1 vha health information access (hia) program mr. shawn hardenbrook health information access...
TRANSCRIPT
1
VHAHealth Information
Access (HIA) Program
VHAHealth Information
Access (HIA) Program
Mr. Shawn Hardenbrook
Health Information Access Project Coordinator
[email protected] May 19, 2008
2
HIA ProgramHIA Program
Health Info Access (HIA) Office under the HDI Information Access & Privacy Office formed in 1Q FY08
Health Info Access Supervisor’s VA background:• Social Work Intern• Master Social Worker • Research Software Developer• Clinical Application Coordinator @ 3 sites• Class III Software Developer• CAPRI Developer (yes, it’s a VHA product)• OI&T Developer• VHA Health Information Access & Privacy Office
HIA Project Coordinator
3
HIA ProgramHIA Program
Health Info Access Team Composition:• 1 Government manager• 5 Contractors – Washington DC, Bay Pines, and
Salt Lake City• 3 Government staff – Richmond, Bay Pines,
Memphis• 1 Additional Contractor to be added in 3Q 2008• More positions to be added later as team
responsibility grows…
Background of employees includes DoD, IBM, Research Compliance, Software Quality Assurance, Policy and Planning, Direct Patient Care…
4
HIA ProgramHIA Program
Program Objectives:
• HIA’s current focus is on “special user” access to VHA EHR data as well as providing easier, more efficient access to EHR data while maintaining proper compliance with VHA privacy and security.
• The team performs privacy reviews on research studies seeking approval through ORD (real SSN requests and non-de-identified data, for example).
Cont’d…
5
HIA ProgramHIA Program
Program Objectives (cont’d):
• The team reviews/manages Data Transfer Agreements (DTA’s), Data Use Agreements (DUA’s), and MOU’s with agencies external to VA.
• The team provides consultation for those seeking EHR data and aren’t sure how to get it.
6
HIA ProgramHIA Program
So why does VHA need yet another Central Office program when field sites already control access to EHR data through their ISO?...
7
HIA ProgramHIA Program
Not every data requestor falls under a local VA Medical Center…
8
EHR Access IssuesEHR Access Issues
• A variety of “special users” both in and outside VA have a need to access electronic health records at one or more sites.
• Access at multiple sites has traditionally required a separate access/verify code at each site along with maintaining education requirements and logging in every 90 days to prevent expiration of accounts.
(HRC in Kansas will eventually need direct access to all 120+ VistA systems, for example)
Cont’d…
9
EHR Access Issues (cont’d)EHR Access Issues (cont’d)
• “Access” can mean various levels of functionalities and restrictions – difficult to apply consistently when being managed by multiple sites.
• Users may need to be restricted to just specific site(s).
• Users may need to be restricted to just specific patient(s) – “Need to know” rule.
• Users may or may not need to be prevented from changing or entering data into the record.
10
Special UsersSpecial Users
“Special users” include:
•General Counsel•Researchers*•External reviewers*•Peer Reviewers•VSO’s*•VBA•Board of Veterans Appeals
* = May be non-VA staff
•Inspector General•MPI Data Quality Team•Federal Recovery Coordinators•Health Revenue Center•Suicide Prevention Team
…and others
11
Available options for EHR AccessAvailable options for EHR Access
• CPRS: Traditional award-winning GUI interface for EHR data. Highly complicated for users who need read-only access. No ability to block entry of EHR data. Somewhat limited ability to control patient-level access. No ability to synchronize limited patient lists and privileges between sites.
• CAPRI: Provides CPRS-like access to EHR data without entry options and with simplified pre-defined reports. Provides access to all VHA sites through a single access/verify code. Provides a national-level audit trail for all patients accessed by a user.
Cont’d…
12
Available options for EHR Access (cont’d)Available options for EHR Access (cont’d)
• VistAWeb: Slow, but very pretty interface. Easy to access from Internet browser without installation of software. Many search options. Detailed audit trail, but difficult to access audit reports for compliance monitoring. Access to patients is limited to local site unless user is granted national-level VW access. (Hurricane Katrina example)
• CPRS Read-Only: Extremely stripped-down version of CPRS missing most of the features for which users like CPRS.
13
CAPRI OverviewCAPRI Overview
• Still lots of confusion in VHA about the purpose of the CAPRI product. YES, it’s a VHA product!
• Designed initially for VBA as GUI replacement for AMIE roll-n-scroll.
• VBA was not having success getting direct CPRS GUI access at sites in the 1990’s.
• 2nd largest VistA application code-base.• Grassroots Class III turned Class I in 2001.• Has been modified over the years to meet VA
needs.
Cont’d…
14
CAPRI Overview (cont’d)CAPRI Overview (cont’d)
• Used by multiple “special user” groups.• Has contained single sign-on capability for over 5
years.• Contains C&P functionality, but also EHR read-
only functionality. • C&P exam functions for VHA providers are under
active development. • Approximately 1/4 to 1/3 of monthly C&P exams
are entered by VHA providers in CAPRI.• 99%+ of C&P exams are processed by VBA using
CAPRI
15
VistAWeb OverviewVistAWeb Overview
• Grassroots Class III turned Class I.• Designed to replace Remote Data Views in
CPRS.• Built off of CAPRI single sign-on
functionality.• Used primarily by VHA clinicians but also
by some “special user” groups who need access to patients at multiple sites.
Cont’d…
16
VistAWeb OverviewVistAWeb Overview
• Is integrated inside CAPRI. All CAPRI users have VistAWeb by default.
• Local sites have provided a link to VistAWeb on the CPRS Tools Menu for access to local patients.
• There is also a direct interface through Internet Explorer – CPRS access not required.
17
CAPRI/VistAWeb ComparisonCAPRI/VistAWeb Comparison
CAPRI•Single sign-on through VistA account or local site management•Client-Server (Delphi)•Ability to limit patient lists•Ability to limit site lists•Complex restricted list options•Multiple administrators can manage accounts
VistAWeb•Access controlled through application server•Web-based (Java)•No ability to limit patient lists at national level•Ability to limit site lists•Sort-of uses local CPRS restricted list setting•OI&T management of accounts
18
CAPRI VistAWeb Comparison (cont’d)CAPRI VistAWeb Comparison (cont’d)
CAPRI•Provides CPRS Read-Only access•Looks like CPRS•Uses CPRS Broker Calls•Audits stored in VistA database•Provides VistA data entry functions•Detailed C&P reports and displays•VistA Imaging can be added relatively easily
VistAWeb•Provides CPRS Read-Only access•Has own look and feel•Uses CPRS Broker Calls•Audits stored on application server•Strictly read-only, no entry options•No C&P functionality
•VistA Imaging not web-based
19
CAPRI Data Entry FunctionsCAPRI Data Entry Functions
• Basic new patient registration in VistA• Ordering/management of C&P Exams• Requests for paper documentation• Change of address (currently disabled)• VHA Provider C&P Exam templates• Roll-n-scroll access to non-GUI functions• CAPRI does have a read-only mode which
is controlled through security key assignment. (EHR data is always read-only, despite security keys.)
20
VistAWeb Data Entry FunctionsVistAWeb Data Entry Functions
(Yes, this screen is blank on purpose.)
21
CPRS Read-OnlyCPRS Read-Only
• CPRS Read-Only functionality released 2002 as rapidly-developed reactionary measure to immediate business need.
• High user satisfaction with traditional interface, which is extremely scaled-back for CPRS read-only.
• Does NOT contain single-sign on capability• No central management of patient lists – a
problem with VA Form 2122 (POA) , VA Form 2122a, and general user management
Cont’d…
22
CPRS Read-Only (cont’d)CPRS Read-Only (cont’d)
• CPRS Read Only Access Directive released 2002, now expired.
• General Access Directive written, never released.• Access Handbook not yet written.• HIA is finalizing a VHA Access Directive, with
Access Handbook to follow.• HIA prefers CAPRI/VistAWeb to CPRS Read Only
due to central management capabilities and more CPRS-like interface in CAPRI than is available in CPRS read-only.
• Does everyone know CPRS Read-Only exists?
23
CPRS Screen ShotCPRS Screen Shot
24
CPRS Read-Only Screen ShotCPRS Read-Only Screen Shot
25
CAPRI Screen ShotCAPRI Screen Shot
26
VistAWeb Screen ShotVistAWeb Screen Shot
27
Health Info Access (HIA)Health Info Access (HIA)
Health Info Access Program Functions:• Manages national requests for CAPRI and
VistAWeb access• Creates/revokes single sign-on accounts• Audits accounts for privacy/security
requirements• Assists users in determining right solution for
their needs
Cont’d…
28
Health Info Access (cont’d)Health Info Access (cont’d)
• Manages national-level restricted site lists• Manages national restricted patient lists• DUA/DTA Liaison
• Actively developing tracking/registry system for user access, research (real SSN, protocol reviews involving access to national databases), and DUA/DTA’s.
• …Will be adding more functions as they’re identified over time…
29
Requesting Access Through HIA Requesting Access Through HIA
Users interested in access should visit the HIA Homepage for detailed instructions and an access request form:
http://vaww.vhaco.va.gov/privacy/HIA.htm
Requirements:• Proof of Cybersecurity Training within past year• Proof of VHA Privacy Training within past year• Signed HIA Rules of Behavior• Signed Access Request Form
30
Requesting Access Through HIA Requesting Access Through HIA
Once paperwork is gathered, it can be:• Mailed by snail mail• If user has PKI -- scanned and emailed to [email protected]• Submitted to secure fax server via the number found on
the HIA homepage
Approval paperwork is kept electronically and is available in PDF form, should there be a question about a user’s access. A central “registry” is being developed which may eventually be provided to field sites. That’s a bit down the road.
Certain user groups have different approval processes which can be custom tailored (to be faster) when these user communities are identified as repeat customers.
31
Requesting Access Through HIA Requesting Access Through HIA
Local ISO name and email is required. But access forms do not need to be processed through the ISO for VHA users.
HIA will remove access at expiration of training requirements, until proof is re-submitted. Users will be notified in advance of impending shut-off.
All access is ultimately at the discretion of the Director, Health Data & Informatics
32
CPRS, VistAWeb or CPRSCPRS, VistAWeb or CPRS
There is not ONE solution for all needs.
• Users who need restricted patient lists for multiple sites (such as VSO’s) must use CAPRI
• Users who don’t need data entry can use VW
• Users without restricted patient lists can use VW
• Users who need to register new patients (Federal Recovery Coordinators) must use CAPRI
Cont’d…
33
CPRS, VistAWeb or CPRS cont’d…CPRS, VistAWeb or CPRS cont’d…
There is not ONE solution for all needs.
• Users who need access at only 1 site can use CPRS read-only at a local level
• Users who need auditing regularly should use CAPRI
• Users who need to see C&P activity should use CAPRI
• Users who’s access changes frequently (EPRP) should use CAPRI
• GUI management tools for restricted lists exist for CAPRI but not CPRS – VBA manages over 8,000 of their own national accounts.
34
HIA can be contacted at:• [email protected]• VHA OI HDI HIA• [email protected] (HIA Manager)
Questions?