1. Organizational and Legal Issues -- Developing organization and governance models for HIE Day 2 -Track 5 – SECOND SESSION – PRIVACY AND SECURITY CONNECTING COMMUNITIES for BETTER HEALTH 2nd Annual Learning Forum and Exhibition WALTER SUAREZ, MD, MPH PRESIDENT, PUBLIC HEALTH DATA STANDARDS CONSORTIUM

2. Privacy and Public Trust in Regional Networks Establish a Strong Privacy Policy Framework Build framework upon 5 HIPAA privacy principles –Patient privacy rights –Boundaries to use and disclosure –Balance privacy rights with public responsibility (i.e. public health) –Security –Accountability Add more stringent state privacy components –State-by-state differences create some additional challenges across the National Health Information Network Consider establishing a privacy board to create overall framework, oversee compliance across system

3. Enforcing Privacy and Security Across Network Participants Five Principles: Agreed-upon framework for both privacy and security standards Education of each component Chain of Trust Agreements Liability boundaries (where does my responsibility ends and the other trading partner responsibility begins) Internally policed

4. Addressing Variability in Adoption and Use of Privacy and Security Standards Across Network Participants Difference between Privacy and Security: Privacy: Might not have a significant variability in how various organizations are implementing privacy (both HIPAA and State privacy standards might not leave much room for variability) Security Will have a much significant variability in the policies, procedures and methods used to protect the data Network participants will need to: Agree to comply with minimum security standards common across all participants

5. Cross-State Data Sharing Issues Cross-state data sharing might be guided by: HIPAA Privacy standard: Regulating the use and disclosure of PHI generally State laws from the originating state In many cases restricting or requiring additional steps to allow disclosure Although most state laws do not necessarily make distinctions whether a disclosure is within or outside state boundaries State laws from receiving state Data at the receiving state might now have to follow that state’s additional protections Current data exchanges happen across states: Many administrative transactions (claims) go from a provider to a payer passing through various clearinghouses in various states without becoming an issue

6. Role of ONCHIT and Standard Setting Organizations in Establishing Privacy and Security Baseline for Regional Networks Limited Role if Any: Would add a third layer of ‘standards’ (federal-HIPAA, state, and federal- OCHIT) Standard setting organizations not set to address security standards, except for those related to security features embedded into the electronic standard per-se Would a change in HIPAA be needed? It might be premature to address this issue, not knowing what are the characteristics of RHIOs and of Regional Networks of the future At least those that exist today where able to continue to operate and perform within the framework set by HIPAA….

7. Cross-State Data Sharing Issues Cross-state data sharing might be guided by: HIPAA Privacy standard: Regulating the use and disclosure of PHI generally State laws from the originating state In many cases restricting or requiring additional steps to allow disclosure Although most state laws do not necessarily make distinctions whether a disclosure is within or outside state boundaries State laws from receiving state Data at the receiving state might now have to follow that state’s additional protections Current data exchanges happen across states: Many administrative transactions (claims) go from a provider to a payer passing through various clearinghouses in various states without becoming an issue