Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Privacy and Security Solutions for Interoperable Health Information Exchange Florida Solutions Work Group October 5, 2006 Tampa, FL
  2. 2. Privacy and Security Project Background <ul><li>Step 1: Variations Work Group identifies Business Practices that pose barriers to health information exchange (HIE). </li></ul><ul><li>Step 2: Legal Work Group analyzes the barriers and outlines the legal issues and policy constraints . </li></ul><ul><li>Step 3: Solutions Work Group outlines solutions to the legal and other challenges related to HIE. </li></ul><ul><li>Step 4: Implementation Planning Work Group devises a strategy for implementing the proposed solutions. </li></ul><ul><li>Step 5: Florida submits final reports to RTI to create a comprehensive national report . </li></ul>
  3. 3. Observations from VWG Analysis <ul><li>The barriers encountered by VWG during data collection were a reflection of the barriers identified during the policy and legal analysis: </li></ul><ul><ul><li>Concerns from stakeholders over releasing what appeared to be proprietary information when outlining business policies </li></ul></ul><ul><ul><li>Inconsistencies between written policies and actual business practices </li></ul></ul><ul><ul><li>Concerns about the ability to report anonymously </li></ul></ul><ul><ul><li>Distrust of the motives of various stakeholders </li></ul></ul><ul><ul><li>Limited or lack of use of electronic health information in their health care environment </li></ul></ul>
  4. 4. Our Goal for Today <ul><li>Discuss the major solutions we have proposed </li></ul><ul><li>Develop a very clear and concise description of each solution </li></ul><ul><li>Identify “big issues” and “urgent matters” </li></ul><ul><li>If time permits, provide support for IPWG, so that they can build out proposed solutions into a workable strategy for Florida by discussing: </li></ul><ul><ul><li>Feasibility </li></ul></ul><ul><ul><li>Challenges </li></ul></ul><ul><ul><li>Priorities. </li></ul></ul>
  5. 5. Some Specific Variations findings <ul><li>Identity verification (accessing or sending) </li></ul><ul><li>Verification of authority to send or accessing information </li></ul><ul><li>Verification of durable power of attorney or other proxy methods for consent </li></ul><ul><li>Ability or willingness to transmit urgent or non-urgent data using a fax machine </li></ul><ul><li>Need for secure encryption of data transmitted between all entities (not just HIPAA covered entity) </li></ul><ul><li>Provider need to verify consent is authentic </li></ul><ul><li>Use of administrative and physical security safeguards to protect medical records (paper and electronic) </li></ul><ul><li>Perceived variation in laws between states when seeking information across state lines </li></ul><ul><li>Perceived and true variation in how different providers interpret the health information laws </li></ul>
  6. 6. What we learned from the Legal Group <ul><li>Inconsistent state laws </li></ul><ul><ul><li>§395.3025 (hospitals) </li></ul></ul><ul><ul><li>§ 456/057 (providers) – broader approach to permitting consent </li></ul></ul><ul><ul><li>§458 and §459 (Medicine and Osteopathy) </li></ul></ul><ul><li>Inconsistent federal laws </li></ul><ul><ul><li>42 CFR Part 164 less stringent than </li></ul></ul><ul><ul><li>42 CFR Part 2 (substance abuse) </li></ul></ul><ul><li>Lack of education at every level of health care </li></ul><ul><li>Misconception that HIPAA is the only HIE law </li></ul><ul><li>Need for a single comprehensive statutory resource </li></ul>
  7. 7. Solution Categories: Legislative/Legal Action <ul><li>Description: Review, revise, amend, and promulgate state or federal laws which impact the exchange of health information, the privacy and security of health information, and the related healthcare diagnosis and treatment activity. For example: Establish a process for resolving differences in laws at the state and federal level and within the state and within the federal statutes. </li></ul><ul><ul><li>IMPACT: </li></ul></ul><ul><ul><ul><li>Protect Patient Consent and Information </li></ul></ul></ul><ul><ul><ul><li>Define legal authorization </li></ul></ul></ul><ul><ul><ul><li>Clarify opt-in and opt-out usage </li></ul></ul></ul><ul><ul><ul><li>Improve understanding of HIPAA </li></ul></ul></ul>
  8. 8. Solution Categories: Regulatory Action <ul><li>Description: Identify areas where existing rules and regulations may be relaxed, modified, expanded, or better explained to facilitate HIE without the need for legislative action. For example: Examine, revise, and execute rules that fall within the jurisdiction of AHCA and the other health related agencies. </li></ul><ul><ul><li>IMPACT: </li></ul></ul><ul><ul><ul><li>Coordination and consistency in rules and policy between state organizations </li></ul></ul></ul>
  9. 9. Solution Categories: Technology Solutions <ul><li>Description: Identify ways in which technology can be used as a solution to the barriers posed by HIE. How can health information technology improve the secure transmission of health information? What technological tools, skills or training may address the barriers to HIE? For example: Establish the Florida Health Information Network with creating the technological infrastructure that will allow standardized exchanges of health information between providers. </li></ul><ul><ul><li>IMPACT ON: </li></ul></ul><ul><ul><ul><li>Verifying patient and provider identity </li></ul></ul></ul><ul><ul><ul><li>Auditing information </li></ul></ul></ul><ul><ul><ul><li>Improve quality of data </li></ul></ul></ul><ul><ul><ul><li>Securing patient information </li></ul></ul></ul>
  10. 10. Solution Categories: Administrative/Organizational <ul><li>Description : Identify, amend, create, and standardize administrative actions, business policies and practices to facilitate HIE. Establish uniform codes and policies that will stimulate electronic HIE activity. For example: Work with trade associations to develop models or best practices that can be emulated by others across the state. </li></ul><ul><ul><li>IMPACT ON: </li></ul></ul><ul><ul><ul><li>Verification of patient and provider identity and authorization </li></ul></ul></ul><ul><ul><ul><li>Utilizing Opt-in and Opt-out appropriately </li></ul></ul></ul>
  11. 11. Solution Categories: Public Awareness & Education <ul><li>Public Awareness and Education: Increase public awareness through training and education of consumers, health care providers, government officials, professional associations, employers, public officials, researchers, and educators about the rules governing HIE, the benefits to electronic HIE, and their respective rights and obligations regarding enhanced quality of care. For example: Sponsor an education campaign on the future of HIE targeting hospital administrators; Establish and publicize a website that provides information on HIPAA. </li></ul><ul><ul><li>IMPACT ON: </li></ul></ul><ul><ul><ul><li>Eliminate HIPAA Folklore </li></ul></ul></ul>
  12. 12. Legislative/legal solutions <ul><li>Develop a three-year plan for consolidated statues (Isham, Siegel, Bell) </li></ul><ul><li>Omnibus interim legislative exemptions for greater use of HIE with sunset provisions (Isham) </li></ul><ul><li>Create Florida corporation to implement FHIN, establish standards, etc. (Isham) </li></ul><ul><li>Create a new type of “durable power of attorney” (Isham) </li></ul><ul><li>Clarify who may speak on behalf of an individual and when (Frisse) </li></ul><ul><li>Create a system for validating security along the lines of FDA systems enforcing clinical research data (Kolkman) </li></ul>
  13. 13. Legislative/legal solutions <ul><li>Summarize key conflicts between Florida laws and create a process for reconciliation (Frisse) </li></ul><ul><li>Identify and recommend ways to reconcile differences between state and federal laws along the lines of pre-emption and interpretation (Frisse) </li></ul><ul><li>Use uniform state consumer banking laws as a template for structuring HIE policies (Freedman) </li></ul><ul><li>New health information definitions section to reframe language related to HIE (Bell) </li></ul>
  14. 14. Regulatory solutions <ul><li>Inter-state task force for waivers, etc. (Isham) </li></ul><ul><li>Florida Executive and Agency task force or advisory group (Bell, Isham) </li></ul><ul><li>Florida regulatory task force (Isham) </li></ul><ul><li>Create a Florida HIPAA task force to both clarify understanding and interpretation as well as foster complete technical implementation (Frisse) </li></ul><ul><li>Establish guidelines/rules that will facilitate the flow of health information between Florida Medicaid providers and non-Medicaid providers (Edwards) </li></ul>
  15. 15. Organization / administration solutions <ul><li>Task force to identify research opportunities reimbursable by Medicaid (Isham) </li></ul><ul><li>Support regional RHIO activities (Isham) </li></ul><ul><li>Pursue grant funding strategically with top fund-raisers (Isham) </li></ul><ul><li>Produce and distribute model contracts, BAAs, etc. (Isham) </li></ul><ul><li>Authorize “break the glass” for emergency settings (Isham) </li></ul><ul><li>Document and standardize consent process (Frisse) </li></ul><ul><li>Define minimal criteria for verifying identity (Frisse) </li></ul>
  16. 16. Organization / administration solutions <ul><li>Define minimal criteria for authorization of access and use of information (Frisse) </li></ul><ul><li>Develop interim approaches where standards for policy and procedures do not exist (Frisse) </li></ul><ul><li>Develop a “six sigma” culture for privacy and security; include anonymous reporting if required (Frisse) </li></ul><ul><li>Create a Health Information Security Banking Account that allows transactions to occur in a manner similar to ATM transactions (Freedman) </li></ul>
  17. 17. Technology solutions <ul><li>Identify talent within the state to foster technology (Isham) </li></ul><ul><li>FHIN summit on HIE (Isham) </li></ul><ul><li>Tax-exempt and other state-supported financing mechanisms (Isham) </li></ul><ul><li>Support data capture that will enhance emergency care (Siegel) </li></ul><ul><li>Standards – especially in ED (Siegel) </li></ul><ul><li>Medication management and e-Rx in ED (Siegel) </li></ul><ul><li>Address image transmission to ED (Siegel) </li></ul>
  18. 18. Technology solutions (2) <ul><li>Authentication (Kolkman) </li></ul><ul><li>Merge / Match technologies (Kolkman) </li></ul><ul><li>Proactive auditing of digital records (Kolkman) </li></ul><ul><li>Address digital signature issues (Kolkman) </li></ul><ul><li>Standardized encryption methods (Kolkman) </li></ul><ul><li>Re-examine audit mechanisms in a data-exchange era. They are deemed consistent by Variations group but requirements may change in digital era (Frisse) </li></ul><ul><li>Guidelines for “incidental disclosure” when using merge algorithms (Frisse) </li></ul>
  19. 19. Education and public awareness solutions <ul><li>Define “ownership” in terms of patients rather than providers. This eliminates need for “super-secret” information. (Isham) </li></ul><ul><li>Provide accurate information about misuse of paper (Isham, Frisse) </li></ul><ul><li>Create a cadre of FHIN spokespeople to advocate for HIE (Isham) </li></ul><ul><li>Appoint HIN Awareness Committee to raise awareness among influential stakeholders (Isham) </li></ul><ul><li>Host focus groups to advance HIE (Isham) </li></ul><ul><li>Establish web site or blog site to provide updates on state activities (Isham) </li></ul>
  20. 20. Education and public awareness solutions <ul><li>Broad approach to education (Roberts) </li></ul><ul><li>Clarify and consistently interpret HIPAA (Roberts) </li></ul><ul><li>Re-examine basic terms (e.g., transmit, carry, record) in light of a digital environment (Frisse) </li></ul><ul><li>Turn “confidentiality” into a positive message (Frisse) </li></ul><ul><li>Encourage RHIOs and local communities to develop legislative briefs and agendas that raise the awareness of electronic HIE (Edwards). </li></ul>
  21. 21. Solutions Discussion <ul><li>As we discuss each solution in the context of the framework, it is important to note the following: </li></ul><ul><li>The barrier or business practice that is addressed </li></ul><ul><li>What will change as a result of the solution </li></ul><ul><li>The benefits of solution for HIE </li></ul><ul><li>Statutes/regulations affected by solution </li></ul><ul><li>The stakeholders involved and impacted </li></ul><ul><li>The present status of solution </li></ul><ul><li>Cost of proposed solution and who will bear the cost </li></ul><ul><li>Barriers to implementing solution </li></ul>