Privacy and Security Solutions for Interoperable Health by miutGQ7Z

VIEWS: 0 PAGES: 47

									NC HISPC
North Carolina Health Information Security and Privacy Collaboration


                                                                       Privacy and Security Solutions for Interoperable Health Information Exchange



                                                                                         North Carolina HISPC Interim Analysis of Solutions Report

                                                                                                                                      Subcontract No.
                                                                                                                                      37-321-0209825
                                                                                                                                  RTI Project No. 9825




                                                                                                                                        Prepared by:
                                                                                                                                  Angie M. Santiago
                                                                                                                            TM Floyd & Company for
                                                                                                                                      Holt Anderson,
                                                                                                                                       NCHICA, Inc.
                                                                                                                                      PO Box 13048
                                                                                                                   Research Triangle Park, NC 27709

                                                                                                                                          Submitted to:

                                                                                                                 Linda Dimitropoulos, Project Director
                                                                                                                    Privacy and Security Solutions for
                                                                                                           Interoperable Health Information Exchange

                                                                                                                          Research Triangle Institute
                                                                                                                                    P. O. Box 12194
                                                                                                                               3040 Cornwallis Road
                                                                                                             Research Triangle Park, NC 27709-2194


                                                                                                                                      January 15, 2006




                                                                                                   - 1-     NC HISPC Interim Analysis of Solutions Report
Executive Summary .................................................................................................................................... 3
Background ................................................................................................................................................. 2
Summary of Interim Assessment Variations ............................................................................................ 5
        Interim Assessment Findings ............................................................................................................... 7
Proposed Solutions Methodology ............................................................................................................. 8
Analysis of Proposed Solutions ................................................................................................................ 9
        Group 1 Recommendations ................................................................................................................ 10
        Group 2 Recommendations ................................................................................................................ 12
        Group 3 Recommendations ................................................................................................................ 13
        Group 4 Recommendations ................................................................................................................ 14
        Comments for Group 4 – per Domain ............................................................................................... 17
State and National – level Recommendations ....................................................................................... 26
        National Recommendations ............................................................................................................... 28
Appendix I. ................................................................................................................................................. 32
                                       Acknowledgements

NCHICA would like to acknowledge the following members of the North Carolina Health Information
Privacy and Security Collaboration team for their contributions to the North Carolina HISPC Interim
Solutions Report:


                                         Project Director
                                       Angie M. Santiago,
                                    TM Floyd & Company, Inc.

                                      Interim Solutions Chair
                                            David Kirby,
                                  Kirby Information Management

                                           Contributors
                                 James Murphy, NC DHHS MMIS
                                      Mike Voltero, BCBSNC
                                Vincent Carrasco M.D., Radarfind
                                Patricia Markus, Smith Moore Law

                                      Solutions Work Group
                                       Legal Work Group

                                             Editors
                                Diana Gildea, Project Coordinator

                                  NC HISPC Steering Committee
                                       Holt Anderson, NCHICA
                                  Phil Telfer, NC Governor’s Office
                    Linda Attarian, NC DHHS Division of Medical Assistance
            Wesley G. Byerly, Pharm.D., Wake Forest University Baptist Medical Center
                            Fred Eckel, NC Association of Pharmacists
                      Jean Foster, NCHIMA / Pitt County Memorial Hospital
                                   Donald E. Horton, Jr., LabCorp
                        Eileen Kohlenberg, Ph.D., NC Nurses Association
                               Mark Holmes, NC Institute of Medicine
                              Linwood Jones, NC Hospital Association
                           David Kirby, Kirby Information Management
                      Patricia MacTaggart, Health Management Association
                                 Patricia Markus, Smith Moore Law
                 Lawrence H. Muhlbaier, Ph.D., Duke University Health System
                             James Murphy, NC DHHS Office of MMIS
                      David Potenziani, M.D., UNC School of Public Health
                                Melanie Phelps, NC Medical Society
                                     N. King Prather, BCBSNC
                               Angie Santiago, TM Floyd & Company
                                     Morgan Tackett, BCBSNC
                                       Mike Voltero, BCBSNC
                                  Roy Wyman, Maupin Taylor Law




                                               - 2-     NC HISPC Interim Analysis of Solutions Report
Disclaimer

While the information and recommendations contained in the North Carolina Health Information
Security and Privacy Collaboration (NC HISPC) documents and website have been compiled from
sources believed to be reliable, NC HISPC makes no guarantee as to, and assumes no
responsibility for, the accuracy, sufficiency, or completeness of such information or
recommendations.

Links made from the reference documents submitted shall not represent an endorsement by the
State of North Carolina, NC HISPC, NCHICA, or by its members, board of directors, committees, or
staff.

The views and opinions of authors expressed within the documents and website do not necessarily
state or reflect those of the State of North Carolina, NC HISPC, NCHICA, or by its members, board
of directors, committees, or staff, and they may not be used for endorsement purposes.

The information provided is not intended to constitute an "authoritative statement" under the State
of North Carolina’s policies, general statutes, and regulations.

Website Readers
During your visit to our Web site, your Web browser may produce pop-up advertisements. These
advertisements were most likely produced by other Web sites you visited or by third party software
installed on your computer. NCHICA does not endorse or recommend products or services that
may appear as pop-up advertisements on your computer screen while visiting our site.

Commercial Products or Services
Any mention of commercial products within the NC HISPC documents or web pages is for
information only; it does not imply recommendation or endorsement of any commercial products,
processes, or services by the members of NC HISPC, NCHICA, or the State of North Carolina.




                                               - 3-      NC HISPC Interim Analysis of Solutions Report
1    Executive Summary

 2   This NC HISPC interim analysis of solutions report contains the first round of ideas for solutions to
 3   the problems and/or ways to utilize opportunities associated with the appropriate and routine
 4   exchange of individual health information in electronic form in support of healthcare treatment,
 5   payment, operations, and other uses of electronic health information. The Project Team used the
 6   HISPC scenarios as a basis for formulating these ideas. And too, the ideas for solutions and useful
 7   opportunities expressed herein address classes of exchange that are broader than those given in
 8   the scenarios.
 9
10   Key Solution Findings:
11
12   Address Complexity Risk in the release process: Solutions need to address the complexity of the
13   current rule set for releasing information. Two techniques have dominated the work to date: 1)
14   simplify the rule set (at least from the releaser’s point of view) and 2) improve the level of training
15   for health information releasers and requestors about the rule set.
16
17   Consider non-privacy/security barriers: In order for privacy and security solutions to be feasible
18   they must at least not raise business barriers, ideally should lower them, and should support other
19   broad health-related goals. Today business motive to carry out many exchanges is low enough that
20   almost any barrier (de minimus liability, minor labor costs, small transaction friction) is considered
21   high enough to deter appropriate and routine health data exchange.
22
23   Consider entity-centered and person-centered perspectives: Much of the history of electronic health
24   data exchange has focused on direct exchanges between healthcare enterprises. The patient’s
25   involvement in these entity-centered exchanges has been either non-existent or marginal. These
26   entity-centered exchange models have focused on managing privacy through laws, regulations,
27   and policies that applied to populations of persons whose data might be exchanged. The focus has
28   been the management of security in an environment where the entities attempted to act as a proxy
29   for the person at most risk in the exchange process ( i.e. the patient). Providing adequate privacy
30   and security while maintaining adequate data flow has been challenging for these types of
31   exchanges. The existence of the HISPC project itself is an outgrowth of the generality and
32   seriousness of the privacy and security challenge in these traditional entity-centered exchanges.
33
34   In the last couple of years considerations of the value of a health data exchange that puts the
35   consumer/patient at the center of the exchange process have emerged in the form of private and
36   public activities (e.g. products, conferences, whitepapers, and projects). The key idea in a person-
37   controlled health data exchange is that the provider of the data sends the data (along with a
38   request to transmit the data) to a person-controlled software agent. The agent, as configured by the
39   person who is the subject of the data permits and completes appropriate exchanges and rejects
40   others. This approach draws the patient into their healthcare process, eases the creation of
41   personal health records and their associated applications, permits individual flexibility related to
42   privacy, and returns the issue of who is included in the information flow related to a patient’s care
43   back to a dialogue between the patient and his/her healthcare provider(s).
44
45   Both of these general methods of healthcare exchange have characteristics that can aid routine
46   and appropriate health data exchange. In seeking solutions, the Project Team has therefore
47   included ideas from both of these models.
48
49    Background

 50   In April 2004, President George W. Bush issued an Executive Order articulating a vision for the
 51   future of healthcare in the United States. The President's plan included the formation of the
 52   American Health Information Community (AHIC), a federally-chartered advisory committee that
 53   provides input and recommendations to HHS on how to make health records digital and
 54   interoperable, and assure that the privacy and security of those records are protected in a smooth
 55   market-led way. The AHIC organized the Privacy and Security Workgroup that established the
 56   Health Information Security and Privacy Collaboration (HISPC) project in 33 states and Puerto
 57   Rico. In November 2006, the NC HISPC completed an assessment that identified variations in
 58   privacy and security practices and laws affecting electronic health information exchange among
 59   various healthcare stakeholders in North Carolina. The initial findings may be found in the
 60   Assessment of Variations Report at the NCHICA website.
 61
 62   The purpose of Interim Analysis of Solutions Report is to document policy, technology and legal
 63   solutions to the barriers or obstacles identified in Assessment of Variations Report. The Interim
 64   Analysis of Solutions Report will also document each of the identified potential solutions, their HIE
 65   context, privacy and security domains affected, stakeholders involved, HIE barriers being
 66   addressed, stage of development and use of solution and possible barriers to adoption.
 67
 68   Legal and Solutions Workgroups Composition
 69   The Legal and Solutions Workgroups are comprised of practice managers; clinicians; professionals
 70   in public health policy, health information management, and information security attorneys who
 71   represent healthcare stakeholders or organizations specializing in privacy and security,
 72   laboratories, healthcare software vendors, and public health agencies.
 73
 74   With the exception of the PMO, all project participants have contributed their time and expertise to
 75   this project.
 76
 77   Scope of the Interim Analysis of Solutions Report
 78
 79   This initial report contains the un-vetted findings and proposed solutions of the Variations, Legal,
 80   and Solutions Workgroups.
 81
 82   NC HISPC attempted to include the stakeholders from the Pharmacy Benefit community; however,
 83   they were already participating in the HISPC project with other states. This report will not address
 84   the health information exchange among Pharmacy Benefit Managers.
 85
 86   Due to limited time constraints and resources, this report does not contain interim solutions that
 87   address the secondary use of health information in research, healthcare operations, and marketing
 88   (Scenarios 7, 11, 12, and 14). The Legal and Solutions Workgroups will include the solution
 89   findings for secondary use of health information during the next iteration of the Analysis of Solutions
 90   Report.
 91
 92   Health Information Initiatives within North Carolina
 93
 94   Several strategic health information technology (HIT) initiatives currently are underway in North
 95   Carolina. The North Carolina Healthcare Quality Initiative (NCHQI) is a multiple-stakeholder project
 96   designed to automate medication, laboratory and radiology data. The first phase of the project
 97   involves providing a list of patient medications to the patient’s healthcare provider at the point of
 98   contact, so that the provider can evaluate possible drug-to-drug interactions and prescribe correct
 99   dosages. This medication management initiative will provide important data quickly in emergency
100   cases, save clinician time that otherwise would be spent pulling charts and calling other care sites,
101   improve patient safety by reducing prescribing errors, lower costs by reducing duplication of orders
102   and tests, provide a single repository or access point for this information, and lead to automating
103   medication refills and e-prescribing. The electronic information will be accessible by health plans,



                                                       - 2-      NC HISPC Interim Analysis of Solutions Report
104   pharmacy benefit managers, pharmacies and healthcare providers. The second phase of the
105   project contemplates the electronic exchange of laboratory and radiology data to further improve
106   care and save time. Consumers will receive all of the above-noted benefits of the project while
107   simultaneously receiving assurance that the privacy and security of their health information is being
108   maintained. Later phases encourage a broader use of electronic health and personal records.
109
110   Another ongoing initiative is the Automated Adverse Drug Events Detection and Intervention
111   project, underway at Duke University, which establishes an automated surveillance system for
112   detecting, reporting, intervening in and measuring the incidence and nature of adverse drug events
113   suffered by patients. The system is designed to alert physicians about critical detected events, and
114   certain triggers will result in automated reports that will be evaluated on a daily basis by
115   pharmacists trained in adverse drug event investigation.
116
117   The North Carolina Emergency Department Database (NCEDD) project, begun in 1999, created an
118   emergency department data repository for the North Carolina Division of Public Health. NCEDD
119   collected, standardized and analyzed timely and secure emergency department data. The NCEDD
120   led to the 2005 launch of the North Carolina Hospital Emergency Surveillance System (NCHESS),
121   a mandated emergency department collection system that is expected to assist the state in early
122   detection of and response to public health emergencies or potential biological or chemical terrorist
123   attacks. A related venture is the North Carolina Disease Event Tracking and Epidemiologic
124   Collection Tool (NC DETECT), an early event detection system allowing authorized users to view
125   data from NCEDD and the Carolinas Poison Center, NC Wildlife Center and other data sources for
126   a variety of public health surveillance needs.
127
128   The University of North Carolina Hospital System is implementing a Perinatal EMR project,
129   involving an electronic version of prenatal medical records integrated into software that will facilitate
130   the input, storage, retrieval and modification of prenatal medical records. The software also will
131   allow patient access to medical data through a wireless LAN. The data will be transferred to and
132   from a centralized database and can be shared with others over the Internet for clinical and
133   research purposes. Another initiative focusing on children’s healthcare was the Provider Access to
134   Immunization Registry Securely Project (PAiRS) system. Begun in 1998, PAiRS was an early,
135   critical component in North Carolina’s development of a statewide immunization registry, which was
136   implemented in 2005.
137
138   North Carolina also is home to a collaborative project with IBM, under a contract with the Office of
139   the National Coordinator for Health Information Technology, to develop a Nationwide Health
140   Information Network (NHIN) architecture prototype. Communities in the Research Triangle, NC and
141   Rockingham County, NC/Danville, VA areas are engaged in this prototype work.
142
143   In the private sector, various healthcare stakeholders are discussing and taking action to create
144   and participate in regional health information organizations (RHIOs). The Western North Carolina
145   Health Network, Inc., a consortium of 16 hospitals in the Blue Ridge mountains, is one of the first
146   RHIOs in North Carolina. Four hospitals currently are connected and the remaining hospitals
147   should be connected by the end of 2006 or early 2007. The participants currently can view patient
148   data from each of the other participating hospitals through a virtual electronic medical records
149   system, and each authorized user has a standardized view of the data. The second phase of the
150   project contemplates including physician offices and clinics within the network for additional
151   efficiencies.




                                                       - 3-       NC HISPC Interim Analysis of Solutions Report
                                        152
                                        153




- 4-   NC HISPC Interim Analysis of Solutions Report
154   Summary of Interim Assessment Variations

155   The objective of the first phase was to assess the variations in organization-level business policies
156   and state laws that get in the way of health information exchange in North Carolina and its
157   bordering states. The NC HISPC Variations Work Group (VWG) developed a simple assessment
158   methodology to identify the stakeholders’ current practices for sharing patient information, the
159   reason for those practices, if those practices caused any barriers to the exchange of health
160   information, and whether those barriers were appropriate to safeguard the patient’s information or
161   were inappropriate.
162
163   The interviews and surveys from the assessment resulted in a vast collection of policies,
164   procedures, barriers, and relevant state or federal laws which has been analyzed by the Legal and
165   Solutions Work Groups.

166   Most of the barriers identified during this phase were because of:

167                   o    Range within organizations of both interpretation and application of laws.

168                   o    Lack of awareness of an organization’s policy on uses and disclosures of
169                        health information.

170                   o    Lack of policy standards within an organization.

171                   o    Lack of interoperability, most often between paper and electronic records.

172                   o    Lack of incentive to share information with third parties.

173                   o    Lack of definition of Regional Health Information Organization (RHIO) or Health
174                        Information Exchange (HIE) and lack of standards for same.
175
176   In addition to the barriers mentioned above, there were significant legal barriers that should be
177   brought to the attention of the General Assembly.

178   The first, which applied to all levels of health information exchange, is NCGS §8 – 53, a North
179   Carolina statute that establishes the physician-patient privilege, which protects information patients
180   share with their physicians from release to third parties without the patient’s consent or a court
181   order. This state statute was designed originally to encourage patients to share freely their
182   healthcare information with physicians. This law states, “No person, duly authorized to practice
183   physic or surgery, shall be required to disclose any information which he may have acquired in
184   attending a patient in a professional character, and which information was necessary to enable him
185   to prescribe for such patient as a physician, or to do any act for him as a surgeon, and no such
186   information shall be considered public records under G.S. 132-1. Confidential information obtained
187   in medical records shall be furnished only on the authorization of the patient, or if deceased, the
188   executor, administrator, or, in the case of unadministered estates, the next of kin.” However, the
189   HIPAA Privacy Rule states, “A covered healthcare provider may, without consent, use or disclose
190   protected health information to carry out treatment, payment, or healthcare operations,” 45 CFR
191   §164.506 (2).
192
193   Generally, NCGS §8 – 53 has been interpreted as requiring the physician to obtain a patient’s
194   consent before releasing the patient’s health information for purposes of treatment, payment, and
195   healthcare operations. It seems to be the state statute that most frequently acts as a legal barrier to
196   the exchange of health information among healthcare stakeholders for treatment and operations.
197   Virtually all providers who do third-party billing get prior written consent for sharing information
198   needed for payment.




                                                       - 5-      NC HISPC Interim Analysis of Solutions Report
199   Second, the federal Clinical Laboratory Information Amendments (CLIA) regulations, 42 CFR
200   §1291(f), currently provide that “Test results must be released only to authorized persons and, if
201   applicable, the individual responsible for using the test results and the laboratory that initially
202   requested the test.” The term “authorized person” is defined in 42 CFR §493.2 as “an individual
203   authorized under State law to order tests or receive test results, or both.” The term “individual
204   responsible for using the test results” is not defined in the CLIA regulations, and there is
205   considerable uncertainty as to its meaning.

206   This CLIA provision poses a barrier to laboratories’ exchanging healthcare information directly with
207   the patient, with RHIOs, or with other similar organizations who may participate in electronic health
208   information exchange.

209   This report presents the first round of Privacy and Security Solutions to the policy, technology, and
210   legal obstacles identified in the Assessment of Variations Report.

211




                                                      - 6-       NC HISPC Interim Analysis of Solutions Report
                                                                                                                                                                                                                                                                       NC HISPC Interim Analysis of Solutions Report
      Interim Assessment Findings
                                                                                                                                 Domains Represented in Each Scenario
                                                                 1                       2                      3                     4                     5                     6                       7                      8                      9
                                                                                                                                                                                                                              Data
                                                         Authentication          Authorization          Identity Matching      Transmission             Integrity            Event Audit            Safeguards            Classification            Policies
                                                                                                                                                       Protection of                             Enterprise security -
                                                                                Permitted access - of    Unique identity of      Protection of      data/information in      Monitoring logs          Physical,                                   Documented
                                                       Verification of Identity, person/process, to     persons/processes     data/information in     use, at rest, in    tracking events from     Administrative,       Classification based practices based on
                                           Scenarios    person or process         data/information      among enterprises            transit             archives             Domains 1-5            Continuity             on State law      regulations, standards
      Group 1
      1. Patient Care A (Emergency Transfer)
                                                                 X                       X                      X                     X                                                                                                                 X
      2. Patient Care B (Substance Abuse)                                                X                      X                     X                                                                                                                 X
      3. Patient Care C (Access Security)                        X                       X                      X                     X                     X                     X                       X                                             X
      4. Patient Care D (HIV and Genetics)                                               X                      X                     X                                           X                                              X                      X
      6. RHIO (Data Access)                                                              X                      X                     X                     X                     X                       X                                             X
      7. Law Enforcement (Test Results)                                                  X                                                                                        X                                              X                      X
      Group 2
      5. Payment (EHR Access)                                    X                       X                      X                     X                                           X                                                                     X




                                                                                                                                                                                                                                                                       - 7-
      7. Research (Data Usage)                                                                                                        X                     X                     X                                              X                      X
      9. Pharmacy Benefit A (Mail Order)                                                                        X                     X                                                                                          X                      X
      10. Pharmacy Benefit B (Claims
                                                                                         X                                            X                                           X
      Savings)
      Group 3
      11. Operations and Marketing A (Rehab
                                                                 X                       X                                            X                                           X                                              X                      X
      Center)
      12. Operations and Marketing B (Birthing
                                                                                         X                      X                     X                                                                                          X                      X
      PHI)
      14. Employment Information (Return to
                                                                                         X                                            X                     X                     X                       X                                             X
       Interim Assessment Findings




      Work)
      Group 4
      13. Bioterrorism Event (Anthrax Spread)
                                                                                         X                      X                                           X                     X                                              X                      X
      15. Public Health A (Active TB Carrier)                                            X                      X                     X                     X                                                                    X                      X
      16. Public Health B (Newborn Screening)
                                                                 X                       X                      X                     X                     X                                                                    X                      X
      17. Public Health C (Homeless Shelters)
                                                                                         X                      X                     X                                           X                                              X                      X
      18. Health Oversight (Legal Compliance)
                                                                 X                       X                      X                     X                     X                     X                       X                      X                      X
212

       213

                                     214

                                            215
216   Proposed Solutions Methodology

217   The NC HISPC Steering Committee (SC) developed a methodology to allowed for flexibility of the
218   team members, allowed team members to draw on their natural strengths, and provided enough
219   stability for the PMO that the project would be completed successfully and within deadlines.
220
221   Team members were constituted from responses to a call for volunteers that was included as part
222   of the overall call for volunteers for the other HISPC groups. The Project Team is structured into
223   four sub-groups that correspond to four scenario clusters each of which represent a general area of
224   concern (e.g. payer issues). Each sub-group member accepts a specialty role, (e.g. facilitator,
225   writer, analyst, researcher). This workgroup structure was accepted by the team members, the NC
226   HISPC SC and the Project Manager:
227
228   Team members come from a wide variety of healthcare entity stakeholders including physician
229   practices, hospitals, state government, consultancies, academic medical centers, payers, quality
230   improvement groups, and laboratories. The degree of involvement of each volunteer varies. Some
231   volunteers provide a significant number of hours, some provide a minimal amount of labor time, and
232   others do not visibly participate. The agreed upon work process is designed to function in this type
233   of environment.
234
235   The Interim Solutions Work Group (ISWG) Chair workplan includes weekly goals to allow members
236   to understand first the problems and issues, and then to formulate candidate solution outlines,
237   followed by an opportunity to add commentary to those solution outlines that is then analyzed and
238   commented upon by other project participants. This last element takes the form of written sub-
239   group reports. The workplan allows each subgroup to work simultaneously. This design feature
240   reduces the risk of missing the large project milestones because of a single group’s delay. The plan
241   calls for the sub-groups to vet the various solutions and is structured to allow every viewpoint to be
242   represented in the interim and final report along with group views of the applicability of each
243   solution offered. This part of the plan anticipates an environment in which there is sufficient risk to
244   each barrier and sufficient urgency in finding solutions that each offered solution would be pressed
245   forward in some venue in NC at least to the point that it is field-tested. The ISWG Chair correlates
246   and consolidates the various inputs and develops an interim report.
247
248   Each sub-group has access to a library of articles, provided by the ISWG Chair, related to privacy
249   and security in health data exchange. This briefing book is designed to aid their research.
250   Members are urged to contribute additions to the book. Sub-groups are provided initial drafts of
251   VWG findings as they become available.
252
253   The ISWG commentary on solutions in this report leads directly into a vetting and documentation of
254   key traits of each solution in the final report. Most solutions are expected to be pursued
255   concurrently in NC. Prioritizing solutions is not part of the Team’s initial process.
256
257   Solutions are organized by a characterization of the scope of the practice of information exchange
258   to which each solution would apply, along with organizations that indicate the traits of various
259   solutions related to historical issues of electronic health data exchange. See the list in section 4
260   below.
261
262   The feasibility of identified solutions is incorporated into the vetting process noted above. The
263   process calls for interested parties to comment on the draft (this interim report especially) and have
264   their comments included.
265




                                                       - 8-      NC HISPC Interim Analysis of Solutions Report
266   Analysis of Proposed Solutions

267   Each of our sub-groups has contributed solutions and solution elements along with analyses that
268   relate to the scenario cluster that defined each group. The sub-groups are:
269                 Sub-group 1: Direct Patient Care / Release of Information (scenarios 1-4, 6, 8)
270                 Sub-group 2 : Payment / PBM / Pharmaceutical Research (scenarios 5, 7, 9, 10)
271                 Sub-group 3: HC Operations, Marketing and HR Information (scenarios 11, 12, 14)
272                 Sub-group 4: State Government Centric (scenarios 13, 15-18)
273
274   Each sub-group organizes comments on their solutions per domain in textual form and in a tabular
275   format. These are complemented by a synthesizes of all of the sub-group solution proposals that
276   makes apparent different and common traits. Each group also provides a list of key observations
277   that should motivate future progress related to health data exchange in NC. This structure allows
278   the emergence of a variety of ideas, illuminates useful comparisons among those ideas, and
279   provides guidance for future work in this area.
280




                                                    - 9-      NC HISPC Interim Analysis of Solutions Report
281   Group 1 Recommendations

282   Direct Patient care and General Release of Information
283
284   The current system of exchange of PHI is generally requested via telephone and fax.
285   Authentication and verification process typically consists of return telephone calls whereby the
286   telephone number was obtained independent from the request. Healthcare information is usually
287   transmitted via mail or fax to addresses and numbers listed in phone books, web sites or
288   institutional contact listings. Methodologies of authorization of individuals are established at each
289   entity based on their interpretation of existing privacy and security regulations.
290
291   By mail: the request is provided on letterhead or form with accompanying patient consent (typically
292   derived from general consent to treat and obtain necessary information). It is the receiving
293   institution’s “responsibility” to receive the request and secure it in such a way to conform to privacy
294   and security regulations. Verification and authentication in both directions is difficult. The records
295   are in turn are faxed or mailed to the requestor based on the information provided from the request
296   document.
297
298   By Fax: the requesting fax is provided on letterhead or form with accompanying patient consent
299   (typically derived from general consent to treat and obtain necessary information). It is the receiving
300   institutions “responsibility” to have the fax machine secured in such a way to conform to privacy and
301   security regulations. In some entities the fax is followed by a phone call to verify receipt of
302   documents by an “authorized” individual. The records are in turn are faxed or mailed.
303
304   By telephone: the request is made by telephone and the authentication is typically based on if the
305   “caller sounds right” – uses customary vocabulary, phrasing, and tone in describing a plausible
306   scenario of need. In many settings entity protocol (derived from entity interpretation of privacy and
307   security regulations) requires that the entity return a telephone call to the requestor’s stated
308   institution, through the institution’s published phone number, in order to verify the request. In this
309   setting, especially with the level of risk involved with a potential security and privacy breach, the
310   transmission of records become more of a courtesy and less of a component of a justifiable
311   business case. The expenditure of labor costs coupled with exposure provide a very low return on
312   investment.
313
314   Entity to Entity Model
315   In the entity to entity model, if an electronic system consisting of secure automated request,
316   authentication, verification and transmission of PHI existed, a justifiable business case to support
317   this activity would be easier to build based on reduced risk and a positive return on investments. An
318   interoperable electronic medical records (EMR) system at both institutions would facilitate
319   successful exchange of PHI. A unified system of authentication and verification (standards based)
320   adopted by all entities would be a key component, This would solve a considerable number of
321   problems and would, most importantly, foster legitimate trust relationships between institutions.
322   Business cases for transfer of PHI are easier to support with a significant reduction in the risk of
323   security and privacy breaches. When an entity is then contacted by another entity through such a
324   system the confidence that the "right institution, right individual" to handle the request is much
325   higher and the benefits of mutual cooperation become more apparent.
326
327   Patient Controlled Model
328
329   The “trusted third party” agent/agency (RHIO, Health Insurance Carrier) acts as the patient’s health
330   information broker. In addition to serving as a clearing house for distribution of the PHI, maintain
331   logs of request a “repository” could maintain a master copy of the patient’s PHI. They could also
332   serve as the clearing house for distribution of the PHI, maintain logs of requests for information and
333   maintain the integrity and validity of the record by monitoring and mediating changes or corrections.
334   They are also responsible for providing healthcare record security physical and electronic formats.
335   They are contacted by requestors who are authenticated and verified (by ID and password, or other



                                                      - 10-      NC HISPC Interim Analysis of Solutions Report
336   similar means) again using a unified system of authentication and verification (standards based).
337   The individual patient establishes a rule set to determine who has access and under what
338   circumstances PHI is to be released. The patient’s healthcare providers and treating hospitals
339   maintain their copies of the records and based on the patients rule set contribute to and have
340   access to the patients master PHI. The activities of authentication, verification and rule set
341   management as well as possession of the actual PHI may exist within the same organization or
342   may be divided amongst 2 entities.
343
344   In the person controlled model if an entity was requesting a patient's PHI the entity to repository
345   interaction would function the same as in the entity to entity model (using a common standard's
346   based authentication and verification system and an interoperable EMR) guided by the parameters
347   established by the patient. The patient could interact with the repository through a secure web
348   portal using the same standards based authentication and verification system or through agents
349   similar to interactions performed at insurance carriers.
350




                                                    - 11-      NC HISPC Interim Analysis of Solutions Report
351   Group 2 Recommendations
352   Payer and Research Information Exchange
353
354   Exchanges between these two entity types are permissible in nearly every case, if performed for
355   the purpose of Payment or the Healthcare Operations, of either entity, with appropriate relation to,
356   and for the benefit of, the individual whose health information in the subject of the use or disclosure.
357   There are no known legal barriers to this exchange.
358
359   Most of these types of transactions or exchanges differ from that in the scenario because they take
360   place manually, using telephones, facsimile machines, and mail services to send paper and other
361   hard-copy records between the entities that maintain the records and those who request them.
362
363   The primary goal of the solution is to further develop web-based “portals” currently in use by many
364   providers and payers. Portals provide self-service solutions to customers and business partners.
365   Portal capability could be expanded to administer more complex requests and document types and
366   to share healthcare information with approved users.
367
368   Information portals are currently organized as a “provider-site” or “payer-site”. The steps below
369   represent steps of a solution recommendation that will result in a more robust Health Information
370   Network (HIN). This could be structured at regional or national levels. It would require coordination
371   and cooperation of all stakeholders.
372
373   A provider-site may grant access to these stakeholders to obtain the following information:
374        Patients and/or their legal agents may access lab/test results, billing and administrative
375           information, appointments and scheduling, copies of medical records, prescription
376           requests, pharmacy information, secure email to providers, and such.
377        Payers may access medical record requests and other patient encounter information
378           (labs/tests), provider directory with NPI listings, and such.
379        Providers may access medical records requests and other patient encounter information,
380           prescription information (current and past), provider directory with NPI listings, and such.
381
382   A payer-site may grant access to these stakeholders to obtain the following information:
383        Providers may access eligibility status, benefits, claim submission, claim status, payment
384           status, and such.
385        Individuals/Members/Patients/Legal Agents may access, benefit eligibility, claim
386           submission, claim status, claims history, payment status, and such.
387        Payers may access eligibility/benefits for coordination of benefits, and such.
388
389   The portal could be a user-friendly web interface from which information can be requested by
390   various entity types, including patients or their legal representatives.
391
392   A benefit to this solution is that it does not require direct access to a provider’s EHR systems, a
393   payer’s claims payment system, or any other of primary operating system.
394
395
396   Solution(s) Recommendation:
397
398   The Project Team recommends that NC adequately fund a pilot to explore the capabilities of
399   developing an information portal system to access and exchange healthcare information.
400




                                                      - 12-      NC HISPC Interim Analysis of Solutions Report
401   Group 3 Recommendations
402   Healthcare Operations and Marketing Information Exchange
403
404   Report for group 3 HC Operations, Marketing and HR Information Scenarios
405
406   None provided.




                                                 - 13-     NC HISPC Interim Analysis of Solutions Report
407   Group 4 Recommendations
408   State Government and Public Health Information Exchange
409
410   Group 4 barriers are summarized in three categories: Legal/Regulatory/Policy, Reluctance Barriers,
411   and Technology/Process.
412
413   Legal/Regulatory/Policy barriers – Many legal barriers serve to protect personal information and are
414   appropriate. Most organizations have internal policy statements that reflect state and national
415   regulations. There are inconsistencies among the regulations at the state and federal levels. The
416   bulk of these regulations are directed toward entities involved in the exchange of health information
417   rather than healthcare consumers. Business and workforce agreements are important at the levels
418   of the entity and the individual. Entity employees involved in the exchange of personal health
419   information are at least made aware of personal responsibility from deliberate and/or accidental
420   disclosure.
421
422   As stated in the Assessment of Variation Report, there is inconsistency between mental
423   health/substance abuse information and other health information in how often disclosure
424   authorizations are required. HIPAA, with some exceptions, permits patient consent at the initiation
425   of treatment to cover use within and disclosure without the initial provider organization for
426   treatment, payment, and operations. However, mental health/substance abuse regulations require
427   separate authorizations for each exchange of information from the initial provider organization to
428   another entity.
429
430   Some regulations require formal confidentiality agreements between entities for sharing data, and
431   include provisions requiring protection of the data at each location. HIPAA details a Business
432   Associate Agreement between entities for exchange of PHI. 42 CFR Parts 2 and 433 require
433   written agreements between entities exchanging PHI which define local entity data protection
434   safeguards. However, apart from HIPAA Security many of the other federal regulations, such as 42
435   CFR Parts 2, 51, 431, and 433, make no requirements for protecting personal health data in transit
436   across networks. State regulations are inconsistent in their requirements for protecting data in
437   transit, but State (ITS) and (DHHS) policies assert requirements for encrypting “confidential” data in
438   transit.
439
440   Because current regulations and public policy are based on paper methods of information
441   exchange, processes for validating authentication of healthcare consumers seeking access to their
442   personal health information via electronic exchange is not addressed. Many organizational policies
443   address these issues. There are no federal or NC statutes that specify any responsibilities of an
444   individual healthcare consumer to protect personal health information. There seems to be a tacit
445   understanding that, once obtained, an individual can use, disclose, and modify her/his copy of
446   her/his personal health information at her/his discretion.
447
448           Group recommendations:
449           Smooth the differences among state and federal regulations. The HIPPA foundation could
450           be expanded to include the adoption of accepted security standards to aid in the
451           implementation of information security management. The expansion would need define
452           terms and clarify all aspects of data protection, including business agreements,
453           authentication, authorization of all individuals and their delegates, protection of data at rest
454           in each party of an exchange, and protection of data in transit. This should also clarify the
455           responsibilities of individuals who gain access to and are in possession of their own data,
456           including prohibitions against making inaccurate or fraudulent changes in the records.
457
458           Initiate a concepts of “original” and “copy” of each set of personal health information. The
459           “original” set will be retained and made essentially inaccessible by the provider
460           organization or data repository. Only a “copy” will be made available to requestors of such
461           information, even to the subject of the records. Each “copy” will always be clearly identified
462           as such. This allows for a comparison between the “original” and any subsequent variations



                                                      - 14-       NC HISPC Interim Analysis of Solutions Report
463           in different “copies” for the purposes of fraud reduction and detection. Corrections of
464           legitimate errors to the existing data can be appended to the “original” set.
465
466           Establish a pilot project with adequate funding to explore the Person-Controlled Health
467           Data Exchange (PCHDX) concept. The PCHDX, because it would reduce an entity’s
468           responsibility for controlling the elements of an exchange of health information, may
469           provide a solution to some of the disparities among state and federal regulations. If the
470           healthcare consumer, or her/his authorized delegate, is the gatekeeper to personal
471           information then each instance of exchange would be pre-authorized or made in a pre-
472           defined manner. Potentially this may reduce the need for some regulatory changes. The
473           process(es) for defining access authentication and delegation of authorization would need
474           to be strict. The PCHDX could also work well with the “original” and “copy” concepts. The
475           pilot would have to address all data protection issues, contingencies for emergent
476           circumstances whereby the healthcare consumer is unable to grant access to healthcare
477           information, the possibility of access barriers for indirect providers such as laboratories, and
478           the impact upon legitimate secondary uses and disclosures that are permissible under
479           existing law.
480
481   Reluctance barriers – These barriers relate to the reluctance to share information in the case that a
482   law existed which would prevent the sharing, or reluctance to share because there was no
483   precedent or existing process to do so. In some cases unnecessary barriers reflected an unclear
484   understanding of the requirements of certain laws.
485
486   Reluctance barriers reflect that many healthcare organizations – public and private, large and small
487   – have mixed success within the areas of training and awareness for privacy and security
488   responsibilities. There may be a perception that the general patient population has a lack of
489   confidence in efforts to implement privacy and security requirements; perhaps based on a general
490   misunderstanding of technology.
491
492           Solution recommendation:
493           Initiate the PCHDX concept for awareness purposes. Many healthcare consumers are
494           unaware of the implications of access to personal health information and the consequences
495           of unauthorized access and misuse of that information. Initiating a process that places the
496           individual or delegate as the primary agent responsible for granting access would increase
497           a sense of ownership and control to the consumers, and could provide an opportunity to
498           educate individuals about privacy and security issues and responsibilities. The PCHDX
499           concept could be the centerpiece in a comprehensive awareness strategy. Organizational
500           and entity level awareness programs would serve to reinforce the information.
501
502   Technology/Process barriers – Technology and process barriers reflect a lack of coordination
503   and/or interoperability among agencies who share information. This is especially relevant among
504   entities in different states. Technological solutions for this type of barrier may be successful when
505   coupled with clear understandings of implementation and management of such technologies.
506   Additionally, it is vital to assess the vulnerabilities of any proposed technology.
507
508   To ensure that policy, process, and technology are consistently implement across state lines, State
509   agencies would have to arrive at a centrally administered solution for exchanging data.
510
511           Group Recommendations:
512           Clearly define and document business drivers and business uses for data exchange.
513           Clear definitions of business drivers and uses for data exchange would ease the
514           incorporation of appropriate technological solutions. Many early efforts at automation are
515           based on vague goals with an unclear definition as to how these goals may change
516           healthcare operations at all levels. Clearly defined goals would maximize the
517           implementation of successful technological solutions.




                                                      - 15-      NC HISPC Interim Analysis of Solutions Report
518
519           Introduce the concept of technology/process standard thresholds. A standard threshold
520           differs from a barrier in that it specifies a minimum set of capabilities for eliminating
521           technology/process barriers. Initiating a nation-wide network from the top down would be
522           overwhelmingly expensive and would perpetuate the current set of network and process
523           vulnerabilities that exist across the local organizational technologies throughout the larger
524           network (“a chain is only as strong as its weakest link”). Since all organizations are not
525           equal, a defined set of technology/process thresholds would identify the minimum
526           connectivity requirements for each organization. This would also be important for RHIOs
527           which may play a role as an information broker/clearinghouse/trading partner for smaller
528           organizations.
529
530           Develop standard exchange network policies, beginning at local/regional levels. Develop
531           standard policies for data exchange that build upon current efforts. In this case policy
532           standardization is more important than the technology standardization. As hardware and
533           software technologies converge towards common capabilities, ensuring the appropriate
534           exchange of data is more important than specifying common vendors.
535
536
537   Critical Observations
538            The PCHDX concept is one model that would address and has the potential to resolve a
539            number of barriers identified in the Variations Report. Individual consumer involvement at
540            the center of the healthcare information exchange may result in an enhanced awareness of
541            privacy and security issues across the general population. The model would need to be
542            supported by carefully defined policies for authentication, authorization (especially for
543            personal delegates), protecting data in transit and at rest, and responsibilities of the
544            individual for the care of their own records (see discussions above).
545
546           The HISPC assessment has sought to identify barriers to sharing healthcare information
547           with the expectation that at least some of the barriers can be reduced to facilitate sharing
548           among facilities and across State boundaries. The Project Team maintains that some
549           barriers are appropriate. Some of the identified barriers are necessary as privacy or
550           security risk controls.
551




                                                     - 16-       NC HISPC Interim Analysis of Solutions Report
552   Comments for Group 4 – per Domain

553   1. User and entity authentication to verify that a person or entity seeking access to electronic
554   personal health information is who they claim to be.
555       Entity-centered models
556       Entity networks must verify and validate the identity of connecting persons. A National Provider
557       ID (NPID) will assist in this process. The NC State registry of providers and the NC Identity
558       Management (NCID) project provide a consistent identity scheme for individual providers and
559       entities doing business with the State. Remote access users need to be under a contractual
560       relationship to ensure appropriate use of an organization’s accounts.
561       Person-centered models
562       Healthcare consumers and their delegates must be authenticated and authorized reliably to the
563       patient agent or agency. The agent/agency must be authenticated and authorized with the
564       provider organization. Personal Health Records (PHR) may be a solution, but would require
565       control polices regarding id, password, static encryption, and such in order to ensure protection
566       while with the healthcare consumer.
567       Other models/comments
568       In a PCHDX an intermediary agent/agency will make connections with healthcare providers. As
569       such PCHDX could help to relieve concerns about direct access to provider networks by other
570       providers. Each endpoint entity will have to be confident of the agent/agency connection.

571   2. Information authorization and access controls to allow access only to people or software
572   programs that have been granted access rights to electronic personal health information.
573        Entity-centered models
574        Entity networks must verify and validate the identity of connecting persons. The NPID will assist
575        in this process. The NC State registry of providers and the NC project provide a consistent
576        identity scheme for individual providers and entities doing business with the State. Remote
577        access users need to be under a contractual relationship to ensure appropriate use of an
578        organization’s accounts.
579        Person-centered models
580        Healthcare consumers and their delegates must be authenticated and authorized reliably to the
581        patient agent or agency. The agent/agency must be authenticated and authorized with the
582        provider organization. PHR may be a solution, but would require control polices regarding id,
583        password, static encryption, and such in order to ensure protection while with the healthcare
584        consumer.
585        Other models/comments
586        In a PCHDX an intermediary agent/agency will make connections with healthcare providers. As
587        such, a PCHDX could help to relieve concerns about direct access to provider networks by
588        other providers. Each endpoint entity will have to be confident of the agent/agency connection.
589        Technical solutions and policy definitions are necessary go ensure isolated access to
590        authorized information.
591        Domains 1 and 2 characteristically are combined in the generalized access control process.
592        Authentication and authorization are not implemented separately.

593   3. Patient and provider identification to match identities across multiple information systems and
594   locate electronic personal health information across enterprises.
595       Entity-centered models
596       Policy needs to define and clarify the process by which a healthcare consumer’s identity is
597       confirmed among separate provider organizations. NCID identity management may result in
598       identity consistency among State agencies. However, State-to-private entities will require
599       standardization.
600       Person-centered models


                                                     - 17-      NC HISPC Interim Analysis of Solutions Report
601       Because the healthcare consumer is responsible for the exchange, the agent/agency will need
602       to be authenticated and/or authorized with all necessary entities, including State agencies.

603       Other models/comments
604       The NCID may help with agency and provider organization and patient identities within State
605       agencies.

606   4. Information transmission security or exchange protocols (i.e., encryption, etc.) for information
607   that is being exchanged over an electronic communications network.
608        Entity-centered models
609        Entities are required by HIPAA to protect data in storage and in transit.
610        Person-centered models
611        Will need ways to ensure the secure storage and transmission of PHR. If PHR is not involved,
612        the agent/agency has the responsibility for protection.
613        Other models/comments
614        The requirement of encryption standards must be considered, such as IPv6.

615       NC State ITS and DHHS policies do assert that confidential information must be encrypted in
616       transit. Actual procedures are still being drafted and documented to define the actual encryption
617       technologies to be used. The State-established (VPN) encrypt information in transit. Currently,
618       all state network traffic conforms to IP version 4, which has been standard for several years. IP
619       version 6 has been available for use for several years, but the transition is not simple, and to
620       date, the State has no defined plans for migration. IP v 6 includes a type of encryption for all
621       data/information transmitted, the IPSec family of protocols. This would obviate the need for
622       specific state policies and procedures for data encryption. Therefore, until the time healthcare
623       information is transferred, specific procedures will still be required to ensure protection of
624       confidential data by encryption technologies.

625   5. Information protections so that electronic personal health information cannot be improperly
626   modified.
627        Entity-centered models
628        Vendors of EHRs and HIE technology need to incorporate proper access controls into their
629        software (this seems to be in place currently). Entities also need to include access control
630        processes for internal use and updates of PHI.
631        Person-centered models
632        Something should be in place to ensure that healthcare consumers are not allowed to modify
633        their PHI. This could be provide by the implementation of “original” and “copy” concepts. In this
634        case a duplicate “copy’ would be made from a provider’s internal network “original”. Thereby
635        making the “original” available for comparison at a later date in order to verify the integrity of
636        this and subsequent copies.
637        Other models/comments
638
639   6. Information audits that record and monitor the activity of health information systems.
640        Entity-centered models
641        Vendors of EHRs and HIE technology should provide detailed audit trails as to who, how, and
642        what access has been provided for a medical record. This seems to be in place currently, and
643        perhaps the main concern would be giving that information to the patient so that they may see
644        who has had access. Logs should include failed attempts to access the information to aid in
645        distinguishing accidental or deliberate unauthorized attempts, and all exchange activities in and
646        out of the entity. State DHHS policies require audit trails for health information activity.
647        Person-centered models



                                                      - 18-      NC HISPC Interim Analysis of Solutions Report
648       A PHR should indicate when a record has been changed, by whom, and what changes have
649       been made. Healthcare consumers should be able to access this information through their
650       PHR. Agent/agency responsibilities will include the same requirements on behalf of the
651       consumers. Entities should continue to track exchange activity data.
652       Other models/comments
653       This relates to and backs up Domains 1-5. Each of these domains would be incomplete or
654       inadequate without audit trails.

655   7. Administrative or physical security safeguards required to implement a comprehensive security
656   platform for health IT.
657        Entity-centered models
658        Most large-medium Healthcare Organizations (HCOs) already have a comprehensive security
659        structure, smaller HCOs do not. RHIOs may offer outsourcing technology services to the
660        smaller HCOs. The State ITS and DHHS follow the HIPAA requirements for policies for
661        enterprise security.
662        Person-centered models
663        An agent/agency for the healthcare consumer would have to comply with the same security
664        requirements when exchanging information with other entities.
665        Other models/comments
666        None

667   8. State law restrictions about information types and classes, and the solutions by which electronic
668   personal health information can be viewed and exchanged.
669       Entity-centered models
670       State and federal regulations have different requirements for certain information, e.g., mental
671       health and substance abuse information. Entity to entity exchange requires patient (or
672       representative) permission for each exchange. When a patient has records in both categories –
673       general health information and more restricted information – some State agencies are not sure
674       how to restrict the complete health record of such a patient. State policies need to be clear
675       about such exchanges among different State agencies, and from State to Private entities. Once
676       policies are clarified, better training and awareness can be disseminated.
677       State law (GS 130A.22) allows for the exchange of information in a ‘bioterrorism’ incident
678       without penalty, but also restricts the sharing of personally identifiable information. This process
679       needs to be addressed specifically in ITS and DHHS policies.
680       Person-centered models
681       Clarification would be needed to describe healthcare consumer responsibilities for information
682       exchange during emergency situations, e.g., bioterrorism or quarantines. Public Health
683       agencies must be able to disseminate certain information quickly in emergencies.
684       Other models/comments
685       The SWG and Project Team recommend the introduction of a state Health Data Exchange Act
686       that would serve to clarify authorization requirements and inconsistencies. Possible
687       authorization requirements can include:
688            Characterizations and delimitations of the actual healthcare records and information and/or
689            subsets that will be made available for exchange
690                 Restriction categories (if necessary)
691                 ‘Original’ vs. ‘copy’
692                 De-identified records
693                 Research-appropriate subsets (ad-hoc, based on research protocols)
694                 Local record (entity-specific) vs. complete PHI
695                 Time limitations (e.g., regulatory requirements allowing destruction/disposal)
696            Clear identification of the participants and their roles and responsibilities with PHI exchange



                                                      - 19-      NC HISPC Interim Analysis of Solutions Report
697                  Provider entity and representatives
698                  Provider and alternates (staff, assistants, referrals, etc.)
699                  Patient
700                  Person-agent (e.g., parent, guardian, spouse, etc.)
701                  Entity-agency and representatives
702                  Responsibilities, e.g.: protection, ownership, ability to consent, delegate, exchange,
703                   destroy
704           Clearly defined processes, rules, and use cases that enable appropriate access to and
705           exchange of PHI
706                PHI lifecycle access restrictions
707                Protection at rest, in use, and during exchange
708                Treatment, payment and operation practices and processes
709                Create, update, modify, view, disseminate, consent, delegate, delete/destroy

710   9. Information use and disclosure policies that arise as healthcare entities share clinical health
711   information electronically.
712        Entity-centered models
713        Definitions of ‘blanket use’ and opt-in/opt-out for all or part of information exchange need to be
714        clarified. Continuity of care needs to have the highest emphasis. Policies can also be built
715        around the bullets in Domain 9 Comments.
716        Person-centered models
717        Policies and procedures will still be needed for the exchange of healthcare information between
718        entity and person or agent/agency.
719        Other models/comments
720        Policies and procedures need to be made consistent. Comprehensive training and awareness
721        that covers all policies and workforce is needed.

722       Issues of research, biosurveillance, and such must be considered when educating providers
723       and patients in the exchange/potential for exchange of information. It will be necessary for
724       State DHHS to leadership to give directives requesting a clarification of regulations (or towards
725       the suggested “Health Data Exchange Act”). Expanded training and awareness of
726       responsibilities and permissions also require leadership support.

727   10. Other: Laws, regulations, and practices affecting the exchange of PHI between entities through
728   an exchange mechanism controlled by the subject of the information.
729       Entity-centered models
730       Setting up a Person Controlled Exchange process may not completely eliminate entity-to-entity
731       exchanges, so the existing entity-to-entity regulations would still need to be emphasized.
732       Although an entity’s responsibility is reduced once the healthcare information is released to the
733       healthcare consumer’s agent/agency, regulations will still be necessary in regards to the issues
734       of validating the request for healthcare information and protecting the information up to the
735       point of release.
736       Person-centered models
737       The PCHDX model will need to be clearly defined by either regulation or policy.
738       Other models/comments
739       This could be a means to improve healthcare consumer awareness around health information
740       security and privacy. Implementation of a PCHDX model would require significant instruction
741       and training for users to clarify regulatory requirements and the consequences of unauthorized
742       disclosures.
743




                                                     - 20-       NC HISPC Interim Analysis of Solutions Report
744   Combined Solutions Commentary
745
746   Below are the common findings from all four sub-groups followed by a few key observations.
747
748   Common solutions:
749   Each sub-group can envision the use of a person-controlled health data exchange as a way to
750   avoid potential complexities and limits of an entity-centered exchange. How a health data exchange
751   (of either type) would work at a point in time when the person is not competent to manage their
752   health decisions deserves more attention.
753
754   Despite the barriers to any method of electronic exchange, all of the sub-groups see electronic
755   exchange as offering systemic health advantages that are an improvement over paper or voice
756   data exchange for routine exchanges.
757
758   The HIPAA Privacy Rule forms a sound basis for managing the disclosure of PHI. Because it can
759   be augmented by state law(s) which express the viewpoint of varying publics and their preferences
760   of how disclosure should be managed between entities. The HIPAA Privacy Rule also provides a
761   good basis for expressing patient rights to access records held by various covered entities. The
762   HIPAA Security Rule is a sound basis for managing security of health records held by covered
763   entities. Its principles need to be extended to managing security in health data.
764
765   Key Observations:
766   1) Explore PCHDXs: Person-controlled health data exchanges could assure high flow in a health
767   data exchange while preserving privacy. It shows the low potential to interfere with care to which
768   the patient has consented and may speed appropriate care in cases where legal barriers to
769   information release today are significant.
770
771   2) Address Complexity and Ambiguity: Two techniques to simplify and clarify current rule sets for
772   the release of information are 1) simplify the rule set (at least from the releaser’s point of view)
773   without increasing privacy risk or eliminating releases that patients want to occur and 2) improve
774   the level of training for health information releasers and requestors about the rule set.
775
776   3) Consider non-privacy/security barriers: In order for privacy and security solutions to be feasible
777   they must not raise business barriers, should lower them, and should offer support to other broad
778   health-related goals. Frequently the business motive to carry out many health information
779   exchanges is low enough that almost any barrier (de minimus liability, minor labor costs, small
780   transaction friction) may be considered high enough to deter appropriate and routine health data
781   exchange.
782
783   4) Encourage greater collaboration between policy makers and technical experts: Overcoming the
784   barriers related to privacy and security needs to involve an integrated collaboration between policy
785   makers and technical experts at every level of analysis, planning, and implementation.
786
787   5) Address business process and technical interoperability. Overcoming the privacy and security
788   barriers to routine electronic health data exchange includes developing business and technical
789   processes and policies related to data exchange that can interoperate. For example, to assure that
790   the two entities have the same person in mind requires technical, business process similarities.
791
792   Combined Commentary for Each Domain
793
794   1. User and entity authentication to verify that a person or entity seeking access to electronic
795   personal health information is who they claim to be.
796   Authenticating individuals involved with a health information exchange vital to managing risk of
797   inappropriate access to PHI. The frequent change of authorized accessor populations must be
798   considered.



                                                     - 21-      NC HISPC Interim Analysis of Solutions Report
799       Entity-centered models
800   A process to monitor and manage the frequently changing authorized accessor populations must
801   be in place. While the new NPI will help at the national level and the NC IMP will help in NC, a more
802   comprehensive solution would require more study.
803       Person-centered models
804   This model adds the need to authenticate persons who are subjects of the exchanges.
805       Other models/comments
806
807   2. Information authorization and access controls to allow access only to people or software
808   programs that have been granted access rights to electronic personal health information.
809   Once the authenticity of an accessor is established (in #1 above), what that accessor is authorized
810   to do must be known and enforced within the health data exchange.
811        Entity-centered model
812   The entity sourcing the data in a given exchange must know whether disclosing the data is
813   consistent with existing state and federal privacy laws, regulations. This task is very complex.
814   Security measures must reasonably support exchanges that do occur.
815
816        Person-centered models
817   The person who is the subject of the records decides who may release information. This is typically
818   done using a software agent configured by the person. Various forms of inappropriate access (e.g.
819   for claims fraud) could be discovered and thwarted by the patient’s software agent and potentially
820   the patient.
821
822       Other models/comments
823
824   3. Patient and provider identification to match identities across multiple information systems and
825   locate electronic personal health information across enterprises.
826       Entity-centered models
827       As noted in #1 and #2, this is a complex process with the costs and risks forming a barrier for
828       the entities to what are typically exchanges that a patient would permit.
829
830       Person-centered models
831       Patients establish an identifier that source and target entities can use to refer to the patient.
832       Web-of-trust identification models could be used assure patient identity and to match these
833       identities with the correct providers and health plans.

834       Other models/comments
835       The NCID may help with organization (agency and provider) and patient identities with State
836       agencies.

837   4. Information transmission security or exchange protocols (i.e., encryption, etc.) for information
838   that is being exchanged over an electronic communications network.
839        A security program is the result of a risk management process where risks to confidentiality,
840        data integrity, and data availability are managed. In the case of a thriving health data exchange,
841        the risks are higher than the risks at any single user of the health data exchange. Security
842        measures can be expected to be more stringent in some ways for a health data exchange than
843        for a single health data exchange participant. Further, health data exchange usage involves
844        risks to the sender, the person who is the subject of the exchange, and the recipient.
845



                                                      - 22-       NC HISPC Interim Analysis of Solutions Report
846       Entity-centered models
847       Entities are required by HIPAA and in some cases, state law, to protect data in storage and in
848       transit. HIPAA’s Security Rule has the obligation to assess and manage the risks to
849       confidentiality, integrity, and availability as a core requirement. The entity-centered model
850       depends on entities to manage the risk of data exchange for the person/patient. The willingness
851       to take up this risk is a potent barrier to data exchange today.
852
853       Person-centered models
854       This model focuses the exchange risk to the patient in the patient’s hands. This aids in aligning
855       the risks with the person at risk. Ordinary encryption and digital signature (of the sender) can
856       assure the confidentiality and integrity of the data. Assuring availability in this model has similar
857       challenges to those found in the entity-centered model.
858
859       Other models/comments
860
861   5. Information protections so that electronic personal health information cannot be improperly
862   modified.
863   For both the entity-centered and person-centered models the chief solution to improperly modified
864   data is the use of digital signature based on public/private key technology. Any system that reduces
865   the risk of improper modification increases the originator’s risk if data is in error and decreases risk
866   for the recipient of using errant data. Solutions should make use of this factor in forming deterrents
867   to improper modification.
868   Secondary deterrents to improper modification of data can be obtained by stringent security
869   measures that assure that the risk of improper access to data is kept at an acceptable level.
870   Lastly, those who source information can keep copies of data that is sent and that can be produced
871   if some event calls into question the authenticity of received data.
872
873       Entity-centered models
874       Person-centered models
875
876   6. Information audits that record and monitor the activity of health information systems.
877   Audit records of data exchange attempts in combination with a robust and routine analysis of those
878   records can reduce risk of improper disclosure without imposing stringent prior restraints on
879   disclosure policies. Such audit trails could also serve as the disclosure history required by the
880   HIPAA Privacy Rule.
881
882       Entity-centered models
883       Vendors of EHRs and HIE technology should provide detailed audit trails as to who, how, and
884       what access has been provided for a medical record. This seems to be in place currently. Logs
885       should include failed attempts to access the information, to aid in distinguishing accidental or
886       deliberate unauthorized attempts, and all exchange activities in and out of the entity. State
887       DHHS policies require audit trails for health information activity.
888
889       Person-centered models
890       Vendors of patient-centered health information exchange technologies should provide detailed
891       audit trails as to who, how, and what access has been provided for a medical record. Logs
892       should include failed attempts to access the information, to aid in distinguishing accidental or
893       deliberate unauthorized attempts, and all exchange activities in and out of the entity. State
894       DHHS policies require audit trails for health information activity.
895


                                                      - 23-       NC HISPC Interim Analysis of Solutions Report
896       Other models/comments
897       Each of Domains 1-5 would be incomplete or inadequate without audit trails.

898   7. Administrative or physical security safeguards required to implement a comprehensive security
899   platform for health IT.
900    Many aspects of administrative and physical security are similar between the two models. An
901   important difference in designing the risk management in this area is that the person-centered
902   model places more obligation on the person (i.e. the party most at risk in the exchange).
903
904       Entity-centered models
905       Most large-medium healthcare organizations already have a comprehensive security structure,
906       smaller ones do not. This may be opportunity for RHIOs to offer outsourcing technology
907       services to the smaller organizations. The State ITS and DHHS policies are clear in their
908       expectation for enterprise security.
909       Person-centered models
910       The Patient "Agency/Agent" would have to comply with the same security requirements when
911       exchanging information with other entities.
912       Other models/comments

913   8. State law restrictions about information types and classes, and the solutions by which electronic
914   personal health information can be viewed and exchanged.
915       Entity-centered models:
916       The entity-centered model aligns its disclosure rules with privacy law and regulation and with
917       the sourcing entity’s view of risk in releasing information. The complexity and vagueness of the
918       aggregation of these laws and regulations is a barrier in this model.
919
920       Person-centered models
921       In the person-centered model, the person (i.e. their software agent) decides which releases to
922       permit based on their own sense of the tradeoff between his/her privacy and the value of
923       exchange.
924
925       Other models/comments
926       One sub-group has suggested that an overarching Health Data Exchange Act be introduced to
927       eliminate the differences and clarifies the authorization requirements in support of an entity-
928       centered model. Possible authorization requirements can include:
929       Characterizations and delimitations of the actual healthcare records and information and/or
930       subsets that will be made available for exchange
931            Restriction categories (if necessary)
932            ‘Original’ vs. ‘copy’
933            De-identified records
934            Research-appropriate subsets (ad-hoc, based on research protocols)
935            Local record (entity-specific) vs. complete PHI
936            Time limitations (e.g., regulatory requirements allowing destruction/disposal)
937       Clear identification of the participants and their roles and responsibilities with PHI exchange
938            Provider entity and representatives
939            Provider and alternates (staff, assistants, referrals, etc.)
940            Patient
941            Person-agent (e.g., parent, guardian, spouse, etc.)
942            Entity-agency and representatives
943            Responsibilities, e.g.: protection, ownership, ability to consent, delegate, exchange,
944               destroy



                                                    - 24-      NC HISPC Interim Analysis of Solutions Report
945       Clearly defined processes, rules, and use cases that enable appropriate access to and
946       exchange of PHI
947            PHI lifecycle access restrictions
948            Protection at rest, in use, and during exchange
949            Treatment, payment and operation practices and processes
950            Create, update, modify, view, disseminate, consent, delegate, delete/destroy

951   9. Information use and disclosure policies that arise as healthcare entities share clinical health
952   information electronically.
953        Entity-centered models
954        Definitions of ‘blanket use’ and opt-in/opt-out for all or part of information exchange need to be
955        clarified.
956
957       Person-centered models
958       In this model the intra-entity policy is simplified. The patient’s software agent decides whether a
959       disclosure offered by a sourcing entity is permitted.
960
961       Other models/comments
962       For entity-centered models: Policies and procedures in general need to be made consistent,
963       also training and awareness needs to be comprehensive - coverage of all policies and
964       coverage of all workforce. They also need to consider issues of research, bio-surveillance, etc.
965       when education providers and patients in the exchange/potential for exchange of information.
966       Directives from organizations towards clarification of regulations (or towards the suggested
967       “Health Data Exchange Act”) will be necessary to support expanded training and awareness of
968       responsibilities and permissions.

969   See the Appendix of NC ISWG Briefing Articles for background on all to the points addressed in
970   this interim report.
971




                                                      - 25-      NC HISPC Interim Analysis of Solutions Report
 972
 973   Group Recommendations to Address State and National Issues

 974   As stated in the Assessment of Variations Report, there are significant legal barriers preventing the
 975   timely exchange of electronic health information that require the immediate attention of the North
 976   Carolina General Assembly and federal legislators.

 977   This Interim Analysis of Legal Solutions Report will include draft model legislation, business
 978   agreements, and uniform patient consent / authorization forms to be considered.
 979
 980   Group Recommendations to Address State Issues
 981
 982   LWG Solution 1: Prepare or revise statutes to minimize perceived conflicts between NCGS §8 – 53
 983   and HIPAA with respect to sharing health information for treatment, payment, and operations and
 984   other uses or disclosures for which patient authorization is not required under HIPAA.
 985
 986   General Context: NCGS §8 – 53. Communications between physician and patient.
 987   This North Carolina statute resides in the evidentiary provisions, but it has been interpreted to
 988   prohibit uses and disclosures of patient information in other contexts without patient authorization or
 989   a court order. This statute has emerged as the most often-cited barrier to exchange of health
 990   information in the State.
 991
 992   Privacy & security domain addressed: State law restrictions.
 993   Types of HIE (clinical, public health, research) addressed: All types.
 994   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
 995   HIE barrier(s) addressed: Prohibitive state laws.
 996   Stage of development (planning, implementation): Early stage of drafting legislation
 997   Extent to which solution is in use: Currently not in use
 998   Applicability of solution: All covered entities under HIPAA and other stakeholders
 999   Extent of barriers or opposition: Opposition to specific changes is possible. Need to assess
1000   potential unintended consequences of a broad amendment. For those who interpret NCGS §8 – 53
1001   to be a barrier for uses and disclosures of health information, the extent of this barrier is pervasive.
1002
1003   LWG Solution 2: Recodify NC healthcare related statutes and regulations so that all statutes
1004   regarding release of healthcare information may be found within a single section or several
1005   consecutive sections of the General Statutes and the Administrative Code.
1006
1007   LWG Solution 3: Expand communicable disease and bio-surveillance reporting beyond North
1008   Carolina’s emergency room. Initiate an Internet repository of directions for providers that will
1009   answer questions as to who is responsible for reporting what information, to whom reports must be
1010   made, the periodicity of such reports, and the appropriate reporting mechanism(s). Training must
1011   be offered to all persons or entities required to make reports regarding where to find the repository
1012   and how to use it.
1013
1014   General Context: Because statutes and regulations regarding information that must be reported to
1015   various state oversight agencies (e.g., cancer, communicable disease information) is located in a
1016   variety of statutes and regulations throughout the North Carolina General Statutes and the North
1017   Carolina Administrative Code, healthcare providers often do not know that they have an obligation
1018   to report certain information.
1019   Privacy & security domain addressed: State law restrictions.
1020   Types of HIE (clinical, public health, research) addressed: All types.
1021   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1022   HIE barrier(s) addressed: Lack of awareness of what providers are required to report; Lack of
1023   technology
1024   Stage of development (planning, implementation): Planning


                                                       - 26-      NC HISPC Interim Analysis of Solutions Report
1025   Extent to which solution is in use: The solution is currently implemented through the North
1026   Carolina Public Health Information Network (NPHIN).
1027   Applicability of solution: All healthcare providers, NC Public Health
1028   Extent of barriers or opposition: Opposition to specific changes is possible.
1029
1030   LWG Solution 4: Seek legislative clarification of provision NCGS § 130A.-143 (3)
1031
1032   General Context: Confidentiality of Records NCGS § 130A.-143 (3) Is not clear whether or not this
1033   statute covers the release of information regarding HIV to another entity or only the release of
1034   information within an entity for treatment of the patient.
1035
1036   Privacy & security domain addressed: State law restrictions.
1037   Types of HIE (clinical, public health, research) addressed: All types.
1038   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1039   HIE barrier(s) addressed: Lack of policy standardization
1040   Stage of development (planning, implementation): none
1041   Extent to which solution is in use: none
1042   Applicability of solution: All covered entities under HIPAA and other stakeholders
1043   Extent of barriers or opposition: Opposition to specific changes is possible.
1044
1045   LWG Solution 5: Seek legislative assistance in clarifying such an order, perhaps relying on “pecking
1046   order” contained in Do Not Resuscitate or other enumerated provisions.
1047
1048   General Context: There is no “pecking order” for determining which of several persons may consent
1049   to treatment for a patient in the event the patient experiences an emergency.
1050
1051   Privacy & security domain addressed: State law restrictions.
1052   Types of HIE (clinical, public health, research) addressed: All types.
1053   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1054   HIE barrier(s) addressed: Lack of policy standardization
1055   Stage of development (planning, implementation): Proposed solution to be vetted by NC HISPC
1056   Steering Committee prior to planning implementation.
1057   Extent to which solution is in use: Currently not in use.
1058   Applicability of solution: All covered entities under HIPAA and other stakeholders
1059   Extent of barriers or opposition: Opposition to specific changes is possible.
1060
1061   LWG Solution 6: Pass national/state laws requiring such organizations to implement such policies
1062   and specific standards for same. Adopt standards to support HIPAA Privacy and Security
1063   requirements.
1064
1065   General Context: Healthcare related organizations may not have policies or procedures related to
1066   appropriate uses and disclosures of health information.
1067
1068   Privacy & security domain addressed: State law restrictions.
1069   Types of HIE (clinical, public health, research) addressed: All types.
1070   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1071   HIE barrier(s) addressed: Lack of policy standardization. Lack of information security standards.
1072   Stage of development (planning, implementation): Planning
1073   Extent to which solution is in use: Currently not in use.
1074   Applicability of solution: All covered entities under HIPAA and other stakeholders
1075   Extent of barriers or opposition: Opposition to specific changes is possible.
1076




                                                     - 27-      NC HISPC Interim Analysis of Solutions Report
1077   LWG Solution 7: Consider revising NCGS § 122C-55(i) to permit disclosure of this information to all
1078   providers treating the patient, recognizing that the effectiveness of the amendment may depend
1079   upon revision to the federal regulations regarding substance abuse treatment information,
1080   addressed below (42 CFR §§ 2.1 and 2.2).
1081
1082   General Context: NCGS § 122C-55. Re-disclosure of Mental Health Information. NCGS § 122C-
1083   55(i) allows for release of mental health and substance abuse information to the physician or
1084   psychologist who referred a patient to the facility, but it fails to provide for release of this information
1085   to any other physician (such as a primary care provider or specialist).
1086
1087   Privacy & security domain addressed: State law restrictions.
1088   Types of HIE (clinical, public health, research) addressed: All types.
1089   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1090   HIE barrier(s) addressed: Prohibitive state laws.
1091   Stage of development (planning, implementation): Planning.
1092   Extent to which solution is in use: Currently not in use.
1093   Applicability of solution: All covered entities under HIPAA and other stakeholders
1094   Extent of barriers or opposition: Opposition to specific changes is possible.
1095
1096   Group Recommendations to Address National Issues

1097   LWG Solution 8: Amend 42 CFR §§ 2.1 and 2.2. Federal Mental Health and Substance Abuse
1098   Information, the Substance Abuse treatment provisions to allow for re-release of such information
1099   to healthcare providers without limitation for purposes of treatment.
1100
1101   General Context 1: For release or re-release of substance abuse treatment information to third
1102   parties, federal law requires patient authorization or a court order, and it further requires the
1103   releasing party to provide notice of these restrictions upon any re-disclosure of such information (42
1104   CFR § 2.32).
1105
1106   Due to the requirements within 42 CFR §§ 2.1 and 2.2 for additional authorization from the patient
1107   to re-disclose substance abuse treatment information, the treating physician often may treat the
1108   patient with incomplete information (i.e., without knowledge that the patient has been or is in
1109   treatment for substance abuse).
1110
1111   General Context 2: For facilities that receive federal funding, 42 CFR §§ 2.1 and 2.2 pre-empt
1112   NCGS § 122C-55(i). Substance abuse information is specially protected, so a consent for release
1113   must specify release of this information. Some hospitals include a space on their general consent
1114   forms for patients to initial in the event that the patient agrees to allow the hospital to release health
1115   information regarding the patient’s substance abuse. Because substance abuse information is
1116   specially protected, it also needs to be segregated in the medical record in order to maintain such
1117   special protection, whether the record is maintained in paper or electronic format. Some facilities
1118   have policies specifying that substance abuse information must be maintained separately in the
1119   patient’s medical record.
1120
1121   Privacy & security domain addressed: Federal law restrictions.
1122   Types of HIE (clinical, public health, research) addressed: All types.
1123   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1124   HIE barrier(s) addressed: Prohibitive federal laws.
1125   Stage of development (planning, implementation): Planning.
1126   Extent to which solution is in use: To be determined.
1127   Applicability of solution: To be determined.
1128   Extent of barriers or opposition: To be determined.
1129



                                                         - 28-       NC HISPC Interim Analysis of Solutions Report
1130
1131   LWG Solution 9: Implement state-wide HIPAA conformance requirements including implementation
1132   standards.
1133
1134   General Context: To be determined by Legal Work Group.
1135   Privacy & security domain addressed: State law restrictions.
1136   Types of HIE (clinical, public health, research) addressed: All types.
1137   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders.
1138   HIE barrier(s) addressed: Lack of policy standardization; Misinterpretation of law.
1139   Stage of development (planning, implementation): Planning.
1140   Extent to which solution is in use: Currently not in use.
1141   Applicability of solution: All covered entities under HIPAA
1142   Extent of barriers or opposition: Opposition to specific changes is possible.
1143
1144
1145   LWG Solution 10: NC HISPC Proposed CLIA Amendment
1146
1147   Alternative 1: Revision of 42 CFR §493.1291(f)
1148   Test results must be released to the authorized person who ordered the test. In addition,
1149   notwithstanding any contrary State law defining who is an individual authorized to order tests or
1150   receive test results or both, test results may be released to:
1151            (1) The laboratory that initially requested the test, if applicable;
1152            (2) Any person designated to receive the test results by the authorized person who ordered
1153            the test;
1154            (3) A “covered entity”, as defined in 45 C.F.R. §160.103; and
1155            (4) A “business associate” of a covered entity, as defined in 45 C.F.R. §160.103.
1156   This section shall not be construed to permit the disclosure of any specific type of test result to any
1157   of the persons or entities named herein where the disclosure of test results of that type is otherwise
1158   prohibited by State or Federal law.
1159
1160   Alternative 2: Addition to 42 CFR §493.2
1161   Individual responsible for using the test results means, notwithstanding any contrary State law
1162   defining who is an individual authorized to order tests or receive test results or both:
1163            (a) Any person designated to receive the test results by the authorized person who ordered
1164            the test;
1165            (b) A “covered entity”, as defined in 45 C.F.R. §160.103; and
1166            (c) A “business associate” of a covered entity, as defined in 45 C.F.R. §160.103.
1167   This definition shall not be construed to permit the disclosure of any specific type of test result to
1168   any of the persons or entities named herein where the disclosure of test results of that type is
1169   otherwise prohibited by State or Federal law.
1170
1171   Alternative 3: Addition to 42 CFR §493.2
1172   Authorized person means an individual authorized under State law to order tests or receive test
1173   results or both. In addition, notwithstanding any contrary State law defining who is an individual
1174   authorized to order tests or receive test results or both, authorized person means:
1175            (a) Any person designated to receive the test results by the authorized person who ordered
1176            the test;
1177            (b) A “covered entity”, as defined in 45 C.F.R. §160.103; and
1178            (c) A “business associate” of a covered entity, as defined in 45 C.F.R. §160.103.
1179   This definition shall not be construed to permit the disclosure of any specific type of test result to
1180   any of the persons or entities named herein where the disclosure of test results of that type is
1181   otherwise prohibited by State or Federal law.
1182




                                                      - 29-       NC HISPC Interim Analysis of Solutions Report
1183   General Context: The federal Clinical Laboratory Improvement Amendments (CLIA) regulations
1184   currently provide that “Test results must be released only to authorized persons and, if applicable,
1185   the individual responsible for using the test results and the laboratory that initially requested the
1186   test,” 42 CFR §1291 (f). The term “authorized person” is defined in 42 CFR §493.2 as “an individual
1187   authorized under State law to order tests or receive test results, or both.” The term “individual
1188   responsible for using the test results” is not defined in the CLIA regulations, and there is
1189   considerable uncertainty as to its meaning.

1190   These CLIA provisions pose a barrier to laboratories’ exchanging test results directly with the non-
1191   ordering providers to whom patients are referred, RHIOs, and other stakeholders who may desire
1192   to participate in electronic health information exchange for legitimate purposes otherwise permitted
1193   by HIPAA but are not identified as “authorized persons” for receipt of test results under state law.

1194   Privacy & security domain addressed: State law restrictions.
1195   Types of HIE (clinical, public health, research) addressed: All types.
1196   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1197   HIE barrier(s) addressed: Prohibitive state laws.
1198   Stage of development (planning, implementation): Planning.
1199   Extent to which solution is in use: Not currently in use.
1200   Applicability of solution: All covered entities under HIPAA and other stakeholders
1201   Extent of barriers or opposition: Opposition to specific changes is possible.
1202
1203   Non – legal Solutions
1204
1205   LWG Solution 11: In addition to potential revisions to General Statutes and Administrative Code to
1206   conform state law restrictions on release of information to existing federal restrictions, North
1207   Carolina should provide for education of all entities involved in the exchange of healthcare
1208   information—including providers, payers, vendors, and consultants—to ensure that both requestors
1209   and releasors of information are familiar with circumstances under which health information may be
1210   used and released.
1211
1212   General Context: From organization to organization, there is a broad range in the manner in which
1213   laws related to appropriate use and disclosure of information are interpreted and applied.
1214
1215   Privacy & security domain addressed: State law restrictions.
1216   Types of HIE (clinical, public health, research) addressed: All types.
1217   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders.
1218   HIE barrier(s) addressed: Lack of awareness or training.
1219   Stage of development (planning, implementation): Planning.
1220   Extent to which solution is in use: Partially implemented throughout healthcare community.
1221   Applicability of solution: All healthcare stakeholders.
1222   Extent of barriers or opposition: Opposition to specific changes is possible.
1223
1224   LWG Solution 12: Following above-noted revisions to State laws regarding appropriate uses and
1225   releases of health information, healthcare stakeholders must train employees on such appropriate
1226   uses and releases. Proposed Internet repository also may be expanded to assist in this regard.
1227
1228   General Context: Employees often are not aware of their employer’s policies or procedures related
1229   to appropriate uses and disclosures of health information.
1230
1231   Privacy & security domain addressed: State law restrictions.
1232   Types of HIE (clinical, public health, research) addressed: All types.
1233   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders.
1234   HIE barrier(s) addressed: Lack of policy standardization, Lack of awareness.



                                                     - 30-      NC HISPC Interim Analysis of Solutions Report
1235   Stage of development (planning, implementation): Planning.
1236   Extent to which solution is in use: Intermittently in use.
1237   Applicability of solution: All covered entities under HIPAA and other stakeholders.
1238   Extent of barriers or opposition: Opposition to specific changes is possible.
1239
1240   LWG Solution 13: Establish and fund a task force to address the interoperability challenges facing
1241   the healthcare stakeholders who desire to participate in the Nationwide Health Information Network.
1242
1243   General Context: Health information exchange often does not occur because some organizations
1244   have electronic records and some have limited or no electronic records, and there are
1245   interoperability challenges involved in exchanging information with incompatible systems and where
1246
1247   Privacy & security domain addressed: State law restrictions.
1248   Types of HIE (clinical, public health, research) addressed: All types.
1249   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders
1250   HIE barrier(s) addressed: Lack of policy standardization
1251   Stage of development (planning, implementation):
1252   Extent to which solution is in use:
1253   Applicability of solution:
1254   Extent of barriers or opposition: Opposition to specific changes is possible.
1255
1256   LWG Solution 13: Adopt generally accepted models and terms when referring to RHIOs or similar
1257   entities that engage in the electronic health information exchange.
1258
1259   Privacy & security domain addressed: State law restrictions.
1260   Types of HIE (clinical, public health, research) addressed: All types.
1261   Stakeholders primarily affected: All covered entities under HIPAA and other stakeholders.
1262   HIE barrier(s) addressed: Lack of policy standardization
1263   Stage of development (planning, implementation): Planning.
1264   Extent to which solution is in use: Currently none in use.
1265   Applicability of solution: All covered entities under HIPAA and other stakeholders.
1266   Extent of barriers or opposition: Opposition to specific changes is possible.




                                                     - 31-      NC HISPC Interim Analysis of Solutions Report
1267     Appendix I.
Solution Table for Sub-group 1 - Direct Patient Care / Release of Information Scenarios

Domain                                       Entity-entity model comments          Person-controlled comments

1. User and entity authentication to         A unified system of authentication    Trusted Third Party (RHIO, Health
verify that a person or entity seeking       and verification (standards based)    Insurance Carrier, "Repository")
access to electronic personal health         adopted by all entities               mediates PHI requests using a
information is who they claim to be.                                               standards based formal
                                                                                   authentication and verification
                                                                                   process.

2. Information authorization and access      A unified system of authentication    Trusted Third Party (RHIO, Health
controls to allow access only to people      and verification (standards based)    Insurance Carrier, "Repository")
or software programs that have been          adopted by all entities               mediates PHI requests using a
granted access rights to electronic                                                standards based formal
personal health information.                                                       authentication and verification
                                                                                   process. The individual
                                                                                   establishes a rule set of who has
                                                                                   access and under what
                                                                                   circumstances that PHI is to be
                                                                                   released.

3. Patient and provider identification to    A unified system of authentication    A unified system of authentication
match identities across multiple             and verification (standards based)    and verification (standards based)
information systems and locate               adopted by all entities               adopted by all entities
electronic personal health information
across enterprises.


4. Information transmission security or      Standards based system of data        Standards based system of data
exchange protocols (i.e., encryption,        exchange (HL7) and encryption         exchange (HL7) and encryption
etc.) for information that is being          resulting in interoperable            resulting in interoperable
exchanged over an electronic                 electronic medical records (EMR)      electronic medical records (EMR)
communications network.                      system                                system

5. Information protections so that           The patient’s healthcare providers    The “trusted third party” (RHIO,
electronic personal health information       and treating hospitals maintain       Health Insurance Carrier) acts as
cannot be improperly modified.               their copies of the records.          the patient’s health information
                                             Entities are entrusted with storing   broker and maintains a master
                                             and transmitting records as well      copy of the patient’s PHI. They
                                             as maintaining logs of requests       serve as the clearing house for
                                             for information, and maintaining      distribution of the PHI, maintain
                                             the integrity and validity of the     logs of requests for information
                                             record by monitoring and              and also maintain the integrity
                                             mediating changes or corrections.     and validity of the record by
                                             They are also responsible for         monitoring and mediating
                                             providing health record security      changes or corrections.
                                             for physical and electronic
                                             formats.

6. Information audits that record and        Entities maintain logs of requests    Entities maintain logs of requests
monitor the activity of health information   for information                       for information
systems.




                                                         - 32-      NC HISPC Interim Analysis of Solutions Report
7. Administrative or physical security
safeguards required to implement a
comprehensive security platform for
health IT

8. State law restrictions about              Well documented in HIPAA             Well documented in HIPAA
information types and classes, and the       regulations and state DHHS           regulations and state DHHS
solutions by which electronic personal
health information can be viewed and
exchanged.

9. Information use and disclosure            Dictated by current privacy and      Dictated by current privacy and
policies that arise as healthcare entities   security regulations both on the     security regulations both on the
share clinical health information            state and federal level              state and federal level. In addition
electronically.                                                                   the patient establishes a rule set
                                                                                  that determines access and
                                                                                  distribution of their PHI

10. NC HISPC Only: Laws, regulations,
and practices affecting the exchange of
PHI between entities through an
exchange mechanism controlled by the
subject of the information

Other comments
1268
1269




                                                         - 33-      NC HISPC Interim Analysis of Solutions Report
1270   Attachment: Group 1 Scenario-centric Analysis

1271
1272   Group A interactions:
1273      1. Emergent transfer of information between two hospitals in different states:
1274
1275   Group B interactions:
1276      1. The elective referral of a patient from a facility (substance abuse treatment) to a primary
1277          care facility for evaluation and treatment of suspected medical problem.
1278
1279   Group C interactions:
1280      Interactions:
1281          1. Non-emergent transfer of information from the hospital psychiatric unit to the skilled
1282               nursing facility.
1283          2. Non-emergent transfer of information by the physician to an outsourced transcription
1284               service (in a foreign country).
1285          3. Viewing of patient health information on an outsourced transcription service’s (in a
1286               foreign country) on a web portal and providing an electronic signature.
1287          4. Non-emergent transfer of information by an outsourced transcription service (in a
1288               foreign country) and the physician.
1289          5. Non-emergent transfer of information by an agent of the physician to the skilled nursing
1290               facility.
1291
1292   Group D interactions:
1293      1. Non-emergent transfer of information between a hospital and an outpatient clinic in
1294          different states:
1295
1296
                                                                                            = need for info
1297   Group A Interaction requires:
1298      1. Consent for request of information as defined by circumstances. (release of information)
1299      2. Determination of patient’s ability to provide consent
1300               a. “Time of consent” circumstances that may change ability of individual to provide
1301                   authorization. (impairment secondary to new condition requiring ED visit)
1302               b. Chronic health impairment (dementia)
1303      3. Communication of health record request from one institution to another.
1304               a. Verification that appropriate party contacted (right institution, right individual to
1305                   handle request)
1306               b. Verification of identity of requesting party
1307               c. Verification of valid patient consent by hospital holding records
1308               d. Determining pertinence of entire health record (i.e.; Mental health information)
1309               e. Transmission of health record information from possessing institution to requesting
1310                   institution.
1311      4. Verification of secure receipt of information (sending hospital)
1312      5. Securing received health information (the releasing hospital (B) should be assured that the
1313          receiving hospital will secure the information adequately, before B can release it
1314          responsibly).
                                                                   = method of gaining info (vs other source, like
1315
                                                                   patient’s copy of records, or local diagnosis)
1316   Group B interaction requires:
1317      1. Patient consent for referral for medical evaluation
1318      2. Patient consent (release of information) for request of information (medical records)
1319      3. Determination of patients ability to provide consent
1320      4. Communication of health record request from one institution to another.
1321               a. Verification that appropriate party contacted (right institution, right individual to
1322                   handle request)
1323               b. Verification of identity of requesting party




                                                      - 34-      NC HISPC Interim Analysis of Solutions Report
1324               c.  Verification of valid consent to transfer health information (including mental
1325                   health/substance abuse data)
1326              d. Determining pertinence of entire health record
1327              e. Transmission of health record information from possessing institution to requesting
1328                   institution.
1329       5. Verification of secure receipt of information (sending hospital)
1330       6. Transmission of evaluation and treatment information back to referring facility/healthcare
1331          provider
1332
1333   Group C interaction requires:
1334      1. Determination of patient’s ability to provide consent
1335               a. Patient consent for referral to skilled nursing facility
1336               b. Patient consent for release of information (medical records) to skilled nursing
1337                   facility.
1338      2. Transfer of patient from the hospital psychiatric unit to the skilled nursing facility
1339               a. Contact facility and notify of intention to transfer.
1340               b. Determine willingness of institution to accept transfer (has capacity to
1341                   accommodate patient) and accept responsibility of patient.
1342               c. Communicate discharge documents
1343               d. Communication of request for complete health records from accepting institution to
1344                   transferring institution.
1345               e. Verification that appropriate party contacted (right institution, right individual to
1346                   handle request)
1347               f. Verification of identity of requesting party
1348               g. Verification of valid consent to transfer health information (including mental
1349                   health/substance abuse data)
1350               h. Determining pertinence of entire health record (if consent not clearly defined)
1351               i. Transmission of health record information from possessing institution to requesting
1352                   institution.
1353      3. Verification of secure receipt of information (sending hospital)
1354      4. Dr X evaluates patient
1355               a. Facility accepts Dr X’s credentials, and provides physical access to the patient
1356               b. Facility gives Dr X access to the content of the patient’s electronic health record
1357                   (EHR), but does not allow direct update
1358               c. Dr X prepares his assessment using his practice’s technical facilities (including the
1359                   off-shoe dictation service)
1360               d. Dr X delivers the assessment through a secure means, for inclusion in the Facility’s
1361                   EHR
1362
1363   Group D interaction requires:
1364       1. Consent for request of information as defined by circumstances. (release of information)
1365       2. Communication of health record request from one institution to another.
1366                a. Verification that appropriate party contacted (right institution, right individual to
1367                    handle request)
1368                b. Verification of identity of requesting party
1369                c. Verification of valid consent by hospital holding records
1370                d. Determining pertinence of entire health record (i.e.; HIV status)
1371                e. Transmission of health record information from possessing institution to requesting
1372                    institution.
1373       3. Verification of secure receipt of information (sending hospital)
1374       4. Securing received health information.
1375   Mitigating factors:
1376       1. Group A
1377                a. Law enforcement involvement of potential crime
1378                b. Patient impaired from three potential viewpoints:
1379                          i. “Confused” either acutely (head injury?) or



                                                      - 35-      NC HISPC Interim Analysis of Solutions Report
1380                        ii. Medication induced (newly Rx medication in elderly) or
1381                       iii. Mental health issue (“psychosis”)
1382       2. Group B
1383             a. Patient referred from substance abuse facility
1384             b. Any impairment issues?
1385             c. Substance abuse or related conditions (mental health issues
1386       3. Group C
1387             a. Patient referred from substance abuse facility
1388             b. Any impairment issues?
1389             c. Substance abuse or related conditions (mental health issues)
1390             d. Dr. X : Physical access to facility
1391             e. Dr. X: Access to EHR (facility he has no privileges? Verification of credentials?)
1392             f. Dr.X’s: Dictation of health care note to transcription service in foreign country.
1393             g. Dr. X: Accesses note on server at transcription service, “electronic signature”
1394             h. Note downloaded by Dr. X employee and emailed (encrypted) to nursing home
1395             i. Nursing home can’t decode note.
1396       4. Group D
1397             a. Patient x is HIV positive
1398             b. Obtaining BrCa genetic test results of another individual
1399             c. The other individual is deceased.
1400
1401   Group A barriers:
1402        1. Knowledge of acceptable procedures (hospital, state and federal policies)
1403                   a. Definitions of impairment
1404                   b. Rules /laws regarding next of kin providing consent (living will?)
1405                   c. Rules/laws for interstate transfer of health information
1406                   d. Rules/laws for transfer of all healthcare information (i.e.; Mental health
1407                        information). Differ from transfer of “non-sensitive” data?
1408                   e. Rules/laws for methods of transmission of health record information from
1409                        possessing institution to requesting institution. (Electronic?)
1410                   f. Rules/laws for verification of secure receipt of information (sending hospital)
1411                   g. Verification of identities
1412                   h. Rules /laws regarding institutional responsibilities towards transfer of
1413                        information to law enforcement
1414        2. Secure verifiable technology for acquisition and transmission of protected health
1415            information in a sufficiently timely manner (registered US Mail is secure and verifiable,
1416            but is not fast enough).
1417   Group B barriers:
1418      1. Knowledge of acceptable procedures (hospital, state and federal policies), or previously
1419          established methods
1420              a. Rules/laws for transfer of all healthcare information (i.e.; substance abuse and/or
1421                   mental health information). Differ from transfer of “non-sensitive” data?
1422              b. Rules/laws for methods of transmission of health information (HI) from possessing
1423                   institution to requesting institution. (Electronic?)
1424              c. Verification of identities
1425              d. Rules/laws for verification of secure receipt of information (sending hospital)
1426
1427      2. Secure verifiable technology for acquisition and transmission of protected health
1428          information
1429   Group C barriers:
1430      1. Knowledge of acceptable procedures (hospital, state and federal policies)
1431               a. Rules /laws regarding providing consent (release of information)
1432               b. Rules/laws for transfer of all healthcare information (i.e.; substance abuse and/or
1433                   mental health information). Does the transfer of mental health information differ
1434                   from transfer of “non-sensitive” data? (yes)




                                                     - 36-      NC HISPC Interim Analysis of Solutions Report
1435               c.   Rules/laws for methods of transmission of health record information from
1436                    possessing institution to requesting institution. (Electronic?)
1437               d.   Verification of identities
1438               e.   Rules/laws for verification of secure receipt of information (sending hospital)
1439               f.   Rules /laws regarding outsourcing of dictation transcription to third party company
1440                    in a foreign country
1441               g.   Rules /laws and security issues regarding use of portal website for posting of
1442                    health information
1443               h.   Rules /laws regarding electronic signature
1444               i.   Standards for encryption and transmission of health information
1445
1446       2. Secure verifiable technology for acquisition and transmission of protected health
1447          information
1448               a. The technical means exist in this case, but are not sufficiently coordinated (Dr did
1449                  not give Facility his decryption key, and they were not equipped to look it up
1450                  elsewhere)
1451
1452   Group D Barriers:
1453      1. Knowledge of acceptable procedures (hospital, state and federal policies)
1454             a. Rules /laws regarding providing consent (release of information)
1455             b. Rules/laws for transfer of all healthcare information (i.e.; HIV results). Does the
1456                  elective transfer of HIV status health information differ from transfer of “non-
1457                  sensitive” data? (yes)
1458             c. Does the elective transfer of genetic health information differ from transfer of “non-
1459                  sensitive” data?
1460             d. Rules/laws for methods of transmission of health record information from
1461                  possessing institution to requesting institution. (Electronic?)
1462             e. Verification of identities
1463             f. Rules/laws for verification of secure receipt of information (sending hospital)
1464
1465   Group 1 Scenario A Barrier Diagram
                                             Securing data
                                              Exchange
                         Consent
                  Patient Impaired                                 Mental Health Protection
        Mental Health Protection                                   Verify Identity Requesting party

1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476   Group 1 Scenario B Barrier Diagram
1477




                                                      - 37-      NC HISPC Interim Analysis of Solutions Report
                                            Securing data
                                             Exchange
                                                                   Consent
                Patient                                          Mental Health
                Impaired                                         Issue
            Mental Health                                         (Substance
            Issue                                                abuse)
             (Substance
            abuse)
1478
1479
1480   Group 1 Scenario C Barrier Diagram
                                            Securing data
          Consent for referral                Exchange
                                                               Consent (Mental Health record)

           Consent for                                         Mental Health Issues
           release of HI                                       (Substance abuse)
         Competent for consent?
                                                               Verify Identity Requesting
                                                               party

          Foreign transcription
             WEB Portal


1481
1482
1483   Group 1 Scenario D Barrier Diagram
1484
                                      Securing data
                                       Exchange
                  Consent                                   Consent release HIV Status
           HIV POS                                          Verify Identity Requesting party
        Tx digital data
                                                            Consent release BrCa Status
                                                            Deceased relative
1485
1486
1487
1488




                                                   - 38-    NC HISPC Interim Analysis of Solutions Report
1489
Solution Table for Group 2 – Payer and Research Information Exchange Scenarios

Domain                                       Entity-entity model comments           Person-controlled comments

1. User and entity authentication to         Create/define uniform standards of     Create/define uniform standards of
verify that a person or entity seeking       verification of identity and user      verification of identity and user
access to electronic personal health         authentication across each of the      authentication across each of the
information is who they claim to be.         possible entity types requesting       possible entity types requesting
                                             electronic information.                electronic information.

2. Information authorization and access      Create/define uniform standards of     Create/define uniform standards of
controls to allow access only to people      verification of identity and user      verification of identity and user
or software programs that have been          authentication across each of the      authentication across each of the
granted access rights to electronic          possible entity types requesting       possible entity types requesting
personal health information.                 electronic information.                electronic information.

3. Patient and provider identification to    Create/define uniform standards of     Create/define uniform standards of
match identities across multiple             verification of identity and user      verification of identity and user
information systems and locate               authentication across each of the      authentication across each of the
electronic personal health information       possible entity types requesting       possible entity types requesting
across enterprises.                          electronic information.                electronic information.

4. Information transmission security or      Web-based applications with their      Web-based applications with their
exchange protocols (i.e., encryption,        information security protocols         information security protocols provide
etc.) for information that is being          provide various controls, or           various controls, or combinations of
exchanged over an electronic                 combinations of controls, to satisfy   controls, to satisfy the types of
communications network.                      the types of exchanges being           exchanges being discussed.
                                             discussed.

5. Information protections so that           Appropriate access controls, based     Appropriate access controls, based
electronic personal health information       upon Domains 1-3. Read-only            upon Domains 1-3. Read-only
cannot be improperly modified.               access. Date/time stamped and          access. Date/time stamped and
                                             digitally signed electronic records    digitally signed electronic records may
                                             may be extracted from applications,    be extracted from applications, as
                                             as appropriate.                        appropriate.

6. Information audits that record and        Appropriate system activity reviews    Appropriate system activity reviews
monitor the activity of health               and audits of activity on web-based    and audits of activity on web-based
information systems.                         applications to monitor request        applications to monitor request types
                                             types and information disclosures.     and information disclosures.

7. Administrative or physical security
safeguards required to implement a
comprehensive security platform for
health IT

8. State law restrictions about
information types and classes, and the
solutions by which electronic personal
health information can be viewed and
exchanged.

9. Information use and disclosure
policies that arise as healthcare entities
share clinical health information
electronically.



                                                           - 39-      NC HISPC Interim Analysis of Solutions Report
 1490
Solution Table for Group 3 – Healthcare Operations and Marketing Information Exchange


Domain                                       Entity-entity model comments         Person-controlled comments

1. User and entity authentication to
verify that a person or entity seeking
access to electronic personal health
information is who they claim to be.

2. Information authorization and access
controls to allow access only to people
or software programs that have been
granted access rights to electronic
personal health information.

3. Patient and provider identification to
match identities across multiple
information systems and locate
electronic personal health information
across enterprises.

4. Information transmission security or
exchange protocols (i.e., encryption,
etc.) for information that is being
exchanged over an electronic
communications network.

5. Information protections so that
electronic personal health information
cannot be improperly modified.

6. Information audits that record and
monitor the activity of health
information systems.

7. Administrative or physical security
safeguards required to implement a
comprehensive security platform for
health IT

8. State law restrictions about
information types and classes, and the
solutions by which electronic personal
health information can be viewed and
exchanged.

9. Information use and disclosure
policies that arise as healthcare entities
share clinical health information
electronically.
1491
1492




                                                         - 40-      NC HISPC Interim Analysis of Solutions Report
 1493
Solution Table for Group 4 – State Government and Public Health Information Exchange
 1494


Domain                                        Entity-entity model comments         Person-controlled comments

1. User and entity authentication to verify
that a person or entity seeking access to
electronic personal health information is
who they claim to be.

2. Information authorization and access
controls to allow access only to people or
software programs that have been
granted access rights to electronic
personal health information.

3. Patient and provider identification to
match identities across multiple
information systems and locate electronic
personal health information across
enterprises.

4. Information transmission security or
exchange protocols (i.e., encryption, etc.)
for information that is being exchanged
over an electronic communications
network.

5. Information protections so that
electronic personal health information
cannot be improperly modified.

6. Information audits that record and
monitor the activity of health information
systems.

7. Administrative or physical security
safeguards required to implement a
comprehensive security platform for
health IT

8. State law restrictions about information
types and classes, and the solutions by
which electronic personal health
information can be viewed and
exchanged.

9. Information use and disclosure policies
that arise as healthcare entities share
clinical health information electronically.




                                                          - 41-     NC HISPC Interim Analysis of Solutions Report
1495   Preliminary Considerations for “Original” and “Copy” Record Designation.
1496
1497   The EHR for a given patient at a given provider organization is defined at a particular date
1498   sequence – this is known as a Unit Record.
1499
1500   During treatment at a provider organization, the accumulated data is designated as the Treatment
1501   Unit Record. As long as data is being changed and added, the Treatment Unit Record stays in the
1502   provider organization. The end of treatment is a situational decision made by the attending
1503   provider, the providing organization, and the patient or patient’s representatives. This dated Unit
1504   Record can then be forwarded to a Data Repository, which may be within the provider organization
1505   or at a regional location such as a RHIO.
1506
1507   Patients and/or patient representatives have several options as the Treatment Unit Record is
1508   prepared for transfer to the Repository. At this point of transfer (or perhaps at the initiation of
1509   treatment), patients can designate opt-in or opt-out in participation within the larger HIN; they can
1510   designate authorized family members who have permission to view and request access to the
1511   patient’s PHI; they can select the method of notice of access, either notification at each access or
1512   notification in a periodic summary statement.
1513
1514   When a Unit Record enters the Repository – four things happen:
1515        1. The Unit Record is designated as the Original, and it is associated with a resident Global
1516            Patient Identifier (GPID), if a Record Set for the patient exists, if not, a GPID is generated.
1517        2. The Original Unit Record is duplicated to form the Copy Unit Record.
1518        3. The Original Unit Record is de-identified into a Research Unit Record.
1519        4. The Account Log for the patient is updated (or a new Log is created) with the addition of the
1520            Original Unit Record and the creation of the Copy Unit Record and the Research Unit
1521            Record.
1522   The Global Patient Identifier is a large (e.g., 30+ characters) sequence of numbers, letters and
1523   characters, not for identification, but only for validation of identity. It is unique to the patient for all
1524   times (even after death) within the Repository, and is never to be used as a login ID! This GPID
1525   links the Original, Copy, and Research Sets; and the Account Log with an individual patient.
1526
1527   The Original version of the Unit Record is appended to the existing Original Record Set (collection
1528   of Original Unit Records) for a given patient, if present. If no Original Record Set exists, the initial
1529   Unit Record establishes the Original Record Set. The complete Original Record Set is never
1530   accessed by any outside connection (not on any external network connection), and is only
1531   accessed indirectly inside the Repository (multi-tier architecture). It is only used for verification and
1532   validation of Unit Record Copies (transformed into an un-changeable format, e.g., PDF).
1533
1534   The Copy Unit Record will be transformed appropriately appended to the existing Copy Record Set
1535   for the given patient. If no Copy Record Set exists, the initial Copy Unit Record establishes the
1536   Copy Record Set. This Copy Record Set will be the only set of data available for authorized
1537   searches, and any output from it will always be labeled as a copy (watermark?). The Copy Record
1538   Set is still EPHI, and therefore deserves appropriate protection and access control, and requires
1539   appropriate use and disclosure practices.
1540
1541   The Research Unit Record will still retain the date sequence and the necessary characterization of
1542   the patient to allow proper appending with the Research Record Set for that given patient. This
1543   association will be facilitated by a randomized key, linked to the GPID, which will not be part of the
1544   Research Unit Record. The Account Log captures every transaction with any of the Record Sets
1545   with date, time, access requests, exchanges, and other necessary information. This can then be
1546   used to generate periodic reports for the patient or patient representatives.
1547




                                                         - 42-       NC HISPC Interim Analysis of Solutions Report
1548                                     NC HISPC Reference Library
1549
1550   The NC HISPC team found the following websites and documents to be insightful.
1551
1552
1553
1554   Federal Health Information Technology Sites
1555
1556          US Department of Health and Human Services
1557          http://www.hhs.gov/healthit/
1558
1559          American Health Information Community
1560          http://www.hhs.gov/healthit/community/background/
1561
1562   Privacy and Security
1563
1564          HIPAA
1565          http://www.cms.hhs.gov/HIPAAGenInfo/
1566
1567          HIMSS HIPAA Compliance Survey
1568          http://www.hipaadvisory.com/action/surveynew/results/summer2006.htm
1569
1570          North Carolina General Statutes
1571          http://www.ncleg.net/gascripts/Statutes/StatutesTOC.pl
1572
1573   Community Health Information Exchanges, RHIOs
1574
1575          E Health Initiative
1576          http://www.ehealthinitiative.org/
1577
1578   Nationwide Information Network (NHIN)
1579
1580          US Department of Health and Human Services NHIN
1581          http://www.hhs.gov/healthit/healthnetwork/
1582
1583          NHIN Watch
1584          http://nhinwatch.com/
1585
1586   Personal Health Records (PHR)
1587
1588          Markle Foundation Report on Consumers and PHR
1589          http://www.connectingforhealth.org/resources/phwg_survey.pdf
1590
1591




                                                   - 43-      NC HISPC Interim Analysis of Solutions Report

								
To top