Organizational and Legal Issues -- Addressing Privacy and Security Issues Day 2 – Track 5 CONNECTING COMMUNITIES for BETTER HEALTH 2nd Annual Learning Forum and Exhibition

Upload: sharleen-atkinson

Post on 17-Dec-2015


Organizational and Legal Issues -- Addressing Privacy and Security Issues

Day 2 – Track 5

CONNECTING COMMUNITIES for BETTER HEALTH

2nd Annual Learning Forum and Exhibition


Track Co-Chairs

• Bill Bernstein – Manatt Phelps & Phillips

• Bruce Fried – Sonnenschein Nath & Rosenthal

• Gerry Hinkley – Davis Wright Tremaine


Distinguished Panel of Experts

• Holt Anderson

• Bruce Henderson

• Vicki Hohner

• Walter Suarez


Goals for this Session

• Understand the “weakest link”

• Identify privacy and security “must haves” for RHIOs

• Address how privacy and security standards will be established and implemented

• Decide if these issues are solvable


Questions 1 and 2

1. What will be required of privacy practices, beyond HIPAA, to ensure public trust in regional networks?

2. How, practically, can a network enforce privacy and security requirements across the broad range of network participants?


Question 3

3. While HIPAA or state laws set the standard for privacy or security, all organizations will meet those standards in their own fashion. How will RHIOs facilitate PHI sharing where entities meet the privacy or security standards in different ways and, thus, may be reluctant to share PHI with entities that may be perceived as having a lower, or a different level of protection?


Question 4

4. Also, we can expect to see RHIOs in multi-state markets (Washington DC, Kansas City, Portland, Oregon, Philadelphia). What steps will be required to permit cross-border sharing of PHI in these instances?


Questions 5 and 6

5. What role should ONCHIT and standards setting organizations play in establishing the privacy and security baselines for regional networks?

6. Is a change in HIPAA going to be necessary?


Revisiting our Goals

• Understand the “weakest link”

• Identify privacy and security “must haves” for RHIOs

• Address how privacy and security standards will be established and implemented

• Decide if these issues are solvable


Disclaimer

• The NHIN and RHIOs are new but important concepts

• Definitions are not firm at this time

• Public input is being sought by the Office of the National Coordinator for Health Information Technology (ONCHIT)


NHIN

• National Health Information Network (NHIN)

– A supportive, nation-wide, interoperable system with the capacity to exchange conveniently and securely healthcare information culminating in the improvement of consumer health and the reduction in healthcare costs.


RHIO

• Regional Healthcare Information Organizations (RHIO)

– A collaborative, consumer-centric organization focused on facilitating the coordination of existing and proposed e-health initiatives within a region, state, or other designated local area.


Types of RHIOs

• Federations

– Includes large, “self-sufficient” enterprises

– Agreement to network, share, allow access to information they maintain on peer to peer basis

– May develop system of indexing and/or locating data (e.g., state or region-wide MPI)


Types of RHIOs (cont.)

• Co-ops

– Includes mostly smaller enterprises

– Agreement to pool resources and create a combined, common data repository

– May share technology and administrative overhead


Types of RHIOs (cont.)

• Hybrids

– Includes combinations of Federations and Co-ops

– Agreement to network, share, allow access to information they maintain on peer to peer basis

– Allows aggregation across large areas (statewide or regional


RHIO Structure

• 501(c)(3) Nonprofit

– Eligible for Federal and State Grants

– Contributions may be tax deductible as charitable

• Issue:

– Limit of ~20% of total revenues from “unrelated business” activities (i.e. not charitable and educational)

– May need to subcontract or otherwise hand off operational aspects of activities


Key Allies for a RHIO Include:

• Covered Entities (Providers, Health Plans, Clearinghouses)

• Medical Society

• Hospital Association

• Nurses Association

• Health Information Management Assn.

• Medical Group Managers Association

• Healthcare Financial Management Association

• Association of Local Health Directors

• Association of Pharmacists

• Long-term Care Association

• Association of Health Plans

• Quality Improvement Organizations (QIOs)

• Vendors

• Etc., Etc.


Privacy and Security Issues

• Overwhelming complexity of understanding the interplay of all state and federal privacy requirements along with mandated requirements for disclosures

• HIPAA requirements too vague and targeted

• Lack of understanding by participants and the public

• Invoke privacy when unsure/proprietary concerns

• Differing interpretations of what is required and adequate

• Differing abilities to develop and implement strong protections (expertise)

• Differing abilities to fund strong protections


Privacy and Security Goals

• Simplicity, uniformity, and transparency

• Balance privacy and security with appropriate access

• Involve and communicate with the public but within the broader framework of care

• Appropriately frame issues for public support and comfort

• Use and disclosures within/across networks occur according to common published criteria

• Strong actions on, mitigation of, and penalties for violations

• Work bi-directionally (up and down) to evolve protections with systems and industry


Privacy and Security Support

• Demonstrate visible benefits to individual care

• Aim towards simplicity, specificity, and uniformity

• Develop resources and guidance for common use

– Develop practice baselines

– Privacy and security “companion guides”

– Build rules and protections into system wherever possible

– Work to consolidate and/or converge state privacy laws

• Advocate for federal consolidation/simplification

• Consider developing guidance approaches that can be used in any network setting; test these in real world settings and revise as needed