WVHIN: Public Comment Period on Proposed Privacy and Security Policies

The West Virginia Health Information Network (WVHIN), West Virginia's health information exchange, has issued proposed privacy and security policies and is seeking public comments on the proposed policies from December 3, 2010 through January 3, 2011. The WVHIN is a public/private partnership created in 2006 under W.Va. Code 16-29G-1 et seq. and is charged with building a secure electronic health information system for the exchange of patient data among physicians, hospitals, diagnostic laboratories, other care providers, and other stakeholders.

The proposed privacy and security policies that are available for review and comment are as follows:

• Patient Consent - General
• Patient Consent - Permissible Purpose
• Patient Consent - Sensitive Health Information
• User Authorization
• User Authentication
• Patient Amendment of Protected Health Information
• Patient Access to Protected Health Information
• Minimum Necessary
• Breach Notification

Pursuant to a press release from the WVHIN on the proposed privacy and security policies:

“WVHIN has been developing our core privacy and security policies that will guide us in our initial health information exchange implementation and pilot for 2011. We expect to have changes to the policies as a result of learning how to improve our operations through testing in the pilot period.“

“The policies have been developed over the past few months by the WVHIN Privacy and Security Committee and legal counsel, and are based upon an established WVHIN Privacy Framework and national best practices recommendations in Health Information Exchange (HIE). The committee is made up of stakeholder organizations including provider groups, state government, and consumer groups. The committee followed a cycle of reviewing and vetting the policies that have resulted in our drafts.”

“We have established a public comment period for the draft policies and would like to invite any member of the public to comments on these policies. Thus, we would like to request your assistance in forwarding this e-mail to any parties you may feel would like to comment on the policies. We welcome all feedback”, according to Business Development Manager Samantha Stamper.

Written comments on the proposed privacy and security policies may be submitted to Samantha Stamper, Business Development Manager by January 3, 2011 at sstamper@wvhin.org.

SAMHSA and ONC: FAQs on Substance Abuse Confidentiality Regulations for HIEs

The Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office of the National Coordinator for Health Information Technology (ONC) announced last week the release of FAQs for Applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges (HIEs).

Cover letter regarding the FAQs by Pamela S. Hyde, the Administrator of SAMHSA, and David Blumenthal, National Coordinator for ONC. The letter describes that the the Substance Abuse Confidentiality Regulations under 42 CFR Part 2 were enacted years ago (circa 1975). Due to the age of the regulations SAMHSA and ONC created the FAQs to provide guidance and understanding of the scope of these regulations in the context of today's move toward an electronic health information system.

The FAQs outline the general requirements under 42 CFR Part 2, provide guidance on its application to HIEs, and identify methods for including substance abuse related health information into HIEs that is consistent with the Federal statute.

As a follow-up to the release of the FAQs, SAMHSA and ONC will convene a meeting of concerned or interested parties from both the Behavioral Health and Information Technology (BH-IT) communities on August 4, 2010. The meeting will be an opportunity for SAMHSA and ONC to receive questions and comments on the FAQs.

The FAQs for Applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges (HIEs) provide information on the following 37 questions:

1. Does the federal law that protects the confidentiality of alcohol and drug abuse patient records allow information about patients with substance use disorders to be included in electronic health information exchange systems?
2. What types of providers are covered programs under 42 CFR Part 2 (“Part 2”)?
3. What patients, and which records and information, are protected by 42 C.F.R Part 2?
4. For the purposes of the applicability of 42 CFR Part 2, does it matter how HIOs are structured?
5. Does 42 CFR Part 2 permit the disclosure of information without a patient’s consent for the purposes of treatment, payment, or health care operations?
6. Under Part 2, can a Qualified Service Organization Agreement (QSOA) be used to facilitate communication between a Part 2 program and an HIO?
7. May information protected by Part 2 be made available to an HIO for electronic exchange?
8. If Part 2 information has been disclosed to the HIO, either pursuant to a Part 2- compliant consent form authorizing such disclosure or under a QSOA, may the HIO then make that Part 2 information available to HIO-affiliated members?
9. How do different HIO patient choice models regarding whether general clinical health information may be disclosed to or through an HIO (e.g., no consent, opt in or opt out) affect the requirements of 42 CFR Part 2?
10. If an HIO is holding or storing Part 2 patient data through a QSOA, can the HIO redisclose the data coming from the Part 2 program to a third party without patient consent?
11. What are the required elements of a patient consent under Part 2?
12. What must a Part 2 program do to notify the HIO, or any other recipient of Part 2 protected information, that it may not redisclose Part 2 information without patient consent?
13. Can a single consent form be used to authorize the disclosure of Part 2 information to an HIO, as well as authorize the redisclosure of that information to other identified parties, such as HIO affiliated members?
14. Does Part 2 allow the use of multiple-party consent forms?
15. Does Part 2 require the use of original signed consents?
16. Under Part 2, may an HIO release demographic information about Part 2 patients without patient consent?
17. Under Part 2, can an HIO reveal that a patient had an encounter at a mixed use facility (or “general medical” facility – see FAQ #2) as long as the HIO does not reveal that the patient was in the mixed use facility’s Part 2 program? A mixed use facility can be defined as a service provider organization that provides substance abuse treatment services as well as other health services such as primary care, dental care, mental health services, social services, etc.
18. Under Part 2, can an HIO use a consent form that provides for disclosure to “HIO members” and refers to the HIO’s website for a list of those members?
19. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to future HIO affiliated health care providers?
20. Can an HIO use a consent form under Part 2 to allow for the disclosure of information to health care providers who are providing on-call coverage for HIO affiliated health care providers or with whom those affiliated providers consult?
21. Can a Part 2 patient consent be used to enable multiple disclosures?
22. Can a Part 2 program or HIO use a consent form that has no specific expiration date but rather states that disclosure is permitted until consent is revoked by the patient?
23. Is “treatment” a sufficient description of the intended purpose of a disclosure on a Part 2 consent?
24. Under Part 2, can any health care provider make the determination that a medical emergency exists, or must a Part 2 provider make that determination?
25. May a computer system be used to automatically determine whether a medical emergency exists and whether a disclosure of Part 2 data can be made without the patient’s consent?
26. If a medical emergency exists, can the entire Part 2 record be released?
27. For documentation purposes, if a medical emergency is present, would it be permissible under Part 2 to have treating providers simply check a drop down box signifying the existence of such a medical emergency?
28. Under Part 2, may an HIO system make clinical decision support functions (such as showing a patient’s medications to clinicians when they write prescriptions, automatically ordering medications, and/or alerting clinicians about potential drug interactions) available to HIO affiliated health care providers in a medical emergency?
29. Does the Part 2 definition of medical emergency also include mental health emergencies?
30. When the HIO keeps an electronic record of a medical emergency, does that fully meet Part 2’s requirement to document disclosures made in a medical emergencies in the patient’s record?
31. If an HIO’s electronic system makes a disclosure in a medical emergency, would documenting the name of the discloser as “electronically disclosed through the system administered by HIO” meet Part 2’s requirement that the name of the person who made the disclosure be documented in the patient’s record?
32. If an HIO’s electronic system sends Part 2 data in a medical emergency to a printer or fax machine in the emergency room, can “the printer in the emergency department” meet Part 2’s requirement to document in the patient’s record the name of the person to whom the disclosure was made?
33. Once Part 2 information is disclosed in a medical emergency, can that information be redisclosed without obtaining patient consent?
34. If a patient has previously refused to consent to the release of his/her Part 2 record to a particular HIO affiliated health care provider, and then the patient is brought to that provider in a bona fide medical emergency situation, can that provider gain access through the HIO to the information without the patient’s consent under Part 2?
35. Can an HIO disclose data for Disease Management purposes under Part 2 without patient consent?
36. Under Part 2, would an HIO be permitted to disclose to an HIO affiliated payer the data of several patients held by the HIO, which may include Part 2 data, in order for the payer to target where interventions could be made with particular patients to improve care and management of disease?
37. If an HIO affiliated health care provider wishes to gain access to a minor’s Part 2 record held by the HIO, may the HIO or provider obtain only the consent of a parent or guardian, or must the minor’s consent also be obtained?

WV HIT Funding Under HITECH: WVHIN Gets $7.8M and WV REC gets $6M

Health and Human Services Secretary Sebelius and the National Coordinator for Health Information Technology, David Blumenthal, announced the HITECH funding under the ARRA for State Health Information Exchanges (HIEs) and Regional Extension Center (RECs) across the country.

The White House Press Release provides a detailed list of HIEs and RECs receiving grants. Inormation is also available via the HHS News Release, Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investments in Advancing Use of Health IT, Training Works for Health Jobs of the Future.

West Virginia will receive the following funding:

• West Virginia Department of Health and Human Resources in conjunction with the West Virginia Health Information Network HIE Award: $7,819,000

• West Virginia Health Improvement Institute, Inc. REC ward:$6,000,000

More information about the health information technology programs and awards can be found on the Office of National Coordinator HIT Website.

• State Health Information Exchange Cooperative Agreement Program

• Health Information Technology Extension Program

WVHIN Releases RFP for West Virginia Health Information Exchange

Today the West Virginia Health Information Network released a Request for Proposal (RFP) for a statewide Health Information Exchange. More information, including the deadlines, bidder worksheets and a full copy of the RFP are available on the WVHIN website.

Following are sections from the RFP that provide a general overview of the proposed West Virginia Health Information Exchange and a general scope of the RFP:

The West Virginia Health Information Network (WVHIN) is soliciting proposals to provide a statewide Health Information Exchange (HIE) infrastructure platform for physicians, hospitals, other health care organizations, and consumers. The purpose of this Request for Proposal (RFP) is to obtain vendor services and expertise in support of the WVHIN. Details on the scope of work, requirements and deliverables are contained in this RFP. WVHIN reserves the right to use the results of this RFP to obtain services for additional and related work should the need arise throughout the course of this project . . .

. . . According to the eHealth Initiative’s Sixth Annual Survey of Health Information Exchange 2009, there are almost 200 self‐reported HIE initiatives across the country with a substantially increased number of organizations that reported being operational. The impetus for HIEs has increased as a result of the passage of the American Recovery and Reinvestment Act (ARRA) of 2009 and specifically key provisions from the Health Information Technology for Economic and Clinical Health (HITECH) Act. These provisions called for the Office of the National Coordinator (ONC) to create a program to engage in collaborative agreements with states or “qualified” state‐designated non‐profit, multistakeholder partnerships to “conduct activities to facilitate and expand the electronic movement and use of health information among organizations according to nationally recognized standards.” . . .

. . . There are 1.8 million people in the very rural state of West Virginia with a high level of elderly and low‐income people in many of the rural areas. With a geographically dispersed population, access to and coordination of care is a critical issue. To serve this rural population, there is a relatively high number of hospitals with less than 100 beds and a high level of clinics serving the underserved making access and care coordination both difficult and essential. Based on the population profile and the number of small providers, a strong case was made for the need for a statewide HIE, which will help providers overcome communication and geographic barriers to access and coordination of care.

The WVHIN was established in July 2006 by the West Virginia Legislature at the request of the Governor. The WVHIN is a sub‐agency under the West Virginia Health Care Authority. The intent of the legislation was for the WVHIN “to promote the design, implementation, operation and maintenance of a fully interoperable statewide network to facilitate public and private use of health care information in the state”. With this authority, the WVHIN established a multi‐stakeholder board and has been working with stakeholders to develop and implement a state‐level HIE. . .

. . . With this mandate, the WVHIN established a vision to enable “high quality, patient centered care facilitated by health information technology”. The WVHIN mission is as follows: “The West Virginia Health Information Network provides the health care community a trusted, integrated and seamless electronic structure enabling medical data exchange necessary for high quality, patient‐centered care.” Guiding principles have been established around collaboration, facilitation of patient‐centric care, enabled participation by all providers, quality improvement, patient participation, privacy and security, and sustainability.

The WVHIN, along with health systems, physicians, other providers, payers, and consumers, has a unique opportunity to establish a state‐level HIE infrastructure that helps communities and regions share data across organizations. The WVHIN is well positioned to provide a cost‐effective HIE infrastructure that benefits from economies of scale while enabling communities to develop their own unique solutions. As a convener and collaborator, the WVHIN will build bridges between health care stakeholders to launch and fund HIEs. It will help communities address complex issues such as setting standards for interoperable data exchange, addressing liability, setting policies for privacy and security, and exchanging data across state lines. It will collaborate with other health information technology (HIT) and HIE initiatives such as the Regional Extension Center (REC) to be initiated, public health, Medicaid, and others, to leverage collective resources. WVHIN activities are being pursued within the parameters of the West Virginia Statewide Health Information Technology Strategic Plan. WVHIN is one of several participating entities that jointly developed the strategic plan.

Update On HIT Policy and Standards Committees

Last week the Federal Register (April 29, 2009) contained a Notification of the Establishment of the HIT Policy Committee and HIT Standards Committee. I had previously posted about the creation of these committee and recommended suggested members.

More information will be made available via the "new" Health Information Technology website of the Office of the National Coordinator.

The summary of the notice on establishing the HIT Policy Committee states:

This notice announces the establishment of the HIT Policy Committee. The American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), section 13101, directs the establishment of the HIT Policy Committee.

The HIT Policy Committee (also referred to as the "Committee'') is charged with recommending to the National Coordinator a policy framework for the development and adoption of a nationwide health information technology infrastructure that permits the electronic exchange and use of health information as is consistent with the Federal Health IT Strategic Plan and that includes recommendations on the areas in which standards, implementation specifications, and certification criteria are needed. The HIT Policy Committee is also charged with recommending to the National Coordinator an order of priority for the development, harmonization, and recognition of such standards, specifications, and certification criteria.

The notice outlines the criteria for members of the HIT Policy Commitee and states that the appointments shall be made in the following manner:

• 1 member shall be appointed by the majority leader of the Senate;
• 1 member shall be appointed by the minority leader of the Senate;
• 1 member shall be appointed by the Speaker of the House of Representatives;
• 1 member shall be appointed by the minority leader of the House of Representatives;
• Such other members as shall be appointed by the President as representatives of other relevant Federal agencies;
• 13 members shall be appointed by the Comptroller General of the United States of whom-
• 3 members shall be advocates for patients or consumers;
• 2 members shall represent health care providers, one of which shall be a physician;
• 1 member shall be from a labor organization representing health care workers;
• 1 member shall have expertise in health information privacy and security;
• 1 member shall have expertise in improving the health of vulnerable populations;
• 1 member shall be from the research community;
• 1 member shall represent health plans or other third-party payers;
• 1 member shall represent information technology vendors;
• 1 member shall represent purchasers or employers; and
• 1 member shall have expertise in health care quality measurement and reporting.
• Non-federal members of the Committee shall be Special Government
• Employees, unless classified as representatives.

The summary of the notice on establishing the HIT Standards Committee states:

This notice announces the establishment of the HIT Standards Committee. The American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), section 13101, directs the establishment of the HIT Standards Committee. The HIT Standards Committee (also referred to as the "Committee'') is charged with making recommendations to the National Coordinator on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information for purposes of adoption, consistent with the implementation of the Federal Health IT Strategic Plan, and in accordance with policies developed by the HIT Policy Committee.

The notice outlines the criteria for members of the HIT Standards Commitee and states that the appointments shall be made in the following manner:

The HIT Standards Committee shall not exceed thirty (30) voting members, including a Chair and Vice Chair, and members are appointed by the Secretary with input from the National Coordinator. Membership of the Committee shall at least reflect providers, ancillary healthcare workers, consumers, purchasers, health plans, technology vendors, researchers, relevant Federal agencies, and individuals with technical expertise on health care quality, privacy and security, and on the electronic exchange and use of health information and shall represent a balance among various sectors of the health care system so that no single sector unduly influences the recommendations of the Committee. Non-Federal members of the Committee shall be Special Government Employees, unless classified as representatives.

Thanks for the tip on the issuance of the notice to John Halamka at Life as a Healthcare CIO: Next Steps on the HIT Policy and Standards Committees.



UPDATE (5/7/09): Brian Ahier (@ahier) provides the latest update on with information on the first meetings of the HIT Policy Committee on May 11 and HIT Standards Committee meeting on May 15. Brian also provides links to the announcment by the GAO of 13 of the members of the HIT Policy Committee.

The announcment includes a list of the 13 members appointed by the Acting Comptroller General covering 10 different categories:

Advocates for Patients or Consumers

1. Christine Bechtel, Washington, D.C. (3 year term)
Vice President, National Partnership for Women & Families

2. Arthur Davidson, M.D., Denver Colorado (2 year term)
Denver Public Health Department; Director, Public Health Informatics; Director, Denver Center for Public Health Preparedness; Medical epidemiologist; Director, HIV/AIDS Surveillance, City and County of Denver

3. Adam Clark, Ph.D., Austin, Texas (1 year term)
Director of Research and Policy, Lance Armstrong Foundation

Representatives of Health Care Providers, including 1 physician

4. Marc Probst, Salt Lake City, Utah (3 year term)
Chief Information Officer, Intermountain Healthcare

5. Paul Tang, M.D., Mountain View, California (2 year term)
Vice President and Chief Medical Information Officer, Palo Alto Medical Foundation

Labor Organization Representing Health Care Workers

6. Scott White, New York City, New York (1 year term)
Assistant Director, Technology Project Director, 1199 SEIU Training and Employment Fund

Expert in Health Information Privacy & Security

7. LaTanya Sweeney, Ph.D., Pittsburgh, Pennsylvania (3 year term)
Director, Data Privacy Lab, Associate Professor of Computer Science, Technology and Policy, Carnegie Mellon University

Expert in Improving the Health of Vulnerable Populations

8. Neil Calman, M.D., New York City, New York (2 year term)
President and CEO, The Institute for Family Health, Inc.
Research Community

9. Connie Delaney, R.N., Ph.D., Minneapolis, Minnesota (1 year term)
Dean, School of Nursing, University of Minnesota

Representative of Health Plans or Other Third-Party Payers

10. Charles Kennedy, M.D., Camarillo, California (3 year term)
Vice President, Health Information Technology, Wellpoint, Inc.
Representative of Information Technology Vendors

11. Judith Faulkner, Verona, Wisconsin (2 year term)
Founder, CEO, President, Chairman of the Board, Epic Systems Corporation
Representative of Purchasers or Employers

12. David Lansky, Ph.D., San Francisco, California (1 year term)
President and CEO, Pacific Business Group on Health

Expert in Health Care Quality Measurement and Reporting

13. David Bates, M.D., Boston, Massachusetts (3 year term)
Medical Director for Clinical and Quality Analysis, Chief of General Internal Medicine, Partners HealthCare/Brigham & Women’s Hospital

More information on the upcoming meetings:

• HIT Standards Commitee - Federal Register (May 6, 2009) announcement of meeting.
• HIT Policy Committee - Federal Register (May 6, 2009) announcement of meeting.
  

ONCHIT Issues Nationwide Privacy and Security Framework for Electronic Exchange of Health Information

Today the Office of the National Coordinator for Health Information Technology (ONCHIT) issued The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The summary states that the framework creates a set of consistent principles to:

". . .address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation's adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a network."

Along with the Nationwide Privacy and Security Framework the Department of Health and Human Services (HHS) has issued The Health IT Privacy and Security Toolkit. The Toolkit includes new HIPAA Privacy Rule guidance documents developed by the ONCHIT and the Office for Civil Rights (OCR) to help facilitate the electronic exchange of health information.

Of particular interest to many interested in PHRs will be the OCR's guidance on Personal Health Records and the HIPAA Privacy Rule and the draft Draft Model Personal Health Record (PHR) Privacy Notice & Facts-At-A-Glance (the "Leavitt Label").

The Toolkit provides information and guidance focused around these key areas:

• Individual Access Principle - Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
• Correction Principle - Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
• Openness and Transparency Principle - There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
• Individual Choice Principle - Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.
• Collection, Use, and Disclosure Limitation Principle - Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
• Data Quality and Integrity Principle - Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
• Safeguards Principle - Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
• Accountability Principle - These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

I have only made an initial pass though the information and guidance documents. There is a lot to read and digest over the holidays. Please post in the comments your thoughts on the new federal principles and guidelines.

EHealth Initiative: The State of HIEs

EHealth Initiative has released the results of the 2008 Fifth Annual Survey of Health Information Exchanges (HIE) at the State and Local Level.

The survey included responses from 130 community based initiatives from 48 states. Here is a summary of the key findings.

eHealthWV: West Virginia EHR Public Service Announcement

As a part of West Virginia's participation in the Health Information Security and Privacy Collaborative (HISPC), West Virginia Medical Institute and its partners launch the eHealthWV website focused on educating consumers about electronic health records and health information exchange.

West Virginia was one of a number of states awarded a grant by RTI International to participate in the HISPC, a national collaborative effort to study health information security and privacy. To learn more about EHRs and HIEs check out the website. They also have a toolkit of brochures for physician practices to use.

Project Director, Patty Ruddick, notified me last week that they had filmed a new EHR/HIT public service announcement that will start airing across West Virginia over the next few months. I thought I would upload the PSA to YouTube and share a copy (click below to watch).

Better Understanding of Key Health Information Technology Terms

On April 28, 2008, the National Alliance for Health Information Technology released its Report, "Defining Key Health Information Technology Terms," to the Office of the National Coordinator for Health Information Technology.

The report is an effort to get everyone working in health information technology to have a common understanding of and differences between EMRs, EHRs, PHRs, HIEs, HIOs and RHIOs. If you don't know what each of these are or are interested in better understanding these key health tech terms check out the report.

An article by Health Data Management indicates that the Report will be "presented on June 3 to the American Health Information Community, a Department of Health and Human Services advisory body, for final approval."