STATEWIDE COLLABORATION PROCESS
PRIVACY AND SECURITY WORKGROUP
Conference Call Meeting Summary
May 12, 2011, 9-11am
TOPIC: Patient Electronic Access to Their Information
The Work Group (WG) began the meeting by approving the meeting summary from April 28, 2011.
Status Update on the Work Group’s Prioritized Projects for 2011:
Adira Siman (NYeC) provided the update:
Project 1: Analyze the implementation of privacy and security policies and document where policies
need to be harmonized in order for exchange between RHIOs/QHITEs. Status: Issues are still being
discussed by NYC/LI RHIO group; it is not yet determined what issues, if any, will need to be worked
on by the Privacy and Security WG.
Project 2: Review and update existing policies and procedures to ensure compliance with federal
and state law. Status: RFP was released on April 11 and proposals were submitted on April 29, 2011.
Proposals were reviewed by NYeC staff and the WG Co-chairs and we are in the process of
contacting and interviewing the top candidates.
o Corinne Carey (NYCLU) asked if NYeC could share the names of the firms that responded to
the RFP. Adira responded that NYeC would provide the name of the firm that is selected.
o Wayne McNulty asked about the rationale behind not sharing the names of the candidates
before making the selection. Adira responded that NYeC is responsible for staffing the WG
and selecting the consultant. The WG chairs also participated in the process.
o Nance Shatzkin (Bronx RHIO) and Irene Koch (BHIX) agreed that the WG members should be
informed about the names of the firms that submitted proposals.
o Wayne McNulty (HHC) asked if any members of the WG outside of the WG co-chairs would
be part of the selection committee and Adira responded that they would not. Wayne stated
that we should have formed an outside group to manage the process. Irene Koch (BHIX)
responded that it would have been unwieldy to have the entire WG review the RFP.
Project 3: Re-disclosure of sensitive health information. Status: Same as federal/state review.
Project 4: Policies on electronic patient access to their own health information. Status: WG heard
update on developments at the federal level and presentations of some models of how patients can
be given access to their information. WG is currently developing the list of potential issues around
which it will consider developing policy. Next Steps: Once the WG has completed work on the list of
issues that may need to be addressed in policy, NYeC will engage a Consultant to advise the WG on
how to address each issue.
Project 5: Review of SAMHSA issue. Status: Project not started.
o Ted Kremer (Rochester RHIO): Question for State DOH - Have we heard anything back from
the letter the State sent to SAMHSA asking for guidance? Ellen Flink (NYS DOH): No. We got
a response that they were working on the response as soon as possible, but haven’t gotten
Project 6: Policies that facilitate secondary uses of data. Status: Project not started.
Possible issues to be addressed around
Ted Kremer (Rochester RHIO): Markle Foundation work on personal health information should be
distributed to the group
o Ensuring that EMPI is used properly
Obligation to inform patient where the record is improperly linked or where data is
improperly included in the patient record?
Patient ability to change demographic data in their record and impact on patient
What is the RHIO's obligation to help manage or clarify EMPI questions?
Nance Shatzkin (Bronx RHIO): Is there an obligation for a RHIO to be actively
engaged in improving the quality of patient identity matching?
Ted Kremer (Rochester RHIO): How is this different from what we should be
different in terms of clinical matching? Nance responded that the issue is
not specific just to patient access, although it may become more acute in
that context. She was raising it in a RHIO policy context.
Irene Koch (BHIX): There is the issue of what is the RHIO's responsibility and
what is the RHIO's responsibility to have its participants do certain things?
What would the provider's obligations be?
Wayne McNulty (HHC): Would a patient be allowed to amend a record held by a
RHIO for a hospital? That could significantly affect health care and would be
problematic. Irene Koch (BHIX) agreed with Wayne and distinguished between a
patient requesting an amendment to a RHIO/hospital record and a patient directly
amending their own PHR.
Corinne Carey (NYCLU) assumed that a patient seeking to make a change in his/her
record would have to go through the same procedure as for paper records
Irene Koch: It might be helpful to have a flow chart to set out the decision points,
but many of the decisions depend on the patient access tool being used/how the
RHIO is making the info available to the patient and how the RHIO is making the
linkages between the patient access tool and the RHIO data.
Wayne McNulty (HHC): Physicians are required to provide patients with access to
all of their records, but something must make clear that whatever the patient gets
to access through the RHIO is not the entire record/is not the same as what the
physician is required to give the patient (so that the physician does not face
sanction). Patient should be notified about where they can go to get their complete
Ted Kremer (Rochester RHIO): We need to add to the list the issue of what notification requirements
the RHIO should be providing to the patients/consumers. Notifications vary depending on whether
RHIO is providing a PHR or linking to other PHRs. Look at the Markle recommendations. Fair
information practice issues, how information will be used, etc.
o Level of authentication
o Password security
Electronic management of consent
o Logging of RHIO-wide consent
o Irene Koch (BHIX): Consent to share data the patient enters in his/her own PHR. Should
there be additional consent rules for the patient to upload the data into the RHIO and then
have it shared? Ted Kremer (Rochester RHIO) responded that it is unclear how technically
this would be done.
o Wayne McNulty (HHC): Would providers be able to distinguish patient-provided records?
This would be important to ensure.
o Nance Shatzkin (Bronx RHIO): there is no current requirement that data sources be
identified in any circumstance (not just for patient records), although everyone does it.
o Nance Shatzkin (Bronx RHIO): if a patient is choosing to send the data to the HIE, then access
to that data is controlled by the patient’s general consent to access choice in the RHIO. It
would be problematic if the patient were to be able to set any other kinds of restrictions.
Corinne Carey (NYCLU): Notification of patients when a provider joins a RHIO (so that patients can
proactively deny consent)
o Irene Koch: The current RHIO consent relies on the list of currently participating providers.
What is the recommended policy of how patients ought to be informed proactively about
changes in those components.
o Corinne: Also, what about just notifying a patient that their doctor has joined a network and
therefore their data would be uploaded into a network so that the patient could take action
on that knowledge.
o Wayne McNulty (HHC) expressed his disagreement with the legality of uploading without
consent and Corinne agreed.
o Ted Kremer (Rochester RHIO): This is more than just a PHR issue and fits in with our review
of policies. Corinne agreed.
Patient's ability to designate a proxy
o Danielle Craighead (LIPIX): Want to ensure that other policies we put in place don’t prevent
patients from being able to designate a proxy.
o Wayne McNulty (HHC): What is the proxy procedure? If you are not a personal
representative under HIPAA, how do you get access?
Irene: if we are talking about in a PHR, where the patient owns and manages the
data, the issue of being a personal representative doesn’t apply. If we are talking
about a patient portal, that may be different.
Patient access challenges (e.g., language barriers and low general, health and technological literacy)
o Laura Alfredo (Lutheran Medical Center): We can think of this as the same as any other
services that a provider is offering and all of the same type of public accommodation
requirements would apply.
o Wayne McNulty (HHC): Would have to come up with policy that all providers could agree on
o Ted Kremer (Rochester RHIO): There is potentially a significant cost issue here.
o Irene Koch (BHIX): There are also some potentially significant liability issues.
o Deb Brown (GNYHA): The point of access by the patient is likely going to be the provider
site, so it may be possible to create some flexibility where providers are meeting existing
o Nance Shatzkin (Bronx RHIO): This issue has the potential to hijack the entire topic of PHRs.
We need to prioritize.
o Nance: We also need to be concerned about actual accessibility. John Maese agreed and
noted that the poorest New Yorkers may not have access to computers.
Patient ability to annotate or add their own data and make it available to clinicians
o When should patients be able to access their data?
Under what circumstances should patients have or not have access to their data?
Should there be standardized data release schedules (e.g., lab data becomes available
after X days)?
o What and how much data should be available?
Should a doctor (or another individual) ever be required to review the data or
review the data with the patient before the patient can access it?
o Corinne Carey (NYCLU): We shouldn’t be reinventing the wheel. There are regulations that
exist and we have to make sure that the Policies and Procedures reflect current law. If
current law doesn’t mesh with what RHIOs and EHRs can do, then we should recommend to
the legislature that the law be amended. Wayne McNulty (HHC) agreed.
o Julie Rodak (NYS Office of Mental Health): Mental Health law requires physician review
before patient can access their clinical record (defined as anything that can be used to make
o Nance Shatzkin (Bronx RHIO): We need to do a review of the law here before we do
anything. Technology has concepts of control valves, but whether they match the concepts
of the law, she doesn’t know.
o Corinne: The capability to granularize the data would solve so many problems by allowing
providers and patients to determine what each and the other couldn’t see. Nance
responded that this is not likely feasible soon, but maybe way down the road.
o John Maese (American College of Physicians): Health care is not a rule-based business and
you can’t develop a rule for every scenario, so you need to have some level of doctor input
into the process.
Parent access to minor's information
o Nance Shatzkin (Bronx RHIO): we are really only talking about minor-consented services.
o Wayne McNulty (HHC): You have to handle things the same way you would in a medical
records department; you need a gatekeeper.
o Corinne Carey (NYCLU): Everyone agrees that it shouldn’t be any different, but it’s a matter
of finding the technological solution.
o Ted Kremer (Rochester RHIO): Should there be additional physician controls relating to the
minor release? Julie Rodak agreed this is a good idea.
o Julie also indicated that 42 CFR Part 2 providers have different consent requirements.
Wayne also noted that the public health law has some additional issues concerning what a
minor can consent to let a parent see.
o Irene: what is discretionary vs required
o Ted: What about a separate minor consent process for parental access to PHRs? Irene
responded that this would have to be associated with some kind of notification to the minor
about new data being added.
Handling of sensitive information
Ensuring privacy and security in commercial PHR products
o Should we compel RHIOs to offer patients an option for access to their data other than
commercial PHRs? (i.e., should we allow RHIOs to only allow patients to access their
information through commercial PHRs).
RHIO's responsibility to respond to patient request to amend records (see above)
Audit trails and patient access to them
o Irene Koch (BHIX): This includes audit trails of who through a RHIO has accessed a patient’s
data whether it came from the PHR or not, audits to make sure any transactions with the
PHR that may be facilitated by the RHIO are logged and can be audited; what are
requirements about patient access to audits
o Wayne McNulty (HHC): How does the note about the release of a patient record get into the
o Stacey Gulick (NYCLIX): This will be affected whenever OCR publishes its rule on accounting
o Wayne: if an article 28 facility with a mental hygiene unit within discloses info to a RHIO,
shouldn’t there be a way to tag where the record came from? Irene indicated that this is
probably part of the re-disclosure review that we are going to do.
Use of PHRs and patient portals to satisfy Meaningful Use and/or Patient-Centered Medical Home
o Need for additional procedures (in addition to existing)?
o Mechanisms to ensure that providers are not blamed for patient's misuse of data
o What are the RHIO's responsibilities vs. the PHR provider's responsibilities around breach?
o Issue of ensuring access to the information by the patient vs ensuring preventing or dealing
o May want to separate intentional vs accidental breach
o Ted Kremer (Rochester RHIO): Once a patient has their own information, does the breach
concept even apply?
o Wayne McNulty (HHC): we also have to discuss breach in the case where a patient accesses
data that is not theirs.
o Ted: the breach issue has 2 components – the potential breach/disclosure facilitated by the
HIE passing data to the patient inappropriately and also where does the liability end for the
HIE in terms of release to the patient. We should define where breach is a valid mechanism.
o Wayne: interstate breach laws?
Nance Shatzkin (Bronx RHIO): Can we conduct a similar process to this one on re-disclosure
o Wayne McNulty (HHC) asked if we could form a legal subcommittee to do this and Adira
responded that it would be better to tap the expertise of the entire WG in this task.
Wayne McNulty (HHC): How is the decision made on what is shared with all of the Work Group
members? Adira responded that we are making available meeting slides and summary notes on the
website and distributing materials that are relevant to the current topic under discussion by the WG.
Amy S Warner
Corinne A Carey
Lori La Salle
Ted Kremer MPH
Wayne A McNulty