The document summarizes the key accomplishments and privacy challenges of the New Mexico Health Information Collaborative (NMHIC). It discusses how NMHIC was established in 2004 with funding from government agencies and community matching funds to create a statewide health information exchange. It describes the major privacy issues encountered, including balancing data sharing for treatment while respecting patient privacy and developing a hybrid consent model. It also outlines lessons learned around the importance of stakeholder engagement, education, and public trust for a sustainable health information exchange.

1. Maggie Gunter, PhD
President, LCF Research
iHT2 Health IT Summit
January 18, 2012
Phoenix, Arizona

2.  New Mexico Health Information Collaborative
◦ Key Accomplishments/Current Status
 Privacy and Security Issues Encountered
◦ Federal vs. State Privacy Laws
◦ The Patient Consent Model
◦ Engaging and educating consumers and stakeholders
about privacy
◦ What about interstate health information exchange?
◦ Security—how to protect patient data
◦ What about other HIE uses than treatment?
◦ Lessons learned and future privacy policy
2

3.  Created by LCF Research in 2004 to establish a health
information exchange
 AHRQ funding with community matching funds
 LCF Research
◦ non-profit applied health research and innovation institute
created in 1990
◦ Key interest in designing, implementing, and evaluating
interventions to improve health care
◦ History of innovation in provider-based disease mgt.
 Impetus to HIT Involvement
◦ Major barrier to health care improvement/cost reduction
◦ Lack of use and exchange of electronic medical records
◦ Hence, LCF’s interest in creating the health information exchange
(HIE)
3

4. Clinician Requests Access to Patient Records with Patient Consent
EHR Gateway
State Public
Health Depts.
Hospital
Locates
the Patient’s
Records
Patient NMHIC Clinician
Office
HIE Network
Gathers & Lab
Assembles
the Patient’s
Records
Clinician Emergency
Room
Nationwide Health Information Network (NwHIN)
4

5.  Funding
◦ primarily federal (AHRQ, ONC, SSA)
◦ some state and community match in development phase
 State-designated entity for HIE and lead agency for HIT
Regional Extension Center
 Current funding
◦ State HIE (ONC)
◦ NM Regional Extension Center (ONC)
◦ Soc. Sec. Admin. Disability Claims submission using HIE
 Sustainability Task Force
◦ 2011-2012-federal requirement-community match
◦ Funding framework for 2013-2014 and after federal funding ends
5

6.  $15 million funding invested to date (more funding
awarded through 2014)
 One of 9 HIEs awarded ONC NwHIN Trial Implementation
Contract (2007-2010)
 Designated by State of NM to lead the Health Information
Security and Privacy Collaborative (2006-2009)
◦ Initiated legislation to update state privacy laws and enact NM
Electronic Medical Record Act 2009
 Designated by Governor as NM’s Statewide HIE Network—
May, 2009
 First state to have its HIE plan approved by ONC
 Recognized by ONC as a national leader in public health
reporting using the HIE
 Awarded NM HIT Regional Extension Ctr.-2010
6

7.  Statewide health information exchange
 Established broadly representative statewide Board-2010
 Data suppliers: all major Albuquerque area health systems
and hospitals, all the large medical groups, 2 largest testing
labs (70% of state’s population), a number of rural hospitals
(total participating hospitals:15)
 1.3 million unique patients in the Master Patient Index (NM
pop.—2 million)
 Live public health reporting to NM DOH (mandated lab results,
ED syndromic surveillance, immunizations)
 Live clinical use underway—large cancer center
 ED clinical use in 2 major hospitals in early 2012
 Statewide HIE use by 2014
7

8.  Innovation is exciting but “messy”
◦ NOT a linear process
 Building an HIE network requires “persistence beyond
all reason” (to quote a participant)
 The Big HIE Challenges
◦ Community Engagement
 Sharing data across competing organizations was new and
threatening
 Early years—HIE had great promise, but was new concept, so
limited hard evidence of impact on cost/quality
◦ Adequate funding for development
◦ Short and long-term sustainability
◦ PRIVACY AND SECURITY!
8

9.  Much more difficult than anticipated, even though team
had much privacy experience
 HIPAA standards were not sufficient
 Much complexity beyond HIPAA (more restrictive state
laws in NM and other states)
 HITECH privacy regs. (“HIPAA on steroids”)
 What do the laws say—but also how do community
stakeholders feel about privacy?
 What model of consent will be compatible with both legal
and community standards/concerns?
 How to best engage community in addressing privacy
challenges?
9

10.  Tricky to balance important HIE benefits to patients vs.
patients’ right to privacy and control of disclosures
 Providers concerned about liability
 Patients want a system to “filter” their data (share only
certain data or only with certain providers)
 Technical barriers to such filtering
 Clinical barriers to filtering (“illusion of completeness”)
 What about use of HIE data for non-treatment purposes
(e.g., public health reporting, quality reporting, research,
health plan use)?
10

11.  Researched NM state laws and health data laws in
other states
 Found NM laws outdated, oriented to paper records,
and did not address HIE disclosure
 NM laws stricter than HIPAA
◦ Written patient consent required for disclosure of
sensitive conditions, even for treatment (e.g. AIDs,
behavioral health, substance abuse, genetic tests)
 Impediment to sharing of data between HIEs across
state lines if state laws differ (despite the national
DURSA agreement developed to facilitate such
exchange)
11

12.  Identified stakeholders with different frames of reference to
help draft privacy legislation
◦ Attorneys, compliance officers, consumer advocacy groups,
providers, hospitals, public health entities, legislators, HIE advocates
 Iterative and political process requiring two years
 Provider concerns about sharing data with competitors and
liability if data incorrect or unavailable due to opting out
 Consumer concerns about inadvertent disclosure of sensitive
information and desire to decide which data should be
shared
 Issue of all data being shared with the HIE, but only disclosed
by HIE to providers with patient consent
 What security measures would ease consumer fears
12

13.  Recognizes electronic patient records as legal
 Allows disclosure to HIE for development and
operations
 Requires written patient consent for sensitive
information disclosure
◦ Except for “break the glass” override in medical emergencies
 Requires HIE to maintain an audit log of access
 HIE must provide an opt-out capability
 Provides liability protection for HIE and provider if
patient chooses to opt out
13

14.  A hybrid model
 Patients have three consent options
1) Provide written consent for HIE to disclose data to
providers for treatment purposes (all data or no data—
no filtering capability)
2) No written consent to disclose data (exception only in
medical emergencies—”break the glass”)
3) Opt-out—no data shared by the HIE with anyone, even
in a medical emergency
 No technical ability to “filter out” sensitive
information, so patient consent is “all or nothing”
today
14

15.  Data security very important to both patients
and providers, given publicized breaches
 User authorization and authentication
 Encryption of data “in motion and at rest”
 System includes detailed audit log
documentation
 Patient review of audit logs (upon request)
15

16.  Cumbersome consent process can undermine HIE use
and benefits—still working on this one
 How to obtain consent quickly in emergency
department setting for non-emergent patients
 What about use of and access to HIE for purposes
other than treatment?
◦ Health plan access
◦ Public health reporting
◦ Quality reporting
◦ Public reporting to guide consumer choice
◦ Research
 NM has created two important community task
forces, one for non-treatment access and another for
sustainability
16

17.  Broad representation on decision making Board for
HIE is essential
 Communication plan is critical for patients,
providers, and other community stakeholders
◦ Must educate all groups
◦ Must emphasize HIE benefits and security protections as
well as patient right to consent/opt out
 Must understand that “what is legal and what is
wise” are often two different things
 Public trust is critical—so stakeholder engagement
and ownership is essential
17

18.  Privacy and security will continue to be hard, time-consuming issues
for the foreseeable future—shortcuts won’t work. Often must ”go
slow to go fast”
 Be sure to understand your state’s health data laws, the local culture
concerning privacy, and attitudes of influential stakeholders
 Community “ownership” of the HIE is essential, as is community trust
 Be willing to invest the time and expertise needed to communicate
carefully and extensively with providers and consumers
 Public trust is a fragile thing but essential to an HIE’s success and
sustainability
 A major factor is trust in the privacy and security of the HIE network
and its leaders
18

19. Contact Information
Maggie Gunter, PhD
President, LCF Research
2309 Renard Place SE, Suite 103
Albuquerque, NM 87106
Maggie@LCFresearch.org
505-938-9900
19