
RTI International is a trade name of Research Triangle Institute

Privacy and Security Solutions For Interoperable Health Information Exchange. Presented by Linda Dimitropoulos, PhD, RTI International. Presented at AHRQ Annual Meeting • September 27, 2007. 3040 Cornwallis Road ■ P.O. Box 12194 ■ Research Triangle Park, NC 27709.


Presentation Transcript


  1. Privacy and Security Solutions For Interoperable Health Information Exchange
     Presented by Linda Dimitropoulos, PhD, RTI International
     Presented at AHRQ Annual Meeting • September 27, 2007
     3040 Cornwallis Road ■ P.O. Box 12194 ■ Research Triangle Park, NC 27709
     Phone 312-456-5246 Fax 312-456-5250 E-mail lld@rti.org
     RTI International is a trade name of Research Triangle Institute

  2. Background
     • Variation in privacy and security business practices, policies, and state laws creates a barrier to electronic clinical health information exchange
     • Consumers, organizations, and state and federal entities share concerns related to maintaining the privacy and security of health information
     • The existing paradigm for privacy and security protections does not fully accommodate active consumer participation in health information exchange

  3. Assumptions
     • Decisions about how to protect the privacy and security of health information should be made at the local level
     • Stakeholders at the state and community levels, including patients and consumers, must be involved in identifying the challenges and developing solutions to achieve broad-based acceptance
     • Discussions need to take place to develop an understanding of the current landscape and the variation that exists between organizations within each state, and ultimately across the nation

  4. Methodology
     • Community-based participatory research model where state teams identify and “own” the issues and outcomes
     • Engaged broad range of stakeholders to identify challenges to privacy and security and develop solutions
     • Followed a “core” methodology that framed discussions in terms of purposes for the exchange and the type of health information being exchanged within 9 domains of privacy and security

  5. Stakeholder Participation in Assessment of Variation

     | Stakeholder Group | N | AVG |
     |---|---|---|
     | Total Participants | 3,811 | 112 |
     | Providers | 1,630 | 48 |
     | Technology and Health Information Experts | 582 | 17 |
     | Consumers | 458 | 13 |
     | Other Government | 243 | 7 |
     | Public Health Agencies/Departments | 213 | 6 |
     | Employers | 198 | 6 |
     | Legal Counsel/Attorneys | 181 | 5 |
     | Medical & Public Health Schools/Research | 140 | 4 |
     | Payers | 122 | 4 |
     | Law Enforcement and Correctional Facilities | 37 | 1 |
     | Foundations/Other Policy Consultants | 4 | <1 |

  6. Challenges/Solutions
     Challenge: Lack of awareness among stakeholders
     Stakeholders lack sufficient knowledge of HIT/HIE to understand implications for privacy and security; Consumers are unaware of legal protections under state law; Providers frequently do not understand state law requirements
     Solution: 14 states are developing model outreach and education programs
     • Consumer and provider outreach and education
     • State and multistate privacy and security summits
     • Consumer advisory councils/committees
     • Toolkits for educating stakeholders

  7. Challenges/Solutions (continued)
     Challenge: Variation created by state privacy and security laws
     State law governing privacy and security is scattered, fragmented, sometimes inconsistent or contradictory within a state, and frequently does not apply sensibly to electronic exchange.
     Solution: 9 states implementing solutions related to state law
     • Producing a catalog of existing relevant statutes and administrative regulations
     • Developing a road map of current P&S laws/statutes
     • Developing model legislation to harmonize on multistate issues such as consent
     • Completing a legal analysis to determine what changes need to be made to ensure privacy and security
     • Reforming state privacy laws to address electronic HIE
     • Drafting legislation for 2008 session

  8. Challenges/Solutions (continued)
     Challenge: Obtaining and Managing Patient Consent
     Broad variation in the requirements for obtaining and managing patient consent and authorization for information disclosures
     Solution: 8 states are working on reducing variation related to consent management
     • Standardize patient consent process
     • Harmonize consent language that addresses opt-in/opt-out issues across the state
     • Implement consent management process; develop use cases that drive HIE transactions
     • Create guiding principles for consent that can be used to update state law
     • Model consent forms

  9. Challenges/Solutions (continued)
     Challenge: Variation in Methods of Implementing 4 A’s
     Need for consensus on standards for authentication, authorization, access controls and information audits to reduce mistrust between entities
     Solution: 4 states are working on issues related to the 4A’s
     • Defining minimum standards for authentication acceptable to individuals or entities participating in an HIE
     • Defining P&S requirements for providers' role-based access and authentication
     • Developing “solutions building block” i.e., trusted digital identities for authentication, authorization, access control, data integrity, and digital signatures

  10. Challenges/Solutions (continued)
      Challenge: Privacy and Security Oversight
      Lack of state-level authoritative governing bodies to oversee the development, adoption and enforcement of common privacy policies and security practices for HIE
      Solution: 6 states working on governance and oversight
      • Establish Governor’s eHealth taskforce on Privacy and Security
      • Create a Privacy and Security Advisory Board
      • Establish formal work group to formulate and review P&S policy
      • Create an umbrella organization to operationalize P&S strategies and interact with Governor's HIE Commission and the state Health Policy Authority.

  11. Moving Forward
      • Moving to multi-state collaboration
      • Enlisting the remaining states and territories into the process
      • Providing the technical assistance needed to foster the multi-state collaborative work
      • 2nd National Meeting November 1-2 in Washington, DC

  12. Thank You
      http://Healthit.ahrq.gov/privacyandsecurity
      www.rti.org/hispc
