A State-Based Approach To Privacy And Security For Interoperable Health Information Exchange


A consortium of states is making progress in coordinating an array of health information privacy and security laws, to establish trust.

by Linda Dimitropoulos and Stephanie Rizk

ABSTRACT: For the past three years, a collaboration of states and territories has examined the variation in organization-level practices, policies, and state laws governing the privacy and security of health information. An interoperable system of health information exchange (HIE) will have difficulty accommodating the current variation in policy requirements; therefore, it is important for organizations to come to agreement on a common set of widely shared policies. The project has created a lasting, coordinated network of state-level stakeholders that work together to reduce variation and propose common policies to protect health information and facilitate electronic HIE. [Health Affairs 28, no. 2 (2009): 428-434; 10.1377/hlthaff.28.2.428]

Linda Dimitropoulos (lld@rti.org) is director, Health Services Program, in RTI International's Survey Research Division in Chicago, Illinois. Stephanie Rizk is survey manager, Health Services Research, in the same division.

Health Affairs, March/April 2009. DOI 10.1377/hlthaff.28.2.428. © 2009 Project HOPE, The People-to-People Health Foundation, Inc.

Ensuring the privacy and security of electronic health information is a key challenge for organizations that collect, store, and exchange such information.[1] Organizations need to assure those who provide their information that it is private and secure. In turn, organizations that seek to exchange information expect assurances that the information will be appropriately protected. Developing these relationships of trust is essential for organizations that exchange electronic health information, which is easier said than done. Health organizations must navigate a complex array of federal and state privacy and security laws to develop policy; this in turn creates a challenging environment for establishing trust. Based on internal requirements and on how laws are identified and interpreted, organizations generally take different approaches to developing privacy and security policies.

The resulting variation presents a challenge to widespread electronic health information exchange (HIE). An interoperable system of HIE, that is, one in which various parties can share and exchange data among them, will have difficulty accommodating the current range of variation in policy requirements. Therefore, it is important for organizations to agree on a common set of shared policies.

In 2005 the Agency for Healthcare Research and Quality (AHRQ) and the Office of the National Coordinator for Health Information Technology (ONC) launched the Privacy and Security Solutions for Interoperable Health Information Exchange project. One purpose of the project was to assess variation in organization-level business practices, policies, and state laws, to help policymakers identify common practices and reduce variation. The project initially engaged organizations in thirty-four states and territories and later expanded to forty-two jurisdictions.[2] This collaborative work is commonly referred to as the Health Information Security and Privacy Collaboration (HISPC). In this paper we trace the development of this project and draw some lessons for privacy and security assurances in the electronic exchange of health information.

Assessment Of Variation

The HISPC project found that health information is protected by a patchwork of practices, policies, and state laws that has evolved over time, state by state and organization by organization, without a comprehensive plan or approach.[3] This has resulted in state privacy and security laws that are scattered throughout many chapters of code and that sometimes conflict with one another. Most of these laws were written for paper-based systems, and many have failed to anticipate electronic HIE. In some cases, this failure has resulted in state laws that directly impede electronic HIE (for example, requirements for handwritten signatures on paper forms).[4] More frequently, however, we identified gaps in state law and policy that warrant attention as the shift to electronic systems continues.

Consent and permission. The project found that broad variation exists in the need for (perceived or otherwise) and the actual process of obtaining appropriate patient consent or authorization to disclose identifiable health information. This variation is attributable to a number of factors: (1) a basic misunderstanding of whether and when the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires patients' permission for certain disclosures, and a misconception that such permission is required to disclose information for treatment; (2) differing state laws, some of which require consent to disclose health information either in all circumstances or only in some circumstances; (3) professional ethical obligations to obtain patients' consent to disclose information; and (4) organizational decisions to require patients' consent as an added protection, to reduce the risk of liability for wrongful disclosure.

There is also confusion about the terms used for obtaining patients' permission. This is partly a result of the HIPAA Privacy Rule's use of different terms and requirements for permissions that relate to different purposes: the term "consent" applies to a patient's written permission to use and disclose health information for treatment, payment, and health care operations, while the term "authorization" describes a patient's permission to use and disclose health information for purposes not otherwise permitted or required by the rule.[5] Adding to the confusion is the variation among state laws in the use of terms such as "consent," "authorization," and "release" to describe a patient's written permission to disclose health information.

Privacy and security. Many of the business practice variations the HIE project identified were based on different interpretations and applications of the HIPAA Privacy and Security Rules. Stakeholders reported a general lack of understanding about the Privacy Rule's premise, which is to generally allow uses and disclosures of health information for treatment, payment, and health care operations. Some organizations understood the basic provisions of the Privacy Rule but did not understand how and when state law applied. Additional variation appears in organizational policies, many of which predate the HIPAA Privacy Rule.

The primary causes of variation in security policies were a general misunderstanding about appropriate security practices, including what is technically available and what can be applied more broadly ("scalable"). For the most part, state laws did not pose challenges to the development of sound security policies, and neither did the HIPAA Security Rule. However, some organizations voiced concern related to liability when one organization that sought to exchange health information with another believed that its own security program was more secure than the recipient's program. The different types of security required by the HIPAA Security Rule were also not well understood by participating organizations. The Security Rule addresses administrative, physical, and technical security.[6] Even though more than one-third of the rule addresses administrative security requirements, many organizations focused disproportionately on technology rather than on administrative safeguards.

Authentication and authorization. Organizations reported the need to develop standard authentication and authorization protocols to address the shift to electronic systems. The variation in how organizations authenticate individuals has created a sense of mistrust between organizations and has prevented them from electronically exchanging or providing access to health information.

Linking data to one person. The lack of a standard, reliable way to accurately match records to patients introduces the potential for inappropriate use or disclosure of personal health information from the wrong patient, which presents both a clinical and a privacy risk. This risk is particularly acute when information is shared across institutions that use different methods of patient and record identification. Recent developments in personal health records (PHRs) have also advanced the need to establish a consistent and reliable method for linking patients so that providers can exchange health information with the right patient's PHR.[7] Correctly identifying patients and providers not only is critical in the delivery of high-quality care and for electronic HIE, but also is a fundamental issue in other information security domains, such as authentication and authorization.

Developing Common Solutions: Multistate Collaboration

Following HISPC's assessment of variation, the focus shifted to exploring common, replicable solutions to challenges that affect interstate electronic HIE. HISPC subsequently formed seven multistate collaboratives to develop solutions in priority areas identified during its first phase that could reduce variation and fill policy gaps (Exhibit 1).

EXHIBIT 1. States And Territories' Participation In Multistate Collaboratives For Electronic Health Information Exchange

Collaborative focus: State/territory
Consent data elements: Indiana, Maine, Massachusetts, Minnesota, New Hampshire, New York, Oklahoma, Rhode Island, Utah, Vermont, Wisconsin
Consent policy options: California, Ohio, North Carolina, Illinois
Harmonizing state privacy law: Florida, Kentucky, Kansas, Michigan, Missouri, New Mexico, Texas
Adoption of standard authentication and audit policies: Colorado, Connecticut, Maryland, Nebraska, Ohio, Oklahoma, Utah, Virginia, Washington
Model interorganizational agreements: Alaska, Guam, Iowa, New Jersey, North Carolina, Puerto Rico, South Dakota
Consumer education and engagement: Colorado, Georgia, Kansas, Massachusetts, New York, Oregon, Washington, West Virginia
Provider education: Florida, Kentucky, Louisiana, Mississippi, Missouri, Michigan, Tennessee, Wyoming

SOURCE: Authors' analysis.

Patient consent for disclosure. The development of a common approach to obtaining and managing patient consent for disclosure is critical. Two collaboratives are each exploring a distinct approach to resolving this issue. The first is focused on documenting the consent data elements that are required by state law and local policy to disclose health information. Although the HIPAA Privacy Rule provides a federal floor of privacy requirements that certain health care entities must meet to use and disclose protected health information, it did not preempt or preclude state laws that were more protective.[8] As a result, many states have laws that provide greater privacy protections or rights than those required by the Privacy Rule. The resulting variation has made it difficult for organizations to determine, in the context of interstate electronic HIE, when appropriate disclosure requirements have been met at both the requesting and the providing organization. The collaborative focusing on interstate disclosure and patient consent requirements was formed to document the state law requirements for disclosure of health information for treatment purposes within states and across state lines.

The second approach to patient consent focuses on both interstate and intrastate consent policy options. The collaborative focusing on the intrastate aspects of consent is analyzing five consent alternatives that can be used to establish the accessibility of, or ability to electronically exchange, health information: opt out; opt out with exceptions; no consent; opt in with restrictions; and opt in unless otherwise required by law. Each consent alternative is being analyzed using specific scenarios to identify its pros and cons. This collaborative is also looking into the viability of four high-level policy options that could be used to permit organizations to exchange information across state lines: uniform laws, model acts, choice-of-law provisions, and interstate compacts. The collaborative is identifying the pros and cons of each policy option, specifically addressing how long it would take to implement, implementation requirements, feasibility, liability concerns, ramifications of acceptance or rejection of the option, potential conflict with state or federal laws, process for withdrawal, state responsibilities, state rights, and enforcement.

Harmonizing state privacy laws. The assessment of variation, for many states, brought home the need to legislate changes in current laws to enable private and secure electronic HIE. However, it is important that there be a coordinated effort among states to help prevent the codification of policies that could make nationwide electronic HIE more difficult. The Harmonizing State Privacy Law Collaborative was formed to develop processes and tools that states can use to work toward harmonizing disparate state laws, and to provide a framework for a coordinated approach to developing legislation that does not codify new or current variations.

Standard authentication and audit policies. Regional or state-level efforts to exchange health information will also have to reconcile the differences among participants in how security policies are implemented. Organizations in ten states are working to develop and test a set of model policy requirements to bridge policy gaps for authentication and audit across these organizations. The participating states are in various stages of implementing six different HIE models (for example, variants of federated, hybrid, and health record banking models).[9] The collaborative will also produce an implementation strategy manual to guide other organizations through the consensus approach to adoption of the policies.

Model Interorganizational Agreements (IOAs). IOAs are at the heart of the trusted partnerships necessary for HIE to succeed. Getting consensus from partners on legal language can be tedious and time-consuming. The IOA Collaborative has developed a core set of privacy and security provisions and plans to pilot-test two model agreements for interstate electronic HIE: one agreement for a public health setting and the other for exchange among private entities.

Consumer education and engagement. At the outset of the project, it was difficult to get consumers to engage in discussions of privacy and HIE because they felt that they did not know enough and, in some cases, that their information was already held electronically. Recognizing that electronic HIE and health information technology (IT) in general may be new concepts to many consumers in their states, the Consumer Education and Engagement Collaborative was formed to develop a series of coordinated, state-specific projects to educate consumers about privacy and security and to help them become more effective participants in policy discussions.

Provider education. One of the key findings in the assessment of variation was that many health care providers misunderstand the capabilities and benefits of electronic HIE and have concerns about the security of electronic health record (EHR) systems. The Provider Education Collaborative was formed to create a toolkit that providers can use to increase their awareness of the privacy and security requirements for, and benefits of, using electronic HIE. Using information gathered through discussions with 124 provider organizations (such as the American Medical Association and the American Nurses Association) to understand current perceptions of health IT adoption, the eight members of this collaborative are developing and pilot-testing a joint education and public relations campaign for health care providers.[10] When they are done, this collaborative plans to disseminate consistent educational information to providers about the benefits of EHRs and electronic HIE, with a focus on privacy and security, to help encourage their participation in electronic HIE.

Future Directions

The work of the privacy and security solutions project is to conclude in spring 2009. The main challenge ahead is to continue work toward a common set of privacy and security policies and practices that respect local preferences in each state yet facilitate nationwide electronic HIE. The project is unique in that the process is as important as the content of the discussions. A key objective for the project was for the representatives of the forty-two participating jurisdictions to create a broad base of support among stakeholders within their own state, so as to develop consensus-based policies that could be widely adopted and shared. The opportunity to work in collaboration with the other states and territories proved valuable to understanding state-specific challenges for HIE within a larger nationwide framework, for example, the need to share health information because their citizens frequently traveled for vacations or health care.[11]

The challenge ahead is in gaining widespread adoption of the solutions developed throughout this process. With the new administration and health care reform on the horizon, the work developed by the HISPC project offers a wealth of information in a practical form that will assist organizations in developing privacy and security policies using widely shared and tested concepts that will facilitate their participation in the nationwide exchange of electronic health information.

Portions of this paper were presented with Alison Banger and Amoke Alakoye at the annual meeting of the American Medical Informatics Association (AMIA) in November 2008 and with William O'Byrne and Chris Apgar at the annual Workgroup for Electronic Data Interchange (WEDI) conference in May 2008. The authors acknowledge the efforts of the many staffers at the Agency for Healthcare Research and Quality (AHRQ) and the Office of the National Coordinator for Health Information Technology (ONC) who provided support and guidance on this work. They especially thank Jon White at AHRQ and Jodi Daniel and Steve Posnack from the ONC Office of Policy Research for their efforts. They also acknowledge all of the participants on the state teams and the technical expert panel who contributed countless hours to ensure the privacy and security of electronic health information exchange. This project was funded by AHRQ through Contract no. 290-05-0015 and by the ONC through Contract no. HHSP233 2008 4100EC to RTI International. The views expressed herein are those of the authors and do not represent the position of AHRQ, the ONC, or the U.S. Department of Health and Human Services.

NOTES

1. Office of the National Coordinator for Health Information Technology, Summary of Nationwide Health Information Network (NHIN) Request for Information (RFI) Responses, June 2005, http://www.hhs.gov/healthit/rfisummaryreport.pdf (accessed 19 December 2008).

2. The governor in each jurisdiction designated a single organization to represent the state or territory in the project. In turn, each designated organization enlisted a broad range of stakeholder organizations. Stakeholder organizations were defined as entities that collect, store, or exchange health information, including clinicians, physician groups and other providers, federal health facilities (such as the Department of Defense, Indian Health Service, and Department of Veterans Affairs), hospitals, payers, public health agencies, community clinics and health centers, laboratories, pharmacies, long-term care facilities and nursing homes, home care and hospice, correctional facilities, professional associations and societies, medical and public health schools that undertake research, quality improvement organizations, consumers or consumer organizations, and state government (Medicaid, public health departments, and so forth). See L.L. Dimitropoulos, Privacy and Security Solutions for Interoperable Health Information Exchange: Assessment of Variation and Analysis of Solutions, Pub. no. 07-0080-1-EF, June 2007, http://healthit.ahrq.gov/portal/server.pt/gateway/PTARGS_0_1248_661882_0_0_18/AVAS.pdf (accessed 23 December 2008).

3. Ibid.

4. West Virginia Medical Institute, Privacy and Security Solutions Interim Assessment of Variation from West Virginia, December 2007, http://www.wvhima.org/hispc_privacyandsecurity012007.doc (accessed 29 December 2008).

5. See 45 C.F.R., sec. 164.506, which covers consent for uses or disclosures to carry out treatment, payment, or operations; and 45 C.F.R., sec. 164.508, which covers uses and disclosures for which an authorization is required. U.S. Department of Health and Human Services, Office for Civil Rights, HIPAA, Medical Privacy: National Standards to Protect the Privacy of Personal Health Information, 16 May 2006, http://www.hhs.gov/ocr/hipaa/finalreg.html (accessed 29 December 2008).

6. For the final rule adopting the HIPAA standards for the security of electronic health information, see Federal Register 68, no. 34 (20 February 2003), http://www.cms.hhs.gov/securitystandard/downloads/securityfinalrule.pdf (accessed 29 December 2008). For the Proposed Rule, see Federal Register 63, no. 155 (12 August 1998), http://www.cms.hhs.gov/securitystandard/downloads/securityproposedrule.pdf (accessed 29 December 2008).

7. L. Fernandez and M. O'Connor, The Future of Patient Identification, Journal of AHIMA 77, no. 1 (2006): 36-40, http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_029033.hcsp?ddocname=bok1_029033 (accessed 29 December 2008).

8. See 45 CFR 160(b) for the section of the rule describing federal preemption of state privacy law. Federal Register 65, no. 250 (28 December 2000), http://www.hhs.gov/ocr/part1.pdf (accessed 29 December 2008).

9. For a description of these models, see the online Supplement at http://content.healthaffairs.org/cgi/content/full/28/2/428/dc1.

10. Ibid., for details about the organizations participating in the development of these tools.

11. L.L. Dimitropoulos, Privacy and Security Solutions for Interoperable Health Information Exchange: Impact Analysis, 20 December 2007, http://healthit.ahrq.gov/portal/server.pt/gateway/ptargs_0_1248_815829_0_0_18/PrivacyandSecuritySolutionsProject_ImpactAnalysis.pdf (accessed 23 December 2008). This report provides a detailed discussion of the impacts of Phases 1 and 2 of the Privacy and Security Solutions project, including state legislative activity.