Health Information Security and Privacy Collaboration (HISPC): Calming the Waters Across State Lines Presented by Alison K. Banger RTI International Presented at HIPAA Collaborative of Wisconsin Fall Meeting September 2008, Sheboygan, WI.

2951 Flowers Rd., Suite 119, Atlanta, GA 30341

Phone: 770-234-5049


E-mail: abanger@rti.org



  • Background on HISPC Phases 1 and 2

  • Phase 3: the 7 Collaborative Work Groups

  • Next steps

Phase 1

Timeline: June 2006 – April 2007

Participation: 33 States and 1 territory

Scope: Assess variation, develop solutions and implementation plans


  • Community-based research model

  • Engage a broad range of stakeholders

  • Follow common methodology

  • Panel of experts

  • National direction with local control

Phase 1 Products

Summary reports released

  • Assessment of Variation and Analysis of Solutions

  • Implementation Plans

  • Nationwide Summary

Reports and presentations publicly available

  • RTI Project site: http://privacysecurity.rti.org

  • AHRQ National Resource Center: http://healthit.ahrq.gov

Key topic areas addressed by solutions

  • Harmonize the approach to patient permission for disclosure

  • Simplify the complex interplay among HIPAA privacy and security rules, other federal laws, and state laws.

  • Reduce variation in interpretations of HIPAA

  • Foster trust between providers participating in exchange and among consumers permitting their information to be exchanged

Phase 2

Timeline: May – December 2007

Participation: 42 states and 2 territories


  • Implement 6-month projects

  • Develop plans for collaboration in Phase 3


  • 34 Phase 1 teams implement state-specific solutions

  • All 44 teams contribute to collaborative proposals

Phase 2 Products

RTI Products:

  • HISPC Toolkit

  • Impact Analysis report

State Products:

  • November 2007 Conference Presentations

  • 34 states produce a multitude of state-specific deliverables, including reports, videos, websites, model agreements, model forms and educational toolkits

  • 42 states/territories submit proposals to participate in the Phase 3 collaborative work groups

Phase 3

Timeline: April 2008 – March 2009

Participation: 40 states and 2 territories in 7 collaboratives

Scope: Execute collaborative strategies developed in Phase 2


  • States work both individually and collaboratively to complete project scope

  • Co-chairs of each collaborative form steering committee

  • RTI partners with Georgetown on State and Territory Law Analysis

The 7 Collaborative Work Groups

  • Consent 1, Data Elements

  • Consent 2, Policy Options

  • Harmonizing State Privacy Law

  • Consumer Education and Engagement

  • Provider Education

  • Adoption of Standard Policies

  • Interorganizational Agreements

Consent 1, Data Elements

11 States participating:

  • IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI


  • To establish a model for identifying and resolving patient consent and information disclosure requirements across states.

  • To develop a foundational reference guide that describes and compares the requirements mandated by state law and any known regional or local consent policies and practices in each participating state.

Data Elements?

  • What consent information does a state need to reply to a request from another state? Signed consent form? With what information? Any restrictions? Do the answers change depending on the type or source of the information?

Consent 1 Progress: Scenarios and Template


  • Treatment – Non-Emergency

  • Treatment – Emergency

  • Public Health


  • Intricate, detailed set of spreadsheets

  • A battery of general questions with follow up questions for capturing additional detail

  • Completed by the legal work group in each state

General Questions

  • Does your state regulate the disclosure of PHI based on where the data are created?

  • Does your state regulate the disclosure of PHI based on who holds the data?

  • Does your state regulate the disclosure of PHI based on the type of data disclosed?

  • In the context of your state's disclosure laws, does the type of healthcare provider to whom the PHI is disclosed matter?

General Questions (continued)

  • Does your state regulate the disclosure of PHI by any other factors not listed above?

  • Does your state law distinguish between disclosing the complete medical record and disclosing parts of the record?

  • Does your state law have different disclosure requirements if disclosing within the state versus disclosing to healthcare providers in another state?

  • Does your state law mandate actions following a disclosure of PHI without consent?

Capturing Additional Detail

  • Grid of types of PHI by sources of PHI for recording where consent is required or other disclosure requirements exist

  • Worksheet for adding detail about any of the other disclosure requirements noted

    • EX: Statutes governing mental health records, linked to medication history (type) generated by a mental health facility (source)

  • Worksheet for capturing legal citations

  • Worksheet for answering a battery of questions about any “yes” in the type/source grid.

Grid of Types of PHI by Sources of PHI

Impact of Consent 1

  • A guide to navigating cross-state variation in consent requirements

  • A comparative analysis that will allow individuals in different states to see areas where change might be required to better align with their neighbors to facilitate exchange

Consent 2, Policy Options

4 States participating:

  • CA, IL, NC and OH


  • To identify the different consent approaches within and between states

  • To propose policy approaches for consent that facilitate interstate electronic health information exchange

Consent 2 Progress

Formed 2 subgroups:

Interstate consent (OH and IL)

  • Explore the viability of four specific legal mechanisms that states could use to resolve barriers to the exchange of protected health information among states that have conflicting state laws governing consent

Intrastate consent (NC and CA)

  • Identify and describe model approaches to consent

  • Test model approaches against scenarios (use cases) and pilot projects.

  • Allow other states to consider the risks and benefits of each approach as they evaluate policies and decide which approach to use

Interstate Consent Mechanisms

Uniform state law

  • Offers states the option to enact the same law governing consent, which would supersede any conflicting laws between adopting states.

Model Act

  • Similar to uniform law, except that it may or may not be adopted in its entirety. States frequently modify a model act to meet their own needs, or adopt only a portion of the model act.

Interstate Consent Mechanisms

Choice of law

  • A provision that states could adopt to specify which state’s law governs consent when PHI is requested to be exchanged between states with conflicting laws.

Interstate compact

  • A voluntary agreement between two or more states, designed to meet common problems of the parties concerned. Would supersede conflicting laws between states that join the compact.

Interstate Consent Subgroup Result

  • The collaborative will provide other states a systematic process for evaluating and selecting one of these mechanisms to align consent requirements for exchanging PHI between states that have conflicting privacy laws.

Intrastate Consent Model Approaches

  • Opt out: Patients’ records are automatically placed into the HIE system and exchanged unless patient chooses to remove records.

  • Opt out with exceptions: Patients’ records are automatically placed into the HIE system and exchange is allowed. However, patients have the right to opt out of having their records shared with specified providers or other entities.

  • No consent: Patients’ records are automatically placed into the HIE system, regardless of patient preferences.

  • Opt in with restrictions: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient. Restrictions allowed.

  • Opt in unless otherwise required by law: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient.



  • Lab Results

  • Outpatient Care Coordination

  • Reportable Disease

  • Minor Seeking Birth Control

  • Substance Abuse Consultation

  • Data Warehouse/Decision Support

Intrastate Consent Subgroup Result

  • By systematically testing these options using the scenarios, the intrastate subgroup will:

    • Generate a list of issues

    • Describe alternative solutions available through the various models

    • Critically analyze the alternatives and make recommendations.

Harmonizing State Privacy Law

7 States participating:

  • FL, KY, KS, MI, MO, NM and TX


  • To advance the ability of states and territories to analyze and reform, if appropriate, existing laws to facilitate health information exchange

  • Primary deliverable is a framework for legislative action

Harmonizing State Privacy Law Progress

Updated State Law Report

  • 2 types of recent legislative successes:

    • Incremental approaches addressing specific barriers

    • Process-oriented approaches such as creation of a standard patient authorization form

  • Less successful:

    • Attempts at enacting comprehensive detailed health information exchange legislation

Subject Matter Guide

Tabular result of legislative scan

  • Sort legislation into subject matter categories and indicate states that have legislation in each area

Comparative Analysis Worksheet

Create expanded version of Subject Matter Guide

Harmonizing State Privacy Law Impact

  • States outside of the collaborative enter their data, identify gaps and set priorities for legislative action by determining if legislation is needed, feasible and compatible with other states.

  • Enables states to identify legislation that is critical for development.

Consumer Education and Engagement

8 States participating:

  • CO, GA, KS, MA, NY, OR, WA and WV


  • To develop a series of coordinated state-specific projects that focus on targeted population groups to describe the risks and benefits of health information exchange, educate consumers about privacy and security, and develop messaging to address consumer privacy and security concerns.

Consumer Engagement

  • States are currently working on their state-specific projects, which address priority education needs and often target specific populations

  • States have started to share their products with others in the collaborative

  • Websites are going live

  • Ultimately they will develop collaborative level products and guidelines for consumer education

State-specific draft deliverables

  • OR: Revised the video produced under phase 2, soon to be publicly available

  • CO: Fact sheet

  • GA: Brochure

  • KS: Rural consumer education needs assessment

West Virginia

  • Background document on benefits of health IT, electronic health records, interoperability

  • Consumer FAQs

  • Public Service Announcements for radio and TV

  • Posters

  • Brochures for physicians to distribute to consumers

  • Brochures for consumers

West Virginia Benefits of EHR Brochure

West Virginia Privacy and Security Brochure

West Virginia Seniors Brochure

Consumer Education Impact

  • States educate and engage their consumers, addressing the topic or target population that is most important to them

  • States share their results with the collaborative (materials, dissemination plan, lessons learned) so that final “sharable” versions can be made available.

Provider Education

8 States Participating:

  • FL, KY, LA, MI, MO, MS, TN and WY


  • To create a toolkit to introduce electronic health information exchange to providers

  • To increase provider awareness of the privacy and security benefits and challenges of electronic health information exchange

Provider Education Approach

  • Conduct baseline assessment: Contact state and national provider associations; gauge level of interest in and adoption of health IT and HIE. Capture preferred method of communication between each organization and its membership

  • Select one provider type and one communication channel for pilot study

  • Develop content: core message with universal tag line

Baseline Assessment

Contacted approximately 300 organizations; conducted structured conversations

  • Organizational information:

    • Organization type (e.g. member advocacy, research, gov’t agency)

    • Affiliate (physicians, nurses, researchers, legislators)

  • Observations about members’ perceptions of HIT and HIE:

    • Privacy and security concerns

    • Readiness for adoption

    • Acceptance of an educational campaign

    • Perceived barriers to exchange

    • Preferred communication channel

Selecting Provider Type for Pilot Campaign

Developed process:

  • Assign score for each evaluation factor to each provider type

    • Manageable population – appropriate size for state

    • Targeted or well-defined population

    • Population with impact and importance

    • Similar learning style/communication channel

    • Engaged partner for pilot (ready and willing)

  • Select provider type with highest weighted average

Communication Matrix

Completed preliminary work

Provider Education Impact

  • After testing core message on one provider type using one communication channel, refine approach based on lessons learned and deploy campaign to additional types/channels

  • Enhance awareness

  • Address perceived barriers

  • Encourage adoption and participation in private and secure exchange to improve the quality of care

Adoption of Standard Policies

10 States participating:

  • AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA


  • To develop a set of basic policy requirements for authentication and audit

  • To define an implementation strategy to help states and territories adopt agreed-upon policies

Adoption of Standard Policies Progress

  • Developed a standard process for capturing current requirements for authentication and audit

  • Captured current requirements in 6 modeling states that have HIOs:

    • AZ, CO and OK: Federated models

    • WA: Centralized health record banking model

    • CT: Hybrid

    • NE (3): 1 Federated, 1 Banking, and 1 Hybrid

Adoption of Standard Policies Progress

  • Selected AHIC use cases for Medication Management and Laboratory EHR as scenarios for testing minimum authentication and audit requirements

  • Developed intricate, detailed, multipart template for capturing results

  • Will use data to expand reports on requirements

Adoption of Standard Policies Results

  • All states will begin to address any authentication and audit gaps they identify

  • States that have less stringent policies will know where they need to strengthen them to be on par with other exchanges

  • States that are in the process of forming HIOs and establishing authentication and audit policies will know what requirements they’ll need to meet

Adoption of Standard Policies Result

  • Final report will be a guide to other states so they can understand the minimum authentication and audit policies for exchanging data.

Interorganizational Agreements

7 states participating:

  • AK, GU, IA, NJ, NC, PR and SD


  • To develop a standardized core set of privacy and security components to include in interorganizational agreements

  • To execute interorganizational agreements and exchange data through cross-state pilots wherever possible

Interorganizational Agreements Progress

  • Collected library of data use agreements

  • Developed classification scheme for all provisions in a data use agreement.

  • Applied classification scheme to every document in library

  • Generated master document of all provisions sorted by type of provision

  • Ranked provisions from “most preferred” to “least preferred” by type.

  • Identified provisions that would present a conflict, breach or issue with state laws, regulations, or case law.

Interorganizational Agreements Next Steps

  • Create model agreements

  • Coordinate with DURSA and others

  • Sign agreements

  • Exchange data in pilot studies

Current and Future Activities

  • ONC currently considering suggestions for follow-up projects solicited from HISPC collaboratives and states

  • ONC continues to manage intersections between HISPC and their other initiatives

  • Nationwide Conference tentatively scheduled for March 2009 in Washington DC

Identifiable information in this report or presentation is protected by federal law, Section 924(c) of the Public Health Service Act, 42 U.S.C. 299c-3(c). Any confidential identifiable information in this report or presentation that is knowingly disclosed is disclosed solely for the purpose for which it was provided.