PSWG_Mtg-Summary__5.12.11.docx - FDRHPO

					                               STATEWIDE COLLABORATION PROCESS
                                PRIVACY AND SECURITY WORKGROUP
                                 Conference Call Meeting Summary
                                        May 12, 2011, 9-11am
                         TOPIC: Patient Electronic Access to Their Information

   The Work Group (WG) began the meeting by approving the meeting summary from April 28, 2011.

Status Update on the Work Group’s Prioritized Projects for 2011:
 Adira Siman (NYeC) provided the update:
 Project 1: Analyze the implementation of privacy and security policies and document where policies
    need to be harmonized in order for exchange between RHIOs/QHITEs. Status: Issues are still being
    discussed by NYC/LI RHIO group; it is not yet determined what issues, if any, will need to be worked
    on by the Privacy and Security WG.
 Project 2: Review and update existing policies and procedures to ensure compliance with federal
    and state law. Status: RFP was released on April 11 and proposals were submitted on April 29, 2011.
    Proposals were reviewed by NYeC staff and the WG Co-chairs and we are in the process of
    contacting and interviewing the top candidates.
        o Corinne Carey (NYCLU) asked if NYeC could share the names of the firms that responded to
             the RFP. Adira responded that NYeC would provide the name of the firm that is selected.
        o Wayne McNulty asked about the rationale behind not sharing the names of the candidates
             before making the selection. Adira responded that NYeC is responsible for staffing the WG
             and selecting the consultant. The WG chairs also participated in the process.
        o Nance Shatzkin (Bronx RHIO) and Irene Koch (BHIX) agreed that the WG members should be
             informed about the names of the firms that submitted proposals.
        o Wayne McNulty (HHC) asked if any members of the WG outside of the WG co-chairs would
             be part of the selection committee and Adira responded that they would not. Wayne stated
             that we should have formed an outside group to manage the process. Irene Koch (BHIX)
             responded that it would have been unwieldy to have the entire WG review the RFP.
 Project 3: Re-disclosure of sensitive health information. Status: Same as federal/state review.
 Project 4: Policies on electronic patient access to their own health information. Status: WG heard
    update on developments at the federal level and presentations of some models of how patients can
    be given access to their information. WG is currently developing the list of potential issues around
    which it will consider developing policy. Next Steps: Once the WG has completed work on the list of
    issues that may need to be addressed in policy, NYeC will engage a Consultant to advise the WG on
    how to address each issue.
 Project 5: Review of SAMHSA issue. Status: Project not started.
        o Ted Kremer (Rochester RHIO): Question for State DOH - Have we heard anything back from
             the letter the State sent to SAMHSA asking for guidance? Ellen Flink (NYS DOH): No. We got
             a response that they were working on the response as soon as possible, but haven’t gotten

   Project 6: Policies that facilitate secondary uses of data. Status: Project not started.

Possible issues to be addressed around
 Ted Kremer (Rochester RHIO): Markle Foundation work on personal health information should be
    distributed to the group
 Identity issues:
        o Ensuring that EMPI is used properly
                  Obligation to inform patient where the record is improperly linked or where data is
                     improperly included in the patient record?
                  Patient ability to change demographic data in their record and impact on patient
                  What is the RHIO's obligation to help manage or clarify EMPI questions?
                  Nance Shatzkin (Bronx RHIO): Is there an obligation for a RHIO to be actively
                     engaged in improving the quality of patient identity matching?
                           Ted Kremer (Rochester RHIO): How is this different from what we should be
                              different in terms of clinical matching? Nance responded that the issue is
                              not specific just to patient access, although it may become more acute in
                              that context. She was raising it in a RHIO policy context.
                            Irene Koch (BHIX): There is the issue of what is the RHIO’s responsibility and
                              what is the RHIO’s responsibility to have its participants do certain things?
                              What would the provider’s obligations be?
                  Wayne McNulty (HHC): Would a patient be allowed to amend a record held by a
                     RHIO for a hospital? That could significantly affect health care and would be
                     problematic. Irene Koch (BHIX) agreed with Wayne and distinguished between a
                     patient requesting an amendment to a RHIO/hospital record and a patient directly
                     amending their own PHR.
                  Corinne Carey (NYCLU) assumed that a patient seeking to make a change in his/her
                     record would have to go through the same procedure as for paper records
                  Irene Koch: it might be helpful to have a flow chart to set out the decision points,
                     but many of the decisions depend on the patient access tool being used/how the
                     RHIO is making the info available to the patient and how the RHIO is making the
                     linkages between the patient access tool and the RHIO data.
                   Wayne McNulty (HHC): physicians are required to provide patients with access to
                     all of their records, but something must make clear that whatever the patient gets
                     to access through the RHIO is not the entire record/is not the same as what the
                     physician is required to give the patient (so that the physician does not face
                     sanction). Patient should be notified about where they can go to get their complete
 Ted Kremer (Rochester RHIO): We need to add to the list the issue of what notification requirements
    the RHIO should be providing to the patients/consumers. Notifications vary depending on whether
    RHIO is providing a PHR or linking to other PHRs. Look at the Markle recommendations. Fair
    information practice issues, how information will be used, etc.
   Authentication issues:
        o Level of authentication
        o Password security
   Electronic management of consent
        o Logging of RHIO-wide consent
        o Irene Koch (BHIX): Consent to share data the patient enters in his/her own PHR. Should
            there be additional consent rules for the patient to upload the data into the RHIO and then
            have it shared? Ted Kremer (Rochester RHIO) responded that it is unclear how technically
            this would be done.
        o Wayne McNulty (HHC): Would providers be able to distinguish patient-provided records?
            This would be important to ensure.
        o Nance Shatzkin (Bronx RHIO): there is no current requirement that data sources be
            identified in any circumstance (not just for patient records), although everyone does it.
        o Nance Shatzkin (Bronx RHIO): if a patient is choosing to send the data to the HIE, then access
            to that data is controlled by the patient’s general consent to access choice in the RHIO. It
            would be problematic if the patient were to be able to set any other kinds of restrictions.
   Corinne Carey (NYCLU): Notification of patients when a provider joins a RHIO (so that patients can
    proactively deny consent)
        o Irene Koch: The current RHIO consent relies on the list of currently participating providers.
            What is the recommended policy of how patients ought to be informed proactively about
            changes in those components?
        o Corinne: Also, what about just notifying a patient that their doctor has joined a network and
            therefore their data would be uploaded into a network so that the patient could take action
            on that knowledge.
        o Wayne McNulty (HHC) expressed his disagreement with the legality of uploading without
            consent and Corinne agreed.
        o Ted Kremer (Rochester RHIO): This is more than just a PHR issue and fits in with our review
            of policies. Corinne agreed.
   Patient's ability to designate a proxy
        o Danielle Craighead (LIPIX): Want to ensure that other policies we put in place don’t prevent
            patients from being able to designate a proxy.
        o Wayne McNulty (HHC): What is the proxy procedure? If you are not a personal
            representative under HIPAA, how do you get access?
                  Irene: if we are talking about in a PHR, where the patient owns and manages the
                      data, the issue of being a personal representative doesn’t apply. If we are talking
                      about a patient portal, that may be different.
   Patient access challenges (e.g., language barriers and low general, health and technological literacy)

        o   Laura Alfredo (Lutheran Medical Center): We can think of this as the same as any other
            services that a provider is offering and all of the same type of public accommodation
            requirements would apply.
        o Wayne McNulty (HHC): Would have to come up with policy that all providers could agree on
        o Ted Kremer (Rochester RHIO): There is potentially a significant cost issue here.
        o Irene Koch (BHIX): There are also some potentially significant liability issues.
        o Deb Brown (GNYHA): The point of access by the patient is likely going to be the provider
            site, so it may be possible to create some flexibility where providers are meeting existing
        o Nance Shatzkin (Bronx RHIO): This issue has the potential to hijack the entire topic of PHRs.
            We need to prioritize.
        o Nance: We also need to be concerned about actual accessibility. John Maese agreed and
            noted that the poorest New Yorkers may not have access to computers.
   Patient ability to annotate or add their own data and make it available to clinicians
   Data availability
        o When should patients be able to access their data?
                  Under what circumstances should patients have or not have access to their data?
                   Should there be standardized data release schedules (e.g., lab data becomes available
                      after X days)?
        o What and how much data should be available?
                  Should a doctor (or another individual) ever be required to review the data or
                      review the data with the patient before the patient can access it?
        o Corinne Carey (NYCLU): We shouldn’t be reinventing the wheel. There are regulations that
            exist and we have to make sure that the Policies and Procedures reflect current law. If
            current law doesn’t mesh with what RHIOs and EHRs can do, then we should recommend to
            the legislature that the law be amended. Wayne McNulty (HHC) agreed.
        o Julie Rodak (NYS Office of Mental Health): Mental Health law requires physician review
            before patient can access their clinical record (defined as anything that can be used to make
        o Nance Shatzkin (Bronx RHIO): We need to do a review of the law here before we do
            anything. Technology has concepts of control valves, but whether they match the concepts
            of the law, she doesn’t know.
        o Corinne: The capability to granularize the data would solve so many problems by allowing
            providers and patients to determine what each and the other couldn’t see. Nance
            responded that this is not likely feasible soon, but maybe way down the road.
        o John Maese (American College of Physicians): Health care is not a rule-based business and
            you can’t develop a rule for every scenario, so you need to have some level of doctor input
            into the process.
   Parent access to minor's information
        o Nance Shatzkin (Bronx RHIO): we are really only talking about minor-consented services.
        o Wayne McNulty (HHC): You have to handle things the same way you would in a medical
            records department; you need a gatekeeper.

        o   Corinne Carey (NYCLU): Everyone agrees that it shouldn’t be any different, but it’s a matter
            of finding the technological solution.
       o Ted Kremer (Rochester RHIO): Should there be additional physician controls relating to the
            minor release? Julie Rodak agreed this is a good idea.
       o Julie also indicated that 42 CFR Part 2 providers have different consent requirements.
            Wayne also noted that the public health law has some additional issues concerning what a
            minor can consent to let a parent see.
       o Irene: what is discretionary vs required
       o Ted: What about a separate minor consent process for parental access to PHRs? Irene
            responded that this would have to be associated with some kind of notification to the minor
            about new data being added.
   Handling of sensitive information
   Ensuring privacy and security in commercial PHR products
       o Should we compel RHIOs to offer patients an option for access to their data other than
            commercial PHRs? (i.e., should we allow RHIOs to only allow patients to access their
            information through commercial PHRs?)
   RHIO's responsibility to respond to patient request to amend records (see above)
   Audit trails and patient access to them
       o Irene Koch (BHIX): This includes audit trails of who through a RHIO has accessed a patient’s
            data whether it came from the PHR or not, audits to make sure any transactions with the
            PHR that may be facilitated by the RHIO are logged and can be audited; what are
            requirements about patient access to audits
       o Wayne McNulty (HHC): How does the note about the release of a patient record get into the
            patient record?
       o Stacey Gulick (NYCLIX): This will be affected whenever OCR publishes its rule on accounting
       o Wayne: if an Article 28 facility with a mental hygiene unit within discloses info to a RHIO,
            shouldn’t there be a way to tag where the record came from? Irene indicated that this is
            probably part of the re-disclosure review that we are going to do.
   Use of PHRs and patient portals to satisfy Meaningful Use and/or Patient-Centered Medical Home
   Breach policies:
       o Need for additional procedures (in addition to existing)?
       o Mechanisms to ensure that providers are not blamed for patient's misuse of data
       o What are the RHIO's responsibilities vs. the PHR provider's responsibilities around breach?
       o Issue of ensuring access to the information by the patient vs. preventing or dealing
            with breach.
       o May want to separate intentional vs accidental breach
       o Ted Kremer (Rochester RHIO): Once a patient has their own information, does the breach
            concept even apply?
       o Wayne McNulty (HHC): we also have to discuss breach in the case where a patient accesses
            data that is not theirs.

        o   Ted: the breach issue has 2 components – the potential breach/disclosure facilitated by the
            HIE passing data to the patient inappropriately and also where does the liability end for the
            HIE in terms of release to the patient. We should define where breach is a valid mechanism.
        o   Wayne: interstate breach laws?

Misc. Issues
 Nance Shatzkin (Bronx RHIO): Can we conduct a similar process to this one on re-disclosure?
         o Wayne McNulty (HHC) asked if we could form a legal subcommittee to do this and Adira
             responded that it would be better to tap the expertise of the entire WG in this task.
 Wayne McNulty (HHC): How is the decision made on what is shared with all of the Work Group
   members? Adira responded that we are making available meeting slides and summary notes on the
   website and distributing materials that are relevant to the current topic under discussion by the WG.


Aileen Chu
Alex Low
Alissa D'Amelio
Allen Briskin
Amelia Shapiro
Amy S Warner
Barbara O'Donnell
Carla Novak
Charles Feldman
Cheryl Parham
Chris Stanley
Corinne A Carey
Danielle Craighead
Deborah Brown
Elizabeth Herries
Ellen Flink
Emily Pape
Gina Dolan
Irene Koch
John Wheeler
Julie Rodak
Laura Alfredo
Lisa Busby
Lori La Salle
Manuel Amaez
Michael Mittleman
Nance Shatzkin
Nancy Pawlowicz
Ray Murphy
Raymond Shelton
Richard Corcoran
Rosemary Miller
Sally O’Brien
Scott Strozyk
Stacey Gulick
Stephanie Musso
Steve Allen
Ted Kremer MPH
Wayne A McNulty
Zebulon Taintor

