Health Information Security and Privacy Collaboration (HISPC): Calming the Waters Across State Lines Presented by Alison K. Banger RTI International Presented at HIPAA Collaborative of Wisconsin Fall Meeting September 2008, Sheboygan, WI.


2951 Flowers Rd., Suite 119, Atlanta, GA 30341

Phone: 770-234-5049


E-mail: [email protected]

  • Background on HISPC Phases 1 and 2
  • Phase 3: the 7 Collaborative Work Groups
  • Next steps
Phase 1

Timeline: June 2006 – April 2007

Participation: 33 States and 1 territory

Scope: Assess variation, develop solutions and implementation plans


  • Community-based research model
  • Engage a broad range of stakeholders
  • Follow common methodology
  • Panel of experts
  • National direction with local control
Phase 1 Products

Summary reports released

  • Assessment of Variation and Analysis of Solutions
  • Implementation Plans
  • Nationwide Summary

Reports and presentations publicly available

  • RTI Project site:
  • AHRQ National Resource Center:
Key topic areas addressed by solutions
  • Harmonize the approach to patient permission for disclosure
  • Simplify the complex interplay among HIPAA privacy and security rules, other federal laws, and state laws.
  • Reduce variation in interpretations of HIPAA
  • Foster trust between providers participating in exchange and among consumers permitting their information to be exchanged
Phase 2

Timeline: May – December 2007

Participation: 42 states and 2 territories


  • Implement 6-month projects
  • Develop plans for collaboration in Phase 3


  • 34 Phase 1 teams implement state-specific solutions
  • All 44 teams contribute to collaborative proposals
Phase 2 Products

RTI Products:

  • HISPC Toolkit
  • Impact Analysis report

State Products:

  • November 2007 Conference Presentations
  • 34 states produce a multitude of state-specific deliverables, including reports, videos, websites, model agreements, model forms and educational toolkits
  • 42 states/territories submit proposals to participate in the Phase 3 collaborative work groups
Phase 3

Timeline: April 2008 – March 2009

Participation: 40 states and 2 territories in 7 collaboratives

Scope: Execute collaborative strategies developed in Phase 2


  • States work both individually and collaboratively to complete project scope
  • Co-chairs of each collaborative form steering committee
  • RTI partners with Georgetown on State and Territory Law Analysis
The 7 Collaborative Work Groups
  • Consent 1, Data Elements
  • Consent 2, Policy Options
  • Harmonizing State Privacy Law
  • Consumer Education and Engagement
  • Provider Education
  • Adoption of Standard Policies
  • Interorganizational Agreements
Consent 1, Data Elements

11 States participating:

  • IN, ME, MA, MN, NH, NY, OK, RI, UT, VT and WI


  • To establish a model for identifying and resolving patient consent and information disclosure requirements across states.
  • To develop a foundational reference guide that describes and compares the requirements mandated by state law and any known regional or local consent policies and practices in each participating state.

Data Elements?

  • What consent information does a state need to reply to a request from another state? Signed consent form? With what information? Any restrictions? Do the answers change depending on the type or source of the information?
Consent 1 Progress: Scenarios and Template


  • Treatment – Non-Emergency
  • Treatment – Emergency
  • Public Health


  • Intricate, detailed set of spreadsheets
  • A battery of general questions with follow up questions for capturing additional detail
  • Completed by the legal work group in each state
General Questions
  • Does your state regulate the disclosure of PHI based on where the data are created?
  • Does your state regulate the disclosure of PHI based on who holds the data?
  • Does your state regulate the disclosure of PHI based on the type of data disclosed?
  • In the context of your state's disclosure laws, does the type of healthcare provider to whom the PHI is disclosed matter?
General Questions (continued)
  • Does your state regulate the disclosure of PHI by any other factors not listed above?
  • Does your state law distinguish between disclosing the complete medical record and disclosing parts of the record?
  • Does your state law have different disclosure requirements if disclosing within the state versus disclosing to healthcare providers in another state?
  • Does your state law mandate actions following a disclosure of PHI without consent?
Capturing Additional Detail
  • Grid of types of PHI by sources of PHI for recording where consent is required or other disclosure requirements exist
  • Worksheet for adding detail about any of the other disclosure requirements noted
    • EX: Statutes governing mental health records, linked to medication history (type) generated by a mental health facility (source)
  • Worksheet for capturing legal citations
  • Worksheet for answering a battery of questions about any “yes” in the type/source grid.
Impact of Consent 1
  • A guide to navigating cross-state variation in consent requirements
  • A comparative analysis that will allow individuals in different states to see areas where change might be required to better align with their neighbors to facilitate exchange
Consent 2, Policy Options

4 States participating:

  • CA, IL, NC and OH


  • To identify the different consent approaches within and between states
  • To propose policy approaches for consent that facilitate interstate electronic health information exchange
Consent 2 Progress

Formed 2 subgroups:

Interstate consent (OH and IL)

  • Explore the viability of four specific legal mechanisms that states could use to resolve barriers to the exchange of protected health information among states that have conflicting state laws governing consent

Intrastate consent (NC and CA)

  • Identify and describe model approaches to consent
  • Test model approaches against scenarios (use cases) and pilot projects.
  • Allow other states to consider the risks and benefits of each approach as they evaluate policies and decide which approach to use
Interstate Consent Mechanisms

Uniform state law

  • Offers states the option to enact the same law governing consent, which would supersede any conflicting laws between adopting states.

Model Act

  • Similar to uniform law, except that it may or may not be adopted in its entirety. States frequently modify a model act to meet their own needs, or adopt only a portion of the model act.
Interstate Consent Mechanisms

Choice of law

  • A provision that states could adopt to specify which state’s law governs consent when PHI is requested to be exchanged between states with conflicting laws.

Interstate compact

  • A voluntary agreement between two or more states, designed to meet common problems of the parties concerned. Would supersede conflicting laws between states that join the compact.
Interstate Consent Subgroup Result
  • The collaborative will provide other states a systematic process for evaluating and selecting one of these mechanisms to align consent requirements for exchanging PHI between states that have conflicting privacy laws.
Intrastate Consent Model Approaches
  • Opt out: Patients’ records are automatically placed into the HIE system and exchanged unless patient chooses to remove records.
  • Opt out with exceptions: Patients’ records are automatically placed into the HIE system and exchange is allowed. However, patients have the right to opt out of having their records shared with specified providers or other entities.
  • No consent: Patients’ records are automatically placed into the HIE system, regardless of patient preferences.
  • Opt in with restrictions: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient. Restrictions allowed.
  • Opt in unless otherwise required by law: Patients’ records are not automatically placed into the HIE system and exchange is not allowed without prior permission provided by the patient.
  • Lab Results
  • Outpatient Care Coordination
  • Reportable Disease
  • Minor Seeking Birth Control
  • Substance Abuse Consultation
  • Data Warehouse/Decision Support
Intrastate Consent Subgroup Result
  • By systematically testing these options using the scenarios, the intrastate subgroup will:
    • Generate a list of issues
    • Describe alternative solutions available through the various models
    • Critically analyze the alternatives and make recommendations.
Harmonizing State Privacy Law

7 States participating:

  • FL, KY, KS, MI, MO, NM and TX


  • To advance the ability of states and territories to analyze and reform, if appropriate, existing laws to facilitate health information exchange
  • Primary deliverable is a framework for legislative action
Harmonizing State Privacy Law Progress

Updated State Law Report

  • 2 types of recent legislative successes:
    • Incremental approaches addressing specific barriers
    • Process-oriented approaches such as creation of a standard patient authorization form
  • Less successful:
    • Attempts at enacting comprehensive detailed health information exchange legislation
Subject Matter Guide

Tabular result of legislative scan

  • Sort legislation into subject matter categories and indicate states that have legislation in each area
Comparative Analysis Worksheet

Create expanded version of Subject Matter Guide

Harmonizing State Privacy Law Impact
  • States outside of the collaborative enter their data, identify gaps and set priorities for legislative action by determining if legislation is needed, feasible and compatible with other states.
  • Enables states to identify legislation that is critical for development.
Consumer Education and Engagement

8 States participating:

  • CO, GA, KS, MA, NY, OR, WA and WV


  • To develop a series of coordinated state-specific projects that focus on targeted population groups to describe the risks and benefits of health information exchange, educate consumers about privacy and security, and develop messaging to address consumer privacy and security concerns.
Consumer Engagement
  • States are currently working on their state-specific projects, which address priority education needs and often target specific populations
  • States have started to share their products with others in the collaborative
  • Websites are going live
  • Ultimately they will develop collaborative level products and guidelines for consumer education
State-specific draft deliverables
  • OR: Revised the video produced under phase 2, soon to be publicly available
  • CO: Fact sheet
  • GA: Brochure
  • KS: Rural consumer education needs assessment
West Virginia
  • Background document on benefits of health IT, electronic health records, interoperability
  • Consumer FAQs
  • Public Service Announcements for radio and TV
  • Posters
  • Brochures for physicians to distribute to consumers
  • Brochures for consumers
Consumer Education Impact
  • States educate and engage their consumers, addressing the topic or target population that is most important to them
  • States share their results with the collaborative (materials, dissemination plan, lessons learned) so that final “sharable” versions can be made available.
Provider Education

8 States Participating:

  • FL, KY, LA, MI, MO, MS, TN and WY


  • To create a toolkit to introduce electronic health information exchange to providers
  • To increase provider awareness of the privacy and security benefits and challenges of electronic health information exchange
Provider Education Approach
  • Conduct baseline assessment: Contact state and national provider associations; gauge level of interest in and adoption of health IT and HIE. Capture preferred method of communication between each organization and its membership
  • Select one provider type and one communication channel for pilot study
  • Develop content: core message with universal tag line
Baseline Assessment

Contacted approximately 300 organizations; conducted structured conversations

  • Organizational information:
    • Organization type (e.g. member advocacy, research, gov’t agency)
    • Affiliate (physicians, nurses, researchers, legislators)
  • Observations about members’ perceptions of HIT and HIE:
    • Privacy and security concerns
    • Readiness for adoption
    • Acceptance of an educational campaign
    • Perceived barriers to exchange
    • Preferred communication channel
Selecting Provider Type for Pilot Campaign

Developed process:

  • Assign score for each evaluation factor to each provider type
      • Manageable population – appropriate size for state
      • Targeted or well-defined population
      • Population with impact and importance
      • Similar learning style/communication channel
      • Engaged partner for pilot (ready and willing)
  • Select provider type with highest weighted average
Communication Matrix

Completed preliminary work

Provider Education Impact
  • After testing core message on one provider type using one communication channel, refine approach based on lessons learned and deploy campaign to additional types/channels
  • Enhance awareness
  • Address perceived barriers
  • Encourage adoption and participation in private and secure exchange to improve the quality of care
Adoption of Standard Policies

10 States participating:

  • AZ, CO, CT, MD, NE, OH, OK, UT, VA and WA


  • To develop a set of basic policy requirements for authentication and audit
  • To define an implementation strategy to help states and territories adopt agreed-upon policies
Adoption of Standard Policies Progress
  • Developed a standard process for capturing current requirements for authentication and audit
  • Captured current requirements in 6 modeling states that have HIOs:
    • AZ, CO and OK: Federated models
    • WA: Centralized health record banking model
    • CT: Hybrid
    • NE (3): 1 Federated, 1 Banking, and 1 Hybrid
Adoption of Standard Policies Progress
  • Selected AHIC use cases for Medication Management and Laboratory EHR as scenarios for testing minimum authentication and audit requirements
  • Developed intricate, detailed, multipart template for capturing results
  • Will use data to expand reports on requirements
Adoption of Standard Policies Results
  • All states will begin to address any authentication and audit gaps they identify
  • States that have less stringent policies will know where they need to strengthen them to be on par with other exchanges
  • States that are in the process of forming HIOs and establishing authentication and audit policies will know what requirements they’ll need to meet
Adoption of Standard Policies Result
  • Final report will be a guide to other states so they can understand the minimum authentication and audit policies for exchanging data.
Interorganizational Agreements

7 states participating:

  • AK, GU, IA, NJ, NC, PR and SD


  • To develop a standardized core set of privacy and security components to include in interorganizational agreements
  • To execute interorganizational agreements and exchange data through cross-state pilots wherever possible
Interorganizational Agreements Progress
  • Collected library of data use agreements
  • Developed classification scheme for all provisions in a data use agreement.
  • Applied classification scheme to every document in library
  • Generated master document of all provisions sorted by type of provision
  • Ranked provisions from “most preferred” to “least preferred” by type.
  • Identified provisions that would present a conflict, breach or issue with state laws, regulations, or case law.
Interorganizational Agreements Next Steps
  • Create model agreements
  • Coordinate with DURSA and others
  • Sign agreements
  • Exchange data in pilot studies
Current and Future Activities
  • ONC currently considering suggestions for follow-up projects solicited from HISPC collaboratives and states
  • ONC continues to manage intersections between HISPC and their other initiatives
  • Nationwide Conference tentatively scheduled for March 2009 in Washington DC

Identifiable information in this report or presentation is protected by federal law, Section 924(c) of the Public Health Service Act, 42 U.S.C. 299c-3(c). Any confidential identifiable information in this report or presentation that is knowingly disclosed is disclosed solely for the purpose for which it was provided