Your SlideShare is downloading. ×

Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”


Published on

Given well-publicized data breaches nationally and the spread of health information exchange (HIE), the issue of privacy and security of patient data shared through HIE networks is one of the most …

Given well-publicized data breaches nationally and the spread of health information exchange (HIE), the issue of privacy and security of patient data shared through HIE networks is one of the most complex and sensitive issues in establishing and maintaining trust among consumers, physicians, and other major community stakeholders. In this presentation, we discuss the privacy and security challenges the New Mexico Health Information Exchange (NMHIC) has encountered in its HIE development history and the lessons it has learned concerning them.
Federal and state privacy law compatibility: beyond HIPAA and HITECH
Privacy approaches: opt-out, opt-in, hybrid
Educating consumers and providers about HIE benefits & risks
Privacy policies needed to support interstate information exchange
Engaging consumers, providers, and other community stakeholders about uses of HIE data & other privacy decisions

Published in: Education, Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Maggie Gunter, PhDPresident, LCF Research iHT2 Health IT Summit January 18, 2012 Phoenix, Arizona
  • 2.  New Mexico Health Information Collaborative ◦ Key Accomplishments/Current Status Privacy and Security Issues Encountered ◦ Federal vs. State Privacy Laws ◦ The Patient Consent Model ◦ Engaging and educating consumers and stakeholders about privacy ◦ What about interstate health information exchange? ◦ Security—how to protect patient data ◦ What about other HIE uses than treatment? ◦ Lessons learned and future privacy policy 2
  • 3.  Created by LCF Research in 2004 to establish a health information exchange AHRQ funding with community matching funds LCF Research ◦ non-profit applied health research and innovation institute created in 1990 ◦ Key interest in designing, implementing, and evaluating interventions to improve health care ◦ History of innovation in provider-based disease mgt. Impetus to HIT Involvement ◦ Major barrier to health care improvement/cost reduction ◦ Lack of use and exchange of electronic medical records ◦ Hence, LCF’s interest in creating the health information exchange (HIE) 3
  • 4. Clinician Requests Access to Patient Records with Patient Consent EHR Gateway State Public Health Depts. Hospital Locates the Patient’s Records Patient NMHIC Clinician Office HIE Network Gathers & Lab Assembles the Patient’s Records Clinician Emergency RoomNationwide Health Information Network (NwHIN) 4
  • 5.  Funding ◦ primarily federal (AHRQ, ONC, SSA) ◦ some state and community match in development phase State-designated entity for HIE and lead agency for HIT Regional Extension Center Current funding ◦ State HIE (ONC) ◦ NM Regional Extension Center (ONC) ◦ Soc. Sec. Admin. Disability Claims submission using HIE Sustainability Task Force ◦ 2011-2012-federal requirement-community match ◦ Funding framework for 2013-2014 and after federal funding ends 5
  • 6.  $15 million funding invested to date (more funding awarded through 2014) One of 9 HIEs awarded ONC NwHIN Trial Implementation Contract (2007-2010) Designated by State of NM to lead the Health Information Security and Privacy Collaborative (2006-2009) ◦ Initiated legislation to update state privacy laws and enact NM Electronic Medical Record Act 2009 Designated by Governor as NM’s Statewide HIE Network— May, 2009 First state to have its HIE plan approved by ONC Recognized by ONC as a national leader in public health reporting using the HIE Awarded NM HIT Regional Extension Ctr.-2010 6
  • 7.  Statewide health information exchange Established broadly representative statewide Board-2010 Data suppliers: all major Albuquerque area health systems and hospitals, all the large medical groups, 2 largest testing labs (70% of state’s population), a number of rural hospitals (total participating hospitals:15) 1.3 million unique patients in the Master Patient Index (NM pop.—2 million) Live public health reporting to NM DOH (mandated lab results, ED syndromic surveillance, immunizations) Live clinical use underway—large cancer center ED clinical use in 2 major hospitals in early 2012 Statewide HIE use by 2014 7
  • 8.  Innovation is exciting but “messy” ◦ NOT a linear process Building an HIE network requires “persistence beyond all reason” (to quote a participant) The Big HIE Challenges ◦ Community Engagement  Sharing data across competing organizations was new and threatening  Early years—HIE had great promise, but was new concept, so limited hard evidence of impact on cost/quality ◦ Adequate funding for development ◦ Short and long-term sustainability ◦ PRIVACY AND SECURITY! 8
  • 9.  Much more difficult than anticipated, even though team had much privacy experience HIPAA standards were not sufficient Much complexity beyond HIPAA (more restrictive state laws in NM and other states) HITECH privacy regs. (“HIPAA on steroids”) What do the laws say—but also how do community stakeholders feel about privacy? What model of consent will be compatible with both legal and community standards/concerns? How to best engage community in addressing privacy challenges? 9
  • 10.  Tricky to balance important HIE benefits to patients vs. patients’ right to privacy and control of disclosures Providers concerned about liability Patients want a system to “filter” their data (share only certain data or only with certain providers) Technical barriers to such filtering Clinical barriers to filtering (“illusion of completeness”) What about use of HIE data for non-treatment purposes (e.g., public health reporting, quality reporting, research, health plan use)? 10
  • 11.  Researched NM state laws and health data laws in other states Found NM laws outdated, oriented to paper records, and did not address HIE disclosure NM laws stricter than HIPAA ◦ Written patient consent required for disclosure of sensitive conditions, even for treatment (e.g. AIDs, behavioral health, substance abuse, genetic tests) Impediment to sharing of data between HIEs across state lines if state laws differ (despite the national DURSA agreement developed to facilitate such exchange) 11
  • 12.  Identified stakeholders with different frames of reference to help draft privacy legislation ◦ Attorneys, compliance officers, consumer advocacy groups, providers, hospitals, public health entities, legislators, HIE advocates Iterative and political process requiring two years Provider concerns about sharing data with competitors and liability if data incorrect or unavailable due to opting out Consumer concerns about inadvertent disclosure of sensitive information and desire to decide which data should be shared Issue of all data being shared with the HIE, but only disclosed by HIE to providers with patient consent What security measures would ease consumer fears 12
  • 13.  Recognizes electronic patient records as legal Allows disclosure to HIE for development and operations Requires written patient consent for sensitive information disclosure ◦ Except for “break the glass” override in medical emergencies Requires HIE to maintain an audit log of access HIE must provide an opt-out capability Provides liability protection for HIE and provider if patient chooses to opt out 13
  • 14.  A hybrid model Patients have three consent options 1) Provide written consent for HIE to disclose data to providers for treatment purposes (all data or no data— no filtering capability) 2) No written consent to disclose data (exception only in medical emergencies—”break the glass”) 3) Opt-out—no data shared by the HIE with anyone, even in a medical emergency No technical ability to “filter out” sensitive information, so patient consent is “all or nothing” today 14
  • 15.  Data security very important to both patients and providers, given publicized breaches User authorization and authentication Encryption of data “in motion and at rest” System includes detailed audit log documentation Patient review of audit logs (upon request) 15
  • 16.  Cumbersome consent process can undermine HIE use and benefits—still working on this one How to obtain consent quickly in emergency department setting for non-emergent patients What about use of and access to HIE for purposes other than treatment? ◦ Health plan access ◦ Public health reporting ◦ Quality reporting ◦ Public reporting to guide consumer choice ◦ Research NM has created two important community task forces, one for non-treatment access and another for sustainability 16
  • 17.  Broad representation on decision making Board for HIE is essential Communication plan is critical for patients, providers, and other community stakeholders ◦ Must educate all groups ◦ Must emphasize HIE benefits and security protections as well as patient right to consent/opt out Must understand that “what is legal and what is wise” are often two different things Public trust is critical—so stakeholder engagement and ownership is essential 17
  • 18.  Privacy and security will continue to be hard, time-consuming issues for the foreseeable future—shortcuts won’t work. Often must ”go slow to go fast” Be sure to understand your state’s health data laws, the local culture concerning privacy, and attitudes of influential stakeholders Community “ownership” of the HIE is essential, as is community trust Be willing to invest the time and expertise needed to communicate carefully and extensively with providers and consumers Public trust is a fragile thing but essential to an HIE’s success and sustainability A major factor is trust in the privacy and security of the HIE network and its leaders 18
  • 19. Contact Information Maggie Gunter, PhD President, LCF Research2309 Renard Place SE, Suite 103 Albuquerque, NM 505-938-9900 19