1. Organizational and Legal Issues -- Addressing Privacy and Security Issues Day 2 – Track 5 CONNECTING COMMUNITIES for BETTER HEALTH 2nd Annual Learning Forum and Exhibition

2. Track Co-Chairs Bill Bernstein – Manatt Phelps & Phillips Bruce Fried – Sonnenschein Nath & Rosenthal Gerry Hinkley – Davis Wright Tremaine

3. Distinguished Panel of Experts Holt Anderson Bruce Henderson Vicki Hohner Walter Suarez

4. Goals for this Session Understand the “weakest link” Identify privacy and security “must haves” for RHIOS Address how privacy and security standards will be established and implemented Decide if these issues are solvable

5. Questions 1 and 2 1.What will be required of privacy practices, beyond HIPAA, to ensure public trust in regional networks? 2.How practically, can a network enforce privacy and security requirements across the broad range of network participants?

6. Question 3 3.While HIPAA or state laws set the standard for privacy or security, all organizations will meet those standards in their own fashion. How will RHIOs facilitate PHI sharing where entities meet the privacy or security standards in different ways and, thus, may be reluctant to share PHI with entities that may be perceived as having a lower, or a different level of protection?

7. Question 4 4.Also, we can expect to see RHIOs in multi-state markets (Washington DC, Kansas City, Portland, Oregon, Philadelphia). What steps will be required to permit cross border sharing of PHI in these instances?

8. Questions 5 and 6 5.What role should ONCHIT and standards setting organizations play in establishing the privacy and security baselines for regional networks? 6.Is a change in HIPAA going to be necessary?

9. Revisiting our Goals Understand the “weakest link” Identify privacy and security “must haves” for RHIOS Address how privacy and security standards will be established and implemented Decide if these issues are solvable

10. Disclaimer The NHIN and RHIOs are a new but important concepts Definitions are not firm at this time Public input is being sought by the Office of the National Coordinator for Health Information Technology (ONCHIT)

11. NHIN National Health Information Network (NHIN) –A supportive, nation-wide, interoperable system with the capacity to exchange conveniently and securely healthcare information culminating in the improvement of consumer health and the reduction in healthcare costs.

12. RHIO Regional Healthcare Information Organizations (RHIO) –A collaborative, consumer-centric organization focused on facilitating the coordination of existing and proposed e-health initiatives within a region, state, or other designated local area.

13. Types of RHIOs Federations –Includes large, “self-sufficient” enterprises –Agreement to network, share, allow access to information they maintain on peer to peer basis –May develop system of indexing and/or locating data (e.g., state or region-wide MPI)

14. Types of RHIOs (cont.) Co-ops –Includes mostly smaller enterprises –Agreement to pool resources and create a combined, common data repository –May share technology and administrative overhead

15. Types of RHIOs (cont.) Hybrids –Includes combinations of Federations and Co-ops –Agreement to network, share, allow access to information they maintain on peer to peer basis –Allows aggregation across large areas (statewide or regional

16. RHIO Structure 501(c)(3) Nonprofit –Eligible for Federal and State Grants –Contributions may be tax deductible as charitable Issue: –Limit of ~20% of total revenues from “unrelated business” activities (i.e. not charitable and educational) –May need to subcontract or otherwise handoff operational aspects of activities

17. Key Allies for a RHIO Include: Covered Entities (Providers, Health Plans, Clearinghouses) Medical Society Hospital Association Nurses Association Health Information Management Assn. Medical Group Managers Association Healthcare Financial Management Association Association of Local Health Directors Association of Pharmacists Long-term Care Association Association of Health Plans Quality Improvement Organizations (QIOs) Vendors Etc., Etc.

18. Privacy and Security Issues Overwhelming complexity of understanding the interplay of all state and federal privacy requirements along with mandated requirements for disclosures HIPAA requirements too vague and targeted Lack of understanding by participants and the public Invoke privacy when unsure/proprietary concerns Differing interpretations of what is required and adequate Differing abilities to develop and implement strong protections (expertise) Differing abilities to fund strong protections

19. Privacy and Security Goals Simplicity, uniformity, and transparency Balance privacy and security with appropriate access Involve and communicate with the public but within the broader framework of care Appropriately frame issues for public support and comfort Use and disclosures within/across networks occur according to common published criteria Strong actions on, mitigation of, and penalties for violations Work bi-directionally (up and down) to evolve protections with systems and industry

20. Privacy and Security Support Demonstrate visible benefits to individual care Aim towards simplicity, specificity, and uniformity Develop resources and guidance for common use –Develop practice baselines –Privacy and security “companion guides” –Build rules and protections into system wherever possible –Work to consolidate and/or converge state privacy laws Advocate for federal consolidation/simplification Consider developing guidance approaches that can be used in any network setting; test these in real world settings and revise as needed