FIU Privacy and Security Panel

  • 8/8/2019 FIU Privacy and Security Panel

    FIU Health Information Technology Initiative

    http://hit.fiu.edu

    April 28, 2010

    NSF FIU-FAU Industry / University Cooperative Research Center

    Tom M. Gomez, FIU HIT Initiative

    Privacy & Security Considerations for Health Information Exchange

    Moderator Dan Russler, M.D.

    Page 2 of 15

    Health Information Exchange (HIE)

    HIE Concept

    A Transparent and interoperable healthcare ecosystem

    HIE Practice

    State HIE awards will also strongly encourage states to consider participating in the Nationwide Health Information Network as an approach to HIE. This would create a pathway toward seamless, nationwide health information exchange.

    12 Feb 2010 - Dr. David Blumenthal, The National Coordinator for Health Information Technology

    Dan Russler, MD

    Page 3 of 15

    Nationwide Health Information Network (NHIN)

    NHIN

      • A set of standards, services and policies that enable secure Health Information Exchange (HIE) over the Internet
      • Provide a foundation for the exchange of health information across diverse entities in communities across the country; critical part of National Health IT Agenda

    CONNECT

      • Implements NHIN standards and governance
      • Built by 20 federal agencies - managed by Federal Health Architecture (FHA)
      • Open source software gateway
      • Supports Health Information Exchange (local & national)
      • Ensures HIEs are compatible with other exchanges

    Steve Steffensen, MD & David Riley

    Page 4 of 15

    Data Use & Reciprocal Support Agreement (DURSA)

    DURSA

      • Developed by NHIN Cooperative
      • Essential tool for trust in NHIN
      • Single multi-party agreement for NHIN participants
      • Based on existing body of law (federal, state, local)
      • Consensus between federal, state & private entities
      • Mandatory non-binding dispute resolution
      • Allocation of liability risk

    DURSA & HIPAA

      • DURSA meets requirements and has meaning of HIPAA Regulations and other applicable laws
      • Not meant to be used as HIPAA or other CE/BA agreement.

    NHIN Limited Production Exchange (LPE) Participants

    Success Stories

    Steve Steffensen, MD & David Riley

    Page 5 of 15

    Stake Holders

      • DoD
      • VA
      • Kaiser Permanente
      • Oversight from IPO and FHA

    Current Status

      • NHIN Production since January 2010

    Opportunities for Quality Improvements

      • Expand type of content
      • Integration of Virtual Lifetime Electronic Record (VLER)
      • Speed and Scalability of available OSBUS

    Privacy & Security Considerations

      • Digital Consent (TP 20 with XSPA/XACML)
      • DIACAP, NIST, HIPAA, and FISMA compliance
      • Service level coordination within DoD (Army, Navy, AF).

    DoD/VA Sharing with Private Sector

    Steve Steffensen, MD

    Page 6 of 15

    Stake Holders

      • Social Security Administration
      • MedVirginia

    Current Status

      • NHIN Production since February 2009

    Opportunities for Quality Improvements

      • Limit range of information
      • Expand type of content
      • Directed Query

    Privacy & Security Considerations

    Patient Authorization

    SSA and MedVirginia

    Marty Prahl

    Page 7 of 15

    Authorized Release of Information to a Trusted Entity

    SSA Disability Statistics

    Stakeholder Benefits

    Expanding from MedVirginia to Multiple Locations

    SSA Generalized Use Case

    Marty Prahl

    Page 8 of 15

    Stake Holders

      • 140 individual physicians, group practices, and hospitals
      • A nine-county service area

    Current Status

      • Providing patient care

    Opportunities for Quality Improvements in progress

      • Improve availability of lab results, digital images, medications, history & physicals, discharge summaries, transcriptions
      • Create a framework of clinical quality improvement
      • HITEC consortium evaluating e-prescribing and MD behaviors

    Privacy & Security Considerations

      • Only authorized medical professionals can access patient information
      • Doctors will not see patient information unless patient gives consent
      • Patient signs a paper consent form when visiting a doctor who uses Rochester RHIO

    Greater Rochester RHIO

    Sreedhar Potarazu, MD

    Page 9 of 15

    Stake Holders

      • Hartford Healthcare Corporation
      • THICC Care provider based HIO
      • eHealth Connecticut existing HIO

    Current Status

      • Department of Social Services Pilot
      • Department of Public Health State Designated Entity
      • Looking at ways to extend to ambulatory settings

    Opportunities for Quality Improvements

      • HIE is expected to improve EHR adoption
      • Premier translational research facilities/resources
      • Improve real and perceived quality of care

    Privacy & Security Considerations

      • Secure patient consent at every visit
      • What if there is no central entity (529 contracts)
      • How will THICC shoulder risk and mitigation

    Transforming Healthcare in Connecticut Communities

    Alesha Adamson

    Page 10 of 15

    Stake Holders

      • CMS
      • AHRQ
      • NIH
      • All insurance companies
      • The American people

    Goals

      • Create systems for the efficient reuse of HIGH QUALITY clinical data captured for clinical care
      • Answer questions that ethically or practically are not amenable to patient level RCTs
      • Create a system for prospect CER studies
      • Translate and disseminate research findings to clinical setting
      • Create a learning community

    National Infrastructure for Clinical Translational Research

    Wilson Pace, MD

    Page 11 of 15

    Opportunities for Quality Improvements

      • HIGH QUALITY data for research requires high quality care through CDS drive for guideline concordant care
      • Demonstrate how new data can improve care while improving data for CER
      • Obliterate the line between Step 3 translation and dissemination

    Privacy & Security Considerations

      • Large volume of highly sensitive data potentially available
      • Federated nature of the system means data primarily stays within each organization
      • Organizations opt in or opt out study by study
      • Data transformations easily conducted to decrease re-identification risk
      • Patient level inclusion is complex: no consent, opt-out, opt-in

    National Infrastructure for Clinical Translational Research

    Wilson Pace, MD

    Page 12 of 15

    Stake Holders

      • Patients (individually)
      • Providers (incl. all levels of practitioner)
      • Payers (public, private)
      • Researchers (incl. public health)
      • Citizens (patients collectively, taxpayers, voters)

    Programs and Exogenous Factors

      • NHIN, ARRA/HITECH, HIPAA/HITECH
      • Health care reform (public)
      • Health sector reorganization (private)

    Privacy & Security Considerations

      • Ethical viewpoint
      • Transparency: about goals, about benefits, about costs and risks

    Opportunities for incorporating HIE / DURSA

      • [S]tandards, services and trust fabric[s] like DURSA
      • Intra-HC education beyond the NPP
      • Extra-HC citizen education

    Ethics Programs

    Reid Cushman, PhD

    Page 13 of 15

    Selected Consent Policy Models

      • No consent (HIPAA Treatment, Payment, Operations only)
      • Opt-out (patient allowed to decline all optional permissions)
      • Opt-out with exceptions
      • Opt-in (patient allowed to accept all optional permissions)
      • Opt-in with restrictions

    Sample Implementations

      • Delaware* & Indiana - No consent
      • Delaware*, Maryland, Tennessee, Virginia - Opt out
      • New York, Rhode Island, Massachusetts - Opt-in

    Exemplars - CareSpark (Virginia & Tennessee)

      • Educate community
      • Opt-out with notice

    Consent

    Panel

    Page 14 of 15

    What is the role of the Chief Privacy Officer (CPO)?

    Who should be represented in HIO privacy policy decisions?

    Who should review potential HIO privacy policy breaches?

    How should the CPO manage HIE / NHIN considerations?

    Considerations for the Chief Privacy Officer

    Panel

    Page 15 of 15

    Next Steps

    Let's continue the discussion in our South Florida Community!!

    http://hit.fiu.edu

    Tom M. Gomez, FIU HIT Initiative