Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Maggie Gunter, PhD, President, LCF Research. iHT2 Health IT Summit, January 18, 2012, Phoenix, Arizona


Post on 20-Aug-2015

TRANSCRIPT

Page 1: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Maggie Gunter, PhD President, LCF Research

iHT2 Health IT Summit

January 18, 2012 Phoenix, Arizona

Page 2: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

New Mexico Health Information Collaborative

◦ Key Accomplishments/Current Status

Privacy and Security Issues Encountered

◦ Federal vs. State Privacy Laws

◦ The Patient Consent Model

◦ Engaging and educating consumers and stakeholders about privacy

◦ What about interstate health information exchange?

◦ Security—how to protect patient data

◦ What about other HIE uses than treatment?

◦ Lessons learned and future privacy policy


Page 3: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Created by LCF Research in 2004 to establish a health information exchange

AHRQ funding with community matching funds

LCF Research

◦ Non-profit applied health research and innovation institute created in 1990

◦ Key interest in designing, implementing, and evaluating interventions to improve health care

◦ History of innovation in provider-based disease mgt.

Impetus to HIT Involvement

◦ Major barrier to health care improvement/cost reduction

◦ Lack of use and exchange of electronic medical records

◦ Hence, LCF’s interest in creating the health information exchange (HIE)


Page 4: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

[Diagram: “Clinician Requests Access to Patient Records with Patient Consent.” Labels shown: Clinician; Patient; Hospital; Clinician Office; Lab; Emergency Room; State Public Health Depts.; NMHIC HIE Network (“Locates the Patient’s Records”, “Gathers & Assembles the Patient’s Records”); EHR Gateway; Nationwide Health Information Network (NwHIN).]

Page 5: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Funding

◦ Primarily federal (AHRQ, ONC, SSA)

◦ Some state and community match in development phase

State-designated entity for HIE and lead agency for HIT Regional Extension Center

Current funding

◦ State HIE (ONC)

◦ NM Regional Extension Center (ONC)

◦ Soc. Sec. Admin. Disability Claims submission using HIE

Sustainability Task Force

◦ 2011-2012: federal requirement, community match

◦ Funding framework for 2013-2014 and after federal funding ends


Page 6: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

$15 million funding invested to date (more funding awarded through 2014)

One of 9 HIEs awarded ONC NwHIN Trial Implementation Contract (2007-2010)

Designated by State of NM to lead the Health Information Security and Privacy Collaborative (2006-2009)

◦ Initiated legislation to update state privacy laws and enact NM Electronic Medical Record Act 2009

Designated by Governor as NM’s Statewide HIE Network—May, 2009

First state to have its HIE plan approved by ONC

Recognized by ONC as a national leader in public health reporting using the HIE

Awarded NM HIT Regional Extension Ctr.-2010


Page 7: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Statewide health information exchange

Established broadly representative statewide Board-2010

Data suppliers: all major Albuquerque area health systems and hospitals, all the large medical groups, 2 largest testing labs (70% of state’s population), a number of rural hospitals (total participating hospitals: 15)

1.3 million unique patients in the Master Patient Index (NM pop.—2 million)

Live public health reporting to NM DOH (mandated lab results, ED syndromic surveillance, immunizations)

Live clinical use underway—large cancer center

ED clinical use in 2 major hospitals in early 2012

Statewide HIE use by 2014


Page 8: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Innovation is exciting but “messy”

◦ NOT a linear process

Building an HIE network requires “persistence beyond all reason” (to quote a participant)

The Big HIE Challenges

◦ Community Engagement

    ◦ Sharing data across competing organizations was new and threatening

    ◦ Early years—HIE had great promise, but was new concept, so limited hard evidence of impact on cost/quality

◦ Adequate funding for development

◦ Short and long-term sustainability

◦ PRIVACY AND SECURITY!


Page 9: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Much more difficult than anticipated, even though team had much privacy experience

HIPAA standards were not sufficient

Much complexity beyond HIPAA (more restrictive state laws in NM and other states)

HITECH privacy regs. (“HIPAA on steroids”)

What do the laws say—but also how do community stakeholders feel about privacy?

What model of consent will be compatible with both legal and community standards/concerns?

How to best engage community in addressing privacy challenges?


Page 10: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Tricky to balance important HIE benefits to patients vs. patients’ right to privacy and control of disclosures

Providers concerned about liability

Patients want a system to “filter” their data (share only certain data or only with certain providers)

Technical barriers to such filtering

Clinical barriers to filtering (“illusion of completeness”)

What about use of HIE data for non-treatment purposes (e.g., public health reporting, quality reporting, research, health plan use)?


Page 11: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Researched NM state laws and health data laws in other states

Found NM laws outdated, oriented to paper records, and did not address HIE disclosure

NM laws stricter than HIPAA

◦ Written patient consent required for disclosure of sensitive conditions, even for treatment (e.g. AIDS, behavioral health, substance abuse, genetic tests)

Impediment to sharing of data between HIEs across state lines if state laws differ (despite the national DURSA agreement developed to facilitate such exchange)


Page 12: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Identified stakeholders with different frames of reference to help draft privacy legislation

◦ Attorneys, compliance officers, consumer advocacy groups, providers, hospitals, public health entities, legislators, HIE advocates

Iterative and political process requiring two years

Provider concerns about sharing data with competitors and liability if data incorrect or unavailable due to opting out

Consumer concerns about inadvertent disclosure of sensitive information and desire to decide which data should be shared

Issue of all data being shared with the HIE, but only disclosed by HIE to providers with patient consent

What security measures would ease consumer fears?


Page 13: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Recognizes electronic patient records as legal

Allows disclosure to HIE for development and operations

Requires written patient consent for sensitive information disclosure

◦ Except for “break the glass” override in medical emergencies

Requires HIE to maintain an audit log of access

HIE must provide an opt-out capability

Provides liability protection for HIE and provider if patient chooses to opt out


Page 14: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

A hybrid model

Patients have three consent options

1) Provide written consent for HIE to disclose data to providers for treatment purposes (all data or no data—no filtering capability)

2) No written consent to disclose data (exception only in medical emergencies—“break the glass”)

3) Opt-out—no data shared by the HIE with anyone, even in a medical emergency

No technical ability to “filter out” sensitive information, so patient consent is “all or nothing” today
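
Added example (not part of the original presentation, and not NMHIC code): a sketch of the three-option consent model as a disclosure decision with the audit log the Act requires. The class, field and decision names and the sample data are hypothetical; refusing non-treatment requests is an assumption, since the slides leave that policy open.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Consent(Enum):
    WRITTEN_CONSENT = 1   # option 1: disclose to providers for treatment
    NO_CONSENT = 2        # option 2: emergency "break the glass" only
    OPT_OUT = 3           # option 3: nothing disclosed, even in an emergency


@dataclass
class Hie:
    consent: dict = field(default_factory=dict)    # patient_id -> Consent
    records: dict = field(default_factory=dict)    # patient_id -> list of records
    audit_log: list = field(default_factory=list)

    def request(self, clinician, patient_id, purpose, emergency=False):
        """Return (decision, records); every request, allowed or not, is logged."""
        # A patient with no recorded choice has given no written consent (option 2).
        state = self.consent.get(patient_id, Consent.NO_CONSENT)
        if purpose != "treatment":
            decision = "deny:non-treatment-purpose"   # assumption, see lead-in
        elif state is Consent.OPT_OUT:
            decision = "deny:opted-out"               # checked before the emergency flag
        elif state is Consent.WRITTEN_CONSENT:
            decision = "allow:consent"
        elif emergency:
            decision = "allow:break-the-glass"
        else:
            decision = "deny:no-consent"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "clinician": clinician, "patient": patient_id,
            "purpose": purpose, "emergency": emergency, "decision": decision,
        })
        # All or nothing: no per-record filtering of sensitive categories.
        allowed = decision.startswith("allow")
        return decision, list(self.records.get(patient_id, [])) if allowed else []

    def patient_audit_view(self, patient_id):
        """Audit entries for one patient, for review upon request."""
        return [e for e in self.audit_log if e["patient"] == patient_id]


# Constructed sample data (not from the presentation).
hie = Hie(
    consent={"p1": Consent.WRITTEN_CONSENT, "p3": Consent.OPT_OUT},
    records={p: ["lab result", "behavioral health note"] for p in ("p1", "p2", "p3")},
)
```

Opt-out is evaluated before the emergency flag, so a break-the-glass request can never override it, and denied requests are logged alongside allowed ones.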


Page 15: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Data security very important to both patients and providers, given publicized breaches

User authorization and authentication

Encryption of data “in motion and at rest”

System includes detailed audit log documentation

Patient review of audit logs (upon request)


Page 16: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Cumbersome consent process can undermine HIE use and benefits—still working on this one

How to obtain consent quickly in emergency department setting for non-emergent patients

What about use of and access to HIE for purposes other than treatment?

◦ Health plan access

◦ Public health reporting

◦ Quality reporting

◦ Public reporting to guide consumer choice

◦ Research

NM has created two important community task forces, one for non-treatment access and another for sustainability


Page 17: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Broad representation on decision making Board for HIE is essential

Communication plan is critical for patients, providers, and other community stakeholders

◦ Must educate all groups

◦ Must emphasize HIE benefits and security protections as well as patient right to consent/opt out

Must understand that “what is legal and what is wise” are often two different things

Public trust is critical—so stakeholder engagement and ownership is essential


Page 18: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Privacy and security will continue to be hard, time-consuming issues for the foreseeable future—shortcuts won’t work. Often must “go slow to go fast.”

Be sure to understand your state’s health data laws, the local culture concerning privacy, and attitudes of influential stakeholders

Community “ownership” of the HIE is essential, as is community trust

Be willing to invest the time and expertise needed to communicate carefully and extensively with providers and consumers

Public trust is a fragile thing but essential to an HIE’s success and sustainability

A major factor is trust in the privacy and security of the HIE network and its leaders


Page 19: Case Study “HIE Consumer & Stakeholder Engagement: Privacy and Security of Patient Data”

Contact Information

Maggie Gunter, PhD

President, LCF Research

2309 Renard Place SE, Suite 103

Albuquerque, NM 87106


505-938-9900
