1. New York Health Information Security and Privacy Collaboration (NY HISPC) AHRQ Annual Meeting September 27, 2007 Ellen Flink Project Director NYS DOH

2. 2 Opportunity  Rapidly expanding capacity for electronic health information exchanges through RHIOs Challenge  Current State and Federal laws governing health information exchange written in paper-based world and do not contemplate RHIOs Goal of NY HISPC  Create policy guidance governing the exchange of personally identifiable health information through RHIOs in NY that will support improvements in patient care while earning and maintaining patient trust New York State Environment General Context

3. 3 Coordinated leadership in public and private sectors  NYS DOH’s Office of Health Information Technology Transformation  New York e-Health Collaborative (NYeC) Significant funding for state and regional initiatives  HEAL NY grants designed to improve quality and efficiency by providing capital funds to support health care restructuring and health IT adoption  Phase 1 totaled ~ $53 million for 26 projects – many are RHIOs and a handful are EMR focused  Phase 5 combines funding from Phase 3 and totals $105.75 million for RHIOs and CHITAs  External evaluator partnering with stakeholders and RHIOs to standardize evaluation metrics (quality and ROI) and methodologies Collaborative policy framework  NY HISPC forging stakeholder consensus on policies and procedures to protect privacy and security, assuring consumer access and engagement New York State Environment Health IT Activities

4. 4 New York State Laws Health Information Exchange New York Law Public Health Insurance Mental Hygiene Education Civil Rights Civil Service Executive Public Officers Current legal framework for HIE in NY is fragmented

5. 5 Unlike HIPAA, New York law requires consent related to treatment, payment or health care operations General consent acceptable for most disclosures  State law permits one-time, broadly worded consent for routine disclosures among covered entities  Oral or implied consent is permissible; written consent provides a paper trail in the event of potential disputes General consent insufficient for  HIV/AIDS: Authorization must reference the nature of the information being disclosed, parties receiving the information and the purpose of the disclosure.  Mental Health: Limited disclosure rules for state-licensed facilities likely result in special consent requirements  Genetic Testing: Written consent required; must specifically reference fact that genetic testing results will be disclosed. New York State Laws Consent

6. 6 Patient Engagement Consent Security/Access/Use Leadership Entity Accreditation Process Clarification of Laws New Laws Patient Identification Identify or establish an independent, statewide, public- private group to: Convene stakeholders Align HIE policies Identify best practices Publish recommendations Provide technical, business practice and policy guidance Establish a private sector accreditation process for RHIOs that ensures a minimum level of privacy and security practices across the state. Evaluate whether accreditation would qualify for certain benefits such as eligibility for state funding, access to Medicaid data, etc. Establish a shared interpretation of relevant state and federal regulations that impact HIE. Create new law where necessary to govern the electronic exchange of health information. New York State Laws HISPC Part 1 Solutions & Implementation Approach Priority Solutions Areas Implementation Approach

7. 7 Diverse interpretations of State consent laws lead to multiple approaches to patient consent across RHIOs in NYS Consumer participation in patient consent practices vary across RHIOs Strong support within consumer advocacy community for existing state law protections that exceed HIPAA standards Little statewide dialogue has taken place on a standardized patient consent form and process for RHIOs New York HISPC Part 2 Background

8. 8 New York HISPC Part 2 Goal and Timeline JulyAugustSeptemberOctoberNovemberDecember Project Kickoff and Planning Phase I: Assessment and Consensus Building Phase II: Recommendation and Legislative Proposal Phase III: Standardized Consent Form and Process and Educational Plan Goal Implement trusted patient centered consent policies to protect privacy in an interoperable HIE environment Timeline

9. 9 Phase I: Assessment and Consensus Building  Three stakeholder meetings  Inter-agency workgroup meeting  Engagement of neighboring states Phase II: Recommendation and Legislative Proposal  White paper outlining the affirmative standardized consent form & process  Legislative proposal for a new consent law governing electronic, interoperable health information exchange  Operational plan for the new consent law Phase III: Standardized Consent Form and Process & Education Plan  Model standardized consent form and/or outline associated processes  Patient/consumer educational plan New York HISPC Part 2 Deliverables

10. 10 1.Affirmative consent is necessary for the exchange of all health information through a RHIO.  Opinions vary about whether this is necessary under state law.  Conclusion based on belief by state officials that this is necessary public policy to earn patient trust and therefore, for the success of RHIOs. 2.New policies are necessary to provide clear rules in the marketplace for the benefit of consumers, providers and other RHIO stakeholders. 3.New policies should specifically govern HIE conducted among participants in RHIOs. 4.The policies must co-exist with HIPAA. 5.The policies may update, expand or strengthen state law. New York HISPC Part 2 Starting Assumptions

11. 11 To what extent should consumers have the ability to direct what information is/is not included in the exchange?  Option 1: No filters – all in or all out.  Option 2: Filtering at provider level.  Option 3: Filtering at medical record level. What characteristics should a standardized consent process have?  What is necessary to ensure the information is clear and the consumer exercises informed consent?  In what format can consent be obtained – electronic, written, oral, implied?  Durability and revocation How should current administrative requirements be adapted to be meaningful in the new electronic environment? How should RHIOs be defined? What are the parameters of consumers’ right to access and control electronic personal health information? New York HISPC Part 2 Key Questions for Stakeholder Meetings

12. 12 Findings and Next Steps Observations from First Stakeholder Meeting Definitional Issues Uses of information Exchange of sensitive information Standardized, meaningful consent process Enforcement and transparency Consumer engagement Key Questions for RHIO Consent Rules Activities: What are the preferred activities with respect to electronic health information exchange are we seeking to govern and support? Obligations: What are the obligations of participating in the activities defined above?  Uses of information  Exchange of sensitive information  Standardized, meaningful consent process Benefits/Penalties: What are the consequences, including benefits and penalties, of meeting the obligations defined above? Enforcement: How and by whom will these benefits/penalties be enforced?

13. 13 New Policy Framework Mechanism for New Policy Framework LegislationRegulationContracts Benefits/Penalties State funds (e.g. HEAL) Medicaid data Safe harbor protections Obligations Adhere to consent policies regarding uses of information, exchange of sensitive information, patient engagement, etc. ENFORCEMENT Accreditation

14. 14 What Activities Do We Want to Support and Govern: Defining RHIOs for the Purposes of Consent Community-wide Health Information Exchange Provider to Provider Exchange Consumer Access HISPC PROJECT FOCUS

15. 15 Key Questions: RHIO Activities What type of information exchange is governed by your RHIO? What makes this information exchange different than paper-based exchange? How do implications of information exchange through RHIO change for patients? What are the risks of this type of exchange?

16. 16 Standardized Consent Process Current State law: Does not specify requirements for a consent form or process New law: What needs to be explicitly referenced in a consent form?  Purposes of disclosure  Names of providers involved in exchange  Special protections for certain information  Durability  Revocability At what point is consent obtained?  Provider level  Facility level

17. 17 Next Steps Meeting 3: October 24 th (NYC)  Present and discuss options for standardized consent process  Discuss parameters of consumer engagement in consent process White Paper  DOH will post a white paper summarizing stakeholder meeting discussions for public comment  White paper will summarize pros and cons discussed at meeting for each topic area