1. North Carolina Health Information Exchange Governance Workgroup Date: April 26, 2011 Time: 1:00 pm – 3:00 pm Location: NC Hospital Association 2400 Weston Parkway, Cary, NC Dial in: 1-866-922-3257; Participant Code: 654 032 36#

2. 2 Agenda TopicLeadsTime Welcome Roll call Review progress to date and today’s objectives Co-Chairs1:00 – 1:10 Finalization of Recommendations Related to Qualified Organizations (QOs) Selection Criteria Co-Chairs & Manatt 1:10 – 2:45 Next StepsCo-Chairs & Manatt 2:45 – 2:50 Public CommentN/A2:50 – 3:00

3. 3 Statewide HIE Governance...Primary Tasks 1. Who Will Participate in Statewide HIEStatus 1. Participation Model Board determined participation to be voluntary Board determined that participation would be through “Qualified Organizations” 2. Definition of Qualified Organization Board approved definition of a Qualified Organization Board approved principles for Qualified Organizations 3. Candidates for Qualified Organizations Workgroup and Board identified candidate types of organizations 4. Criteria for Qualified Organizations  To be developed 2. Rules and Policies for ParticipationStatus 1. Participation Mechanism Board determined that Qualified Organizations must sign a participation agreement with NC HIE 2. Terms and Conditions  To be developed and informed by Governance, Legal/Policy and Clinical/Technical Operations Workgroups 3. Enforcement and OversightStatus 1. Enforcement Approach Board determined that there will be a process and policies established for ongoing oversight 2. Enforcement and Oversight Roles and Responsibilities  To be developed 3. Enforcement and Oversight Mechanisms  To be developed

4. 44 Updates on NC HIE Operations and Workgroups Operations –New CEO, Jeff Miller –Communications Firm Selection (CapSTRAT) Legal and Policy –Update on legislation –Currently refining privacy & security policies –Next Meeting: May 13, 1:00–3:00 pm Financing –Building prepayment model and terms –Next Meeting: May 26, 2:00–4:00 pm Clinical & Technical Operations –Finalized RFP requirements –RFP Evaluation Committee being formed

5. 5 Statewide HIE Governance...Today’s Objectives Continue Process of Developing Recommendations for QO Approach  Finalize Selection Criteria (today’s primary focus)  Revisit Fair Information Principles Criterion  Revisit QO Insurance Requirements Criterion  Revisit QO Financial Viability Criterion  Discuss Application/Selection Process  Oversight and Enforcement of Obligations

6. 6 Criteria for Qualified Organizations

7. 7 Proposed Selection Criteria for Qualified Organizations (STRAWMAN - FOR DISCUSSION ONLY) 1.Organized as a non-profit or for-profit corporation whose articles of incorporation have been filed with the North Carolina Department of the Secretary of State (or that has a certificate of good standing if incorporated in a state other than North Carolina). 2.Agree to comply with Statewide Policy Guidance (including technical specifications and privacy and security requirements) and ensure QO participants comply with them. 3.Agree to comply with “fair information” policy principles and require that QO participants comply with them. 4.Provide list of current NC HIE participants (as defined by the NC HIE Board), updated on a quarterly basis in compliance with the process established by the NC HIE Board, and plan for adding more participants. 5.Annually submit a Program Plan that describes specific activities in which the QO will engage. 6.Demonstrate financial viability as required by the NC HIE Board. Includes demonstration of adequate and appropriate insurance coverage. Important Topics to Consider in Selection of Criteria  Extent to which criteria limit entities that could serve as QOs  Establishing and maintaining overall system efficiency & integrity  Understanding the administrative implications of compliance Important Topics to Consider in Selection of Criteria  Extent to which criteria limit entities that could serve as QOs  Establishing and maintaining overall system efficiency & integrity  Understanding the administrative implications of compliance Red/italicized text indicates edits to proposed criteria that have not been approved by the Workgroup.

8. 8 Remaining Criteria for Finalization

9. 9 3. Agree to comply with “fair information” policy principles and require that QO participants comply with them Implementation Considerations NC HIE will need to define “fair information” policy principles. Workgroup Recommendation: QOs should be required to comply with fair information policy principles as well as ensure the compliance of QO participants with whom they have contracts; however, principles must be refined and carefully crafted so that they explicitly state related obligations. Work Group Preliminary Recommendation AcceptRejectFurther Development Required XX

10. 10 Fair Information Principles Fair Information Principles (FIPs) form the basis of information laws and policies in the US and globally and are the result of a series of reports, guidelines and model codes developed by government agencies in the US, Canada and Europe over the past 25 years. The five core guiding principles of privacy protection that serve as the foundation of FIPs are: Notice/Awareness Choice/Consent Access/Participation Integrity/Security Enforcement/Redress * Federal Trade Commission, Fair Information Practice Principles

11. 11 Core Principles of Privacy Protection as Foundation for FIPs Notice/Awareness – Consumers should be given notice of an entity’s information practices before any personal information is collected from them. Notice of some or all of the following have been recognized as essential to notice, including: Choice/Consent – Consumers should be given options as to how any personal information collected from her or him may be used (allows for opt-in or opt- out consent model). Access/Participation – Consumers should be able to both access data about themselves and contest that data’s accuracy or completeness. Integrity/Success – Data must be accurate and security. Enforcement/Redress – The core principles of privacy protection are only effective if enforcement/redress mechanisms are in place (includes self- regulation, private remedies and government enforcement). * Federal Trade Commission, Fair Information Practice Principles Identification of the entity collecting the data Uses of the data Any potential recipients of the data Means by which data is collected Whether provision of the data is voluntary or required and the consequences of refusal Steps taken by the data collector to ensure the confidentiality, integrity and quality of the data

12. 12 ONC’s Fair Information Principles for HIE Individual Access – Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format. Correction – Individuals should be provided with a timely means to dispute the accuracy or integrity or their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied. Openness & Transparency – There should be openness and transparency about policies, procedures and technologies that directly affect individuals and/or their individually identifiable health information. Individual Choice – Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information. Adopted by ONC in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health information In December 2008, ONC adopted the following FIPs in its “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” as guidance for all entities involved in health information exchange:

13. 13 ONC’s Fair Information Principles for HIE (cont.) Collection, Use, and Disclosure Limitation – Individually identifiable health information should be collected, used and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately. Data Quality and Integrity – Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner. Safeguards – Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure. Accountability – These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches. Adopted by ONC in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health information

14. 14 Fair Information Principles: Key Questions for Discussion Fair Information Principles tend to serve as overarching policy guidance and are supported by actionable procedure requirements. –Do we want to include Fair Information Principles as a guiding policy requirement for NC HIE QOs? Fair Information Principles are closely related to information security and patient consent considerations. –If we adopt Fair Information Principles as a part of our statement of criteria, should they be explicitly included as an individual “line item” or should they be subsumed in criterion addressing compliance with Statewide Policy Guidance/privacy & security policies?

15. 15 6. Demonstrate financial viability as required by the NC HIE Board. Implementation Considerations Establishing a reasonable threshold will be essential to ensure that this criterion isn’t overly restrictive. Options include: –Require that QO submit a financial statement showing net worth [ WG members did not endorse this option based on concern that it would exclude entities with modest resources] –Require that QO submit a plan for financial sustainability –Require that the QO submit an annual financial audit report from an independent audit firm Work Group Preliminary Recommendation AcceptRejectFurther Development Required X Progress to Date At the March 31 Workgroup meeting, members agreed that the NC HIE should establish a criterion to determine a QO’s financial viability to perform services required of a QO but requested additional information from NC HIE staff regarding varying approaches to verifying financial viability.

16. 16 State Approaches to Financial Viability Criteria Participants must submit an annual audit report from an independent audit firm without a “going concern” qualification, disclaimer or adverse opinion(s) reflecting on the QO’s accounting procedure. If an audit report does reflect any of the above, the QO must submit an action plan/timeline to remediate the issues and the plan must be approved by HIP TN. Participants must provide MiHIN with an annual report of its financial position. Participants must: –Submit a schedule of proposed charges and a detailed business plan, including a three-year projection of expenses and income and other sources of future capital –Submit a rate plan outlining fee structures for HIE services (rates reviewed and approved) –Submit results of annual independent financial audit

17. 17 Obtain insurance in amounts specified by the NC HIE Board Implementation Considerations Insurance products could include: –Directors & Officers insurance –Errors & Omission insurance –Cyber-liability insurance Work Group Preliminary Recommendation AcceptRejectFurther Development Required XX Progress to date: At the March 31 Workgroup meeting, members agreed that the NC HIE should require that QOs obtain insurance coverage in amounts specified by the NC HIE Board, but requested additional information from NC HIE staff regarding other states’ approaches to insurance requirements (specifically, the types of insurance being required and coverage amounts) before finalizing the recommendation.

18. 18 Liability Insurance –Directors & Officers (D&O) insurance: provides financial protection for the directors and officers of an organization in the event they are sued in conjunction with the performance of their duties as they relate to the organization –Errors & Omissions (E&O) insurance and Cyberliability: protects the organization from claims if a participant holds it responsible for errors or for failure to perform as promised in the contract. This coverage is concerned with performance failures and negligence with respect to products and services. –Product Liability (for IT vendors): indemnifies a manufacturer, supplier, or retailer from liability to a purchaser or user caused by a foreseeable defect in the product. –Malpractice insurance (for care providers): indemnifies a provider for negligence (conduct that falls below the customary standard of care) related to professional medical decisions. Liability insurance relevant to HIEs and their partners include the following types: Agency for Healthcare Research and Quality (AHRQ), Liability Coverage for Regional Health Information Organizations In addition to other considerations, type of insurance and coverage amounts are impacted by technical model, data use policies and state law considerations.

19. 19 Liability Insurance (cont.) The importance and weight of liability issues varies among HIEs. –In some instances, liability concerns determined the legal and governing status of an HIE (e.g., Delaware HIN) where in others the ability to leverage existing liability practices of larger governing entities reduced liability concerns (e.g., Indiana Network for Patient Care). In other settings, some HIEs believe that electronic exchange of health information should not add any more substantial liability than paper-based exchange. Obtaining liability coverage takes a considerable amount of time. –Identifying risks and accountability of various participants, looking for and settling on an underwriter and educating the underwriter on HIE are time-intensive activities. High degree of legal uncertainty remains. –Lack of precedent regarding how courts would approach a privacy and security breach, little clarity about who would be held liable. –Uncertainties have wide range of effects on insurance policies, including increased premiums and overlapping liability coverage among participants. A June 2009 study found that at a minimum, most HIEs obtain D&O and E&O insurance and, in some cases, employers’ insurance and privacy & security liability policies. The study also concluded that: Agency for Healthcare Research and Quality (AHRQ), Liability Coverage for Regional Health Information Organizations

20. 20 Liability Insurance (cont.) Insurance policy options are growing but remain limited. –Underwriter’s traditional model is based on entity’s assets and risk quantification; for HIEs underwriters must consider other factors such as technical architecture, services provided, types of data exchanged and security controls. There is wide variability in liability insurance practices across HIEs. –Variability is a reflection of both the emerging landscape of HIE and the unique local and regional communities from which HIEs emerge. Sovereign immunity has advantages and disadvantages. –Operational HIEs are divided on the role of the state or federal government in offering immunity to HIEs and their partners. Some feel that benefits include increased stakeholder participation, decreased start- up costs and long-term sustainability; others posit that if immunity is available, HIEs may not be sufficiently rigorous in establishing privacy and security controls. Agency for Healthcare Research and Quality (AHRQ), Liability Coverage for Regional Health Information Organizations Key findings on liability insurance continued:

21. 21 Liability Insurance: Key Questions for Discussion Who are the entities that take on liabilities because of participation in an HIE? May include: –NC HIE organization and board of directors –NC HIE employees –IT vendors –Partnering organizations / Qualified Organization – data sources –Partnering organizations / Qualified Organization– data users –State agencies that participate in the HIE –Physicians (connecting through a QO or through an alternate provider connection point) Are all emerging categories of HIE liability coverage relevant to all QOs (e.g., directors’ and officers’ liability, data theft, data mismanagement, data generation errors, data misuse, etc.)? What circumstances specific to North Carolina may impact liability coverage (e.g., state law considerations, HIE technical models, data use policies, etc.)?

22. 22 Liability Insurance: Key Questions for Discussion Can we come to consensus on whether or not demonstration of insurance coverage should be a requirement for QOs? If so, do we have enough information to make a specific recommendation as to type, amount, etc.? –If not, Workgroup options could include continuing research and discussion in future meeting, asking staff to make a recommendation for review, adopting a policy that adequate insurance coverage should be required but partnering with early adopters / initial QOs to determine what appropriate parameters might be so that coverage is adequate but requirement is not onerous, etc.

23. 23 QO Criteria: Additional Issues for Consideration

24. 24 Should there be exceptions? Mandatory –One set of mandatory criteria for all QOs –State example: Maryland Establishment of “Optional” Criteria –One set of mandatory criteria that all QOs (or categories of QOs) must meet; additional “optional” criteria –State example: Tennessee Creation of an Exceptions Process –One set of mandatory criteria for all QOs, ability to appeal for exceptions on a case- by-case basis or by stakeholder category –State example: Tennessee Tiering of Qualified Organizations –Data sharing partners are grouped by size, service level, and organization type, among other factors. Different criteria are applied to each group (or tier). For instance, small provider groups may be required to meet different criteria than large IDNs. –State example: Oregon

25. 25 Criteria Exceptions: Key Questions for Discussion Should all criteria be mandatory or should their be flexibility in selection process? –If so, should flexibility be based on type of organization? Mission of organization (e.g., focus on connecting rural or underserved providers to network)? Other factors? –If not, does this limit the participation of entities who may bring value to the statewide network? If flexibility is built into selection process, how should it be structured? –Limit on number or type of criteria that can waived? –Some mandatory in all circumstances, others optional? –Justification required for waiving criteria and how assessed?

26. 26 Renewal Process: Key Questions for Discussion Should entities be required to renew their QO status on a regular basis? –If so, how often should QOs be required to reapply for QO status? –Should the renewal process differ from the first-time application process and how? –Should QOs be required to meet new selection criteria established since last application? –Should first-time QOs receive only provisional designation for a certain period of time before receiving ongoing designation?

27. 27 Next Steps

28. 28 Governance Workgroup – Next Steps Develop recommendations related to application process, including review of application process in other states. High level overview of steps might include: –NC HIE establishes application process for interested entities. –NC HIE establishes application review process. –NC HIE establishes process to notify applicant and the public that an organization has been deemed as a QO. –NC HIE establishes ongoing re-qualification process. Develop recommendations related to enforcement and oversight: –Define Metrics –Create evaluation process (ongoing compliance) –Establish processes for Dispute resolution Organizations seeking to voluntarily rescind QO status Expulsion of non-compliant QOs

29. 29 NC HIE Workgroups...Working Timelines JanFebMarAprMayJunJul Develop Qualified Org Criteria Qualified Organizations Participation Agreements Develop Participation Agreement Tasks Legal/Policy Workstream Finalize draft legislation 2011 Enforcement and Oversight Define Oversight Roles and Enforcement Mechanisms Develop RFPReview, Negotiate, Award Core Services Deploy Services Develop Privacy and Security Policy and Procedures

30. 30 Public Comment

31. 31 Attachments

32. 32 Principles to Guide Development of Qualified Organizations 1.Workgroup recommends a Qualified Organization approach to participation in the NC statewide HIE. 2.The NCHIE should establish an application process for organizations that wish to participate as a Qualified Organizations. The Statewide HIE will need to verify Qualified Organizations (through a structured review or accreditation process). 3.Qualified Organizations will have a participation agreement/contract with the Statewide HIE, binding participants to compliance with the Statewide HIE’s policy guidance and rules and there will also be policies and processes in place to identify “bad actors” and terminate their participation. Accountability and enforcement of policies must be central in implementing this model. 4.Accepted Qualified Organizations would be able to connect to the Statewide HIE to access core and value-added services. The following principles were developed by the Work Group and endorsed by the NC HIE Board at its July 2010 meeting to guide the development of Qualified Organizations:

33. 33 5.Participation in the Statewide HIE will be voluntary. If an organization elects to withdraw its participation, they will be subject to reasonable withdrawal rules and processes. 6.Statewide policy would include application process, privacy and security rules, technical rules, financial rules, vendor contract requirements, ongoing governance structure and participation and enforcement mechanisms. 7.The Statewide HIE should have a commitment to a principle of “ No Provider Left Behind ” and provide reasonable alternate pathways for eligible providers that are not part of a Qualified Organization to be able to participate. 8.The Workgroup recommends that the Clinical/Technical Operations and Finance Workgroups explore including an internet-based connection portal that clinicians could access in cases where participating through another Qualified Organization is not a possibility and suggested that the NCHIE should consider partnering with the Regional Extension Center for identification and outreach of those providers. Principles to Guide Development of Qualified Organizations

34. 34 Qualified Organizations Business, Technical & Legal Relationships

35. 35 Statewide HIE Components North Carolina Health Information Exchange (NC HIE) –NC HIE is North Carolina’s public-private partnership that supports an open and transparent, statewide, collaborative process which creates statewide policy guidance (i.e., “rules of the road”) for the statewide HIE network –NC HIE provides core technology services and selected “value-added” services accessible via the statewide HIE network. State of North Carolina –The State of North Carolina, working through the NC State HIT Coordinator and its various Departments, (1) identifies and protects the public interest through its regulatory roles, (2) collects, stores, and provides access to health information in support of its various missions, such as Medicaid and public health, and (3) supports efforts to obtain public funds for HIE. NC HIE Policy Guidance –Statewide Policy Guidance, developed by the NC HIE through the Workgroup process and with Board approval, provides a common and consistent technical, privacy, security, and legal framework for participants in HIE and ensures the secure, interoperable exchange of data through the statewide network. –Statewide Policy Guidance typically includes: (1) detailed rules for privacy and security, technical interoperability, and financial obligations; (2) vendor contract requirements; (3) ongoing governance structure and participation; and (4) enforcement mechanisms.

36. 36 Qualified Organization (QO)* –QOs are entities that have permission to access, consume and make available HIE services on the statewide HIE network. –QOs meet a set of established criteria, have gone through an approval process, and have signed agreements to abide by Statewide Policy Guidance. –QOs ensure that participants and vendors with which they have contracts meet the requirements to carry out statewide policies. Qualified Organization Participant –A provider or entity that participates in the statewide network through a QO. Statewide HIE Components (continued) *Note: As the Work Group develops criteria and requirements for QOs, it will be important to consider access to the statewide HIE network through means other than Qualified Organizations.

37. 37 Policy/Contractual Relationships: Interconnecting Participants State of North Carolina Provides Input Manages Work Groups Statewide Policy Guidance* * Statewide Policy Guidance will be approved by NC HIE Board Governance Clinical/Tech Ops Finance Legal/Policy NC HIE Qualified Organization QO Participant HIE Vendor EHR Vendor Provides access to data Contract for access to HIE services Contracts for Technical services Abide Statewide Policy Guidance Contract for technical services Output Abide Statewide Policy Guidance HIE Vendor Contract for technical services Abide Statewide Policy Guidance Contracts for access to HIE services, with reciprocating agreement to abide by Statewide Policy Guidance