Stakeholders had decided early on in the HIE's development that opt-in was not practical and, as such, patients would be automatically enrolled in the HIE.  Patients could then exercise their choice to opt out and have their information deleted from the HIE's central data repository. 

After considerable push-back from HealthInfoNet, as well as physicians, hospitals and their respective professional associations, the Maine legislature has reconsidered and revised the proposal.

As rewritten, the proposed legislation would permit HealthInfoNet to continue operating on an opt-out basis, but would dictate specific rules for informing patients of their right to do so. Individuals would need to be provided with, at a minimum:

  • A separate form at the point of initial contact with a description of the risks and benefits of participating in the HIE;
  • A description of how and where to obtain more information or how to contact the HIE;
  • An opportunity for the patient to refuse to participate in the HIE; and
  • A declaration that health care treatment would not be withheld from the patient solely based upon the patient's refusal to participate in the HIE.

Although information regarding the HIE is currently included in provider and hospital Notices of Privacy Practices, many patients were not aware that their information was being exchanged through the HIE.  As Amy Landry, communications director at HealthInfoNet, acknowledged, "nobody reads the Notice of Privacy Practices." The proposed legislation reflects a compromise between concerns for patient privacy and awareness and the need of the HIE to have a large enough patient population to be of value to physicians and hospitals.

Furthermore, the proposed legislation would require confidentiality policies and procedures for protecting the confidentiality, security and integrity of health care information.  It would also require the HIE to maintain records of all disclosures made by and through the HIE, in addition to requiring compliance with all applicable federal laws and regulations dealing with privacy, security and breach notification as defined in 45 CFR Parts 160 and 164. 

The amended Bill (LD 1337) may be accessed here.  

Maine Considers Opt-In Requirement for HIEs

New legislation has been proposed by privacy advocates in Maine that would govern how patient information is shared through the statewide HIE, HealthInfoNet.  LD 1337, which is entitled "The Act to Ensure Patient Privacy and Control with Regard to Health Information Exchanges", would require, among other things, that patients' "written informed authorization" be obtained before the HIE could collect, store, access or disclose any health care information of a patient.  

This marks a significant departure from HealthInfoNet's current procedures.  Currently, patients of HealthInfoNet-participating providers and hospitals are automatically enrolled in the HIE, but must be given the opportunity to actively opt out of participation. If a patient exercises his or her choice and opts out of HealthInfoNet, all of their health information is deleted from the central data repository maintained by the HIE.  Stakeholders had decided early on in the HIE's development that an opt-out approach would be in the best interest of patients, providers and the HIE.  HealthInfoNet's executive director and CEO stated,

All agreed that an opt-in policy was impractical and would not lead to enough participation to be of value.

Notably, a majority of HIEs currently in operation utilize the opt-out approach.  A survey conducted by the eHealth Initiative in July 2010 found that only 18 percent of the HIEs that were surveyed had policies requiring patients to opt-in to the HIE.  The minority of HIEs that utilize opt-in view privacy as paramount and, as such, despite the higher burden, require patient consent before including their information in the HIE. 

However, while HIE privacy and consent discussions somehow always seem to regress to the "opt in" versus "opt out" debate, the truth is that neither approach, on its own, will ensure patient privacy. The ONC's Privacy and Security Tiger Team stated in its August 19th Letter to the National Coordinator that patient consent currently accommodates both the opt-in and the opt-out approach, combined with "meaningful consent." 

In my view, the question of whether or not a patient should consent to -- or 'opt in' to -- having a third party HIO "aggregate and store" their information is far less important than the question of what happens to that information after it is stored there.  The HIO, after all, has contractual obligations pursuant to its HIPAA BAA with the covered entity data contributors, and as a result of HITECH, the HIO can be directly assessed for penalties if it runs afoul of HIPAA.  So then, one might ask,

what additional and real benefit is there to having patients 'opt in' to having their information stored by such a third party HIO that is already required, pursuant to contractual (the HIPAA BAA) and legal (HITECH) obligations, to safeguard that information to prevent unauthorized access or use?

Thus, whether the HIO implements an opt-in or an opt-out approach may not be the most important question.  Rather, time discussing privacy may be better spent on questions such as:

  • Are there clear access policies, and are user roles appropriately defined?
  • What are the authentication processes?
  • Are users adequately trained (and I mean really) on what are "appropriate" reasons and inappropriate reasons to access information in the HIE?
  • Has the HIE clearly defined what are "permitted" and "prohibited" uses of PHI in the HIE? 
  • Who audits for inappropriate access? 
  • Is there accountability, and how are violators punished?

Kansas Aligns State Privacy Laws with HIPAA as HIE Standard

Today, the State of Kansas’ Senate committee approved (by a vote of 39-0) Senate Bill 133 to align the state’s privacy laws with HIPAA. The Kansas Health Information Exchange, Inc. (the state’s RHIO) testified before the Senate committee to stress that legislation is necessary to harmonize the “patchwork of about 200 statutes and regulations that are primarily focused on particular types of information…”  Representatives of the Kansas HIE explained that creating uniform privacy and security standards in Kansas for electronic HIE is critical because it affects the ability of providers to exchange and share information and coordinate care, which is key to higher quality and more efficient care, and better population health.

Among other things, Senate Bill 133 sets out criteria that providers must meet in order to be protected from prosecution for violating a patient's privacy. Specifically, providers would have to:

  • adhere to the use and disclosure rules in HIPAA;
  • adhere to the requirements in HIPAA for safeguarding patient information;
  • comply with a patient's right to access their own medical information.

The bill also creates a standardized authorization form for providers to give patients before accessing and exchanging their medical information, as well as provides for a "personal representative" for incapacitated adults and minors without legal guardians.

As of January 27, 2011, ONC has approved over $547 million to states in order to further HIE efforts.  Yet, as states gear up to tackle implementing the Operational Plans that they have submitted to ONC, they continue to be faced with many of the same privacy and security questions and issues that have slowed and even stalled HIE progress in the past. 

Before the ONC was established, the Health Information Security and Privacy Collaborative (HISPC) tackled privacy and security law issues for several years.  HISPC’s Final Report regarding Harmonizing State Privacy Laws, which is posted on ONC’s website, specifically recognizes that inconsistency in state and federal laws in terms of definitions, organizational structure, and content is often cited as a barrier to participation in and implementation of HIE.  In addition, the report notes that stakeholder groups have long indicated that a greater harmonization of state laws would be beneficial and that reform of state laws, combined with revisions in federal laws, must be considered.

During Phase 1 of HISPC's work, extensive discussions and activities with stakeholders determined that lack of clarity and divergent interpretation of legal standards have created barriers to participation in and implementation of HIE. The Report goes on to say that, while some impediments to the exchange of health information are essential to protect privacy interests,

[u]nnecessary and unintended barriers resulting from confusion or inconsistency can prevent the timely and appropriate exchange of information essential for medical treatment and population health activities. Whether the movement to transform health care through HIE involves private grassroots efforts, state-specific initiatives, a single federal approach, or any combination thereof, the availability and use of common tools and resources is essential for establishing workable information exchange standards and practices within and among states.

Yet, while these obstacles are now widely recognized and exhaustively written about, the inconsistencies in various state laws as they relate to desired federal HIE objectives continue to create confusion and drain resources.  Thus, to date, HIPAA continues to be the main federal legal source that states can look to in order to define what privacy and security standards should apply to electronic HIE – which is what Kansas has done.