Organizational and Legal Issues
-- Addressing Privacy and Security Issues
Day 2 – Track 5
CONNECTING COMMUNITIES for BETTER HEALTH
2nd Annual Learning Forum and Exhibition
Track Co-Chairs
• Bill Bernstein – Manatt Phelps & Phillips
• Bruce Fried – Sonnenschein Nath & Rosenthal
• Gerry Hinkley – Davis Wright Tremaine
Distinguished Panel of Experts
• Holt Anderson
• Bruce Henderson
• Vicki Hohner
• Walter Suarez
Goals for this Session
• Understand the “weakest link”
• Identify privacy and security “must haves” for RHIOs
• Address how privacy and security standards will be established and implemented
• Decide if these issues are solvable
Questions 1 and 2
1. What will be required of privacy practices, beyond HIPAA, to ensure public trust in regional networks?
2. How, practically, can a network enforce privacy and security requirements across the broad range of network participants?
Question 3
3. While HIPAA or state laws set the standard for privacy or security, all organizations will meet those standards in their own fashion. How will RHIOs facilitate PHI sharing where entities meet the privacy or security standards in different ways and, thus, may be reluctant to share PHI with entities that may be perceived as having a lower, or a different level of protection?
Question 4
4. Also, we can expect to see RHIOs in multi-state markets (Washington DC, Kansas City, Portland, Oregon, Philadelphia). What steps will be required to permit cross border sharing of PHI in these instances?
Questions 5 and 6
5. What role should ONCHIT and standards setting organizations play in establishing the privacy and security baselines for regional networks?
6. Is a change in HIPAA going to be necessary?
Revisiting our Goals
• Understand the “weakest link”
• Identify privacy and security “must haves” for RHIOs
• Address how privacy and security standards will be established and implemented
• Decide if these issues are solvable
Disclaimer
• The NHIN and RHIOs are new but important concepts
• Definitions are not firm at this time
• Public input is being sought by the Office of the National Coordinator for Health Information Technology (ONCHIT)
NHIN
• National Health Information Network (NHIN)
– A supportive, nation-wide, interoperable system with the capacity to exchange conveniently and securely healthcare information culminating in the improvement of consumer health and the reduction in healthcare costs.
RHIO
• Regional Healthcare Information Organizations (RHIO)
– A collaborative, consumer-centric organization focused on facilitating the coordination of existing and proposed e-health initiatives within a region, state, or other designated local area.
Types of RHIOs
• Federations
– Includes large, “self-sufficient” enterprises
– Agreement to network, share, allow access to information they maintain on peer to peer basis
– May develop system of indexing and/or locating data (e.g., state or region-wide MPI)
Types of RHIOs (cont.)
• Co-ops
– Includes mostly smaller enterprises
– Agreement to pool resources and create a combined, common data repository
– May share technology and administrative overhead
Types of RHIOs (cont.)
• Hybrids
– Includes combinations of Federations and Co-ops
– Agreement to network, share, allow access to information they maintain on peer to peer basis
– Allows aggregation across large areas (statewide or regional)
RHIO Structure
• 501(c)(3) Nonprofit
– Eligible for Federal and State Grants
– Contributions may be tax deductible as charitable
• Issue:
– Limit of ~20% of total revenues from “unrelated business” activities (i.e. not charitable and educational)
– May need to subcontract or otherwise hand off operational aspects of activities
Key Allies for a RHIO Include:
• Covered Entities (Providers, Health Plans, Clearinghouses)
• Medical Society
• Hospital Association
• Nurses Association
• Health Information Management Assn.
• Medical Group Managers Association
• Healthcare Financial Management Association
• Association of Local Health Directors
• Association of Pharmacists
• Long-term Care Association
• Association of Health Plans
• Quality Improvement Organizations (QIOs)
• Vendors
• Etc., Etc.
Privacy and Security Issues
• Overwhelming complexity of understanding the interplay of all state and federal privacy requirements along with mandated requirements for disclosures
• HIPAA requirements too vague and targeted
• Lack of understanding by participants and the public
• Invoke privacy when unsure/proprietary concerns
• Differing interpretations of what is required and adequate
• Differing abilities to develop and implement strong protections (expertise)
• Differing abilities to fund strong protections
Privacy and Security Goals
• Simplicity, uniformity, and transparency
• Balance privacy and security with appropriate access
• Involve and communicate with the public but within the broader framework of care
• Appropriately frame issues for public support and comfort
• Use and disclosures within/across networks occur according to common published criteria
• Strong actions on, mitigation of, and penalties for violations
• Work bi-directionally (up and down) to evolve protections with systems and industry
Privacy and Security Support
• Demonstrate visible benefits to individual care
• Aim towards simplicity, specificity, and uniformity
• Develop resources and guidance for common use
– Develop practice baselines
– Privacy and security “companion guides”
– Build rules and protections into system wherever possible
– Work to consolidate and/or converge state privacy laws
• Advocate for federal consolidation/simplification
• Consider developing guidance approaches that can be used in any network setting; test these in real world settings and revise as needed