
Upload: scot-miller

Post on 27-Dec-2015


October 22, 2009

To dramatically improve safe and secure patient and provider access to personal health information and decision-making processes, benefiting the health and wellbeing, safety, efficiency, and quality of care for all Californians.

California HHS - HIT Mission

Today’s CA eHealth Environment

• HIE has traditionally been poorly funded – only communities with uncommon commitment and a forceful champion have succeeded

• EHR adoption has required large investments from organizations capable of making them, and has created a “digital divide” for clinical sites not able to aggressively fund EHR adoption

• ARRA brings large dollars, and with it a large number of “experts” in HIE and EHR adoption

– If it was easy to organize communities, it would have been done with CHINs – and most CHINs did not succeed

– Leverage HIE and EHR adoption experiences and resources already present in the State (20 HIEs; 70 provider orgs with EHR adoption projects)

• ARRA implementation is moving quickly – it is our collective job to ensure that the related investments are made thoughtfully and can produce the desired health care outcomes


CA Health Information Exchanges

California’s Unique Challenges -- 1

Providers

• 90,000 Physicians

• 65,000 Active in Patient Care

• 400 Hospitals

• 1,200 Nursing Homes

Underserved Providers

• 7,500 – 11,000 “Medi-Cal oriented” physician practices

• 890 Community Clinic sites (~180 corporations)

• 28 Critical Access Hospitals

• 16 Public Hospitals

• 62 Public Health Departments & affiliated clinics

California’s Unique Challenges -- 2

| States with Regional HIEs | State Population | # of HIEs | Equivalent California Counties | County Population |
|---|---|---|---|---|
| New York | 19,400,000 | 14 | Los Angeles + Orange + San Diego + Riverside + San Bernardino | 20,749,000 |
| Massachusetts | 6,500,000 | 6 | Los Angeles | 10,364,000 |
| Indiana | 6,300,000 | 3 | San Diego + Orange | 6,270,000 |

| State HIE | State Population | Equivalent California County | County Population |
|---|---|---|---|
| Delaware | 873,000 | Fresno County | 931,000 |
| Idaho | 1,500,000 | Alameda County | 1,543,000 |
| Maine | 1,300,000 | Sacramento County | 1,424,000 |
| Nebraska | 1,800,000 | Santa Clara County | 1,820,000 |
| Utah | 2,700,000 | Orange County | 3,121,000 |
| Vermont | 621,000 | San Joaquin County | 685,000 |

The CA Vision

• California has a unique opportunity to create a world-class health information highway for the benefit of all of its citizens

• The distinction between “HIE” and “EHR” should be merged into “eHealth” because they are facets of the larger subject

• California should have one entity that coordinates all organized eHealth activities in order to ensure maximizing value, leveraging scarce resources, and providing best return for Californians

– This entity will become the place where eHealth activity throughout the State is coordinated and tracked

– This organization will be charged with communicating best practices and acceleration methodologies

• Meaningful Use will ultimately be determined by the number of patients with improved outcomes, not the amount of incentive dollars received

CA HIT&E Objectives

1. To ensure patients have safe, secure access to their personal health information and the ability to share that information with others involved in their care

2. To engage in an open, inclusive, collaborative, public-private process that supports widespread EHR adoption and a robust, sustainable statewide health information exchange

3. To maximize California’s access to critical ARRA stimulus funds

4. To integrate and synchronize the planning and implementation of HIE, HIT, telehealth and provider incentive program components of the federal stimulus act

5. To improve health care outcomes and reduce costs

6. To ensure accountability in the expenditure of public funds

7. To improve public health through stronger public health program integration, bio-surveillance and emergency response capabilities

CA Timeline

• December 2007, Governor forms the Privacy & Security Advisory Board (PSAB) reporting to the Secretary of CHHS

• April, 2009: Jonah Frohlich appointed to position of Deputy Secretary, Health IT, California Health & Human Services Agency

• April 2009, CHHS convened the California Health Information Exchange Advisory Board, a 19 member board to provide oversight of HIE.

• May 2009, State Planning Workgroups organized

• May-June, 2009, 20 regional town hall meetings

• July, 2009, 3 statewide town hall meetings

• July 20, 2009, Statewide HIT&E Planning Summit

• August, 2009, CA State Plan for HIT&E released; RFI for SDGE released

• September, 2009, RFI proposals due; Oct, decision due on SDGE

• Nov-Dec, 2009, Ramp up SDGE process and coordination with REC designees, Broadband, Training, and other federal funded projects.

CA Governance Model

The CA Plan:

• Includes public and private sector joint oversight

• Expands existing HIOs and EHR networks

• Partners with communities to implement “shovel-ready” projects

• Avoids potential conflicts of interest in distribution of ARRA funds, by being open to participation by all HIOs and by not itself acting as an HIO.

California PSAB Status

• California’s Privacy & Security Advisory Board and its 5 Committees are creating P&S guidelines and implementation frameworks for ARRA HITECH funding

• Guideline process is collaborative and transparent and includes:

– Participation of All Committee Members & Stakeholders & Interested Parties

– Development of Draft Privacy & Security Guidelines

– Use of Survey Monkey to Compile All Comments

– Use of Open Teleconference to Respond to Comments

– Use of CalOHII Hosted Website to Post All Documents (with comments and responses)

– Vetted through Privacy, Security and HIE Committees

HIE Consent Recommendations from the HIO Committee

1. The HIE development in California does not have enough trust mechanisms in place to allow a less conservative consent approach to be adopted.

2. As more trust mechanisms are adopted by stakeholders involved in the exchange, the consent approach should be changed to reflect the level of security and privacy of the information.

3. Direct treatment relationships should not be hampered by the consent approach.

4. A safety net (break-the-glass) option in emergency circumstances should be adopted.

5. The consent approach should not impact the quality of care.

6. Details need to be worked out by the Committee.

PSAB Operational Plan Factors

Incorporates:

• ARRA

• HIPAA

• Alcohol and Drug Abuse Patient Records

• HHS Framework

• Potential Additional ONC Requirements

May also incorporate:

• NIST and portions of FIPS

• NHIN Core Services

• Department of Veterans Affairs

• Department of Defense

• Indian Health Services

Coordination with Federal Programs

• Medicare

• Epidemiology and Lab Capacity Coop. Agreement

• Assistance for Integrating Long Term Care Population into State Grants to Promote HIT Implementation (CMS/ASPE)

• HIV Care Grant Program

• Maternal and Child Health State Systems

• State Offices of Rural Health Policy

• State Offices of Primary Care

• State Mental Health Data Infrastructure Grants

• State Medicaid/CHIP Programs

• IHS and Tribal Activities

• Emergency Medical Services for Children Program


Coordination with Other ARRA Programs

• Health Information Exchange

• Regional Extension Centers

• EHR Loan Fund

• Workforce Development Initiatives

• Broadband Mapping

• Broadband Access

• Research & New Technology

PSAB Key Implementation Focus

• Access Control

– NIST-2 & NIST-3 Authentication

– P/ABAC Authorization (attribute-based, policy enforced authorization, with preference to authorization arbitration at data requestor location (“ZBAC”))

• Collection Limitation & Other CA Law vs Federal Law

• Use and Disclosure

– Provision of health care services vs all other secondary uses

• Sensitive Information

• HIE consent

– Opt In/Out

– Consent options & usage

PSAB Access Control

• Authentication

– Single Entity can use AD, OID, or other secured directory services for identity assertion.

– Must adhere to NIST Level 2 requirement for establishment of identity

– May use single factor with strong passwords and strong password management controls

– Must use NIST-3 dual factor for any access that is from outside of the physical entity boundaries (will become a requirement for accessing data through an HIE)

• Authorization across entity domains may be accomplished using federated authentication, but must abide by CA OCIO standard for federated identity management.

CA OCIO Fed Auth Standard

• The solution must support OASIS WS-Security including a Security Token Service (STS).

• The solution must support OASIS WS-SecurityPolicy which states the conditions of a given security policy.

• The solution must support WS-Trust which states the conditions of the trust relationship.

• If federation across security realms is required, then the solution must use WS-Federation as the framework.

• The solution must support OASIS Security Assertion Markup Language (SAML) as the token profile (profiles are defined in WS-Security) for NIST levels 2 and 3 assurance.

• If the solution requires encryption beyond SSL/TLS, then it must support W3C XML Encryption and IETF PKIX for Public Key Infrastructure (X.509).

• If proof of sender is required, then the solution must support W3C XML Digital Signature and IETF PKIX for Public Key Infrastructure (X.509).

PSAB Authorization

• Authorization

– P/ABAC Authorization (attribute-based, policy enforced authorization, with preference to authorization arbitration at data requestor location (“ZBAC”))

– Opt Out for provision of Health Care

– Opt In for all other uses of IHI (Individual Health Data)

– Must include consent attributes [NOTE: while we are only now just getting into the details of consent, we will most likely use the HITSP TP-30 Construct]

• Approved Attributes as of the 9/16/09 PSAB Board Mtg:

– Data Source

– Role of Requestor

– Sensitivity of Data

– Consent Directives of the Data Subject

– Entity of Requestor

– Use of Data
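
The rules on the PSAB Access Control and PSAB Authorization slides can be read as one attribute-based decision function: check the authentication assurance level first, then apply opt-out for treatment and opt-in for every other use. The Python below is an added example, not PSAB or CalOHII code. Assumptions: the attribute key names, the "treatment" label, denying when any approved attribute is absent, and letting an emergency break-the-glass assertion override an opt-out.

```python
from dataclasses import dataclass

# The six attributes approved at the 9/16/09 PSAB board meeting (names are assumed keys).
APPROVED = ("data_source", "requestor_role", "requestor_entity",
            "data_sensitivity", "use_of_data", "consent_directives")
TREATMENT = "treatment"  # assumed label for "provision of health care"

@dataclass
class Request:
    attributes: dict          # attribute name -> value
    assurance_level: int      # NIST level of the authentication event (2 or 3)
    outside_entity: bool      # access originates outside the entity boundary
    emergency: bool = False   # break-the-glass asserted (assumed semantics)

def decide(req: Request):
    """Return (permit, reason); anything not explicitly allowed is denied."""
    missing = [a for a in APPROVED if req.attributes.get(a) is None]
    if missing:  # assumption: policy is not evaluated on a partial attribute set
        return False, "missing attributes: " + ", ".join(missing)
    required = 3 if req.outside_entity else 2
    if req.assurance_level < required:
        return False, f"authentication below NIST level {required}"
    use = req.attributes["use_of_data"]
    consent = req.attributes["consent_directives"]
    if use == TREATMENT:  # opt-out model for provision of health care
        if TREATMENT in consent.get("opt_out", ()):
            if req.emergency:
                return True, "break-the-glass override, flag for audit"
            return False, "data subject opted out"
        return True, "treatment, no opt-out on file"
    if use in consent.get("opt_in", ()):  # opt-in model for every other use
        return True, f"data subject opted in to {use}"
    return False, f"no opt-in on file for {use}"

def sample(use, consent, level=2, outside=False, emergency=False):
    """Build a constructed request; all values are illustrative."""
    attrs = {"data_source": "clinic-ehr", "requestor_role": "physician",
             "requestor_entity": "hospital-a", "data_sensitivity": "normal",
             "use_of_data": use, "consent_directives": consent}
    return Request(attrs, level, outside, emergency)

if __name__ == "__main__":
    for r in (sample(TREATMENT, {}),
              sample(TREATMENT, {}, outside=True),
              sample("research", {"opt_in": ["research"]}, level=3, outside=True),
              sample(TREATMENT, {"opt_out": [TREATMENT]}, emergency=True)):
        print(decide(r))
```

The role and sensitivity attributes are carried but not evaluated, because the slides do not state how they affect the decision.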


Thank you.

http://www.hie.ca.gov/

http://caehc.org/