The document summarizes the key accomplishments and privacy challenges of the New Mexico Health Information Collaborative (NMHIC). It discusses how NMHIC was established in 2004 with funding from government agencies and community matching funds to create a statewide health information exchange. It describes the major privacy issues encountered, including balancing data sharing for treatment while respecting patient privacy and developing a hybrid consent model. It also outlines lessons learned around the importance of stakeholder engagement, education, and public trust for a sustainable health information exchange.
2. New Mexico Health Information Collaborative
◦ Key Accomplishments/Current Status
Privacy and Security Issues Encountered
◦ Federal vs. State Privacy Laws
◦ The Patient Consent Model
◦ Engaging and educating consumers and stakeholders
about privacy
◦ What about interstate health information exchange?
◦ Security—how to protect patient data
◦ What about other HIE uses than treatment?
◦ Lessons learned and future privacy policy
2
3. Created by LCF Research in 2004 to establish a health
information exchange
AHRQ funding with community matching funds
LCF Research
◦ non-profit applied health research and innovation institute
created in 1990
◦ Key interest in designing, implementing, and evaluating
interventions to improve health care
◦ History of innovation in provider-based disease mgt.
Impetus to HIT Involvement
◦ Major barrier to health care improvement/cost reduction
◦ Lack of use and exchange of electronic medical records
◦ Hence, LCF’s interest in creating the health information exchange
(HIE)
3
4. Clinician Requests Access to Patient Records with Patient Consent
EHR Gateway
State Public
Health Depts.
Hospital
Locates
the Patient’s
Records
Patient NMHIC Clinician
Office
HIE Network
Gathers & Lab
Assembles
the Patient’s
Records
Clinician Emergency
Room
Nationwide Health Information Network (NwHIN)
4
5. Funding
◦ primarily federal (AHRQ, ONC, SSA)
◦ some state and community match in development phase
State-designated entity for HIE and lead agency for HIT
Regional Extension Center
Current funding
◦ State HIE (ONC)
◦ NM Regional Extension Center (ONC)
◦ Soc. Sec. Admin. Disability Claims submission using HIE
Sustainability Task Force
◦ 2011-2012-federal requirement-community match
◦ Funding framework for 2013-2014 and after federal funding ends
5
6. $15 million funding invested to date (more funding
awarded through 2014)
One of 9 HIEs awarded ONC NwHIN Trial Implementation
Contract (2007-2010)
Designated by State of NM to lead the Health Information
Security and Privacy Collaborative (2006-2009)
◦ Initiated legislation to update state privacy laws and enact NM
Electronic Medical Record Act 2009
Designated by Governor as NM’s Statewide HIE Network—
May, 2009
First state to have its HIE plan approved by ONC
Recognized by ONC as a national leader in public health
reporting using the HIE
Awarded NM HIT Regional Extension Ctr.-2010
6
7. Statewide health information exchange
Established broadly representative statewide Board-2010
Data suppliers: all major Albuquerque area health systems
and hospitals, all the large medical groups, 2 largest testing
labs (70% of state’s population), a number of rural hospitals
(total participating hospitals:15)
1.3 million unique patients in the Master Patient Index (NM
pop.—2 million)
Live public health reporting to NM DOH (mandated lab results,
ED syndromic surveillance, immunizations)
Live clinical use underway—large cancer center
ED clinical use in 2 major hospitals in early 2012
Statewide HIE use by 2014
7
8. Innovation is exciting but “messy”
◦ NOT a linear process
Building an HIE network requires “persistence beyond
all reason” (to quote a participant)
The Big HIE Challenges
◦ Community Engagement
Sharing data across competing organizations was new and
threatening
Early years—HIE had great promise, but was new concept, so
limited hard evidence of impact on cost/quality
◦ Adequate funding for development
◦ Short and long-term sustainability
◦ PRIVACY AND SECURITY!
8
9. Much more difficult than anticipated, even though team
had much privacy experience
HIPAA standards were not sufficient
Much complexity beyond HIPAA (more restrictive state
laws in NM and other states)
HITECH privacy regs. (“HIPAA on steroids”)
What do the laws say—but also how do community
stakeholders feel about privacy?
What model of consent will be compatible with both legal
and community standards/concerns?
How to best engage community in addressing privacy
challenges?
9
10. Tricky to balance important HIE benefits to patients vs.
patients’ right to privacy and control of disclosures
Providers concerned about liability
Patients want a system to “filter” their data (share only
certain data or only with certain providers)
Technical barriers to such filtering
Clinical barriers to filtering (“illusion of completeness”)
What about use of HIE data for non-treatment purposes
(e.g., public health reporting, quality reporting, research,
health plan use)?
10
11. Researched NM state laws and health data laws in
other states
Found NM laws outdated, oriented to paper records,
and did not address HIE disclosure
NM laws stricter than HIPAA
◦ Written patient consent required for disclosure of
sensitive conditions, even for treatment (e.g. AIDs,
behavioral health, substance abuse, genetic tests)
Impediment to sharing of data between HIEs across
state lines if state laws differ (despite the national
DURSA agreement developed to facilitate such
exchange)
11
12. Identified stakeholders with different frames of reference to
help draft privacy legislation
◦ Attorneys, compliance officers, consumer advocacy groups,
providers, hospitals, public health entities, legislators, HIE advocates
Iterative and political process requiring two years
Provider concerns about sharing data with competitors and
liability if data incorrect or unavailable due to opting out
Consumer concerns about inadvertent disclosure of sensitive
information and desire to decide which data should be
shared
Issue of all data being shared with the HIE, but only disclosed
by HIE to providers with patient consent
What security measures would ease consumer fears
12
13. Recognizes electronic patient records as legal
Allows disclosure to HIE for development and
operations
Requires written patient consent for sensitive
information disclosure
◦ Except for “break the glass” override in medical emergencies
Requires HIE to maintain an audit log of access
HIE must provide an opt-out capability
Provides liability protection for HIE and provider if
patient chooses to opt out
13
14. A hybrid model
Patients have three consent options
1) Provide written consent for HIE to disclose data to
providers for treatment purposes (all data or no data—
no filtering capability)
2) No written consent to disclose data (exception only in
medical emergencies—”break the glass”)
3) Opt-out—no data shared by the HIE with anyone, even
in a medical emergency
No technical ability to “filter out” sensitive
information, so patient consent is “all or nothing”
today
14
15. Data security very important to both patients
and providers, given publicized breaches
User authorization and authentication
Encryption of data “in motion and at rest”
System includes detailed audit log
documentation
Patient review of audit logs (upon request)
15
16. Cumbersome consent process can undermine HIE use
and benefits—still working on this one
How to obtain consent quickly in emergency
department setting for non-emergent patients
What about use of and access to HIE for purposes
other than treatment?
◦ Health plan access
◦ Public health reporting
◦ Quality reporting
◦ Public reporting to guide consumer choice
◦ Research
NM has created two important community task
forces, one for non-treatment access and another for
sustainability
16
17. Broad representation on decision making Board for
HIE is essential
Communication plan is critical for patients,
providers, and other community stakeholders
◦ Must educate all groups
◦ Must emphasize HIE benefits and security protections as
well as patient right to consent/opt out
Must understand that “what is legal and what is
wise” are often two different things
Public trust is critical—so stakeholder engagement
and ownership is essential
17
18. Privacy and security will continue to be hard, time-consuming issues
for the foreseeable future—shortcuts won’t work. Often must ”go
slow to go fast”
Be sure to understand your state’s health data laws, the local culture
concerning privacy, and attitudes of influential stakeholders
Community “ownership” of the HIE is essential, as is community trust
Be willing to invest the time and expertise needed to communicate
carefully and extensively with providers and consumers
Public trust is a fragile thing but essential to an HIE’s success and
sustainability
A major factor is trust in the privacy and security of the HIE network
and its leaders
18
19. Contact Information
Maggie Gunter, PhD
President, LCF Research
2309 Renard Place SE, Suite 103
Albuquerque, NM 87106
Maggie@LCFresearch.org
505-938-9900
19