Privacy and Security Solutions for Interoperable Health Information Exchange

Oklahoma Interim Assessment of Variations Report

Subcontract No.
RTI Project No. 9825

Prepared by:

OKHISPC Team
1000 NE 10th Street,
Oklahoma City, Oklahoma 73117

Submitted to:

Linda Dimitropoulos, Project Director
Privacy and Security Solutions for Interoperable Health Information Exchange

Research Triangle Institute
P. O. Box 12194
3040 Cornwallis Road
Research Triangle Park, NC 27709-2194

November 3, 2006

Table of Contents

Executive Summary
1.    Methodology Section
2.    Summary of Relevant Findings Purposes for Information Exchange
      2.1      Treatment (Scenarios 1–4)
               2.1.1     Stakeholders
               2.1.2     Domains
               2.1.3     Critical Observations
      2.2      Payment (Scenario 5)
               2.2.1     Stakeholders
               2.2.2     Domains
               2.2.3     Critical Observations
      2.3      RHIO (Scenario 6)
               2.3.1     Stakeholders
               2.3.2     Domains
               2.3.3     Critical Observations
      2.4      Research (Scenario 7)
               2.4.1     Stakeholders
               2.4.2     Domains
               2.4.3     Critical Observations
      2.5      Law Enforcement (Scenario 8)
               2.5.1     Stakeholders
               2.5.2     Domains
               2.5.3     Critical Observations
      2.6      Prescription Drug Use/Benefit (Scenarios 9 and 10)
               2.6.1     Stakeholders
               2.6.2     Domains
               2.6.3     Critical Observations
      2.7      Healthcare Operations/Marketing (Scenarios 11 and 12)
               2.7.1     Stakeholders
               2.7.2     Domains
               2.7.3     Critical Observations
      2.8      Public Health/Bioterrorism (Scenario 13)
               2.8.1     Stakeholders
               2.8.2     Domains
               2.8.3     Critical Observations
      2.9      Employee Health (Scenario 14)
               2.9.1     Stakeholders
               2.9.2     Domains
               2.9.3     Critical Observations
RTI International                                                  i
Privacy and Security Contract No. 290-05-0015
      2.10     Public Health (Scenarios 15–17)
               2.10.1    Stakeholders
               2.10.2    Domains
               2.10.3    Critical Observations
      2.11     State Government Oversight (Scenario 18)
               2.11.1    Stakeholders
               2.11.2    Domains
               2.11.3    Critical Observations
3.    Summary of Critical Observations and Key Issues
4.    Appendices




Table of Tables

Table 1. Oklahoma HISPC Stakeholder Community Organizations.
Table 2. Oklahoma HISPC Steering Committee Member Groups.
Table 3. Oklahoma HISPC Variations Working Group Membership.
Table 4. Oklahoma HISPC Legal Working Group Membership.
Table 5. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization.
Table 6. Privacy and Security Domains.
Table 7. Business Practices and Barriers Identified by Domain.
Table 8. Number of Legal Drivers by Domain for Business Practices Coded as Barriers.
Table 9. Number and Percent of Business Practices by Category.
Table 10. Patient Care Scenarios.
Table 11. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Patient Care Scenarios.
Table 12. Number of Business Practices Identified as Barriers and Business Practices by Domain for Patient Care Scenarios.
Table 13. Number of Legal Drivers identified as Barriers by Domain - Patient Care Scenarios.
Table 14. Scenario 5.
Table 15. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Payment Scenario.
Table 16. Number of Business Practices Identified as Barriers, Business Practices and the Percentage of Business Practices identified as Barriers by Domain for Payment Scenario.
Table 17. Number of Legal Drivers Identified as Barriers Identified by Domain for Payment Scenario.
Table 18. Scenario 6.
Table 19. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for RHIO Scenario.
Table 20. Number of Business Practices Identified as Barriers and Business Practices by Domain for RHIO Scenario.
Table 21. Number of Legal Drivers Identified as Barriers by Domain for RHIO Scenario.
Table 22. Scenario 7.
Table 23. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Research Scenario.
Table 24. Number of Business Practices Identified as Barriers and Business Practices by Domain for Research Scenario.
Table 25. Number of Legal Drivers identified as Barriers Identified by Domain for Research Scenario.
Table 26. Scenario 8.
Table 27. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Law Enforcement Scenario.
Table 28. Number of Business Practices Identified as Barriers and Business Practices by Domain for Law Enforcement Scenario.
Table 29. Number of Legal Drivers identified as Barriers Identified by Domain for Law Enforcement Scenario.
Table 30. Scenario 9 and Scenario 10.
Table 31. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Prescription Drug Use/Benefit Scenarios.
Table 32. Business Practices and Barriers Identified by Domain for Prescription Drug Use/Benefit Scenarios.
Table 33. Number of Legal Drivers identified as Barriers Identified by Domain for Prescription Drug Use/Benefit Scenarios.
Table 34. Scenario 11 and Scenario 12.
Table 35. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Healthcare Operations/Marketing Scenarios.
Table 36. Business Practices and Barriers Identified by Domain for Healthcare Operations/Marketing Scenarios.
Table 37. Number of Legal Drivers identified as Barriers Identified by Domain for Healthcare Operations/Marketing Scenarios.
Table 38. Scenario 13.
Table 39. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Public Health/Bioterrorism Scenarios.
Table 40. Business Practices and Barriers Identified by Domain for Public Health/Bioterrorism Scenarios.
Table 41. Number of Legal Drivers identified as Barriers Identified by Domain for Public Health/Bioterrorism Scenarios.
Table 42. Scenario 14.
Table 43. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Employee Health Scenario.
Table 44. Business Practices and Barriers Identified by Domain for Employee Health Scenario.
Table 45. Number of Legal Drivers identified as Barriers Identified by Domain for Employee Health Scenario.
Table 46. Scenarios 15-17.
Table 47. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for Public Health Scenarios.
Table 48. Business Practices and Barriers Identified by Domain for Public Health Scenarios.
Table 49. Number of Legal Drivers identified as Barriers Identified by Domain for Public Health Scenarios.
Table 50. Scenario 18.
Table 51. Business Practices Generated, Barriers Identified, and Percent of Business Practices Coded as Barriers, by Stakeholder Organization for State Government Oversight Scenario.
Table 52. Business Practices and Barriers Identified by Domain for State Government Oversight Scenario.
Table 53. Number of Legal Drivers identified as Barriers Identified by Domain for State Government Oversight Scenario.




Executive Summary
In 2004, President Bush issued an executive order announcing his commitment to the
use of health information technology to reduce medical errors, lower costs and provide
better information for consumers and physicians. President Bush called for the
widespread adoption of electronic health records and for health information to follow
patients throughout their care in a seamless and secure manner (source: RTI RFP).
Research Triangle Institute International (RTI) and the National Governors Association
(NGA) were awarded a contract for a key part of the Health and Human Services health
IT plan, referred to as Privacy and Security Solutions for Interoperable Health
Information Exchange. That contract included subcontracting with up to 40 states and
territories to seek practical solutions to privacy and security needs in interoperable
health information technology. The Oklahoma State Department of Health (OSDH) was
designated by Governor Brad Henry to develop a contract proposal in response to the
RTI Health Information Security and Privacy Collaboration (HISPC) request for
proposal.

Oklahoma was one of 34 states and territories selected to participate in this effort to
address privacy and security issues. The contract was awarded to the Oklahoma State
Department of Health by RTI to participate in the Health Information Security and
Privacy Collaboration (HISPC).

The Oklahoma State Department of Health (OSDH) intends to integrate existing
partnerships within the health care infrastructure with emerging nontraditional
partnerships from both the public and private sector to ensure success in the Oklahoma
Health Information Security and Privacy Collaboration (OKHISPC) project. As a
centralized public health department with county health departments in 69 of the 77
counties in Oklahoma, the OSDH has a statewide reach and is recognized as a vital
component in state health and health care initiatives. OSDH intends to initiate a similar
collaborative approach to OKHISPC that will seek to alleviate fragmentation of efforts
and assist the state to begin building a solid foundation that will ultimately support a
statewide system of health information exchange.

As the first step in the process, the variation working group, comprised of a diverse
group of health care professionals from across the state, identified their
organization-level business practices for health information exchange as they relate to
security and privacy. RTI structured the collection of this data through the use of 18
scenarios and 9 domains of privacy and security. The business practices collected were
grouped in primary categories of authentication, contractual agreements, consent for
service, data management, release of information, transfer of patient health
information (PHI) and security. The legal working group met concurrently to determine
whether a legal driver was one rationale for putting each business practice into place.

The research from this project shows significant variation in business practices
across organizations in Oklahoma. For example, practices vary in how consent is
obtained and in the method used to transfer personal health information. There is also
a large discrepancy in how organizations verify that information was received by the
proper entity.


Although the majority of business practices supported state and federal privacy and
security laws, many entities had business practices in place that were more restrictive
than the law required. This conservative approach was deemed to stem from a general
lack of understanding, or misinterpretation, of what personal health information can be
released and under what conditions, and of privacy and security laws in general.

Other underlying root causes, i.e. liability, cost and standardization, were brought to
the surface to further enhance the solution and implementation phases of the project.
The data at this stage in the process reflects a variation in practices, but it appears
that the greater barriers lie not in the manifestations of the problem (the business
practices) but in the point or source that caused each practice to be put into place.




1.     Methodology Section

The Oklahoma State Department of Health (OSDH) has subcontracted the project
management of OKHISPC to the University of Oklahoma Center for Public Management
(OUCPM). OUCPM is planning and facilitating all working group meetings through an
objective, non-biased leadership style. By contracting with an objective partner, OSDH
is ensuring that individual organizations' interests do not override the work of the
working groups.

Working closely with the Office of the Governor, the OSDH and OUCPM have
encouraged statewide participation by targeting a broad range of stakeholder groups
including operational, clinical, information technology executives, physician groups,
payers, state health officials and government organizations.

Stakeholder Community
The OKHISPC team requested that all interested stakeholders join the Oklahoma
Stakeholder Community by registering on the state supported website. As part of the
registration process, stakeholders were asked to provide their level of experience and
expertise as it relates to health information. OUCPM is continuously working with the
stakeholder groups to ensure that the list of representatives is exhaustive.
Organizations that are known to be undertaking efforts around HIE were contacted and
strongly encouraged to participate in OKHISPC.

Current stakeholders were recruited through press releases, direct letters and personal
phone calls. OUCPM organized and facilitated communication and collaboration
among the stakeholder community. The OKHISPC Team continues to recruit support
from potential stakeholders throughout the state.

OUCPM is utilizing the RTI LISTSERV to provide access to project information and
other news of interest. The Web portal is used to guide discussions and to organize and
disseminate information among work groups and stakeholders. Working group meeting
dates and meeting notes are posted for review by the stakeholder community.

The Oklahoma Stakeholder Community has over 160 members and represents the 17
RTI stakeholder groupings (see Table 1).




Table 1. Oklahoma HISPC Stakeholder Community Organizations.
 Stakeholder Community Member Organizations         #       %
 Public Health Agencies                            36     22%
 Hospitals                                         29     18%
 Professional Associations                         29     18%
 Other:                                            26     16%
 Community Clinics & Health Centers                18     11%
 Physician Groups                                  16     10%
 Medical Education Research                        15      9%
 Consumers                                         13      8%
 State Government                                  13      8%
 Federal Health Facilities                         11      7%
 Clinicians                                        10      6%
 Hospice                                            8      5%
 Pharmacies                                         8      5%
 Laboratories                                       6      4%
 Long Term Care                                     6      4%
 Payers                                             6      4%
 Correctional Facilities                            4      2%
 Quality Improvement Organizations                  3      2%
 Total                                             163

The OSDH maintains a vision of true statewide collaboration where no one group will
dominate the work, and all organizations are able and willing to work together.
Emphasis is placed on the absolute necessity of collaboration to create a functional,
interoperable system of health information exchange.

OUCPM continues working to increase stakeholders' awareness of the benefits of
interoperable HIE, using the necessary tools as provided by RTI. OUCPM
encourages and facilitates utilization of the LISTSERV and Web portal supported by
RTI.

Steering Committee
All members of the OKHISPC Steering Committee were appointed by the Governor’s
Office. The Steering Committee includes two members of the Variation Group, seven
members of the Legal Group, two members of the Solutions Group, four members of
the Implementation Group and three members from state government, including one
representative from the Governor’s Office. The Steering Committee is serving as the
primary leadership body for OKHISPC within the state. OUCPM is acting as liaison with
RTI, NGA, OSDH and the Oklahoma Governor’s Office to provide support to the
Steering Committee. OUCPM is organizing and facilitating meetings and work of the
Steering Committee. The Steering Committee will review and comment on all
deliverable reports.

The Steering Committee is comprised of 15 members representing a diverse group of
health care organizations (see Table 2). In addition, a number of the members span
multiple stakeholder categories including hospitals, medical and public health
schools and pharmacies. A number of associations are also represented including the
Oklahoma Hospital Association, Oklahoma Osteopathic Association, Oklahoma Primary
Care Association and the Oklahoma Pharmacists Association.

Table 2. Oklahoma HISPC Steering Committee Member Groups.
 Steering Committee Member Organizations          Count        Working Group
 Consumers                                          1           SWG, IWG
 Payers                                             1              LWG
 Hospitals                                          1              LWG
 Public Health Agencies                             3              LWG
 State Government                                   1
 Professional Associations                          5        VWG, LWG, IWG
 Federal Health Facilities                          1             IWG
 Other: AHRQ Grant                                  1      VWG, LWG, SWG, IWG
 Law Firm                                           1             LWG


Working Groups
OUCPM in conjunction with the OSDH and the liaison from the Governor’s Office
organized the four working groups:

       Variations Working Group (VWG),
       Legal Working Group (LWG),
       Solutions Working Group (SWG), and
       Implementation Plan Working Group (IWG).

OUCPM is facilitating work to ensure timely progression. Members of the working
groups were chosen from the stakeholder community and healthcare organizations
across the state.

Variations Working Group (VWG)
The VWG was tasked with assessing variations in organization-level business policies
and practices and categorizing them as barriers or neutral with respect to
interoperability. RTI provided 18 scenarios for identifying the business policies and
practices related to privacy and security that have an impact on intra- and inter-state
electronic health information exchange. Our diverse Variations Working Group provided
a sufficient representation of organizations and businesses statewide to produce an
accurate picture of the variations in organizational health information technology policy
and procedures.




The Variations Working Group is comprised of 41 members representing 15 stakeholder
groups (see Table 3).


Table 3. Oklahoma HISPC Variations Working Group Membership.
 VWG Member Organizations                    #     %
 Hospitals                                   7    17%
 Public Health Agencies                      7    17%
 Medical Education Research                  6    15%
 Federal Health Facilities                   4    10%
 Referral Network & Health Consultants       4    10%
 Long Term Care                              2     5%
 Payers                                      2     5%
 Professional Associations                   2     5%
 Clinicians                                  1     2%
 Community Clinics & Health Centers          1     2%
 Correctional Facilities                     1     2%
 Hospice                                     1     2%
 Pharmacies                                  1     2%
 Physician Groups                            1     2%
 State Government                            1     2%
 Total                                      41


Variation Working Group (VWG) meetings were held from July through October 2006.
The group was presented with the 18 scenarios and 9 domains of privacy and security
provided by RTI. Different formats were utilized to elicit business practices including
large group discussion and smaller work groups. In order to gather a sufficient number
of business practices from clinicians and physician groups, two variation working group
meetings were held in the evening.

The Stakeholder Community was given an opportunity to add business practices
through an online format and to confirm that the initial set of business policies
and practices reflected current policies and practices within the nine domains. OUCPM
uploaded the report shells to the Web portal and compiled a report of business policies
and practices and related privacy and security laws, by stakeholder group. An e-mail
invitation was sent to all members of the stakeholder community to review and comment
on the policies and practices specified by the stakeholders. This allowed the broader
Stakeholder Community an opportunity to identify and fill in gaps by adding into the
report shells any practices that were missing.

The VWG used 18 scenarios developed by RTI as the foundation for discussion and
idea generation. The scenarios represented situations that would elicit the exchange of
information with the anticipation that each situation would allow for the documentation of
barriers.




Scenarios:
   1. Patient Care – Emergent Transfer
   2. Patient Care – Substance Abuse
   3. Patient Care – Access Security
   4. Patient Care – HIV and Genetic
   5. Payment
   6. Regional Health Information Organization (RHIO)
   7. Research
   8. Law Enforcement
   9. Pharmacy Benefit – Prior Authorization
   10. Pharmacy Benefit – Claims Review
   11. Operations and Marketing – Tertiary hospital study
   12. Operations and Marketing – Registration, donations, service
   13. Bioterrorism Event
   14. Employment Information
   15. Public Health – Active carrier, communicable disease notification
   16. Public Health – Newborn screening
   17. Public Health – Homeless shelters
   18. Health Oversight

The VWG was also tasked with assigning each business practice to one or more of the
nine privacy and security domains specified by RTI:

Domains:
  1) User and entity authentication to verify that a person or entity seeking access to
      electronic personal health information is who they claim to be.
  2) Information authorization and access controls to allow access to only people or
      software programs that have been granted access rights to electronic personal
      health information.
  3) Patient and provider identification to match identities across multiple information
      systems and locate electronic personal health information across enterprises.
  4) Information transmission security or exchange protocols (encryption, etc.) for
      information that is being exchanged over an electronic communications network.
  5) Information protections so that electronic personal health information cannot be
      improperly modified.
  6) Information audits that record and monitor the activity of health information
      systems.
  7) Administrative or physical security safeguards needed to implement a
      comprehensive security platform for health IT.
  8) State law restrictions about information types and classes, and the solutions by
      which electronic personal health information can be viewed and exchanged.
  9) Information use and disclosure policies that arise as health care entities share
      clinical health information electronically.

For this study, a barrier to health information exchange is defined as practices, policies
or laws that impede, prohibit, or impose conditions on health information exchange. At
this stage in the process no judgments as to the appropriateness of the barrier were
made. Each business practice generated was coded as to whether it was a barrier to
health information exchange or not.


Legal Working Group (LWG)
The Legal Working Group assessed applicable privacy and security laws, underlying
regulations, court cases, etc. and identified legal drivers of barriers to interoperable
Electronic Health Records (EHRs). LWG began meeting in August and reviewed
barriers uncovered in the VWG during the business policy assessment and mapped
those barriers to applicable state and federal privacy and security laws. Members of the
LWG will work with the Solutions Work Group (SWG) and the Implementation Plan
Work Group (IWG) to ensure that laws are accurately and consistently interpreted
throughout the process of formulating solutions and planning implementation of those
solutions. The LWG meetings were held in rotation with VWG meetings to address
additional barriers as they were identified by the VWG.

The Legal Working Group is comprised of 22 members representing the following
stakeholder groups (see Table 4). A number of members serve as attorneys and
privacy and security officers within their organization.

Table 4. Oklahoma HISPC Legal Working Group Membership.
 LWG Member Organizations                         #       %
 Public Health Agencies                           6     30%
 Law Firms                                        3     13%
 Hospitals                                        2      9%
 Payers                                           2      9%
 Professional Associations                        2      9%
 State Government                                 2      9%
 AHRQ Data Sharing Grant                          1      4%
 Correctional Facilities                          1      4%
 Health IT Consultant                             1      4%
 Legislature                                      1      4%
 Quality Improvement Organizations                1      4%
 Total                                            22


Solutions Working Group (SWG)
The SWG held its first meeting in October, 2006 and is tasked with reviewing the
assessment of variation of state laws and business practices identified as barriers by
the VWG and formulating preliminary solutions to the barriers. The SWG with support
from the OKHISPC team will draft the preliminary analysis of solutions report. This work
will be reviewed with stakeholder groups for comments on the feasibility of
implementing the solutions. Once a set of feasible solutions is identified, the Steering
Committee and the OKHISPC team will develop the final deliverable report and submit it
to RTI.

Implementation Plan Working Group (IWG)
The IWG will review the interim analysis of solutions and propose preliminary
implementation plans, documented in the interim implementation plan report. The
Solutions and Implementation Working Group will develop final solutions and plans to
implement the solutions to variations in state laws and business practices that are
barriers to the adoption of interoperable electronic health information exchange.




2.      Summary of Relevant Findings Purposes for
        Information Exchange
Two hundred and eighty-two business practices were generated by the variation group
members during the course of meetings and by the larger stakeholder community (see
Table 5). Group members were asked to detail what they would have to do in their
respective organizations for health information exchange to occur under the
circumstances reflected in the scenario. This report summarizes the variations in
business practices elicited. A detailed listing of all business practices identified by
OKHISPC can be found in Appendix A.

Across all scenarios, over two thirds of business practices involved hospitals, physician
groups, federal health facilities and public health agencies. For stakeholders with more
than one business practice listed, the percent of business practices coded as barriers
ranged from 43% of business practices involving state government to a high of 100% of
business practices involving community clinics and health centers.

Figure 1. Number of Business Practices Identified and Number of Business
Practices Coded as Barriers, by Stakeholder Organization.

[Horizontal bar chart, not reproduced. Series: Business Practices, Barriers. Categories:
stakeholder organizations. Horizontal axis: 0 to 70.]




Hospitals identified 64 of the 282 business practices. This represents 23% of business
practices identified across stakeholder organizations. Eighty-three percent, or 53, of the
business practices by hospitals were identified as barriers, which represents 24% of
barriers identified across stakeholder organizations.

Table 5. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization.
                                                        Business Practices              Barriers               %
            Stakeholder Organization                      #         %                  #        %           Barriers*
 Hospitals                                                  64        23%               53      24%              83%
 Physician Groups                                           56        20%               40      18%              71%
 Federal Health Facilities                                  35        12%               30      14%              86%
 Public Health Agency                                       28        10%               18       8%              64%
 Medical and Public Health Schools                          21          7%              18       8%              86%
 Other                                                      19          7%              18       8%              95%
 Homecare and hospice                                       11          4%               7       3%              64%
 Payers                                                     10          4%               8       4%              80%
 Clinicians                                                  9          3%               8       4%              89%
 Community Clinics and Health Centers **                     8          3%               8       4%            100%
 State Government                                            7          2%               3       1%              43%
 Long term care facilities and nursing homes                 6          2%               3       1%              50%
 Pharmacies                                                  3          1%               2       1%              67%
 Consumers                                                   2          1%               1       0%              50%
 Correctional Facilities                                     1          0%               1       0%            100%
 Laboratories                                                1          0%               1       0%            100%
 Total                                                    282       100%               220     100%              78%
Note: * “% Barriers” is the percent of business practices coded as barriers.
      ** Section 330 – Federally Qualified Health Centers are included with Community
      Clinics and Health Centers


Domains of Privacy and Security

As part of the business practice collection process, the working groups were asked to
identify which security and privacy domains were relevant to each practice. These
domains were provided by RTI (see Table 6).

Table 6. Privacy and Security Domains.
Domain / Dimensions of Business Practices

1  User and entity authentication to verify that a person or entity seeking access to
   electronic personal health information is who they claim to be.
      • Use of digital signatures
      • User authentication management
      • Hardware/software authentication of software initiated requests for PHI
      • Current business practices – user authentication
      • Legal documentation related to user authentication
      • Entity authentication

2  Information authorization and access controls to allow access only to people or
   software programs that have been granted access rights to electronic personal health
   information.
      • Technology used to authenticate users/entities
      • Technology used to control access to PHI
      • Business practices implemented to control access to PHI
      • User/entity validation methodology
      • Legal documentation related to access control

3  Patient and provider identification to match identities across multiple information
   systems and locate electronic personal health information across enterprises.
      • Types of patient identification used
      • Types of provider identification used
      • Common barriers related to different identification systems
      • Implementation information related to implementing common identifier systems
      • Consumer communication processes using common identifiers
      • Methods used to validate provided identification

4  Information transmission security or exchange protocols (i.e., encryption, etc.) for
   information that is being exchanged over an electronic communications network.
      • Types of transmission protection implemented (i.e., VPN, secure FTP, encrypted
        e-mail, secure web communication, application layer secure communication, etc.)
      • Vendors used to implement secure transmission of data
      • Business processes established to ensure secure transmission
      • Inter-organizational processes/practices implemented to seamlessly communicate
        securely between entities
      • Secure data transmission processes established between the entity and the
        consumer

5  Information protections so that electronic personal health information cannot be
   improperly modified.
      • Established data integrity processes, policies and procedures (within and between
        entities)
      • Legal documentation developed to address data integrity
      • Vendors used to provide software that allows protection from data modification
      • Barriers to implementing data integrity processes between organizations (i.e.,
        protecting data from improper alteration while allowing modification for
        appropriate purposes such as treatment)
      • Data integrity validation processes (within and between entities; business
        processes and technology)
      • Notification processes documenting when data needs to be modified for appropriate
        purposes such as treatment

6  Information audits that record and monitor the activity of health information
   systems.
      • Types of audit logs currently used by entities to monitor healthcare data
        activity, transmission, etc.
      • Examples of audit programs established to evaluate appropriate privacy and
        security practices are being followed
      • Inter-organization data access audit logs established
      • Use of external audit resources and descriptions of external audit resources
      • Audit log data sharing agreements (if available)
      • Barriers to creation of and analysis of audit logs (i.e., installed use of legacy
        software, lack of software audit log creation capability, etc.)

7  Administrative or physical security safeguards required to implement a comprehensive
   security platform for health IT
      • Established business practices to reasonably ensure administrative security
      • Established business practices to reasonably ensure physical security
      • Examples of legal documentation developed between entities outlining appropriate
        administrative and physical security practices
      • Inter-organization established business processes addressing administrative and
        physical security
      • Legal documentation drafted to reasonably ensure administrative and physical
        security between entities
      • Administrative and physical security practices as it relates to customer
        interaction
      • Implementation plans developed that address compliance with the HIPAA Security
        Rule and applicable state law.

8  State law restrictions about information types and classes, and the solutions by
   which electronic personal health information can be viewed and exchanged.
      • State laws that preempt HIPAA
      • Barriers that hamper data sharing between individuals or entities because of
        established state laws
      • Solutions adopted to address data sharing between individuals or entities where
        state law is more stringent than HIPAA
      • Inter-state data exchange barriers and solutions
      • Recommended changes at the state and federal level to address conflicting laws
      • Legal documentation developed to address more stringent state law (intra and
        inter-state)

9  Information use and disclosure policies that arise as health care entities share
   clinical health information electronically.
      • Implemented information use and disclosure policies
      • Barriers to implementation of information use and disclosure policies between
        entities and individuals
      • Solutions that address adoption of workable information use and disclosure
        policies between entities and individuals
      • Legal documentation created to address appropriate and workable adoption of
        information use and disclosure policies
      • Business practices related to information use and disclosure between entities
      • Business practices related to information use and disclosure between entities and
        consumers
      • Technology implemented to track appropriate information use and disclosure
      • Methods used to track appropriate information use and disclosure


Across all scenarios, 282 business practices were identified. The 282 business
practices had multiple domain assignments resulting in 822 practices across the nine
domains (see Table 7). Across the nine domains, 84% of business practices were
coded as barriers to exchange of health care information. Eighteen percent of business
practices fell in the information use and disclosure policies domain, 17% fell within the
information authorization and access controls domain and 14% fell within the user and
entity authentication domain. Two domains, information authorization and access
controls and information use and disclosure policies, had the highest number of
business practices coded as barriers to information exchange (18%), followed by the
user and entity authentication domain (13%).

Table 7. Business Practices and Barriers Identified by Domain.
                                                            Business Practices              Barriers               %
                        Domain                                  #        %                #         %           Barriers*
 1. User and entity authentication                            112        14%                93       13%             83%
 2. Information authorization and access controls             140        17%              126        18%             90%
 3. Patient and provider identification                        94        11%                76       11%             81%
 4. Information transmission security                          91        11%                79       11%             87%
 5. Information protections (modifications)                    50          6%               39        6%             78%
 6. Information audits                                         52          6%               44        6%             85%
 7. Administrative or physical security safeguards            74           9%               60        9%             81%
 8. State law restrictions                                     65          8%               49        7%             75%
 9. Information use and disclosure policies                   144        18%              123        18%             85%
 Total                                                        822       100%              689      100%              84%




The percent of business practices coded as barriers ranged from a low of 75% of
business practices in the state law restrictions domain to a high of 90% of business
practices in the information authorization and access controls domain.



Figure 2. Number of Business Practices Identified and Number of Business
Practices Coded as Barriers, by Domain.

[Horizontal bar chart, not reproduced. Series: Business Practices, Barriers. Categories:
the nine privacy and security domains. Horizontal axis: 0 to 150.]




The information use and disclosure policies domain had the most business practices
identified (144) and had the second highest proportion of business practices coded as
barriers (85%). The information authorization and access controls domain had the
second highest number of business practices identified (140) and had the highest
proportion of business practices coded as barriers (90%). The user and entity
authentication domain had the third highest number of business practices identified
(112) and had the fourth highest proportion of business practices coded as barriers
(83%). The patient and provider identification domain had the fourth highest number
of business practices identified (94) and had the fifth highest proportion of business
practices coded as barriers (81%).




Legal Drivers
There were two federal laws and four state laws identified by stakeholders for business
practices coded as barriers to exchange of health information (see Table 8). Across all
domains, 77% of legal drivers were from federal regulations. Of the federal legal drivers,
78% were from Title 45. The percent of legal drivers that were federal laws ranged from
53% for Domain 8 State law restrictions to 96% for Domain 5 Information protections
(see Figure 3). The most legal drivers were identified for Domain 2 Information
authorization and access controls (93), followed by Domain 9 Information use and
disclosure policies (78), Domain 4 Information transmission security (58), and Domain 1
User and entity authentication (57).



Figure 3. Percent of Legal Drivers Cited Within Each Domain Based on
Federal Laws.

[Chart, not reproduced. Vertical axis: Percent of Legal Drivers, 0% to 100%. Horizontal
axis: Domain, 1 to 9. Series: Percent, Average.]

Of the sections cited from Title 45, 27% were from 45.164.508 Security and Privacy:
Uses and disclosures for which an authorization is required; 20% were Title 45, section
unspecified; and 12% were from 164.512 Security and Privacy: Uses and disclosures for
which an authorization or opportunity to agree or object is not required. Of the state
laws, the most cited was Title 43A. Mental Health (12% of legal drivers), followed by
Title 63. Public Health and Safety and Title 12. Civil Procedure, which each represent
five percent of cited legal barriers. The most cited section within Title 43A. Mental
Health was section 1.109 Privileged, Confidential Nature of Medical Records and
Communications Between Physician or Psychotherapist and Patient, followed by
unspecified sections of Title 43A.




Table 8. Number of Legal Drivers by Domain for Business Practices Coded as
Barriers
                                                                                                 Domain
                             Legal Driver                                 1     2    3     4       5      6     7     8     9     Total
Federal                                                                   49    69   36    43       24    29    44    20    57     371
Title 42. Public Health                                                   11    13     7   11        4      9    8     9    11      83
   2.14 Confidentiality Of Alcohol And Drug Abuse Patient Records:          -    1     -     -       -      -     -     -     -       1
   Minor Consent.
   2.31 Confidentiality Of Alcohol And Drug Abuse Patient Records:         5     5    3     6        3     6     5     5     5      43
   Form of written consent.
   2.32 Confidentiality Of Alcohol And Drug Abuse Patient Records:         2     2    1     2        -     2     2     2     2      15
   Prohibition on re-disclosure
   484.2 Home Health Services: Condition of participation: Reporting        -    -     -     -       -      -     -    1      -      1
   OASIS information.
   Unspecified                                                             4     5    3     3        1     1     1     1     4      23
Title 45. Public Welfare                                                  38    56   29    32       20    20    36    11    46     288
   164 Security and Privacy                                                2     2    -     2        -     2     2     -     2      12
   164.312 Security and Privacy: Technical safeguards.                     2     4    -     -        -     -     2     -     4      12
   164.501 Security and Privacy: Definitions                               6     6    5     7        6     3     5     -     7      45
   164.502 Security and Privacy: Uses and disclosures of protected         3     9    5     2        1     2     2     1     6      31
   health information: general rules
   164.504 Security and Privacy: Uses and disclosures: Organizational       -    -     -     -       -      -    1      -     -      1
   requirements.
   164.506 Security and Privacy: Uses and disclosures to carry out          -    1     -     -       -      -     -    1      -      2
   treatment, payment, or health care operations.
   164.508 Security and Privacy: Uses and disclosures for which an        10    10   10    11        9     6     7     3    12      78
   authorization is required.
   164.512 Security and Privacy: Uses and disclosures for which an         6     6    5     3        1     3     3     2     6      35
   authorization or opportunity to agree or object is not required.
   164.522 Security and Privacy: Rights to request privacy protection       -    1     -     -       -      -     -    1     1       3
   for protected health information.
   164.53 Security and Privacy: Administrative requirements.               2     2    -     -       -      -     7     -     -      11
   Unspecified                                                             7    15    4     7       3      4     7     3     8      58
State                                                                      8    24   13    15       1      3     6    18    21     109
Title 12. Civil Procedure                                                  -     1    5     5       -      -     -     6     5      22
   2503 Physician and Psychotherapist-Patient Privilege                    -     1    3     3       -      -     -     4     3      14
   Unspecified                                                             -     -    2     2       -      -     -     2     2       8
Title 43A. Mental Health                                                   4    16    4     7       -      1     4    10    13      59
   1.109 Privileged, Confidential Nature of Medical Records and            3     9    2     3       -      -     3     7     8      35
   Communications Between Physician or Psychotherapist and Patient
   4.107 Correspondence by Patients - Visits - Telephone Privileges -       -    1     -    1        -      -     -     -     -      2
   Sealed Communications
   6.503 Admission for Inpatient Mental Health or Substance Abuse           -    1     -     -       -      -     -     -     -      1
   Treatment
   6.513 Discharge Plan                                                    -    -     2     2       -      -     -     2     2       8
   16 Office, Records and Files.                                           -    1     -     -       -      -     -     -     -       1
   Unspecified                                                             1    4     -     1       -      1     1     1     3      12
Title 63. Public Health and Safety                                         3    5     2     3       1      2     2     2     3      23
   1.401 Definitions                                                       1    1     1     1       1      1     1     -     1       8
   1.502 Confidential Information - Written Consent - Multidisciplinary    1    1     -     1       -      1     1     1     1       7
   Advisory Committee
   Unspecified                                                             1     3    1     1        -      -     -    1     1       8
Title 36. Insurance                                                        1     2    2     -        -      -     -    -     -       5
   1219 Failure to Notify Policyholder of Cause for Delay - Interest on    1     2    2     -        -      -     -    -     -       5
   Late Claims - Proof of Loss - Recovery of Reasonable Attorney's
   Fee
Total                                                                     57    93   49    58       25    32    50    38    78     480


The process of breaking down business practices into manageable groupings by the
OKHISPC team resulted in generation of categories very similar to the RTI privacy and
security domains. The seven categories identified and their definitions are as follows:

   1. Authentication – verification of user through both onsite and remote access to
      PHI, includes employee, third party and patient verification. Examples of
      authentication practices include log in systems, passwords, pin numbers and
      credentialing.

   2. Contractual Agreements – legally binding documentation of PHI exchange or
      authentication process. Examples of contractual agreements include business
      associate agreements, confidentiality agreements, employer/employee
      contracts.

   3. Consent for Service – practices relating to the act of getting consent from the
      patient or someone on behalf of the patient when needed for treatment or
      payment, or determining that patient consent is not needed. Includes restrictions to
      consent, verbal/written consent, when consent is needed, determining
      competency to consent, referrals and the consent forms themselves.

   4. Data Management – practices relating to the storage and access to data.
      Practices described how data was partitioned, who had access to the data and
      under what circumstances. An example of data management is an office
      manager that has access to billing information, but not test results.

   5. Release of Information – securing patient authorization to release information to
      another party or for another purpose. Includes what documentation is needed
      for release and when securing a release is necessary and when it isn’t.
      Examples include permission to release information for marketing, research, and
      contagious disease outbreaks.

   6. Transfer of PHI – refers to the practices documenting the use and disclosure of
      PHI, whether electronic or not. Practices document exchange by phone, fax,
      mail, courier and electronic exchange (billing and federal/state government).

   7. Security – Practices document the process of securing health information in
      storage and in transit. Examples include pass codes for entry into file room,
      locked cabinets, transfer via trunk one case at a time and encryption.

       Table 9. Number and Percent of Business
       Practices by Category
        Category                            #        %
        Transfer of PHI                    79      28%
        Release of Information             72      26%
        Consent for Service                49      17%
        Authentication                     36      13%
        Data Management                    17      6%
        Contractual Agreements             15       5%
        Security                           14       5%
        Total                              282



The business practices documented in this report reflect the breakdown of each
category in further detail. However, participation in the variation and legal working
groups demonstrated that the business practices themselves were not necessarily the
root of the problem as it pertains to electronic health information exchange. The
underlying causes made for the most interesting discussion.

Since there is not much health information being exchanged electronically across
organizations other than for billing purposes or within the state/federal government, the
OKHISPC team decided to document the hurdles that are preventing widespread
electronic exchange from taking place in Oklahoma. To help tailor that discussion, the
OKHISPC team used the privacy and security domains provided by RTI and asked for
any issues, problems, or concerns that were not made evident by the scenario based
exercises. Each member of the variation working group was chosen based on their
experience in the health care community. As professionals, they brought to the table
many issues and concerns about HIE both in its current state and with anticipated
technology breakthroughs. In an effort to capture those concerns, one variations
meeting centered upon collecting data as it related to the various domains without
concern for the context of any of the scenarios. It was during this meeting that many of
the underlying causes for current business practices came to light. While not in and
of themselves business practices, the following section documents issues that will need
to be addressed during the solutions and implementation portions of this project.


Key issues

Domain One: User and Entity Authentication
Most healthcare providers in Oklahoma currently maintain paper-based patient records
systems; however, the idea of electronic exchange is attractive to health care providers.
Photo IDs and letterhead are used predominantly as forms of user authentication.
Stakeholders expressed concerns regarding the cumbersome process of credentialing
users and feel that solutions need to be developed to address authentication process
issues. In addition, the cost involved with hardware and software purchases to
establish an electronic system is a barrier for most healthcare providers.

Domain Two: Information Authorization and Access
Information authorization and access generated one of the most intense discussions.
While most participants agree that open, real-time exchange of health information for
treatment purposes is the ideal, how to actually get to that point is difficult. If receiving
information, most would prefer to have full access to review the patient record for the
information that they need. However, those who generated the information prefer to
allow only restricted access to those records. There were numerous concerns
regarding how the exchange would occur: Who determines who has access to what
information? Who monitors how the information is being accessed? How does one
know who has accessed the record, both internally and externally? How does one
know what the patient has authorized for release and to whom?

Currently, concerns regarding liability are inhibiting transfer of information between
health care providers in Oklahoma. Fear of lawsuits, fraud, malicious browsing, and
unintentional HIPAA violations have essentially shut down HIE between organizations
that have the technology in place. Even organizations storing records electronically are
using non-technical solutions internally for fear of releasing information inappropriately,
information falling into the wrong hands, or documentation being used against them.

Domain Three: Patient and Provider Identification
The single largest issue discussed concerning provider and patient identification dealt
with how to distinguish each patient and provider from the next. Questions included: How
does one keep a patient’s record straight without a unique identifier? What happens if
two providers with the same name need to access the system? How does one
reconcile the different methods that organizations have for identifying patients and
providers?

Domain Four: Encryption protocols
Most HIE in Oklahoma is via fax, mail, telephone or courier. There is a wide disparity in
how organizations verify that information sent using current technologies was received by
the proper organization. Some organizations call ahead to verify the fax number and call back to
confirm receipt, while some simply dial the number and hit send. Again, while electronic
exchange is a desirable outcome, encryption protocols are undefined. Questions about
the encryption process included: Will each institution need encryption software to send
and accept transmissions? Is the current level of encryption adequate? Can we
exchange information securely without encryption and if so, would we be out of HIPAA
compliance? Will we need to enter into third party agreements with each individual
entity to exchange information? How do we exchange information securely via e-mail
and be in compliance with HIPAA?

Domain Five: Protection against improper modification
Copying and storing paper records is expensive and time consuming. Entering changes
into the record is difficult because access to the record is usually limited by time and
space considerations. With electronic records, modifying or copying the record becomes
easier, and this increases the need for monitoring and recording changes. Questions
regarding protection against improper modification of records included: How do data
entry errors get corrected? How do you prevent intentional, yet inappropriate changes
from being made to the record? How do you ensure that users of the record are made
aware of appropriate changes to the record that impact their work or decisions? What is
the protocol for changing the record and who has the authority to do it? How do we
standardize how modification of records occurs across organizations?

Domain Six: Information Audits
There are no standards for who should conduct information audits or how they should be
conducted, nor for what information should be audited. Concerns range from computer
storage issues, which would require additional hardware expense, to consistency across
organizations as to how/what audit trails are conducted. Electronic systems currently in use did not
universally track review of information if no action (save or print) was performed. In
addition, how do we verify that the person using a login is the individual to whom it was
assigned?



Domain Seven: Administrative and Physical Safeguards
During discussions it was reported that, in theory, EHR eliminates 20% of healthcare
procedures by eliminating redundant tests. In addition, ninety-eight thousand people
die every year due to preventable medical errors, which is the equivalent of an aircraft
crash every other day (Institute of Medicine). How do you make the EHR easily
accessible to people who need it, when they need it, but not accessible to those who
don’t? How will information provided by the patient in a non-digital format be
incorporated into the system? While the cost of saving lives cannot be measured by
dollars, the cost of running a business can, especially a small business. For example,
the expense of implementing the electronic system (hardware, software, personnel)
may not be justified by the benefits derived from that system. From our discussions,
physicians may perceive that they receive the least benefit from EHR. The return on
investment for the physician is contingent upon full employment of EHR and the size of
the practice. How do physicians and other organizations know what system to
purchase to prevent rapid obsolescence and how to establish standards that maintain
interoperability with others?

Domain Eight: State Law Restrictions
Underlying most concerns within this domain was the transfer of information to a third
party, especially the transfer of mental health records. How do you train staff to know
which part of the record can/can’t be released especially when they do not know which
record or part of a record contains psychiatric information? How far does liability extend
once information has been transferred to a third party? Can the originator of the
information be held accountable for information they released properly, but which in turn
was released improperly by the organization that received the information? How do we
handle differences in state and federal law, including but not limited to licensing and
accreditation standards?

Domain Nine: Information Use and Disclosure Policies
Discussion on information use and disclosure policies focused on why the response to
HIPAA and other privacy and security regulations is typically so conservative. The
consensus was that there is a general lack of understanding of HIPAA and what can be
released and under what conditions. In an effort to be sure that they are in compliance,
the most restrictive approach to privacy and security is being applied in most cases.

Other issues that arose were:
How will receiving facilities be made aware of addendums to documents?
How do you know that “your” information is stored in a secured manner on someone
else’s system since there are no standards for security?
If I send unsigned documents to another facility, is that considered incomplete or not
final, especially considering signed documents do not come in a timely manner?
How do we deal with a decrease in research participation or reluctance to participate due
to HIPAA compliance concerns?




2.1     Treatment (Scenarios 1–4)
The first four scenarios were included by RTI to gather business practices related to
health information exchange to facilitate patient care (see Table 10).

Table 10. Patient Care Scenarios.

Scenario 1: Patient Care - Scenario A (Emergent Transfer)

The emergent transfer of health information between two hospitals that represent the 2
stakeholder organizations (i.e., Hospital A and Hospital B) when the status of the patient is
unsure. The actors are the staff involved in carrying out the request. The ER physician is
requesting the information on behalf of Hospital A.

Patient X presents to the emergency room of General Hospital in State A. She has been in a
serious car accident. The patient is an 89-year-old widow who appears very confused. Law
enforcement personnel in the emergency room investigating the accident indicate that the
patient was driving. There are questions concerning her possible impairment due to
medications. Her adult daughter informed the ER staff that her mother has recently undergone
treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug.
The emergency room physician determines there is a need to obtain information about Patient
X’s prior diagnosis and treatment during the previous inpatient stay.


Scenario 2: Patient Care - Scenario B (Substance Abuse)

The scenario involves the non-emergent transfer of records from a specialty substance
treatment provider to a primary care facility for a referral to a specialist.

An inpatient specialty substance abuse treatment facility intends to refer client X to a primary
care facility for a suspected medical problem. The two organizations do not have a previous
relationship. The client has a long history of using various drugs and alcohol that is relevant for
medical diagnosis. The primary care provider has requested that the substance abuse
information be sent by the treatment facility. The primary care provider intends to refer the
patient to a specialist and plans to send all of the patient’s medical information, including the
substance abuse information that was received from the substance abuse treatment facility, to
the specialist.




Scenario 3: Patient Care - Scenario C (Access Security)

At 5:30 pm Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate his patient,
recently discharged from the hospital psychiatric unit to the skilled nursing facility. The hospital
and skilled nursing facility are separate entities and do not share electronic record systems. At
the time of the patient's transfer, the discharge summary and other pertinent records and forms
were electronically transmitted to the skilled nursing home.

When Dr. X enters the facility, he seeks assistance locating his patient, gaining entrance to the
locked psychiatric unit, and accessing the patient’s electronic health record to review the
discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by
showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first
visit, he has no login or password to use their system.

Dr. X completes his visit and prepares to complete his documentation for the nursing home.
Unable to access the skilled nursing facility EHR, Dr. X dictates his initial assessment via
telephone to his outsourced, offshore transcription service. The assessment is transcribed and
posted to a secure web portal.

The next morning, from his home computer, Dr. X checks his e-mail and receives notification
that the assessment is available. Dr. X logs into his office web portal, reviews the assessment,
and applies his electronic signature.

Later that day, Dr. X’s Office Manager downloads this assessment from the web portal, saves
the document in the patient’s record in his office and forwards the now encrypted document to
the long-term care facility via e-mail.

The skilled nursing facility notifies Dr. X’s office that they are unable to open the encrypted
document because they do not have the encryption key.


Scenario 4: Patient Care - Scenario D (HIV and Genetic)
The non-emergent transfer of health information

Patient X is HIV positive and is having a complete physical and an outpatient mammogram
done in the Women’s Imaging Center of General Hospital in State A. She had her last physical
and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is
requesting a copy of her complete records and the radiologist at General Hospital would like to
review the digital images of the mammogram performed at the outpatient clinic in State B for
comparison purposes. She also is having a test for the BrCa gene and is requesting the genetic
test results of her deceased aunt who had a history of breast cancer.


        2.1.1    Stakeholders

Physicians and hospital groups contributed 72% of business practices and 66% of
barriers for scenarios one through four (see Table 11). Of the business practices coded
as barriers, 66% were contributed by physicians and hospital groups. Of the business
practices submitted by physician groups, two thirds were coded as barriers. Of the
business practices submitted by hospitals, 86% were coded as barriers.




Table 11. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for Patient
Care Scenarios.
                                           Business Practices        Barriers              %
        Stakeholder Organization             #          %        #              %       Barriers*
Physician Groups                                30       37%         20          30%        67%
Hospitals                                       28       35%         24          36%        86%
Other                                            9       11%          9          14%       100%
Clinicians                                       4         5%         4           6%       100%
Public Health Agency                             3         4%         3           5%       100%
Community Clinics and Health Centers             2         2%         2           3%       100%
State Government                                 2         2%         2           3%       100%
Federal Health Facilities                        1         1%         1           2%       100%
Payers                                           1         1%         0           0%          0%
Quality Improvement Organizations                1         1%         1           2%       100%
Note: “% Barriers*” is the percent of business practices coded as barriers.



       2.1.2   Domains

There were 81 business practices for scenarios one through four, several of which had
multiple domain assignments resulting in 277 business practices across the nine
domains for scenarios one through four (see Table 12). Of these business practices,
91% (251) were coded as barriers. All domains were represented. Domains with the
highest proportion of barriers were: information audits (96% of business practices were
coded as barriers), information transmission security (94% of business practices were
coded as barriers), and information protections (94% of business practices were coded
as barriers). All of the business practices generated for scenarios two and four were
coded as barriers. The information use and disclosure policies domain had the most
barriers listed (41) followed by the information authorization and access controls domain
(38), followed by the user and entity authentication domain (33).

Table 12. Number of Business Practices Identified as Barriers and Business
Practices by Domain for Patient Care Scenarios.
                                                               Scenario                       Total
                       Domain                          1      2        3          4         #          %
1. User and entity authentication                    8/11    9/9    13/15        3/3      33/38       87%
2. Information authorization and access controls    12/15   11/11   12/13        3/3      38/42       90%
3. Patient and provider identification               8/12    7/7      3/3        5/5      23/27       85%
4. Information transmission security                  6/7   14/14   11/12        0/0      31/33       94%
5. Information protections (modifications)            4/4   10/10     1/2        0/0      15/16       94%
6. Information audits                                 4/4   14/14     4/5        0/0      22/23       96%
7. Administrative or physical security safeguards     5/5    8/8    12/15        2/2      27/30       90%
8. State law restrictions                            9/10    7/7      5/6        0/0      21/23       91%
9. Information use and disclosure policies          13/16    9/9    13/14        6/6      41/45       91%
Barriers/Business Practices                         69/84   89/89   74/85       19/19    251/277      91%
Percent Barriers                                    82%     100%     87%        100%      91%



Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 13). Two federal laws and three state laws were cited. Sixty-three percent of
legal drivers were based on federal laws. Title 45 accounted for 52% of federal laws
cited. The percentage of legal drivers that were based on federal law ranged from a low
of 42% for Domain 8, to a high of 100% for Domain 5. Of the state laws cited, 64% were
derived from Title 43A. Mental Health, 27% were derived from Title 12. Civil Procedure,
and 9% were derived from Title 63. Public Health and Safety.

Table 13. Number of Legal Drivers identified as Barriers by Domain for Patient
Care Scenarios.
                                                                                               Domain
                            Legal Driver                                1    2    3       4      5    6     7    8    9    Total
Federal                                                                 15   20       9   15      5   14    16   10   20     124
  Title 42. Public Health                                                7    8       4    8     3      8    7    7    7      59
      2.31 Confidentiality Of Alcohol And Drug Abuse Patient             5    5       3    6      3     6    5    5    5      43
      Records: Form of written consent.
      2.32 Confidentiality Of Alcohol And Drug Abuse Patient             2    2       1    2      -     2    2    2    2      15
      Records: Prohibition on re-disclosure
      Unspecified                                                       -     1       -   -      -      -   -    -     -      1
  Title 45. Public Welfare                                              8    12       5   7      2      6   9    3    13     65
      164 Security and Privacy                                          2     2       -   2      -      2   2    -     2     12
      164.312 Security and Privacy: Technical safeguards.               2     2       -   -      -      -   2    -     2      8
      164.508 Security and Privacy: Uses and disclosures for which      1     1       3   2      2      2   2    1     2     16
      an authorization is required.
      164.522 Security and Privacy: Rights to request privacy            -    1       -    -      -     -    -   1     1       3
      protection for protected health information.
      164.506 Security and Privacy: Uses and disclosures to carry out    -    1       -    -      -     -    -    -    -       1
      treatment, payment, or health care operations.
      164.502 Security and Privacy: Uses and disclosures of              -    1       -    -      -     -    -    -   1        2
      protected health information: general rules
      Unspecified                                                       3     4       2    3      -     2   3     1    5     23
State                                                                   5    10       9   13      -     2   5    14   16     74
  Title 12. Civil Procedure                                             -     -       5    5      -     -   -     5    5     20
      2503 Physician and Psychotherapist-Patient Privilege              -     -       3    3      -     -   -     3    3     12
      Unspecified                                                       -     -       2    2      -     -   -     2    2      8
  Title 43A. Mental Health                                              4     9       4    7      -     1   4     8   10     47
      1.109 Privileged, Confidential Nature of Medical Records and      3     7       2    3      -     -   3     5    7     30
      Communications Between Physician or Psychotherapist and
      Patient
      4.107 Correspondence by Patients - Visits - Telephone              -    1       -    1      -     -    -    -    -       2
      Privileges – Sealed Communications
      6.513 Discharge Plan                                              -    -        2   2       -     -   -    2    2       8
      Unspecified                                                       1    1        -   1       -     1   1    1    1       7
  Title 63. Public Health and Safety                                    1    1        -   1       -     1   1    1    1       7
      1.502 Confidential Information - Written Consent -                1    1        -   1       -     1   1    1    1       7
      Multidisciplinary Advisory Committee
Total                                                                   20   30   18      28     5     16   21   24   36     198




        2.1.3   Critical Observations

    The treatment scenarios elicited a number of business practices regarding how to
    handle mental health and substance abuse records. Verification and authorization
    of the release and transfer of medical records was also a topic of many practices.
    Physicians and hospital groups contributed 72% of business practices and 66% of
    barriers for scenarios one through four. Domains with the highest proportion of
    barriers were information audits (domain 6) accounting for 96%, information
    transmission security (domain 4) accounting for 94%, and information protections
    (domain 5) with 94% of business practices coded as barriers. Over 60% of the legal
    drivers for Scenarios 1-4 were mapped to federal laws. Transfer of PHI represented
    30% of the business practices with information being transferred primarily by
    courier, mail and fax.


2.2     Payment (Scenario 5)
Scenario 5 was included to gather business practices related to payment for patient
care (see Table 14).

Table 14. Scenario 5

Scenario 5: Payment Scenario

X Health Payer (third party, disability insurance, employee assistance programs) provides health
insurance coverage to many subscribers in the region the healthcare provider serves. As part of
the insurance coverage, it is necessary for the health plan case managers to approve/authorize
all inpatient encounters. This requires access to the patient health information (e.g., emergency
department records, clinic notes, etc.).

The health care provider has recently implemented an electronic health record (EHR) system. All
patient information is now maintained in the EHR and is accessible to users who have been
granted access through an approval process. Access to the EHR has been restricted to the
healthcare provider’s workforce members and medical staff members and their office staff.

X Health Payer is requesting access to the EHR for their accredited case management staff to
approve/authorize inpatient encounters.




        2.2.1   Stakeholders

Hospitals and payers contributed 75% of business practices and 80% of barriers for
scenario 5 (see Table 15). Of the business practices submitted by hospitals, 50% were
coded as barriers. Of the business practices submitted by payers, 25% were coded as
barriers.




Table 15. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for Payment
Scenario.
                              Business Practices         Barriers             %
 Stakeholder Organization       #          %         #              %      Barriers*
Hospitals                           6       50%           5          50%       83%
Payers                              3       25%           3          30%     100%
Physician Groups                    2       17%           2          20%     100%
Consumers                           1         8%          0           0%         0%
Total                              12      100%          10         100%       83%
Note: “% Barriers*” is the percent of business practices coded as barriers.



       2.2.2   Domains

There were 12 business practices for scenario 5, several of which had multiple domain
assignments resulting in 27 business practices across the nine domains for scenario 5
(see Table 16). Of these business practices, 93% (25) were coded as barriers. All
domains were represented except for domain six. Domains with more than one
business practice with the highest proportion of barriers were: user and entity
authentication (100% of business practices were coded as barriers), and administrative
and physical security safeguards (100% of business practices were coded as barriers).
The information authorization and access controls domain (8) had the most barriers
listed followed by the patient and provider identification domain (6), followed by the user
and entity authentication domain (4).


Table 16. Number of Business Practices Identified as Barriers, Business Practices
and the Percentage of Business Practices identified as Barriers by Domain for
Payment Scenario.
                                                       Scenario 5
                       Domain                         #          %
1. User and entity authentication                    4/4         100%
2. Information authorization and access controls     8/9          89%
3. Patient and provider identification               6/7          86%
4. Information transmission security                 1/1         100%
5. Information protections (modifications)           1/1         100%
6. Information audits                                0/0             -
7. Administrative or physical security safeguards    3/3         100%
8. State law restrictions                            1/1         100%
9. Information use and disclosure policies           1/1         100%
Barriers/Business Practices                         25/27         93%




Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 17). One federal law and one state law were cited. Thirty-three percent of
legal drivers were based on federal law (Title 45). Domain 2 Information authorization
and access controls and Domain 3 Patient and provider identification received the most
citations.

Table 17. Number of Legal Drivers Identified as Barriers by Domain for
Payment Scenario.
                                                                         Domain
                    Legal Driver                       1    2     3    4   5    6      7    8      9    Total
Federal                                                 -    2     1    -   -     -     -    -      -       3
  Title 45. Public Welfare                              -    2     1    -   -     -     -    -      -       3
    164.502 Security and Privacy: Uses and
    disclosures of protected health information:
    general rules                                       -    2     1     -   -     -    -    -      -      3
State                                                   1    2     2     -   -     -    -    -      -      5
  Title 36. Insurance                                   1    2     2     -   -     -    -    -      -      5
    1219 Failure to Notify Policyholder of Cause
    for Delay - Interest on Late Claims - Proof of
    Loss - Recovery of Reasonable Attorney's Fee        1    2     2     -   -     -    -    -      -      5
Total                                                   1    4     3     -   -     -    -    -      -      8


        2.2.3   Critical Observations

Business practices for Scenario 5 focused on ensuring contractual agreements were in
place with payers and limiting the amount of information accessible by payers to the
minimum necessary. Over half of the legal drivers were mapped to state law on
insurance regulations. The categories with the largest proportion of business practices
were authentication and release of information at 33% each.



2.3     RHIO (Scenario 6)
Scenario 6 was included to gather business practices related to a Regional Health
Information Organization (see Table 18).

Table 18. Scenario 6

Scenario 6: RHIO Scenario

The RHIO in your region wants to access patient identifiable data from all participating
organizations (and their patients) to monitor the incidence and management of diabetic patients.
The RHIO also intends to monitor participating providers to rank them for the provision of
preventive services to their diabetic patients.




       2.3.1   Stakeholders

Other entities and physician groups contributed 76% of business practices and 81% of
barriers for scenario 6 (see Table 19). Of the business practices submitted by other
entities, 90% were coded as barriers. Of the business practices submitted by physician
groups, 89% were coded as barriers.

Table 19. Business Practices Generated, Barriers Identified, and Percent of Business
Practices Coded as Barriers, by Stakeholder Organization for RHIO Scenario.
                                      Business Practices       Barriers         %
       Stakeholder Organization         #          %         #          %    Barriers*
 Other                                     10       40%         9        43%     90%
 Physician Groups                           9       36%         8        38%     89%
 Hospitals                                  2         8%        2        10%   100%
 Medical and Public Health Schools          2         8%        2        10%   100%
 Public Health Agency                       1         4%        0         0%       0%
 State Government                           1         4%        0         0%       0%
 Total                                     25      100%        21       100%     84%
Note: “% Barriers*” is the percent of business practices coded as barriers.

       2.3.2   Domains

There were 25 business practices for scenario 6, several of which had multiple domain
assignments resulting in 53 business practices across the nine domains for scenario 6
(see Table 20). Of these business practices, 87% (46) were coded as barriers. All
domains were represented. Domain 2 Information authorization and access controls
had the most business practices listed (13), followed by Domain 9 Information use and
disclosure policies (10), and Domain 4 Information transmission security. Domains with
more than one business practice with the highest proportion of barriers were:
information authorization and access controls (100% of business practices were coded
as barriers), and information use and disclosure policies (90% of business practices
were coded as barriers). The information authorization and access controls domain (13)
had the most barriers listed followed by the Information use and disclosure policies
domain (9), followed by the Information transmission security domain (8).

Table 20. Number of Business Practices Identified as Barriers and Business
Practices by Domain for RHIO Scenario.
                                                       Scenario 6
                       Domain                         #           %
1. User and entity authentication                    5/6           83%
2. Information authorization and access controls    13/13         100%
3. Patient and provider identification               1/1          100%
4. Information transmission security                 8/9           89%
5. Information protections (modifications)           4/5           80%
6. Information audits                                2/3           67%
7. Administrative or physical security safeguards    2/3           67%
8. State law restrictions                            2/3           67%
9. Information use and disclosure policies          9/10           90%
Barriers/Business Practices                         46/53          87%


Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 21). Two federal laws were cited. Title 45 accounted for 76% of federal laws
cited.

Table 21. Number of Legal Drivers Identified as Barriers by Domain for RHIO
Scenario.
                                                                 Domain
                    Legal Driver                        1    2    3    4    5    6    7    8    9    Total
Federal                                                 2    5    -    3    2    1    2    1    1       17
  Title 42. Public Health Unspecified                   1    1    -    -    -    -    -    1    1        4
  Title 45. Public Welfare                              1    4    -    3    2    1    2    -    -       13
    164.504 Security and Privacy: Uses and              -    -    -    -    -    -    1    -    -        1
    disclosures: Organizational requirements.
    Unspecified                                         1    4    -    3    2    1    1    -    -       12
Total                                                   2    5    -    3    2    1    2    1    1       17


        2.3.3   Critical Observations

Scenario 6 focused on utilizing patient medical records to monitor disease
management. Business practices focused on requirements for release of
information including opt in/opt out clauses and a refusal to provide data unless it was
for treatment purposes. Release of information accounted for 36% of the business
practices. Each business practice listed under scenario 6 was determined to be a
barrier to interoperable health information exchange due to requirements set by Federal
law.



2.4.    Research (Scenario 7)
Scenario 7 was included to gather business practices related to research (see Table 22).

Table 22. Scenario 7

Scenario 7: Research Data Use

A research project on children younger than age 13 is being conducted in a double blind study
for a new drug for ADD/ADHD. The research is being sponsored by a major drug manufacturer
conducting a double blind study approved by the medical center’s IRB where the research
investigators are located. The data being collected is all electronic and all responses from the
subjects are completed electronically on the same centralized and shared data base file.

The principal investigator was asked by one of the investigators if they could use the raw data to
extend the tracking of the patients over an additional six months and/or use the raw data
collected for a white paper that is not part of the research protocol’s final document for his
postdoctoral fellow program.




       2.4.1   Stakeholders

Medical and public health schools and public health agencies contributed 88% of
business practices and 88% of barriers for scenario 7 (see Table 23). All business
practices for this scenario were coded as barriers.

Table 23. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for Research
Scenario.
                                             Business Practices         Barriers             %
        Stakeholder Organization               #          %         #              %      Barriers*
Medical and Public Health Schools                  4       50%            4         50%     100%
Public Health Agency                               3       38%            3         38%     100%
Consumers                                          1       13%            1         13%     100%
Total                                              8      100%            8        100%     100%
Note: “% Barriers*” is the percent of business practices coded as barriers.



       2.4.2   Domains

There were 8 business practices for scenario 7, several of which had multiple domain
assignments resulting in 27 business practices across the nine domains for scenario 7.
Of these business practices, 100% were coded as barriers. All domains were
represented. The information authorization and access controls domain (5) and the
information use and disclosure policies domain (5) had the most barriers listed followed
by the user and entity authentication domain (4), and the patient and provider
identification domain (4).

Table 24. Number of Business Practices Identified as Barriers and Business
Practices by Domain for Research Scenario.
                                                         Scenario 7
                       Domain                           #          %
1. User and entity authentication                      4/4         100%
2. Information authorization and access controls       5/5         100%
3. Patient and provider identification                 4/4         100%
4. Information transmission security                   1/1         100%
5. Information protections (modifications)             3/3         100%
6. Information audits                                  2/2         100%
7. Administrative or physical security safeguards      2/2         100%
8. State law restrictions                              1/1         100%
9. Information use and disclosure policies             5/5         100%
Barriers/Business Practices                           27/27        100%




Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 25). One federal law and one state law were cited. Across all domains, Title
45 accounted for 80% of laws cited.

Table 25. Number of Legal Drivers Identified as Barriers by Domain for
Research Scenario.
                                                                           Domain
                     Legal Driver                        1    2     3    4   5    6      7     8      9    Total
Federal                                                   2    2     2    -   -     -     -     -      2       8
  Title 45. Public Welfare                                2    2     2    -   -     -     -     -      2       8
    164.512 Security and Privacy: Uses and                2    2     2    -   -     -     -     -      2       8
    disclosures for which an authorization or
    opportunity to agree or object is not required.
State                                                    -     1     -     -    -    -     -   1      -       2
  Title 63. Public Health and Safety Unspecified         -     1     -     -    -    -     -   1      -       2
Total                                                    2     3     2     -    -    -     -   1      2      10


        2.4.3   Critical Observations

Work group members shared similar concerns with providing health care information for
research purposes without proper consent. Business practices supported securing
appropriate Institutional Review Board (IRB) approval and consent from research
participants for additional research activities. Across all domains, Title 45 accounted for
80% of laws cited.


2.5     Law Enforcement (Scenario 8)
Scenario 8 was included to gather business practices related to law enforcement (see
Table 26).

Table 26. Scenario 8.

Scenario 8: Scenario for access by law enforcement

An injured nineteen (19) year old college student is brought to the ER following an automobile
accident. It is standard to run blood alcohol and drug screens. The police officer investigating
the accident arrives in the ER claiming that the patient may have caused the accident. The
patient’s parents arrive shortly afterward. The police officer requests a copy of the blood alcohol
test results and the parents want to review the ER record and lab results to see if their child
tested positive for drugs. These requests to print directly from the electronic health record are
made to the ER staff.

The patient is covered under their parent's health and auto insurance policy.




       2.5.1   Stakeholders

Hospitals, physician groups and federal health facilities contributed 75% of business
practices and 73% of barriers for scenario 8 (see Table 27). Of the business practices
submitted by hospitals, all were coded as barriers. Of the business practices submitted
by physician groups, 80% were coded as barriers. Of the business practices submitted
by federal health facilities, 100% were coded as barriers.

Table 27. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for Law
Enforcement Scenario.
                                          Business Practices         Barriers             %
         Stakeholder Organization           #          %         #              %      Barriers*
Hospitals                                      10       26%          10          27%     100%
Physician Groups                               10       26%           8          22%       80%
Federal Health Facilities                       9       23%           9          24%     100%
Clinicians                                      3         8%          3           8%     100%
Community Clinics and Health Centers            3         8%          3           8%     100%
Correctional Facilities                         1         3%          1           3%     100%
Laboratories                                    1         3%          1           3%     100%
Public Health Agency                            1         3%          1           3%     100%
State Government                                1         3%          1           3%     100%
Total                                          39      100%          37         100%       95%
Note: “% Barriers*” is the percent of business practices coded as barriers.



       2.5.2   Domains

There were 39 business practices for scenario 8. Many business practices had multiple
domain assignments resulting in 144 business practices across the nine domains for
scenario 8 (see Table 28). Of these business practices, 95% (137) were coded as
barriers. All domains were represented. Domains with more than one business practice
with the highest proportion of barriers were: state law restrictions (100% of business
practices were coded as barriers), and user and entity authentication (100% of business
practices were coded as barriers). The information use and disclosure policies domain
(28) had the most barriers listed followed by the information authorization and access
controls domain (24), and the patient and provider identification domain (21).




Table 28. Number of Business Practices Identified as Barriers and Business
Practices by Domain for Law Enforcement Scenario.
                                                        Scenario 8
                       Domain                          #          %
1. User and entity authentication                    12/12        100%
2. Information authorization and access controls     24/25         96%
3. Patient and provider identification               21/22         95%
4. Information transmission security                 15/16         94%
5. Information protections (modifications)            3/3         100%
6. Information audits                                 8/9          89%
7. Administrative or physical security safeguards    10/11         91%
8. State law restrictions                            16/16        100%
9. Information use and disclosure policies           28/30         93%
Barriers/Business Practices                         137/144        95%


Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 29). Two federal laws were cited. Seventy-eight percent of legal drivers were
based on Title 45. Domain 9 Information use and disclosure policies received the most
citations (7) followed by Domain 2 Information authorization and access controls (6) and
Domain 3 Patient and provider identification (5).

Table 29. Number of Legal Drivers Identified as Barriers by Domain for
Law Enforcement Scenario.
                                                               Domain
                   Legal Driver                     1    2    3    4    5    6    7    8    9    Total
Federal                                             4    6    5    3    3    4    3    2    7       37
  Title 42. Public Health Unspecified               1    1    1    1    1    1    1    -    1        8
  Title 45. Public Welfare                          3    5    4    2    2    3    2    2    6       29
    164.502 Security and Privacy: Uses and          2    4    3    1    1    2    1    1    5       20
    disclosures of protected health information:
    general rules
    Unspecified                                     1    1    1    1    1    1    1    1    1        9
Total                                               4    6    5    3    3    4    3    2    7       37


       2.5.3   Critical Observations

This scenario addresses access of patient health information for law enforcement
officials. Hospitals, physician groups and federal health facilities contributed 75% of the
business practices. The practices address determining the appropriate criteria for
release of PHI for potential criminal implications and appropriate response to law
enforcement’s request to perform tests on a patient. Consent for services represented
41% of practices with release of information representing 36%. Domains with more
than one business practice with the highest proportion of barriers were state law
restrictions, and user and entity authentication with 100% of business practices coded
as barriers.



2.6     Prescription Drug Use/Benefit (Scenarios 9 and 10)
Scenarios 9 and 10 were included to gather business practices related to pharmacy
benefits transactions (see Table 30).

Table 30. Scenario 9 and Scenario 10.

Scenario 9: Pharmacy Benefit Scenario A

The Pharmacy Benefit Manager (PBM) has a mail order pharmacy for a hospital which is self-
insured and also has a closed formulary. The PBM receives a prescription from Patient X, an
employee of the hospital, for the antipsychotic medication Geodon. The PBM’s preferred
alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and
Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a
request to the prescribing physician to complete a prior authorization in order to fill and pay for
the Geodon prescription. The PBM is in a different state than the provider’s Outpatient Clinic.


Scenario 10: Pharmacy Benefit Scenario B

A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the
company’s employees’ prescription drug use and the associated costs of the drugs prescribed.
The objective would be to see if the PBM1 could save the company money on their prescription
drug benefit. Company A is self-insured and as part of their current benefits package, they have
the prescription drug claims submitted through their current PBM (PBM2). PBM1 has requested
that Company A send their electronic claims to them to complete the review.


        2.6.1    Stakeholders

Federal health facilities, homecare and hospice, and medical and public health schools
contributed 63% of business practices and 71% of barriers for scenarios 9 and 10 (see
Table 31). Of the business practices submitted by federal health facilities, 93% were
coded as barriers. Of the business practices submitted by homecare and hospice, 64%
were coded as barriers. Of the business practices submitted by medical and public
health schools, 63% were coded as barriers.




Table 31. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for
Prescription Drug Use/Benefit Scenarios.
                                                    Business Practices          Barriers            %
           Stakeholder Organization                   #          %           #          %        Barriers*
Federal Health Facilities                                15       28%          14        38%         93%
Homecare and hospice                                     11       20%           7        19%         64%
Medical and Public Health Schools                         8       15%           5        14%         63%
Long term care facilities and nursing homes               6       11%           3         8%         50%
Payers                                                    4         7%          3         8%         75%
Pharmacies                                                3         6%          2         5%         67%
Physician Groups                                          3         6%          1         3%         33%
Clinicians                                                2         4%          1         3%         50%
Community Clinics and Health Centers                      1         2%          1         3%       100%
Hospitals                                                 1         2%          0         0%           0%
Total                                                    54      100%          37       100%         69%
Note: “% Barriers*” is the percent of business practices coded as barriers.



       2.6.2   Domains

There were 54 business practices for scenarios 9 and 10, several of which had multiple
domain assignments resulting in 58 business practices across the nine domains for
scenarios 9 and 10 (see Table 32). Scenario 9 was responsible for 93% of business
practices for this domain. Of the business practices generated for scenarios 9 and 10,
43% (25) were coded as barriers. All domains were represented. Domains with more
than one business practice with the highest proportion of barriers were: state law
restrictions (100% of business practices were coded as barriers), and user and entity
authentication (100% of business practices were coded as barriers). The information
authorization and access controls domain (8) had the most barriers listed followed by
the user and entity authentication domain (6), and the information use and disclosure
policies domain (6).

Table 32. Business Practices and Barriers Identified by Domain for Prescription
Drug Use/Benefit Scenarios.
                                                              Scenario                   Total
                       Domain                              9           10          #             %
1. User and entity authentication                        5/11          1/1       6/12            50%
2. Information authorization and access controls          7/8          1/1        8/9            89%
3. Patient and provider identification                    1/7          1/1        2/8            25%
4. Information transmission security                      0/1          1/1        1/2            50%
5. Information protections (modifications)                0/6          0/0        0/6              0%
6. Information audits                                     0/1          0/0        0/1              0%
7. Administrative or physical security safeguards         1/2          1/1        2/3            67%
8. State law restrictions                                 0/5          0/0        0/5              0%
9. Information use and disclosure policies               6/12          0/0       6/12            50%
Barriers/Business Practices                              20/53         5/5       25/58           43%
Percent Barriers                                         38%         100%



Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 33). Two federal laws and two state laws were cited. Eighty-four percent of
legal drivers were based on federal laws. Ninety-six percent of federal legal drivers
were based on Title 45. Domain 7 Administrative or physical security safeguards
received the most citations (10) followed by Domain 2 Information authorization and
access controls (7) and Domain 8 State law restrictions (6).

Table 33. Number of Legal Drivers Identified as Barriers by Domain for
Prescription Drug Use/Benefit Scenarios.
                                                                                         Domain
                        Legal Driver                           1     2     3       4       5    6     7     8    9       Total
Federal                                                         5     6        1    1       -     -   10     3       -      26
  Title 42. Public Health                                        -     -       -     -      -     -     -    1       -       1
    484.2 Home Health Services: Condition of participation:      -     -       -     -      -     -     -    1       -       1
    Reporting OASIS information.
  Title 45. Public Welfare                                      5     6        1    1       -     -   10    2        -     25
    164.502 Security and Privacy: Uses and disclosures of       1     1        1    1       -     -    1    -        -      5
    protected health information: general rules
    164.506 Security and Privacy: Uses and disclosures to       -     -        -    -       -     -     -   1        -      1
    carry out treatment, payment, or health care operations.
    164.53 Security and Privacy: Administrative                 2     2        -    -       -     -    7     -       -     11
    requirements.
    Unspecified                                                 2     3        -    -       -     -    2    1    -          8
State                                                           -     1        -    -       -     -    -    3    1          5
  Title 12. Civil Procedure                                     -     -        -    -       -     -    -    1    -          1
    2503 Physician and Psychotherapist-Patient Privilege        -     -        -    -       -     -    -    1    -          1
  Title 43A. Mental Health                                      -     1        -    -       -     -    -    2    1          4
    1.109 Privileged, Confidential Nature of Medical Records    -     1        -    -       -     -    -    2    1          4
    and Communications Between Physician or
    Psychotherapist and Patient
Total                                                           5     7        1    1       -     -   10    6    1         31


        2.6.3     Critical Observations

Federal health facilities, homecare and hospice, and medical and public health schools
contributed 63% of business practices. Eighty-four percent of legal drivers were based
on federal laws. Ninety-six percent of federal legal drivers were based on Title 45. The
majority of business practices identified for scenario 9 focused on the different methods
used for receiving and filling prescriptions. Variation existed in the manner in which
facilities could receive prescription orders ranging from hand delivery of order to
electronic request.



2.7     Healthcare Operations/Marketing (Scenarios 11 and 12)
Scenarios 11 and 12 were included to gather business practices related to healthcare
operations and marketing (see Table 34).


Table 34. Scenario 11 and Scenario 12.

Scenario 11: Healthcare Operations and Marketing - Scenario A

ABC Health Care is an integrated health delivery system comprised of ten critical access hospitals and
one large tertiary hospital, DEF Medical Center, which has served as the system’s primary referral
center. Recently, DEF Medical Center has expanded its rehab services and created a state-of-the-art,
stand-alone rehab center. Six months into operation, ABC Health Care does not feel that the rehab
center is being fully utilized and is questioning the lack of rehab referrals from the critical access
hospitals.

ABC Health Care has requested that its critical access hospitals submit monthly reports containing
patient identifiable data to the system six-sigma team to analyze patient encounters and trends for the
following rehab diagnoses/ procedures:

     Cerebrovascular Accident (CVA)
     Hip Fracture
     Total Joint Replacement

Additionally, ABC Health Care is requesting that this same information, along with individual patient
demographic information, be provided to the system Marketing Department. The Marketing Department
plans to distribute to these individuals a brochure highlighting the new rehab center and the enhanced
services available.


Scenario 12: Healthcare Operations and Marketing - Scenario B

Stakeholder organizations and exchanges:
   Healthcare provider (Hospital obstetrics department sending data)
   Hospital marketing department (receiving data)
   Local company (purchasing data from marketing department)
   Patients/Consumers

ABC hospital has approximately 3,600 births/year. The hospital Marketing Department is requesting
identifiable data on all deliveries including mother’s demographic information and birth outcome (to
ensure that contact is made only with those deliveries resulting in healthy live births).

The Marketing Department has explained that they will use the patient information for the following
purposes:

1.   To provide information on the hospital’s new pediatric wing/services.
2.   To solicit registration for the hospital’s parenting classes.
3.   To request donations for construction of the proposed neonatal intensive care unit.
4.   To sell the data to a local diaper company for use in marketing diaper services directly to
     parents.




       2.7.1   Stakeholders

Medical and public health schools contributed 45% of business practices and 56% of
barriers for scenarios 11 and 12 (see Table 35). Of the business practices submitted by
medical and public health schools, all were coded as barriers.

Table 35. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for
Healthcare Operations/Marketing Scenarios.
                                             Business Practices           Barriers             %
        Stakeholder Organization               #          %          #               %      Barriers*
Medical and Public Health Schools                  5       45%             5          56%     100%
Federal Health Facilities                          2       18%             0           0%         0%
Hospitals                                          2       18%             2          22%     100%
Payers                                             2       18%             2          22%     100%
Total                                             11      100%             9         100%       82%
Note: “% Barriers*” is the percent of business practices coded as barriers.

       2.7.2   Domains

There were 11 business practices for scenarios 11 and 12, several of which had
multiple domain assignments resulting in 69 business practices across the nine
domains for scenarios 11 and 12 (see Table 36). Of these business practices, 80% (55)
were coded as barriers. All domains were represented except for state law restrictions.
Domains with the highest proportion of barriers were: information protections (89% of
business practices were coded as barriers), information transmission security (82% of
business practices were coded as barriers), and information use and disclosure policy
(82% of business practices were coded as barriers). The information transmission
security domain (9) and the information use and disclosure policies domain (9) had the
most barriers listed followed by the user and entity authentication domain (8), the
information authorization and access controls domain (8), and the information
protections domain (8).

Table 36. Business Practices and Barriers Identified by Domain for Healthcare
Operations/Marketing Scenarios.
                                                           Scenario                     Total
                       Domain                          11           12            #             %
1. User and entity authentication                      4/6          4/4         8/10            80%
2. Information authorization and access controls       4/6          4/4         8/10            80%
3. Patient and provider identification                 5/7          0/0          5/7            71%
4. Information transmission security                   5/7          4/4         9/11            82%
5. Information protections (modifications)             4/5          4/4          8/9            89%
6. Information audits                                  3/4          0/0          3/4            75%
7. Administrative or physical security safeguards      5/7          0/0          5/7            71%
8. State law restrictions                              0/0          0/0          0/0               -
9. Information use and disclosure policies             5/7          4/4         9/11            82%
Barriers/Business Practices                           35/49       20/20         55/69           80%
Percent Barriers                                      71%         100%




Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 37). One federal law (Title 45) was cited. Domain 9 Information use and
disclosure policies and Domain 4 Information transmission security received the most
citations (14).

Table 37. Number of Legal Drivers identified as Barriers Identified by Domain for
Healthcare Operations/Marketing Scenarios.
                                                                                  Domain
                        Legal Driver                         1    2    3     4      5      6       7    8       9    Total
Federal                                                      12   12   10    14     12         6   10       -   14      90
  Title 45. Public Welfare                                   12   12   10    14     12         6   10       -   14      90
    164.501 Security and Privacy: Definitions                 6    6     5    7       6        3    5       -    7      45
    164.508 Security and Privacy: Uses and disclosures for    6    6     5    7       6        3    5       -    7      45
    which an authorization is required.
Total                                                        12   12   10    14     12         6   10       -   14     90


        2.7.3     Critical Observations

Scenarios 11 and 12 address how to handle health information in association with
health care operations, administration and marketing. Forty-five percent of business
practices were associated with release of information. Medical and public health
schools contributed 45% of business practices. The domain with the highest proportion
of barriers was information protections with 89% of business practices coded as
barriers.

2.8.    Public Health/Bioterrorism (Scenario 13)
Scenario 13 was included to gather business practices related to bioterrorism (see
Table 38).

Table 38. Scenario 13.

Scenario 13: Bioterrorism event

Stakeholder organizations and exchanges:
   Laboratory (collecting data)
   Healthcare provider (transmitting data to public health)
   Public health department (receiving data from provider, providing data to gov’t agencies)
   Law enforcement (receiving data)
   Government agencies (receiving data)
   Patients

A provider sees a person who has anthrax, as determined through lab tests. The lab submits a
report on this case to the local public health department and notifies their organizational patient
safety officer. The public health department in the adjacent county has been contacted and has
confirmed that it is also seeing anthrax cases, and therefore this could be a possible bioterrorism
event. Further investigation confirms that this is a bioterrorism event, and the State declares an
emergency. This then shifts responsibility to a designated state authority to oversee and
coordinate a response, and involves alerting law enforcement, hospitals, hazmat teams, and
other partners, as well as informing the regional media to alert the public to symptoms and to seek
treatment if they feel affected. The State also notifies the Federal Government of the event, and some
federal agencies may have direct involvement in the event. All parties may need to be notified of
specific identifiable demographic and medical details of each case as they arise to identify the
source of the anthrax, locate and prosecute the parties responsible for distributing the anthrax,
and protect the public from further infection.


        2.8.1   Stakeholders

Hospitals and public health agencies contributed 88% of business practices for scenario
13 (see Table 39). Of the business practices submitted by hospitals, one of four was
coded as barriers. Of the business practices submitted by public health agencies, none
were coded as barriers.

Table 39. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for Public
Health/Bioterrorism Scenarios.
                                             Business Practices            Barriers             %
        Stakeholder Organization               #          %            #              %      Barriers*
Hospitals                                          4       50%              1         100%       25%
Public Health Agency                               3       38%              0           0%         0%
State Government                                   1       13%              0           0%         0%
Total                                              8      100%              1         100%       13%
Note: “% Barriers*” is the percent of business practices coded as barriers.



        2.8.2   Domains

There were 8 business practices for scenario 13, several of which had multiple domain
assignments resulting in 14 business practices across the nine domains for scenario 13
(see Table 40). Of these business practices, 21% (3) were
coded as barriers. All domains were represented except for information protections,
information audits, and state law restrictions. Domains with the highest proportion of
barriers were: information authorization and access controls (50% of business practices
were coded as barriers), user and entity authentication (33% of business practices were
coded as barriers), and information use and disclosure policy (25% of business
practices were coded as barriers). The user and entity authentication domain, the
authorization and access controls domain and the information use and disclosure
policies domains each had one barrier listed.




Table 40. Business Practices and Barriers Identified by Domain for Public
Health/Bioterrorism Scenarios.
                                                                    Scenario 13
                       Domain                                       #         %
1. User and entity authentication                                 1/3           33%
2. Information authorization and access controls                  1/2           50%
3. Patient and provider identification                            0/1            0%
4. Information transmission security                              0/1            0%
5. Information protections (modifications)                        0/0              -
6. Information audits                                             0/0              -
7. Administrative or physical security safeguards                 0/3            0%
8. State law restrictions                                          0/0             -
9. Information use and disclosure policies                        1/4           25%
Barriers/Business Practices                                       3/14          21%


Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 41). One federal law, Title 45, was cited.

Table 41. Number of Legal Drivers identified as Barriers Identified by Domain for
Public Health/Bioterrorism Scenarios.
                                                                                          Domain
                         Legal Driver                             1    2    3       4       5      6       7       8       9    Total
Federal                                                            1    1       -       -     -        -       -       -    1       3
  Title 45. Public Welfare                                         1    1       -       -     -        -       -       -    1       3
    164.512 Security and Privacy: Uses and disclosures for         1    1       -       -     -        -       -       -    1       3
    which an authorization or opportunity to agree or object is
    not required.
Total                                                             1    1        -       -     -        -       -       -   1       3


        2.8.3     Critical Observations

Scenario 13 addresses providing patient information related to specific symptoms to
appropriate entities where a threat is being investigated. Hospitals and public health
agencies contributed 88% of business practices for scenario 13. The domain with the
highest proportion of barriers was information authorization and access controls with
50% of business practices coded as barriers. The transfer of PHI represented 63% of
the business practices.



2.9.    Employee Health (Scenario 14)
Scenario 14 was included to gather business practices related to a transaction involving
employee health (see Table 42).




Table 42. Scenario 14.

Scenario 14: Employee Health Information Scenario

Stakeholder organizations and exchanges:
   Hospital emergency room (releasing health information)
   Employer human resources department (requesting health information)
   Employee

An employee (of any company) presents in the local emergency department for treatment of a
chronic condition, not work-related, that has been exacerbated. The employee’s condition
necessitates a four-day leave from work for illness. The employer requires a “return to work”
document for any illness requiring more than 2 days leave. The hospital Emergency Department
has an EHR and their practice is to cut and paste patient information directly from the EHR and
transmit the information via email to the Human Resources department of the patient's employer.




       2.9.1   Stakeholders

Hospitals and federal health facilities contributed 78% of business practices and 91% of
barriers for scenario 14 (see Table 43). Of the business practices submitted by
hospitals, 88% were coded as barriers. Of the business practices submitted by federal
health agencies, all were coded as barriers.


Table 43. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for Employee
Health Scenario.
                                            Business Practices            Barriers             %
        Stakeholder Organization              #          %            #              %      Barriers*
Hospitals                                         8       57%              7          64%       88%
Federal Health Facilities                         3       21%              3          27%     100%
Public Health Agency                              2       14%              1           9%       50%
State Government                                  1         7%             0           0%         0%
Total                                            14      100%             11         100%       79%
Note: “% Barriers*” is the percent of business practices coded as barriers.


       2.9.2   Domains

There were 14 business practices for scenario 14, several of which had multiple domain
assignments resulting in 22 business practices across the nine domains for scenario 14
(see Table 44). Of these business practices, 91% (20) were coded as barriers. All
domains were represented except for patient and provider identification, information
protections, and information audits. Domains with more than one business practice and
the highest proportion of barriers were: information use and disclosure policy (100% of
business practices were coded as barriers), user and entity authentication (100% of
business practices were coded as barriers), and administrative or physical security
safeguards (100% of business practices were coded as barriers). The information use
and disclosure policy domain (8) had the most barriers listed followed by the information
authorization and access controls domain (5), followed by the user and entity
authentication domain (4).

Table 44. Business Practices and Barriers Identified by Domain for Employee
Health Scenario.
                                                                Scenario 14
                       Domain                                   #         %
1. User and entity authentication                              4/4        100%
2. Information authorization and access controls               5/6          83%
3. Patient and provider identification                         0/0             -
4. Information transmission security                           0/1           0%
5. Information protections (modifications)                     0/0             -
6. Information audits                                          0/0             -
7. Administrative or physical security safeguards              2/2        100%
8. State law restrictions                                      1/1        100%
9. Information use and disclosure policies                     8/8        100%
Barriers/Business Practices                                   20/22         91%


Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 45). One federal law and one state law were cited. Seventy-five percent of
legal drivers were based on Title 45. Domain 9 Information use and disclosure policies
and Domain 2 Information authorization and access controls received the most
citations (7).

Table 45. Number of Legal Drivers identified as Barriers Identified by Domain for
Employee Health Scenario.
                                                                                         Domain
                        Legal Driver                          1     2    3       4         5      6       7       8     9    Total
Federal                                                        1     5       -       -       -        -       -    1     5      12
  Title 45. Public Welfare                                     1     5       -       -       -        -       -    1     5      12
     164.312 Security and Privacy: Technical safeguards.        -    2       -       -       -        -       -     -    2       4
     164.508 Security and Privacy: Uses and disclosures for    1     1       -       -       -        -       -    1     1       4
     which an authorization is required.
     Unspecified                                               -    2        -       -       -        -       -    -    2       4
State                                                          -    2        -       -       -        -       -    -    2       4
  Title 43A. Mental Health Unspecified                         -    2        -       -       -        -       -    -    2       4
Total                                                          1    7        -       -       -        -       -    1    7      16




        2.9.3    Critical Observations

Hospitals and federal health facilities contributed 78% of business practices. The
majority of business practices included authenticating the requester of the information
and determining the minimum necessary to share with employer. Release of
information and authentication represented 65% of the business practices. Seventy-five
percent of legal drivers were based on Title 45.


2.10. Public Health (Scenarios 15–17)
Scenarios 15, 16 and 17 were included to gather business practices related to common
public health functions (see Table 46).

Table 46. Scenarios 15-17.

Scenario 15: Public Health - Scenario A - Active carrier, communicable disease
notification

Stakeholder organizations and exchanges:
   Healthcare provider (primary care physician)
   Public health department
   Law enforcement
   Patient

A patient with active TB, still under treatment, has decided to move to a desert community that
focuses on spiritual healing, without informing his physician. The TB is classified MDR (multi-
drug resistant). The patient purchases a bus ticket - the bus ride will take a total of nine hours
with two rest stops across several states. State A is made aware of the patient's intent two hours
after the bus with the patient leaves. State A now needs to contact the bus company and other
states with the relevant information.


Scenario 16: Public Health - Scenario B - Newborn screening

Stakeholder organizations and exchanges:
   Healthcare provider (sending initial data to public health and lab, receiving data on follow
   up/eligibility)
   State laboratory (receiving data)
   State public health department (receiving data, sending data for program eligibility)

A newborn’s screening test comes up positive for a state-mandated screening test and the state
lab test results are made available to the child’s physicians and specialty care centers
specializing in the disorder via an Interactive Voice Response (IVR) system. The state lab also
enters the information in its registry, and tracks the child over time through the child’s physicians.
The state public health department provides services for this disorder and notifies the physician
that the child is eligible for those programs.


Scenario 17: Public Health - Scenario C - Homeless shelters

Stakeholder organizations and exchanges:
    Primary care provider (sending) and hospital-affiliated drug treatment center (receiving)
    the hospital-affiliated drug treatment clinic (releasing) and the county program (requesting for
    purposes of reimbursement)
    the hospital-affiliated drug treatment clinic (releasing) and the shelter (requesting to verify
    the treatment)
    the family member (requesting) and the shelter

Stakeholder entities:
   Health care consumer/patient
   Primary care provider
   Hospital-affiliated drug treatment center
   Homeless shelter
   Patient relative/family member

A homeless man arrives at a county shelter and is found to be a drug addict and in need of
medical care. The person does have a primary care provider, and he is sent there for medical
care. Primary care provider refers patient to a hospital-affiliated drug treatment clinic for his
addiction under a county program. The addiction center must report treatment information back
to the county for program reimbursement, and back to the shelter to verify that the person is in
treatment. Someone claiming to be a relation of the homeless man requests information from the
homeless shelter on all the health services the man has received. The staff at the homeless
shelter is working to connect the homeless man with his relative.




        2.10.1 Stakeholders

Public health agencies and federal health facilities contributed 69% of business
practices and 69% of barriers for scenarios 15, 16 and 17 (see Table 47). Of the
business practices submitted by public health agencies, 62% were coded as barriers. Of
the business practices submitted by federal health agencies, 60% were coded as
barriers.


Table 47. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for Public
Health Scenarios.
                                               Business Practices            Barriers             %
        Stakeholder Organization                 #          %            #              %      Barriers*
Public Health Agency                                13       50%              8          50%       62%
Federal Health Facilities                            5       19%              3          19%       60%
Hospitals                                            3       12%              2          13%       67%
Community Clinics and Health Centers                 2         8%             2          13%     100%
Physician Groups                                     2         8%             1           6%       50%
State Government                                     1         4%             0           0%         0%
Total                                               26      100%             16         100%       62%
Note: “% Barriers*” is the percent of business practices coded as barriers.




        2.10.2 Domains

There were 26 business practices for scenarios 15 through 17. Many business practices
had multiple domain assignments resulting in 107 business practices across the nine
domains for scenarios 15, 16 and 17 (see Table 48). Of these business practices, 71%
(76) were coded as barriers. All domains were represented. Domains with more than
one business practice and the highest proportion of barriers were: user and entity
authentication (81% of business practices were coded as barriers), information
authorization and access controls (81% of business practices were coded as barriers),
and information use and disclosure policy (80% of business practices were coded as
barriers). There was considerable variability in the domains represented by scenario 15
compared to the other two scenarios. All of the business practices identified for
scenario 15 fell into the domain of state law restrictions. Across the three scenarios, the
user and entity authentication domain (13) and the information authorization and access
controls domain (13) had the most barriers listed followed by the information use and
disclosure domain (12).

Table 48. Business Practices and Barriers Identified by Domain for Public Health
Scenarios.
                                                                         Scenario                                 Total
                       Domain                                 15            16                  17            #             %
1. User and entity authentication                             0/0           3/4                10/12        13/16           81%
2. Information authorization and access controls              0/0           3/4                10/12        13/16           81%
3. Patient and provider identification                        0/0           3/4                 7/9         10/13           77%
4. Information transmission security                          0/0           3/4                 7/9         10/13           77%
5. Information protections (modifications)                    0/0           2/2                 3/5          5/7            71%
6. Information audits                                         0/0           3/4                 2/4          5/8            63%
7. Administrative or physical security safeguards             0/0           3/4                 1/3          4/7            57%
8. State law restrictions                                     0/7           1/1                 3/4          4/12           33%
9. Information use and disclosure policies                    0/0           4/5                8/10         12/15           80%
Barriers/Business Practices                                   0/7         25/32                51/68        76/107          71%
Percent Barriers                                              0%           78%                 75%


Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 49). Two federal laws and three state laws were cited. Sixty-four percent of
legal drivers were based on Federal laws with Title 45 representing 68% of federal laws
cited. Among state laws cited, Title 63 received the most mentions. Domain 2
Information authorization and access controls received the most citations (16).

Table 49. Number of Legal Drivers identified as Barriers Identified by Domain for
Public Health Scenarios.
                                                                                 Domain
                        Legal Driver                               1   2   3   4   5   6   7   8   9  Total
Federal                                                            5   8   5   5   2   2   1   1   5     34
  Title 42. Public Health                                          2   3   2   2   -   -   -   -   2     11
    2.14 Confidentiality Of Alcohol And Drug Abuse Patient         -   1   -   -   -   -   -   -   -      1
    Records: Form of written consent Minor Consent.
    Unspecified                                                    2   2   2   2   -   -   -   -   2     10
  Title 45. Public Welfare                                         3   5   3   3   2   2   1   1   3     23
    164.502 Security and Privacy: Uses and disclosures of          -   1   -   -   -   -   -   -   -      1
    protected health information: general rules
    164.508 Security and Privacy: Uses and disclosures for         2   2   2   2   1   1   -   1   2     13
    which an authorization is required.
    164.512 Security and Privacy: Uses and disclosures for         1   1   1   1   1   1   1   -   1      8
    which an authorization or opportunity to agree or object is
    not required.
    Unspecified                                                    -   1   -   -   -   -   -   -   -      1
State                                                              2   8   2   2   1   1   1   -   2     19
  Title 12. Civil Procedure                                        -   1   -   -   -   -   -   -   -      1
    2503 Physician and Psychotherapist-Patient Privilege           -   1   -   -   -   -   -   -   -      1
  Title 43A. Mental Health                                         -   4   -   -   -   -   -   -   -      4
    1.109 Privileged, Confidential Nature of Medical Records       -   1   -   -   -   -   -   -   -      1
    and Communications Between Physician or
    Psychotherapist and Patient
    16 Office, Records and Files.                                  -   1   -   -   -   -   -   -   -      1
    6.503 Admission for Inpatient Mental Health or                 -   1   -   -   -   -   -   -   -      1
    Substance Abuse Treatment
    Unspecified                                                    -   1   -   -   -   -   -   -   -      1
  Title 63. Public Health and Safety                               2   3   2   2   1   1   1   -   2     14
    Unspecified                                                    1   2   1   1   -   -   -   -   1      6
    1.401 Definitions                                              1   1   1   1   1   1   1   -   1      8
Total                                                              7  16   7   7   3   3   2   1   7     53

        2.10.3 Critical Observations

Scenarios 15, 16 and 17 address public health issues relating to providing patient
information on a communicable disease, disease screenings and complying with
minimum necessary guidelines. Transfer of PHI represented 65% of identified business
practices. Sixty-four percent of legal drivers were based on Federal laws with Title 45
representing 68% of federal laws cited.


2.11. State Government Oversight (Scenario 18)
Scenario 18 was included to gather business practices related to legal
compliance/government accountability (see Table 50).

Table 50. Scenario 18.

Scenario 18: Health Oversight: Legal compliance/government accountability

Stakeholder organizations and exchanges:
   State university faculty (requesting health information)
   State public health agencies (asked to provide health information)

The Governor’s office has expressed concern about compliance with immunization and lead
screening requirements among low income children who do not receive consistent health care.
The state agencies responsible for public health, child welfare and protective services, Medicaid
services, and education are asked to share identifiable patient level health care data on an
ongoing basis to determine if the children are getting the healthcare they need. This is not part
of a legislative mandate. The Governor in this state and those in the surrounding states have
discussed sharing this information to determine if patients migrate between states for these
services. Because of the complexity of the task, the Governor has asked each agency to
provide these data to faculty at the state university medical campus who will design a system for
integrating and analyzing the data. There is no existing contract with the state university for
services of this nature.



        2.11.1 Stakeholders

Medical and public health schools and public health agencies contributed all of the
business practices for scenario 18 (see Table 51). All of the business practices
submitted were coded as barriers.


Table 51. Business Practices Generated, Barriers Identified, and Percent of
Business Practices Coded as Barriers, by Stakeholder Organization for State
Government Oversight Scenario.
                                            Barriers        Business Practices        %
        Stakeholder Organization            #       %          #         %        Barriers*
Medical and Public Health Schools           2      50%         2        50%         100%
Public Health Agency                        2      50%         2        50%         100%
Total                                       4     100%         4       100%         100%
Note: “% Barriers*” is the percent of business practices coded as barriers.



        2.11.2 Domains

There were 4 business practices for scenario 18, several of which had multiple domain
assignments resulting in 24 business practices across the nine domains for scenario 18
(see Table 52). Of these business practices, all were coded as barriers. All domains
were represented except for information protections. Patient and provider identification
received the most mentions. The patient and provider identification domain (4) had the
most barriers listed followed by the user and entity authentication domain (3), the
information authorization and access controls domain (3), the information transmission
security domain (3), the administrative or physical security safeguards domain (3), the
state law restrictions domain (3) and the information use and disclosure policy domain
(3).

Table 52. Business Practices and Barriers Identified by Domain for State
Government Oversight Scenario.
                                                           Scenario 18
                      Domain                               #         %
1. User and entity authentication                         3/3        100%
2. Information authorization and access controls          3/3        100%
3. Patient and provider identification                    4/4        100%
4. Information transmission security                      3/3        100%
5. Information protections (modifications)                0/0          -
6. Information audits                                     2/2        100%
7. Administrative or physical security safeguards         3/3        100%
8. State law restrictions                                 3/3        100%
9. Information use and disclosure policies                3/3        100%
Barriers/Business Practices                              24/24       100%


Legal Drivers
Legal drivers for business practices coded as barriers were counted within each domain
(see Table 53). One federal law was cited: Title 45, 164.512, "Uses and disclosures for
which an authorization or opportunity to agree or object is not required."


Table 53. Number of Legal Drivers identified as Barriers Identified by Domain for
State Government Oversight Scenario.
                                                                               Domain
                         Legal Driver                             1    2    3    4    5    6    7    8    9    Total
Federal                                                           2    2    3    2    -    2    2    2    2      17
  Title 45. Public Welfare                                        2    2    3    2    -    2    2    2    2      17
    164.512 Security and Privacy: Uses and disclosures for        2    2    2    2    -    2    2    2    2      16
    which an authorization or opportunity to agree or object is
    not required.
    Unspecified                                                   -    -    1    -    -    -    -    -    -       1
Total                                                             2    2    3    2    -    2    2    2    2      17


        2.11.3 Critical Observations

Scenario 18 on healthcare oversight activities included securing contractual agreements
as well as IRB approval to share appropriate information. Medical and public health
schools and public health agencies contributed all of the business practices for this
scenario. One federal law was cited: Title 45, 164.512, "Uses and disclosures for which
an authorization or opportunity to agree or object is not required."




3.     Summary of Critical Observations and Key Issues

The Variations Working Group identified over 200 organization-level business practices
of health information exchange as they relate to privacy and security. The business
practices reflect variation across organizations in securing consent, releasing
information and how that information is transferred. There is very little health
information being exchanged electronically across organizations in Oklahoma other
than for billing purposes or within state and federal government. Most healthcare
providers currently maintain paper-based patient records; however, the idea of
electronic exchange is attractive to health care providers. Most transfer of PHI is via
fax, mail, telephone or courier. There is a wide disparity in how organizations using
current technologies verify that information was received by the proper organization.
Some organizations call ahead to verify the fax number and call back to confirm receipt,
while some simply dial the number and hit send. Across all business practices there is a
generally conservative approach to interpreting HIPAA, which is resulting in a more
restrictive approach to health information exchange.

Legal Drivers
There were two federal laws and four state laws identified by stakeholders for business
practices coded as barriers to exchange of health information. Across all domains, 77%
of legal drivers were from federal regulations. Of the federal legal drivers, 78% were
from Title 45. Of the state laws, the most cited was Title 43A, Mental Health, accounting
for 12% of legal drivers, followed by Title 63, Public Health and Safety, and Title 12,
Civil Procedure, each representing five percent of cited legal barriers.

Barriers
In addition to identifying business practices, underlying root causes were documented to
better understand and move into the solution and implementation phases of the project.
The significant barriers were not typically the business practices but the point or source
that caused the practice to be put into place.

Concerns regarding liability are inhibiting transfer of information between health care
providers in Oklahoma. Fear of lawsuits, fraud, malicious browsing, and unintentional
HIPAA violations have essentially shut down health information exchange between
organizations that have the technology in place. In addition, the cost involved with
hardware and software purchases to implement and coordinate electronic systems is a
barrier for most practices and clinics in the state. As critical as cost was the fact that
most of the physicians wanted to avoid investing in a system that would possibly be
outdated in a year or two based on legislation, standards or advances in technology.

Discussion on information use and disclosure policies focused on why the response to
HIPAA and other privacy and security regulations is typically so conservative. The
consensus was that there is a general lack of understanding of HIPAA and what can be
released and under what conditions. In an effort to be sure that they are in compliance,
the most restrictive approach to privacy and security is being applied in most cases.




Information authorization and access generated a number of questions surrounding the
issue of control, the amount of information shared and who monitors or audits the
access of information. There are no standards for who should conduct information
audits, when or how they should be conducted, or what information should be audited.
Concerns range from computer storage issues, which would require additional hardware
expense, to consistency across organizations as to how or what audit trails are conducted.

With electronic records, modifying or copying the record becomes easier, and this
increases the need for monitoring and recording changes. Questions regarding
protection against improper modification of records included: What is the protocol for
changing the record and who has the authority to do it? When is it appropriate for a
record to be modified? How do we standardize how modification of records occurs
across organizations?

The business practice documentation stage provided useful insight into the varying
approaches to privacy and security protections as they relate to health information
exchange. The diverse group of stakeholder organizations supplied practices as well as
explanations of why each practice is in place. The underlying cause, in addition to the
business practice, provides the state with valuable information to move into the
solutions and implementation stage of this project.




4.     Appendix




Business Practices by Scenario, Domain, and Stakeholder.

Scenario: 1
   Domain:         1
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                         Policy                                                Legal Driver
        #         Short Name               Description                                                      Class Short Name              Description                   Narrative                              Code/Statute
        OK01.06    Determination of        Determination whether 89 yr old is able to give consent or       Barrier                                                     No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter is able to give consent. Access health                                                                  emergency situation
                                           record and information electronically even information
                                           maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                                                Legal Driver
        #         Short Name               Description                                                      Class Short Name              Description                   Narrative                              Code/Statute
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically        Barrier admin/technology                                    No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally                issues                                              emergency situations
                                           competent?
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or       Barrier                                                     No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                                                emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical        Barrier                                                                                            Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                                                PHI confidentiality mental health
                                           health records.                                                                                                                                                     and physical health.
        OK01.20    Obtain consent when Foremost, ascertain EXACTLY what the sharing hospital                Barrier                                                     No consent required for treatment in   No legal driver
                   patient incapable of requires for consent in such situations (specific consent form                                                                  emergency situations
                   signing consent form for next of kin, verbal consent, etc.). If next-of-kin is on file
                                        with the sharing-institution as emergency contact or POA
                                        then can have her/him sign consent.
        OK01.21    Obtain consent when If sharing hospital has next-of-kin or POA on file as                Barrier Confidentiality/lia                                 No consent required for treatment in   No legal driver
                   patient incapable of emergency contact for the patient, they will often accept                   bility                                              emergency situation
                   signing consent form verbal consent for release from that person (with additional
                                        "witness" from their institution to verify verbal consent)
        OK01.19    Obtain PHI during       If so advised, must call back during business hours. Can         Barrier                                                                                            No legal driver
                   non-business hours.     sometimes ascertain who has the authority to get into
                                           records department during non-business hours and obtain
                                           info that way (assuming consent is obtained).
        OK01.18    Obtain PHI via          Release for info provided will carry through two hospitals,      Neutral Request more          Amount of info received is    No consent needed for treatment in     No legal driver
                   previous consent        therefore a med institution might use a previous release to              info than needed      generally less than amount    an emergency situation
                   documentation           obtain PHI.                                                                                    requested. If ask for more
                                                                                                                                          than needed, an institution
                                                                                                                                          might get enough.


Monday, October 30, 2006                                                                                                                                                                                                         Page 1 of 152
        OK01.17    Obtaining PHI          Fax release form which allows sharing-institution to fax           Barrier                                                                     HIPAA Security
                   sufficient to treat    medical records to receiving-institution. Sharing-institution will
                   patient from the       only release info specifically requested by receiving-
                   sharing-institution    institution.
        OK01.07    Transfer of PHI        If individual administrators/physicians know one another then Neutral Patient privilege                                                        No legal driver
                   between providers in   provider authentication is not an issue. Therefore, verbal
                   an emergency           transfer of PHI (via phone, for example) necessary for
                   situation              treatment in an emergent situation can occur. If physical
                                          records become necessary, must request through legitimate
                                          channels.

      Stakeholder: Physician Groups
        Business Practice                                                                                         Policy                          Legal Driver
        #         Short Name              Description                                                       Class Short Name        Description   Narrative                              Code/Statute
        OK01.07    Transfer of PHI        If individual administrators/physicians know one another then Neutral Patient privilege                                                        No legal driver
                   between providers in   provider authentication is not an issue. Therefore, verbal
                   an emergency           transfer of PHI (via phone, for example) necessary for
                   situation              treatment in an emergent situation can occur. If physical
                                          records become necessary, must request through legitimate
                                          channels.

   Domain:         2
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                         Policy                          Legal Driver
        #         Short Name              Description                                                       Class Short Name        Description   Narrative                              Code/Statute
        OK01.06    Determination of       Determination whether 89 yr old is able to give consent or        Barrier                               No consent required for treatment in   No legal driver
                   Patient Competency     whether the daughter is able to give consent. Access health                                             emergency situation
                                          record and information electronically even information
                                          maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                                                Legal Driver
        #         Short Name               Description                                                       Class Short Name              Description                   Narrative                              Code/Statute
        OK01.10    Accounting for          When asked to restrict certain info in the medical file,          Barrier                                                     Policy or privacy statement must       HIPAA 45 CFR 164.522
                   patients who wish to    hospitals can and often do refuse the request due to                                                                          reflect institution-stipulations
                   offer consent with      unnecessary record-keeping burden. Institutions can provide
                   certain restrictions    the file-copy to the patient and allow them to make info
                                           desired available. This does not change their official hospital
                                           record, but merely makes the info available to the patient to
                                           distribute as they wish.
        OK01.12    Appropriate release     Receive PHI containing physician-commentary from a                Barrier Liability                                                                                  OS 43A 1-109
                   to patient of their     separate treatment facility (with consent). Must ascertain
                   own PHI acquired        what portion of the PHI being received is appropriate for
                   from another            patient consumption so that if patient requests their records
                   treatment facility      the will not be presented with any information that may
                                           possibly affect their mental health. If mental health is an
                                           issue, physician comments could be potentially harmful to
                                           patient.
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically         Barrier admin/technology                                    No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally                 issues                                              emergency situations
                                           competent?
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or        Barrier                                                     No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                                                 emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical         Barrier                                                                                            Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                                                 PHI confidentiality mental health
                                           health records.                                                                                                                                                      and physical health.
        OK01.21    Obtain consent when If sharing hospital has next-of-kin or POA on file as                 Barrier Confidentiality/lia                                 No consent required for treatment in   No legal driver
                   patient incapable of emergency contact for the patient, they will often accept                    bility                                              emergency situation
                   signing consent form verbal consent for release from that person (with additional
                                        "witness" from their institution to verify verbal consent)
        OK01.19    Obtain PHI during       If so advised, must call back during business hours. Can          Barrier                                                                                            No legal driver
                   non-business hours.     sometimes ascertain who has the authority to get into
                                           records department during non-business hours and obtain
                                           info that way (assuming consent is obtained).
        OK01.18    Obtain PHI via          Release for info provided will carry through two hospitals,       Neutral Request more          Amount of info received is    No consent needed for treatment in     No legal driver
                   previous consent        therefore a med institution might use a previous release to               info than needed      generally less than amount    an emergency situation
                   documentation           obtain PHI.                                                                                     requested. If ask for more
                                                                                                                                           than needed, an institution
                                                                                                                                           might get enough.




        OK01.17    Obtaining PHI            Fax release form which allows sharing-institution to fax           Barrier                                                                        HIPAA Security
                   sufficient to treat      medical records to receiving-institution. Sharing-institution will
                   patient from the         only release info specifically requested by receiving-
                   sharing-institution      institution.
        OK01.13    Reasonable               Healthcare institutions may put restrictions on mental health     Barrier Guardians of the                                                        OS 43A 1-109
                   restriction on release   records due to fear that the receiving institution will provide           record
                   of patient mental        info (considered confidential to the sharing healthcare
                   health records           provider) to the patient.
        OK01.07    Transfer of PHI          If individual administrators/physicians know one another then Neutral Patient privilege                                                           No legal driver
                   between providers in     provider authentication is not an issue. Therefore, verbal
                   an emergency             transfer of PHI (via phone, for example) necessary for
                   situation                treatment in an emergent situation can occur. If physical
                                            records become necessary, must request through legitimate
                                            channels.

      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                              Legal Driver
        #         Short Name                Description                                                       Class Short Name            Description   Narrative                             Code/Statute
        OK01.09    Appropriate release      Info can only be released with patient-consent or if court        Barrier Patient privilege                 Law enforcement can request           Title 47 Section 752.
                   of PHI to law            order presented.                                                                                            additional blood be drawn.
                   enforcement officials                                                                                                                (***Changes to Oklahoma Law, 43A
                                                                                                                                                        1-109, effective November 1st, 2006).
        OK01.14    Obtaining additional Request staff obtain the info via faxed/mailed release forms          Barrier                                                                         No legal driver
                   PHI from sharing-     and/or faxed/mailed requests for additional info based on
                   institution (after    previous consent form.
                   having already
                   received certain PHI)
        OK01.07    Transfer of PHI          If individual administrators/physicians know one another then Neutral Patient privilege                                                           No legal driver
                   between providers in     provider authentication is not an issue. Therefore, verbal
                   an emergency             transfer of PHI (via phone, for example) necessary for
                   situation                treatment in an emergent situation can occur. If physical
                                            records become necessary, must request through legitimate
                                            channels.

   Domain:         3




      Stakeholder: Federal Health Facilities
        Business Practice                                                                                         Policy                                                Legal Driver
        #         Short Name               Description                                                      Class Short Name              Description                   Narrative                              Code/Statute
        OK01.06    Determination of        Determination whether 89 yr old is able to give consent or       Barrier                                                     No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter is able to give consent. Access health                                                                  emergency situation
                                           record and information electronically even information
                                           maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                                                Legal Driver
        #         Short Name               Description                                                      Class Short Name              Description                   Narrative                              Code/Statute
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or       Barrier                                                     No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                                                emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically        Barrier admin/technology                                    No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally                issues                                              emergency situations
                                           competent?
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical        Barrier                                                                                            Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                                                PHI confidentiality mental health
                                           health records.                                                                                                                                                     and physical health.
        OK01.20    Obtain consent when Foremost, ascertain EXACTLY what the sharing hospital                Barrier                                                     No consent required for treatment in   No legal driver
                   patient incapable of requires for consent in such situations (specific consent form                                                                  emergency situations
                   signing consent form for next of kin, verbal consent, etc.). If next-of-kin is on file
                                        with the sharing-institution as emergency contact or POA
                                        then can have her/him sign consent.
        OK01.21    Obtain consent when If sharing hospital has next-of-kin or POA on file as                Barrier Confidentiality/                                    No consent required for treatment in   No legal driver
                   patient incapable of emergency contact for the patient, they will often accept                   liability                                           emergency situation
                   signing consent form verbal consent for release from that person (with additional
                                        "witness" from their institution to verify verbal consent)
        OK01.19    Obtain PHI during       If so advised, must call back during business hours. Can         Barrier                                                                                            No legal driver
                   non-business hours.     sometimes ascertain who has the authority to get into
                                           records department during non-business hours and obtain
                                           info that way (assuming consent is obtained).
        OK01.18    Obtain PHI via          Release for info provided will carry through two hospitals,      Neutral Request more          Amount of info received is    No consent needed for treatment in     No legal driver
                   previous consent        therefore a med institution might use a previous release to              info than needed      generally less than amount    an emergency situation
                   documentation           obtain PHI.                                                                                    requested. If ask for more
                                                                                                                                          than needed, an institution
                                                                                                                                          might get enough.




        OK01.17    Obtaining PHI          Fax release form which allows sharing-institution to fax           Barrier                                                                     HIPAA Security
                   sufficient to treat    medical records to receiving-institution. Sharing-institution will
                   patient from the       only release info specifically requested by receiving-
                   sharing-institution    institution.
        OK01.07    Transfer of PHI        If individual administrators/physicians know one another then Neutral Patient privilege                                                        No legal driver
                   between providers in   provider authentication is not an issue. Therefore, verbal
                   an emergency           transfer of PHI (via phone, for example) necessary for
                   situation              treatment in an emergent situation can occur. If physical
                                          records become necessary, must request through legitimate
                                          channels.

      Stakeholder: Physician Groups
        Business Practice                                                                                         Policy                          Legal Driver
        #         Short Name              Description                                                       Class Short Name        Description   Narrative                              Code/Statute
        OK01.16    Obtain PHI directly,   If prescription med found in patient's belongings, attempt to     Neutral                                                                      No legal driver
                   via patient            verify that it is the patient's medication by comparing name
                   medications            on med-label to patient photo-ID. Use the label to infer
                                          evidence of medical history (name of medication and
                                          possibly the reason prescribed could be found here). No
                                          assumptions to be made about patient-consumption of the
                                          medication, as there is no way to know when patient took
                                          last (if any) dose.
        OK01.07    Transfer of PHI        If individual administrators/physicians know one another then Neutral Patient privilege                                                        No legal driver
                   between providers in   provider authentication is not an issue. Therefore, verbal
                   an emergency           transfer of PHI (via phone, for example) necessary for
                   situation              treatment in an emergent situation can occur. If physical
                                          records become necessary, must request through legitimate
                                          channels.

   Domain:         4
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                         Policy                          Legal Driver
        #         Short Name              Description                                                       Class Short Name        Description   Narrative                              Code/Statute
        OK01.06    Determination of       Determination whether 89 yr old is able to give consent or        Barrier                               No consent required for treatment in   No legal driver
                   Patient Competency     whether the daughter is able to give consent. Access health                                             emergency situation
                                          record and information electronically even information
                                          maintained in another state. (Modification-VA hospital)


      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                                             Legal Driver
        #         Short Name               Description                                                       Class Short Name           Description                   Narrative                              Code/Statute
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or        Barrier                                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                                              emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically         Barrier admin/technology                                 No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally                 issues                                           emergency situations
                                           competent?
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical         Barrier                                                                                         Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                                              PHI confidentiality mental health
                                           health records.                                                                                                                                                   and physical health.
        OK01.18    Obtain PHI via          Release for info provided will carry through two hospitals,       Neutral Request more       Amount of info received is    No consent needed for treatment in     No legal driver
                   previous consent        therefore a med institution might use a previous release to               info than needed   generally less than amount    an emergency situation
                   documentation           obtain PHI.                                                                                  requested. If ask for more
                                                                                                                                        than needed, an institution
                                                                                                                                        might get enough.
        OK01.17    Obtaining PHI           Fax release form which allows sharing-institution to fax           Barrier                                                                                        HIPAA Security
                   sufficient to treat     medical records to receiving-institution. Sharing-institution will
                   patient from the        only release info specifically requested by receiving-
                   sharing-institution     institution.

      Stakeholder: Physician Groups
        Business Practice                                                                                          Policy                                             Legal Driver
        #         Short Name               Description                                                       Class Short Name           Description                   Narrative                              Code/Statute
        OK01.14    Obtaining additional Request staff obtain the info via faxed/mailed release forms         Barrier                                                                                         No legal driver
                   PHI from sharing-     and/or faxed/mailed requests for additional info based on
                   institution (after    previous consent form.
                   having already
                   received certain PHI)

   Domain:         5
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                                             Legal Driver
        #         Short Name               Description                                                       Class Short Name           Description                   Narrative                              Code/Statute
        OK01.06    Determination of        Determination whether 89 yr old is able to give consent or        Barrier                                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter is able to give consent. Access health                                                                emergency situation
                                           record and information electronically even information
                                           maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically       Barrier admin/technology                 No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally               issues                           emergency situations
                                           competent?
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or      Barrier                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                            emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical       Barrier                                                                         Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                            PHI confidentiality mental health
                                           health records.                                                                                                                                 and physical health.

   Domain:         6
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK01.06    Determination of        Determination whether 89 yr old is able to give consent or      Barrier                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter is able to give consent. Access health                                              emergency situation
                                           record and information electronically even information
                                           maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or      Barrier                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                            emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically       Barrier admin/technology                 No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally               issues                           emergency situations
                                           competent?
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical       Barrier                                                                         Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                            PHI confidentiality mental health
                                           health records.                                                                                                                                 and physical health.

   Domain:         7


      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK01.06    Determination of        Determination whether 89 yr old is able to give consent or      Barrier                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter is able to give consent. Access health                                              emergency situation
                                           record and information electronically even information
                                           maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or      Barrier                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                            emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically       Barrier admin/technology                 No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally               issues                           emergency situations
                                           competent?
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical       Barrier                                                                         Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                            PHI confidentiality mental health
                                           health records.                                                                                                                                 and physical health.
        OK01.19    Obtain PHI during       If so advised, must call back during business hours. Can        Barrier                                                                         No legal driver
                   non-business hours.     sometimes ascertain who has the authority to get into
                                           records department during non-business hours and obtain
                                           info that way (assuming consent is obtained).

   Domain:         8
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK01.06    Determination of        Determination whether 89 yr old is able to give consent or      Barrier                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter is able to give consent. Access health                                              emergency situation
                                           record and information electronically even information
                                           maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute

        OK01.10    Accounting for          When asked to restrict certain info in the medical file,          Barrier                                                  Policy or privacy statement must       HIPAA 45 CFR 164.522
                   patients who wish to    hospitals can and often do refuse the request due to                                                                       reflect institution-stipulations
                   offer consent with      unnecessary record-keeping burden. Institutions can provide
                   certain restrictions    the file-copy to the patient and allow them to make info
                                           desired available. This does not change their official hospital
                                           record, but merely makes the info available to the patient to
                                           distribute as they wish.
        OK01.12    Appropriate release     Receive PHI containing physician-commentary from a                Barrier Liability                                                                               OS 43A 1-109
                   to patient of their     separate treatment facility (with consent). Must ascertain
                   own PHI acquired        what portion of the PHI being received is appropriate for
                   from another            patient consumption so that if patient requests their records
                   treatment facility      they will not be presented with any information that may
                                           possibly affect their mental health. If mental health is an
                                           issue, physician comments could be potentially harmful to
                                           patient.
        OK01.05    Determination of        Determination whether 89 yr old is able to give consent or        Barrier                                                  No consent required for treatment in   No legal driver
                   Patient Competency      whether the daughter (next of kin) is able to give consent as                                                              emergency situation
                                           power of attorney. Ask daughter if she can show proof of
                                           Power of Attorney.
        OK01.04    Determination of        Determine competency of 89 yr old. Contact electronically         Barrier admin/technology                                 No consent required for treatment in   No legal driver
                   Patient Competency      other hospital for competency information. Is she legally                 issues                                           emergency situations
                                           competent?
        OK01.02    Mental health history   Mental healthcare network does not coincide with physical         Barrier                                                                                         Practice HIPAA to segregate
                   needed                  health care network. Must receive and examine mental                                                                                                              PHI confidentiality mental health
                                           health records.                                                                                                                                                   and physical health.
        OK01.20    Obtain consent when Foremost, ascertain EXACTLY what the sharing hospital                 Barrier                                                  No consent required for treatment in   No legal driver
                   patient incapable of requires for consent in such situations (specific consent form                                                                emergency situations
                   signing consent form for next of kin, verbal consent, etc.). If next-of-kin is on file
                                        with the sharing-institution as emergency contact or POA
                                        then can have her/him sign consent.
        OK01.19    Obtain PHI during       If so advised, must call back during business hours. Can          Barrier                                                                                         No legal driver
                   non-business hours.     sometimes ascertain who has the authority to get into
                                           records department during non-business hours and obtain
                                           info that way (assuming consent is obtained).
        OK01.18    Obtain PHI via          Release for info provided will carry through two hospitals,       Neutral Request more       Amount of info received is    No consent needed for treatment in     No legal driver
                   previous consent        therefore a med institution might use a previous release to               info than needed   generally less than amount    an emergency situation
                   documentation           obtain PHI.                                                                                  requested. If ask for more
                                                                                                                                        than needed, an institution
                                                                                                                                        might get enough.



Scenario: 1
   Domain:         8
      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK01.13    Reasonable               Healthcare institutions may put restrictions on mental health     Barrier Guardians of the                                                        OS 43A 1-109
                   restriction on release   records due to fear that the receiving institution will provide           record
                   of patient mental        info (considered confidential to the sharing healthcare
                   health records           provider) to the patient.

   Domain:         9
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK01.06    Determination of         Determination whether 89 yr old is able to give consent or        Barrier                                  No consent required for treatment in   No legal driver
                   Patient Competency       whether the daughter is able to give consent. Access health                                                emergency situation
                                            record and information electronically even information
                                            maintained in another state. (Modification-VA hospital)

      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK01.10    Accounting for           When asked to restrict certain info in the medical file,          Barrier                                  Policy or privacy statement must       HIPAA 45 CFR 164.522
                   patients who wish to     hospitals can and often do refuse the request due to                                                       reflect institution-stipulations
                   offer consent with       unnecessary record-keeping burden. Institutions can provide
                   certain restrictions     the file-copy to the patient and allow them to make info
                                            desired available. This does not change their official hospital
                                            record, but merely makes the info available to the patient to
                                            distribute as they wish.
        OK01.12    Appropriate release      Receive PHI containing physician-commentary from a                Barrier Liability                                                               OS 43A 1-109
                   to patient of their      separate treatment facility (with consent). Must ascertain
                   own PHI acquired         what portion of the PHI being received is appropriate for
                   from another             patient consumption so that if patient requests their records
                   treatment facility       they will not be presented with any information that may
                                            possibly affect their mental health. If mental health is an
                                            issue, physician comments could be potentially harmful to
                                            patient.
        OK01.04    Determination of         Determine competency of 89 yr old. Contact electronically         Barrier admin/technology                 No consent required for treatment in   No legal driver
                   Patient Competency       other hospital for competency information. Is she legally                 issues                           emergency situations
                                            competent?




        Business Practice                                                                                           Policy                                                Legal Driver
        #         Short Name                Description                                                       Class Short Name              Description                   Narrative                              Code/Statute
        OK01.05    Determination of         Determination whether 89 yr old is able to give consent or        Barrier                                                     No consent required for treatment in   No legal driver
                   Patient Competency       whether the daughter (next of kin) is able to give consent as                                                                 emergency situation
                                            power of attorney. Ask daughter if she can show proof of
                                            Power of Attorney.
        OK01.02    Mental health history    Mental healthcare network does not coincide with physical         Barrier                                                                                            Practice HIPAA to segregate
                   needed                   health care network. Must receive and examine mental                                                                                                                 PHI confidentiality mental health
                                            health records.                                                                                                                                                      and physical health.
        OK01.20    Obtain consent when Foremost, ascertain EXACTLY what the sharing hospital                  Barrier                                                     No consent required for treatment in   No legal driver
                   patient incapable of requires for consent in such situations (specific consent form                                                                    emergency situations
                   signing consent form for next of kin, verbal consent, etc.). If next-of-kin is on file
                                        with the sharing-institution as emergency contact or POA
                                        then can have her/him sign consent.
        OK01.21    Obtain consent when If sharing hospital has next-of-kin or POA on file as                  Barrier Confidentiality/lia                                 No consent required for treatment in   No legal driver
                   patient incapable of emergency contact for the patient, they will often accept                     bility                                              emergency situation
                   signing consent form verbal consent for release from that person (with additional
                                        "witness" from their institution to verify verbal consent)
        OK01.19    Obtain PHI during        If so advised, must call back during business hours. Can          Barrier                                                                                            No legal driver
                   non-business hours.      sometimes ascertain who has the authority to get into
                                            records department during non-business hours and obtain
                                            info that way (assuming consent is obtained).
        OK01.18    Obtain PHI via           Release for info provided will carry through two hospitals,       Neutral Request more          Amount of info received is    No consent needed for treatment in     No legal driver
                   previous consent         therefore a med institution might use a previous release to               info than needed      generally less than amount    an emergency situation
                   documentation            obtain PHI.                                                                                     requested. If ask for more
                                                                                                                                            than needed, an institution
                                                                                                                                            might get enough.
        OK01.17    Obtaining PHI            Fax release form which allows sharing-institution to fax           Barrier                                                                                           HIPAA Security
                   sufficient to treat      medical records to receiving-institution. Sharing-institution will
                   patient from the         only release info specifically requested by receiving-
                   sharing-institution      institution.
        OK01.13    Reasonable               Healthcare institutions may put restrictions on mental health     Barrier Guardians of the                                                                           OS 43A 1-109
                   restriction on release   records due to fear that the receiving institution will provide           record
                   of patient mental        info (considered confidential to the sharing healthcare
                   health records           provider) to the patient.
        OK01.07    Transfer of PHI          If individual administrators/physicians know one another then Neutral Patient privilege                                                                              No legal driver
                   between providers in     provider authentication is not an issue. Therefore, verbal
                   an emergency             transfer of PHI (via phone, for example) necessary for
                   situation                treatment in an emergent situation can occur. If physical
                                            records become necessary, must request through legitimate
                                            channels.



Scenario: 1
   Domain:         9
      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                              Legal Driver
        #         Short Name               Description                                                     Class Short Name            Description   Narrative                              Code/Statute
        OK01.09    Appropriate release     Info can only be released with patient-consent or if court      Barrier Patient privilege                 Law enforcement can request           Title 47 Section 752.
                   of PHI to law           order presented.                                                                                          additional blood be drawn.
                   enforcement officials                                                                                                             (***Changes to Oklahoma Law, 43A
                                                                                                                                                     1-109, effective November 1st, 2006).
        OK01.14    Obtaining additional Request staff obtain the info via faxed/mailed release forms       Barrier                                                                          No legal driver
                   PHI from sharing-     and/or faxed/mailed requests for additional info based on
                   institution (after    previous consent form.
                   having already
                   received certain PHI)
        OK01.07    Transfer of PHI         If individual administrators/physicians know one another then Neutral Patient privilege                                                          No legal driver
                   between providers in    provider authentication is not an issue. Therefore, verbal
                   an emergency            transfer of PHI (via phone, for example) necessary for
                   situation               treatment in an emergent situation can occur. If physical
                                           records become necessary, must request through legitimate
                                           channels.

Scenario: 2
   Domain:         1
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                              Legal Driver
        #         Short Name               Description                                                     Class Short Name            Description   Narrative                              Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver
                   requesting
                   healthcare provider.
        OK02.08    Authorization to        Get written consent from patient to provide medical record to   Barrier                                   General discussion regarding request   42CFR, State law (63 O.S. §1-
                   release patient         another MD/entity.                                                                                        from law enforcement for STD           502.2 and general
                   information to                                                                                                                    information on individuals who were    confidentiality statement in
                   another MD/entity.                                                                                                                associated with a child diagnosed      43A), Department policies, i.e.
                                                                                                                                                     with STD Access to records was         requirement that consent must
                                                                                                                                                     denied. How far does release carry     be signed before notary. State
                                                                                                                                                     through chain of events and what are   law review: 42 C.F.R. § 2.32
                                                                                                                                                     prohibitions o                         42 C.F.R. § 2.31(a), 45 C.F.R. §
                                                                                                                                                                                            16




        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.13    Patient Release of      Refer to patient information department                         Barrier                                 42 CFR part 2; Refer to patient          No legal driver
                   Information                                                                                                                     information department. May be
                                                                                                                                                   good business practice to refer
                                                                                                                                                   questions to staff who have more
                                                                                                                                                   experience in answering those
                                                                                                                                                   questions but can be a barrier if they
                                                                                                                                                   are not available.
        OK02.10    Referral to             Get referral if we are substance abuse treatment or get         Barrier                                 How far does release carry through       42 C.F.R. § 2.32 42 C.F.R. §
                   Substance Abuse         consent from patient                                                                                    chain of events and what are             2.31(a)
                                                                                                                                                   prohibitions on re-disclosure…           HIPAA 45 C.F.R. §
                                                                                                                                                   Follow-up info: Specific Consent is      164.508(c)                 42
                                                                                                                                                   required. There may be some              C.F.R. 2131a
                                                                                                                                                   exception in the case of a business
                                                                                                                                                   associate agreement.

      Stakeholder: Other
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.09    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver.
                   requesting
                   healthcare provider.
        OK02.05    Patient authorization   Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release          provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                           federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                           certify information to single provider. This is a paper only                                            of revocation and follows
                                           scenario.                                                                                               incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There      45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                      may be some exception in the case        2.31(a).
                   healthcare provider.                                                                                                            of a business associate agreement.

      Stakeholder: Public Health Agency
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.07    Authenticating             staff confirm credible provider by accessing online license     Barrier                                                                          No legal driver
                   identity/accreditation     board (not typically done).
                   of sharing-institution
        OK02.06    Transfer/release of        Facility staff sets up appointment between patient and PCP      Barrier                                                                          No legal driver
                   PHI from treatment         then faxes/mails records to PCP or has a case manager
                   institution to patient's   hand-deliver the records.
                   PCP

   Domain:         2
      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.01    Authentication of          Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver
                   requesting
                   healthcare provider.
        OK02.08    Authorization to           Get written consent from patient to provide medical record to   Barrier                                 General discussion regarding request     42CFR, State law (63 O.S. §1-
                   release patient            another MD/entity.                                                                                      from law enforcement for STD             502.2 and general
                   information to                                                                                                                     information on individuals who were      confidentiality statement in
                   another MD/entity.                                                                                                                 associated with a child diagnosed        43A), Department policies, i.e.
                                                                                                                                                      with STD Access to records was           requirement that consent must
                                                                                                                                                      denied. How far does release carry       be signed before notary. State
                                                                                                                                                      through chain of events and what are     law review: 42 C.F.R. § 2.32
                                                                                                                                                      prohibitions o                           42 C.F.R. § 2.31(a), 45 C.F.R. §
                                                                                                                                                                                               16
        OK02.13    Patient Release of         Refer to patient information department                         Barrier                                 42 CFR part 2; Refer to patient          No legal driver
                   Information                                                                                                                        information department. May be
                                                                                                                                                      good business practice to refer
                                                                                                                                                      questions to staff who have more
                                                                                                                                                      experience in answering those
                                                                                                                                                      questions but can be a barrier if they
                                                                                                                                                      are not available.
        OK02.10    Referral to                Get referral if we are substance abuse treatment or get         Barrier                                 How far does release carry through       42 C.F.R. § 2.32 42 C.F.R. §
                   Substance Abuse            consent from patient                                                                                    chain of events and what are             2.31(a)
                                                                                                                                                      prohibitions on re-disclosure…           HIPAA 45 C.F.R. §
                                                                                                                                                      Follow-up info: Specific Consent is      164.508(c)                 42
                                                                                                                                                      required. There may be some              C.F.R. 2131a
                                                                                                                                                      exception in the case of a business
                                                                                                                                                      associate agreement.


Scenario: 2
   Domain:         2
      Stakeholder: Other
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name                Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.09    Authentication of        Use caller ID, call back on phone number                        Barrier Business policy                                                       No legal driver.
                   requesting
                   healthcare provider.
        OK02.05    Patient authorization    Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release           provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                            federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                            certify information to single provider. This is a paper only                                            of revocation and follows
                                            scenario.                                                                                               incontestability laws.
        OK02.05    Patient authorization    Individual release by patient per release, content, dates and   Barrier                                                                       law 42 CFR part 2, Time limit on
                   of PHI release           provider. Determine time release 9 months if person is under                                                                                  release; "reasonable time"
                                            federally subsidized drug treatment facility. If RHIO can't                                                                                   variation comes in definition of
                                            certify information to single provider. This is a paper only                                                                                  reasonable. HIPAA says 24
                                            scenario.                                                                                                                                     months revocation and follows
                                                                                                                                                                                          incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name                Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of        Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                       may be some exception in the case     2.31(a).
                   healthcare provider.                                                                                                             of a business associate agreement.

      Stakeholder: Public Health Agency
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name                Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.12    Appropriate release      An institution might have a patient sign an additional release Barrier
                   of PHI (consent form     form to specify release of specific data and explain why
                   signed), with regard     being released. Such forms can stipulate no additional re-
                   to guidelines in that    release w/out additional consent from patient. The forms are
                   particular form          signed by the patient, placed in the chart, logged on progress
                                            note, logged in accounting disclosure log, etc. At current
                                            time, all records are hard copy.
        OK02.07    Authenticating           staff confirm credible provider by accessing online license     Barrier                                                                       No legal driver
                   identity/accreditation   board (not typically done).
                   of sharing-institution




Scenario: 2
   Domain:         2
      Stakeholder: Public Health Agency
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.06    Transfer/release of        Facility staff sets up appointment between patient and PCP      Barrier                                                                       No legal driver
                   PHI from treatment         then faxes/mails records to PCP or has a case manager
                   institution to patient's   hand-deliver the records.
                   PCP

   Domain:         3
      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of          Use caller ID, call back on phone number                        Barrier Business policy                                                       No legal driver
                   requesting
                   healthcare provider.

      Stakeholder: Other
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.09    Authentication of          Use caller ID, call back on phone number                        Barrier Business policy                                                       No legal driver.
                   requesting
                   healthcare provider.
        OK02.05    Patient authorization      Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release             provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                              federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                              certify information to single provider. This is a paper only                                            of revocation and follows
                                              scenario.                                                                                               incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of          Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                         may be some exception in the case     2.31(a).
                   healthcare provider.                                                                                                               of a business associate agreement.




Scenario: 2
   Domain:         3
      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                              Legal Driver
        #         Short Name                  Description                                                     Class Short Name            Description   Narrative                               Code/Statute
        OK02.11    Naming physician           Often takes 6 wks to get emergency appointment to allow a       Barrier policy - based on                 Naming physician temporarily to         42 C.F.R. § 2.32, 42 C.F.R. §
                   temporarily to staff       different/outside physician to see patient                              insurance plan                    staff. Hospitals are allowed to         2.31(a), HIPAA 45 C.F.R. §
                                                                                                                      credentialing                     temporarily appoint according to        164.508(c)
                                                                                                                      physician                         hospital rules & regulations (Medical
                                                                                                                                                        Staff By-Laws). If not an employee
                                                                                                                                                        would need specific consent.

      Stakeholder: Public Health Agency
        Business Practice                                                                                           Policy                              Legal Driver
        #         Short Name                  Description                                                     Class Short Name            Description   Narrative                               Code/Statute
        OK02.07    Authenticating             staff confirm credible provider by accessing online license     Barrier                                                                           No legal driver
                   identity/accreditation     board (not typically done).
                   of sharing-institution
        OK02.06    Transfer/release of        Facility staff sets up appointment between patient and PCP      Barrier                                                                           No legal driver
                   PHI from treatment         then faxes/mails records to PCP or has a case manager
                   institution to patient's   hand-deliver the records.
                   PCP

   Domain:         4
      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                              Legal Driver
        #         Short Name                  Description                                                     Class Short Name            Description   Narrative                               Code/Statute
        OK02.01    Authentication of          Use caller ID, call back on phone number                        Barrier Business policy                                                           No legal driver
                   requesting
                   healthcare provider.
        OK02.08    Authorization to           Get written consent from patient to provide medical record to   Barrier                                   General discussion regarding request    42CFR, State law (63 O.S. §1-
                   release patient            another MD/entity.                                                                                        from law enforcement for STD            502.2 and general
                   information to                                                                                                                       information on individuals who were     confidentiality statement in
                   another MD/entity.                                                                                                                   associated with a child diagnosed       43A), Department policies, i.e.
                                                                                                                                                        with STD. Access to records was         requirement that consent must
                                                                                                                                                        denied. How far does release carry      be signed before notary. State
                                                                                                                                                        through chain of events and what are    law review: 42 C.F.R. § 2.32
                                                                                                                                                        prohibitions o                          42 C.F.R. § 2.31(a), 45 C.F.R. §
                                                                                                                                                                                                16




Scenario: 2
   Domain:         4
      Stakeholder: Hospitals
        Business Practice                                                                                    Policy                            Legal Driver
        #         Short Name              Description                                                  Class Short Name          Description   Narrative                                Code/Statute
        OK02.03    Exchange of data       Faxing it - call ahead to have someone at fax machine        Barrier Business policy                                                          LWG determined there is no
                   through fax                                                                                                                                                          legal driver other than HIPAA
                                                                                                                                                                                        requires “reasonable
                                                                                                                                                                                        safeguards”.
        OK02.02    Exchange of health     mailing the data certified mail, either US PO, Fed Ex, etc   Barrier Business policy                 It was stated that most physicians       LWG determined there is no
                   information through                                                                                                         choose to err on the side of caution.    legal driver other than HIPAA
                   shipping/mail                                                                                                               The other groups would still need to     requires “reasonable
                                                                                                                                               look at it to see what needs to be       safeguards”.
                                                                                                                                               done (training, technology, etc) to
                                                                                                                                               overcome the barrier.
        OK02.13    Patient Release of     Refer to patient information department                      Barrier                                 42 CFR part 2; Refer to patient          No legal driver
                   Information                                                                                                                 information department. May be
                                                                                                                                               good business practice to refer
                                                                                                                                               questions to staff who have more
                                                                                                                                               experience in answering those
                                                                                                                                               questions but can be a barrier if they
                                                                                                                                               are not available.
        OK02.10    Referral to            Get referral if we are substance abuse treatment or get      Barrier                                 How far does release carry through       42 C.F.R. § 2.32 42 C.F.R. §
                   Substance Abuse        consent from patient                                                                                 chain of events and what are             2.31(a)
                                                                                                                                               prohibitions on re-disclosure…           HIPAA 45 C.F.R. §
                                                                                                                                               Follow-up info: Specific Consent is      164.508(c)                 42
                                                                                                                                               required. There may be some              C.F.R. 2131a
                                                                                                                                               exception in the case of a business
                                                                                                                                               associate agreement.

      Stakeholder: Other
        Business Practice                                                                                    Policy                            Legal Driver
        #         Short Name              Description                                                  Class Short Name          Description   Narrative                                Code/Statute
        OK02.09    Authentication of      Use caller ID, call back on phone number                     Barrier Business policy                                                          No legal driver.
                   requesting
                   healthcare provider.
        OK02.03    Exchange of data       Faxing it - call ahead to have someone at fax machine        Barrier Business policy                                                          No legal driver
                   through fax
        OK02.04    Exchange of data      mailing the data certified mail, either US PO, Fed Ex, etc    Barrier Business policy                                                          No legal driver
                   through shipping/mail




Scenario: 2
   Domain:         4
      Stakeholder: Other
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.05    Patient authorization      Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release             provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                              federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                              certify information to single provider. This is a paper only                                            of revocation and follows
                                              scenario.                                                                                               incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of          Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                         may be some exception in the case     2.31(a).
                   healthcare provider.                                                                                                               of a business associate agreement.
        OK02.03    Exchange of data           Faxing it - call ahead to have someone at fax machine           Barrier Business policy                                                       No legal driver
                   through fax
        OK02.04    Exchange of data           mailing the data certified mail, either US PO, Fed Ex, etc      Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   through shipping/mail                                                                                                              may be some exception in the case     2.31(a).
                                                                                                                                                      of a business associate agreement.

      Stakeholder: Public Health Agency
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.06    Transfer/release of        Facility staff sets up appointment between patient and PCP      Barrier                                                                       No legal driver
                   PHI from treatment         then faxes/mails records to PCP or has a case manager
                   institution to patient's   hand-deliver the records.
                   PCP

   Domain:         5
      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                            Legal Driver
        #         Short Name                  Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of          Use caller ID, call back on phone number                        Barrier Business policy                                                       No legal driver
                   requesting
                   healthcare provider.




Scenario: 2
   Domain:         5
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                               Code/Statute
        OK02.03    Exchange of data        Faxing it - call ahead to have someone at fax machine           Barrier Business policy                                                         LWG determined there is no
                   through fax                                                                                                                                                             legal driver other than HIPAA
                                                                                                                                                                                           requires “reasonable
                                                                                                                                                                                           safeguards”.
        OK02.02    Exchange of health      mailing the data certified mail, either US PO, Fed Ex, etc      Barrier Business policy                 It was stated that most physicians      LWG determined there is no
                   information through                                                                                                             choose to err on the side of caution.   legal driver other than HIPAA
                   shipping/mail                                                                                                                   The other groups would still need to    requires “reasonable
                                                                                                                                                   look at it to see what needs to be      safeguards”.
                                                                                                                                                   done (training, technology, etc) to
                                                                                                                                                   overcome the barrier.

      Stakeholder: Other
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                               Code/Statute
        OK02.09    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                         No legal driver.
                   requesting
                   healthcare provider.
        OK02.03    Exchange of data        Faxing it - call ahead to have someone at fax machine           Barrier Business policy                                                         No legal driver
                   through fax
        OK02.04    Exchange of data      mailing the data certified mail, either US PO, Fed Ex, etc        Barrier Business policy                                                         No legal driver
                   through shipping/mail
        OK02.05    Patient authorization   Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release          provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                           federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                           certify information to single provider. This is a paper only                                            of revocation and follows
                                           scenario.                                                                                               incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                               Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There     45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                      may be some exception in the case       2.31(a).
                   healthcare provider.                                                                                                            of a business associate agreement.
        OK02.03    Exchange of data        Faxing it - call ahead to have someone at fax machine           Barrier Business policy                                                         No legal driver
                   through fax
        OK02.04    Exchange of data        mailing the data certified mail, either US PO, Fed Ex, etc      Barrier Business policy                 Specific consent is required. There     45 CFR 164.508(c) and 42 CFR
                   through shipping/mail                                                                                                           may be some exception in the case       2.31(a).
                                                                                                                                                   of a business associate agreement.

Scenario: 2
   Domain:         6
      Stakeholder: Hospitals
        Business Practice                                                                                       Policy                            Legal Driver
        #         Short Name              Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.01    Authentication of      Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver
                   requesting
                   healthcare provider.
        OK02.08    Authorization to       Get written consent from patient to provide medical record to   Barrier                                 General discussion regarding request     42CFR, State law (63 O.S. §1-
                   release patient        another MD/entity.                                                                                      from law enforcement for STD             502.2 and general
                   information to                                                                                                                 information on individuals who were      confidentiality statement in
                   another MD/entity.                                                                                                             associated with a child diagnosed        43A), Department policies, i.e.
                                                                                                                                                  with STD Access to records was           requirement that consent must
                                                                                                                                                  denied. How far does release carry       be signed before notary. State
                                                                                                                                                  through chain of events and what are     law review: 42 C.F.R. § 2.32
                                                                                                                                                  prohibitions o                           42 C.F.R. § 2.31(a), 45 C.F.R. §
                                                                                                                                                                                           16
        OK02.03    Exchange of data       Faxing it - call ahead to have someone at fax machine           Barrier Business policy                                                          LWG determined there is no
                   through fax                                                                                                                                                             legal driver other than HIPAA
                                                                                                                                                                                           requires “reasonable
                                                                                                                                                                                           safeguards”.
        OK02.02    Exchange of health     mailing the data certified mail, either US PO, Fed Ex, etc      Barrier Business policy                 It was stated that most physicians       LWG determined there is no
                   information through                                                                                                            choose to err on the side of caution.    legal driver other than HIPAA
                   shipping/mail                                                                                                                  The other groups would still need to     requires “reasonable
                                                                                                                                                  look at it to see what needs to be       safeguards”.
                                                                                                                                                  done (training, technology, etc) to
                                                                                                                                                  overcome the barrier.
        OK02.13    Patient Release of     Refer to patient information department                         Barrier                                 42 CFR part 2; Refer to patient          No legal driver
                   Information                                                                                                                    information department. May be
                                                                                                                                                  good business practice to refer
                                                                                                                                                  questions to staff who have more
                                                                                                                                                  experience in answering those
                                                                                                                                                  questions but can be a barrier if they
                                                                                                                                                  are not available.
        OK02.10    Referral to            Get referral if we are substance abuse treatment or get         Barrier                                 How far does release carry through       42 C.F.R. § 2.32 42 C.F.R. §
                   Substance Abuse        consent from patient                                                                                    chain of events and what are             2.31(a)
                                                                                                                                                  prohibitions on re-disclosure…           HIPAA 45 C.F.R. §
                                                                                                                                                  Follow-up info: Specific Consent is      164.508(c)                 42
                                                                                                                                                  required. There may be some              C.F.R. 2131a
                                                                                                                                                  exception in the case of a business
                                                                                                                                                  associate agreement.

      Stakeholder: Other
        Business Practice                                                                                       Policy                            Legal Driver
        #         Short Name              Description                                                     Class Short Name          Description   Narrative                                Code/Statute

        OK02.09    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                       No legal driver.
                   requesting
                   healthcare provider.
        OK02.03    Exchange of data        Faxing it - call ahead to have someone at fax machine           Barrier Business policy                                                       No legal driver
                   through fax
        OK02.04    Exchange of data      mailing the data certified mail, either US PO, Fed Ex, etc        Barrier Business policy                                                       No legal driver
                   through shipping/mail
        OK02.05    Patient authorization   Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release          provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                           federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                           certify information to single provider. This is a paper only                                            of revocation and follows
                                           scenario.                                                                                               incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                      may be some exception in the case     2.31(a).
                   healthcare provider.                                                                                                            of a business associate agreement.
        OK02.03    Exchange of data        Faxing it - call ahead to have someone at fax machine           Barrier Business policy                                                       No legal driver
                   through fax
        OK02.04    Exchange of data        mailing the data certified mail, either US PO, Fed Ex, etc      Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   through shipping/mail                                                                                                           may be some exception in the case     2.31(a).
                                                                                                                                                   of a business associate agreement.

      Stakeholder: Public Health Agency
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.12    Appropriate release     An institution might have a patient sign an additional release Barrier
                   of PHI (consent form    form to specify release of specific data and explain why
                   signed), with regard    being released. Such forms can stipulate no additional re-
                   to guidelines in that   release w/out additional consent from patient. The forms are
                   particular form         signed by the patient, placed in the chart, logged on progress
                                           note, logged in accounting disclosure log, etc. At current
                                           time, all records are hard copy.

   Domain:         7

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver
                   requesting
                   healthcare provider.
        OK02.08    Authorization to        Get written consent from patient to provide medical record to   Barrier                                 General discussion regarding request     42CFR, State law (63 O.S. §1-
                   release patient         another MD/entity.                                                                                      from law enforcement for STD             502.2 and general
                   information to                                                                                                                  information on individuals who were      confidentiality statement in
                   another MD/entity.                                                                                                              associated with a child diagnosed        43A), Department policies, i.e.
                                                                                                                                                   with STD Access to records was           requirement that consent must
                                                                                                                                                   denied. How far does release carry       be signed before notary. State
                                                                                                                                                   through chain of events and what are     law review: 42 C.F.R. § 2.32
                                                                                                                                                   prohibitions o                           42 C.F.R. § 2.31(a), 45 C.F.R. §
                                                                                                                                                                                            16
        OK02.13    Patient Release of      Refer to patient information department                         Barrier                                 42 CFR part 2; Refer to patient          No legal driver
                   Information                                                                                                                     information department. May be
                                                                                                                                                   good business practice to refer
                                                                                                                                                   questions to staff who have more
                                                                                                                                                   experience in answering those
                                                                                                                                                   questions but can be a barrier if they
                                                                                                                                                   are not available.
        OK02.10    Referral to             Get referral if we are substance abuse treatment or get         Barrier                                 How far does release carry through       42 C.F.R. § 2.32 42 C.F.R. §
                   Substance Abuse         consent from patient                                                                                    chain of events and what are             2.31(a)
                                                                                                                                                   prohibitions on re-disclosure…           HIPAA 45 C.F.R. §
                                                                                                                                                   Follow-up info: Specific Consent is      164.508(c)                 42
                                                                                                                                                   required. There may be some              C.F.R. 2131a
                                                                                                                                                   exception in the case of a business
                                                                                                                                                   associate agreement.

      Stakeholder: Other
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.09    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver.
                   requesting
                   healthcare provider.
        OK02.05    Patient authorization   Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release          provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                           federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                           certify information to single provider. This is a paper only                                            of revocation and follows
                                           scenario.                                                                                               incontestability laws.



      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There      45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                      may be some exception in the case        2.31(a).
                   healthcare provider.                                                                                                            of a business associate agreement.

      Stakeholder: Public Health Agency
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.12    Appropriate release     An institution might have a patient sign an additional release Barrier
                   of PHI (consent form    form to specify release of specific data and explain why
                   signed), with regard    being released. Such forms can stipulate no additional re-
                   to guidelines in that   release w/out additional consent from patient. The forms are
                   particular form         signed by the patient, placed in the chart, logged on progress
                                           note, logged in accounting disclosure log, etc. At current
                                           time, all records are hard copy.

   Domain:         8
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver
                   requesting
                   healthcare provider.
        OK02.08    Authorization to        Get written consent from patient to provide medical record to   Barrier                                 General discussion regarding request     42CFR, State law (63 O.S. §1-
                   release patient         another MD/entity.                                                                                      from law enforcement for STD             502.2 and general
                   information to                                                                                                                  information on individuals who were      confidentiality statement in
                   another MD/entity.                                                                                                              associated with a child diagnosed        43A), Department policies, i.e.
                                                                                                                                                   with STD Access to records was           requirement that consent must
                                                                                                                                                   denied. How far does release carry       be signed before notary. State
                                                                                                                                                   through chain of events and what are     law review: 42 C.F.R. § 2.32
                                                                                                                                                   prohibitions o                           42 C.F.R. § 2.31(a), 45 C.F.R. §
                                                                                                                                                                                            16
        OK02.13    Patient Release of      Refer to patient information department                         Barrier                                 42 CFR part 2; Refer to patient          No legal driver
                   Information                                                                                                                     information department. May be
                                                                                                                                                   good business practice to refer
                                                                                                                                                   questions to staff who have more
                                                                                                                                                   experience in answering those
                                                                                                                                                   questions but can be a barrier if they
                                                                                                                                                   are not available.
        OK02.10    Referral to             Get referral if we are substance abuse treatment or get         Barrier                                 How far does release carry through    42 C.F.R. § 2.32 42 C.F.R. §
                   Substance Abuse         consent from patient                                                                                    chain of events and what are          2.31(a)
                                                                                                                                                   prohibitions on re-disclosure…        HIPAA 45 C.F.R. §
                                                                                                                                                   Follow-up info: Specific Consent is   164.508(c)                 42
                                                                                                                                                   required. There may be some           C.F.R. 2131a
                                                                                                                                                   exception in the case of a business
                                                                                                                                                   associate agreement.

      Stakeholder: Other
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.09    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                       No legal driver.
                   requesting
                   healthcare provider.
        OK02.05    Patient authorization   Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release          provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                           federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                           certify information to single provider. This is a paper only                                            of revocation and follows
                                           scenario.                                                                                               incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number.                       Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                      may be some exception in the case     2.31(a).
                   healthcare provider.                                                                                                            of a business associate agreement.

   Domain:         9
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                       No legal driver
                   requesting
                   healthcare provider.



        OK02.08    Authorization to        Get written consent from patient to provide medical record to   Barrier                                 General discussion regarding request     42CFR, State law (63 O.S. §1-
                   release patient         another MD/entity.                                                                                      from law enforcement for STD             502.2 and general
                   information to                                                                                                                  information on individuals who were      confidentiality statement in
                   another MD/entity.                                                                                                              associated with a child diagnosed        43A), Department policies, i.e.
                                                                                                                                                   with STD. Access to records was          requirement that consent must
                                                                                                                                                   denied. How far does release carry       be signed before notary. State
                                                                                                                                                   through chain of events and what are     law review: 42 C.F.R. § 2.32
                                                                                                                                                   prohibitions o                           42 C.F.R. § 2.31(a), 45 C.F.R. §
                                                                                                                                                                                            16
        OK02.13    Patient Release of      Refer to patient information department                         Barrier                                 42 CFR part 2; Refer to patient          No legal driver
                   Information                                                                                                                     information department. May be
                                                                                                                                                   good business practice to refer
                                                                                                                                                   questions to staff who have more
                                                                                                                                                   experience in answering those
                                                                                                                                                   questions but can be a barrier if they
                                                                                                                                                   are not available.
        OK02.10    Referral to             Get referral if we are substance abuse treatment or get         Barrier                                 How far does release carry through       42 C.F.R. § 2.32 42 C.F.R. §
                   Substance Abuse         consent from patient                                                                                    chain of events and what are             2.31(a)
                                                                                                                                                   prohibitions on re-disclosure…           HIPAA 45 C.F.R. §
                                                                                                                                                   Follow-up info: Specific Consent is      164.508(c)                 42
                                                                                                                                                   required. There may be some              C.F.R. 2131a
                                                                                                                                                   exception in the case of a business
                                                                                                                                                   associate agreement.

      Stakeholder: Other
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                                Code/Statute
        OK02.09    Authentication of       Use caller ID, call back on phone number                        Barrier Business policy                                                          No legal driver.
                   requesting
                   healthcare provider.
        OK02.05    Patient authorization   Individual release by patient per release, content, dates and   Barrier                                 Time limit on release; "reasonable time" 42 CFR § 2.31(a)(ix)
                   of PHI release          provider. Determine time release 9 months if person is under                                            variation comes in definition of
                                           federally subsidized drug treatment facility. If RHIO can't                                             reasonable. HIPAA says 24 months
                                           certify information to single provider. This is a paper only                                            of revocation and follows
                                           scenario.                                                                                               incontestability laws.

      Stakeholder: Physician Groups
        Business Practice                                                                                              Policy                            Legal Driver
        #         Short Name                  Description                                                        Class Short Name          Description   Narrative                             Code/Statute
        OK02.01    Authentication of          Use caller ID, call back on phone number.                          Barrier Business policy                 Specific consent is required. There   45 CFR 164.508(c) and 42 CFR
                   requesting                                                                                                                            may be some exception in the case     2.31(a).
                   healthcare provider.                                                                                                                  of a business associate agreement.

      Stakeholder: Public Health Agency
        Business Practice                                                                                              Policy                            Legal Driver
        #         Short Name                  Description                                                        Class Short Name          Description   Narrative                             Code/Statute
        OK02.12    Appropriate release        An institution might have a patient sign an additional release Barrier
                   of PHI (consent form       form to specify release of specific data and explain why
                   signed), with regard       being released. Such forms can stipulate no additional re-
                   to guidelines in that      release w/out additional consent from patient. The forms are
                   particular form            signed by the patient, placed in the chart, logged on progress
                                              note, logged in accounting disclosure log, etc. At current
                                              time, all records are hard copy.
        OK02.06    Transfer/release of        Facility staff sets up appointment between patient and PCP         Barrier                                                                       No legal driver
                   PHI from treatment         then faxes/mails records to PCP or has a case manager
                   institution to patient's   hand-deliver the records.
                   PCP

Scenario: 3
   Domain:         1
      Stakeholder: Clinicians
        Business Practice                                                                                              Policy                            Legal Driver
        #         Short Name                  Description                                                        Class Short Name          Description   Narrative                             Code/Statute
        OK03.32    Accessing patient          four passwords to access information remotely/from home,           Barrier
                   information remotely       information sent out is encrypted
        OK03.05    Transfer of medical         Business Associate agreement would have to be in place            Barrier HIPAA                           Transcription Service-HIPAA requires No legal driver
                   information with           with transcription service requiring log-in from both sides with                                           "reasonable" (up to judgment of
                   transcription service      secure access of web portal through a VPN.                                                                 people).

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK03.10    Receive patient data    Staff deliver data or arrange for courier.                      Barrier                                                                         No legal driver
                   without electronic
                   means

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK03.08    Access to care          Dr has to be on staff at nursing facility to send info          Barrier                                                                         No legal driver
                   facility EHR is
                   limited to staff only
        OK03.14    Access to EHR by        everyone in office shares one log-in                            Barrier                                  Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                               per employee (possible violation of    164.312
                   credentialed staff                                                                                                               software contract). Legal driver might
                                                                                                                                                    be individual but would have no
                                                                                                                                                    defense in case of violation.
        OK03.04    Appropriate            Dr receives admitting privileges/credentials after attendance    Neutral state/federal                    Appropriate admitting privileges;  45 C.F.R. § 164.530(c), 45
                   admitting              at orientation. Call help desk to get lost or new credentials.           law, HIPAA and                   HIPAA requires "reasonable" system C.F.R. § 142, 162
                   privileges/credentials Help Desk verifies identity with SSN and other criteria.                 audit                            in place and mandates appropriate
                   are given to provider                                                                                                            administrative safeguards &
                                                                                                                                                    "reasonable" safeguards from
                                                                                                                                                    intentional and unintentional
                                                                                                                                                    violations.
        OK03.09    Transfer of data        Staff member must print info and then either fax, mail or       Barrier HIPAA                            HIPAA-"reasonable"-must contain        45 C.F.R. § 2.32
                   when care facility      deliver documents to facility. Staff member must make sure                                               note regarding redisclosure.
                   cannot open             document includes disclaimer statement. Staff member
                   encrypted files         documents transfer method and appropriate phone numbers,
                                           addresses, etc.
        OK03.06    Transfer of             Transfer of assessment would have to be encrypted before        Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to       being sent to care facility. An encryption key would have to                                             encryption, only "reasonable
                   care facility           be transferred separately to access data.                                                                safeguard," though encryption is the
                                                                                                                                                    preferred method.

      Stakeholder: Other
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK03.10    Receive patient data    Staff deliver data or arrange for courier.                      Barrier                                                                         No legal driver
                   without electronic
                   means

      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.12    Access to EHR by         Dr shares log-in access with physician extenders                  Barrier                                  Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                                  per employee (possible violation of    164.312
                   credentialed staff                                                                                                                  software contract). Legal driver might
                                                                                                                                                       be individual but would have no
                                                                                                                                                       defense in case of violation.
        OK03.23    Information transfer     information sent via fax or mail after patient consent, follow-   Barrier
                                            up with verbal consent if referral set up by provider (dentist)
        OK03.33    Staff access to          users/staff are limited to what information they access by        Barrier
                   information              username/password
        OK03.29    Staff access to          login access limits some staff from viewing information           Neutral
                   information

      Stakeholder: Quality Improvement Organizations
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.13    Access to EHR by         nurse signs on and lets Dr see the info                           Barrier                                  HIPAA does not allow access to EHR 43A O.S. § 1.109
                   someone other than                                                                                                                  by someone other than credentialed
                   credentialed staff                                                                                                                  staff.

      Stakeholder: State Government
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.03    Transfer of additional   Facility Staff must contact hospital medical records             Barrier HIPAA                             Transfer of additional discharge info Title 310 § 667-12-13, no legal
                   discharge                department to see if additions have been made to chart                                                     following discharge (receiving        driver on transfer of info
                   information after        since info was copied and sent, but this is typically not done.                                            partial/incomplete data). Established
                   discharge                State law doesn't require completion until 30 days after                                                   time frames for completion of medical
                                            discharge, so not all pertinent data is available at time of                                               records (physician has up to 30 days
                                            discharge. What info is available at time of transfer (time lag-                                           to complete discharge summary).
                                            transcription) including changes to care? Follow-up to get
                                            additional records.
        OK03.06    Transfer of              Transfer of assessment would have to be encrypted before          Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to        being sent to care facility. An encryption key would have to                                               encryption, only "reasonable
                   care facility            be transferred separately to access data.                                                                  safeguard," though encryption is the
                                                                                                                                                       preferred method.

   Domain:         2
      Stakeholder: Clinicians
        Business Practice                                                                                           Policy                           Legal Driver
        #         Short Name               Description                                                        Class Short Name         Description   Narrative                             Code/Statute
        OK03.15    Determine health        Clinic determines what health information is necessary to    Barrier
                   information shared in   share for treatment from doctor to doctor. Someone from
                   mental health           clinic accompanies him if patient is under emergency medical
                   situation               attention, patient rights are waived
        OK03.05    Transfer of medical      Business Associate agreement would have to be in place            Barrier HIPAA                          Transcription Service-HIPAA requires No legal driver
                   information with        with transcription service requiring log-in from both sides with                                          "reasonable" (up to judgment of
                   transcription service   secure access of web portal through a VPN.                                                                people).

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                           Policy                           Legal Driver
        #         Short Name               Description                                                        Class Short Name         Description   Narrative                             Code/Statute
        OK03.10    Receive patient data    Staff deliver data or arrange for courier.                         Barrier                                                                      No legal driver
                   without electronic
                   means

      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                           Legal Driver
        #         Short Name               Description                                                        Class Short Name         Description   Narrative                             Code/Statute
        OK03.08    Access to care          Dr has to be on staff at nursing facility to send info             Barrier                                                                      No legal driver
                   facility EHR is
                   limited to staff only
        OK03.14    Access to EHR by        everyone in office shares one log-in                               Barrier                                Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                                per employee (possible violation of    164.312
                   credentialed staff                                                                                                                software contract). Legal driver might
                                                                                                                                                     be individual but would have no
                                                                                                                                                     defense in case of violation.
        OK03.04    Appropriate            Dr receives admitting privileges/credentials after attendance       Neutral state/federal                  Appropriate admitting privileges;  45 C.F.R. § 164.530(c), 45
                   admitting              at orientation. Call help desk to get lost or new credentials.              law, HIPAA and                 HIPAA requires "reasonable" system C.F.R. § 142, 162
                   privileges/credentials Help Desk verifies identity with SSN and other criteria.                    audit                          in place and mandates appropriate
                   are given to provider                                                                                                             administrative safeguards &
                                                                                                                                                     "reasonable" safeguards from
                                                                                                                                                     intentional and unintentional
                                                                                                                                                     violations.
        OK03.02    Secure appropriate      Appropriate consent form signed by patient/guardian on             Barrier HIPAA
                   consent                 admission, patient can say no to certain items




        OK03.09    Transfer of data        Staff member must print info and then either fax, mail or       Barrier HIPAA                            HIPAA-"reasonable"-must contain        45 C.F.R. § 2.32
                   when care facility      deliver documents to facility. Staff member must make sure                                               note regarding redisclosure.
                   cannot open             document includes disclaimer statement. Staff member
                   encrypted files         documents transfer method and appropriate phone numbers,
                                           addresses, etc.
        OK03.06    Transfer of             Transfer of assessment would have to be encrypted before        Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to       being sent to care facility. An encryption key would have to                                             encryption, only "reasonable
                   care facility           be transferred separately to access data.                                                                safeguard," though encryption is the
                                                                                                                                                    preferred method.

      Stakeholder: Other
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK03.26    Consent release to      patient consent for release of information only to identified   Barrier                                                                         Title 43A 1-109.1
                   specified individuals   individuals (can limit who information is shared with)
        OK03.10    Receive patient data    Staff deliver data or arrange for courier.                      Barrier                                                                         No legal driver
                   without electronic
                   means
        OK03.19    Secure discharge        Mental health - takes 1-2 weeks to get discharge summary - Barrier                                                                              43A 1-109(e)(VI) [4-107?]
                   summary                 consent from patient or guardian, information is faxed, SW on
                                           staff makes arrangements,

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name               Description                                                     Class Short Name           Description   Narrative                              Code/Statute
        OK03.12    Access to EHR by        Dr shares log-in access with physician extenders                Barrier                                  Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                               per employee (possible violation of    164.312
                   credentialed staff                                                                                                               software contract). Legal driver might
                                                                                                                                                    be individual but would have no
                                                                                                                                                    defense in case of violation.
        OK03.17    Accessing patient       review chart at hospital in person (physician on staff)         Neutral
                   chart
        OK03.22    Accessing patient       login access in private practice                                Barrier
                   electronic health
                   record
        OK03.21    Accessing patient       Physicians with staff privileges have access to information     Neutral
                   information


Scenario: 3
   Domain:         2
      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.16    Immediate transfer       bypass transcription process, preprinted handwritten note         Barrier
                   of discharge orders      with orders to be given to skilled nursing facility in order to
                                            take care of patient first
        OK03.23    Information transfer     information sent via fax or mail after patient consent, follow-   Barrier
                                            up with verbal consent if referral set up by provider (dentist)
        OK03.27    Patient consent for      Must receive written consent from patient to notify payer         Barrier                                  Does not require consent               45 CFR 164.506
                   vendor pay
        OK03.18    Secure patient           Nurse gets release from patient and faxes it over                 Barrier
                   consent
        OK03.25    Testing done at          no patient consent received to forward to external lab/surgeon Neutral
                   outside location

      Stakeholder: Quality Improvement Organizations
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.13    Access to EHR by         nurse signs on and lets Dr see the info                           Barrier                                  HIPAA does not allow access to EHR 43A O.S. § 1.109
                   someone other than                                                                                                                  by someone other than credentialed
                   credentialed staff                                                                                                                  staff.

      Stakeholder: State Government
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.03    Transfer of additional   Facility Staff must contact hospital medical records             Barrier HIPAA                             Transfer of additional discharge info Title 310 § 667-12-13, no legal
                   discharge                department to see if additions have been made to chart                                                     following discharge (receiving        driver on transfer of info
                   information after        since info was copied and sent, but this is typically not done.                                            partial/incomplete data). Established
                   discharge                State law doesn't require completion until 30 days after                                                   time frames for completion of medical
                                            discharge, so not all pertinent data is available at time of                                               records (physician has up to 30 days
                                            discharge. What info is available at time of transfer (time lag-                                           to complete discharge summary).
                                            transcription) including changes to care? Follow-up to get
                                            additional records.
        OK03.06    Transfer of              Transfer of assessment would have to be encrypted before          Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to        being sent to care facility. An encryption key would have to                                               encryption, only "reasonable
                   care facility            be transferred separately to access data.                                                                  safeguard," though encryption is the
                                                                                                                                                       preferred method.

   Domain:         3

      Stakeholder: Clinicians
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name                Description                                                      Class Short Name   Description   Narrative                             Code/Statute
        OK03.01    The transmission of      Patient must have signed a consent form signed by                Barrier                          Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at        patient/guardian on admission to the hospital psych unit.                                         time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge        Patient can say "no" to certain items. Then staff must ensure                                     driver for faxing requirement. We     1205 §2503
                   from one provider to     RN/LPN/admin is accepting faxes in the nursing home                                               may want to make some
                   another.                 facility. Once confirmed (via telephone) staff would fax data.                                    recommendations to the solutions
                                                                                                                                              group regarding OK physician/patient
                                                                                                                                              language. Oklahoma can be more
                                                                                                                                              restrictive than HIPAA.

      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name                Description                                                      Class Short Name   Description   Narrative                             Code/Statute
        OK03.01    The transmission of      Patient must have signed a consent form signed by                Barrier                          Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at        patient/guardian on admission to the hospital psych unit.                                         time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge        Patient can say "no" to certain items. Then staff must ensure                                     driver for faxing requirement. We     1205 §2503
                   from one provider to     RN/LPN/admin is accepting faxes in the nursing home                                               may want to make some
                   another.                 facility. Once confirmed (via telephone) staff would fax data.                                    recommendations to the solutions
                                                                                                                                              group regarding OK physician/patient
                                                                                                                                              language. Oklahoma can be more
                                                                                                                                              restrictive than HIPAA.

      Stakeholder: State Government
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name                Description                                                      Class Short Name   Description   Narrative                             Code/Statute
        OK03.03    Transfer of additional   Facility Staff must contact hospital medical records             Barrier HIPAA                    Transfer of additional discharge info Title 310 § 667-12-13, no legal
                   discharge                department to see if additions have been made to chart                                            following discharge (receiving        driver on transfer of info
                   information after        since info was copied and sent, but this is typically not done.                                   partial/incomplete data). Established
                   discharge                State law doesn't require completion until 30 days after                                          time frames for completion of medical
                                            discharge, so not all pertinent data is available at time of                                      records (physician has up to 30 days
                                            discharge. What info is available at time of transfer (time lag-                                  to complete discharge summary).
                                            transcription) including changes to care? Follow-up to get
                                            additional records.

   Domain:         4




      Stakeholder: Clinicians
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name               Description                                                        Class Short Name   Description   Narrative                            Code/Statute
        OK03.15    Determine health        Clinic determines what health information is necessary to    Barrier
                   information shared in   share for treatment from doctor to doctor. Someone from
                   mental health           clinic accompanies him if patient is under emergency medical
                   situation               attention, patient rights are waived
        OK03.01    The transmission of     Patient must have signed a consent form signed by                  Barrier                          Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at       patient/guardian on admission to the hospital psych unit.                                           time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge       Patient can say "no" to certain items. Then staff must ensure                                       driver for faxing requirement. We     1205 §2503
                   from one provider to    RN/LPN/admin is accepting faxes in the nursing home                                                 may want to make some
                   another.                facility. Once confirmed (via telephone) staff would fax data.                                      recommendations to the solutions
                                                                                                                                               group regarding OK physician/patient
                                                                                                                                               language. Oklahoma can be more
                                                                                                                                               restrictive than HIPAA.
        OK03.05    Transfer of medical      Business Associate agreement would have to be in place            Barrier HIPAA                    Transcription Service-HIPAA requires No legal driver
                   information with        with transcription service requiring log-in from both sides with                                    "reasonable" (up to judgment of
                   transcription service   secure access of web portal through a VPN.                                                          people).

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name               Description                                                        Class Short Name   Description   Narrative                            Code/Statute
        OK03.10    Receive patient data    Staff deliver data or arrange for courier.                         Barrier                                                               No legal driver
                   without electronic
                   means

      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name               Description                                                        Class Short Name   Description   Narrative                            Code/Statute
        OK03.01    The transmission of     Patient must have signed a consent form signed by                  Barrier                          Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at       patient/guardian on admission to the hospital psych unit.                                           time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge       Patient can say "no" to certain items. Then staff must ensure                                       driver for faxing requirement. We     1205 §2503
                   from one provider to    RN/LPN/admin is accepting faxes in the nursing home                                                 may want to make some
                   another.                facility. Once confirmed (via telephone) staff would fax data.                                      recommendations to the solutions
                                                                                                                                               group regarding OK physician/patient
                                                                                                                                               language. Oklahoma can be more
                                                                                                                                               restrictive than HIPAA.
        OK03.09    Transfer of data         Staff member must print info and then either fax, mail or         Barrier HIPAA                            HIPAA-"reasonable"-must contain        45 C.F.R. § 2.32
                   when care facility       deliver documents to facility. Staff member must make sure                                                 note regarding redisclosure.
                   cannot open              document includes disclaimer statement. Staff member
                   encrypted files          documents transfer method and appropriate phone numbers,
                                            addresses, etc.
        OK03.06    Transfer of              Transfer of assessment would have to be encrypted before          Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to        being sent to care facility. An encryption key would have to                                               encryption, only "reasonable
                   care facility            be transferred separately to access data.                                                                  safeguard," though encryption is the
                                                                                                                                                       preferred method.

      Stakeholder: Other
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.10    Receive patient data     Staff deliver data or arrange for courier.                        Barrier                                                                         No legal driver
                   without electronic
                   means
        OK03.19    Secure discharge         Mental health - takes 1-2 weeks to get discharge summary - Barrier                                                                                43A 1-109(e)(VI) [4-107?]
                   summary                  consent from patient or guardian, information is faxed, SW on
                                            staff makes arrangements,

      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name                Description                                                       Class Short Name           Description   Narrative                              Code/Statute
        OK03.24    Confirmation of          assumed delivery, no follow-up, confirm fax sent                  Barrier
                   information
                   transferred
        OK03.16    Immediate transfer       bypass transcription process, preprinted handwritten note         Barrier
                   of discharge orders      with orders to be given to skilled nursing facility in order to
                                            take care of patient first
        OK03.18    Secure patient           Nurse gets release from patient and faxes it over                 Barrier
                   consent
        OK03.30    Transfer of              type up and fax appropriate information to specialist             Barrier
                   information
        OK03.11    Verification of          Physician verifies info received at next visit or                 Neutral                                                                         No legal driver
                   medical information      nursing/medical records staff looking for info
                   receipt at care facility



      Stakeholder: State Government
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name                Description                                                    Class Short Name           Description   Narrative                              Code/Statute
        OK03.06    Transfer of              Transfer of assessment would have to be encrypted before       Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to        being sent to care facility. An encryption key would have to                                            encryption, only "reasonable
                   care facility            be transferred separately to access data.                                                               safeguard," though encryption is the
                                                                                                                                                    preferred method.

   Domain:         5
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name                Description                                                    Class Short Name           Description   Narrative                              Code/Statute
        OK03.04    Appropriate            Dr receives admitting privileges/credentials after attendance    Neutral state/federal                    Appropriate admitting privileges;  45 C.F.R. § 164.530(c), 45
                   admitting              at orientation. Call help desk to get lost or new credentials.           law, HIPAA and                   HIPAA requires "reasonable" system C.F.R. § 142, 162
                   privileges/credentials Help Desk verifies identity with SSN and other criteria.                 audit                            in place and mandates appropriate
                   are given to provider                                                                                                            administrative safeguards &
                                                                                                                                                    "reasonable" safeguards from
                                                                                                                                                    intentional and unintentional
                                                                                                                                                    violations.

      Stakeholder: State Government
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name                Description                                                    Class Short Name           Description   Narrative                              Code/Statute
        OK03.03    Transfer of additional   Facility Staff must contact hospital medical records             Barrier HIPAA                          Transfer of additional discharge info Title 310 § 667-12-13, no legal
                   discharge                department to see if additions have been made to chart                                                  following discharge (receiving        driver on transfer of info
                   information after        since info was copied and sent, but this is typically not done.                                         partial/incomplete data). Established
                   discharge                State law doesn't require completion until 30 days after                                                time frames for completion of medical
                                            discharge, so not all pertinent data is available at time of                                            records (physician has up to 30 days
                                            discharge. What info is available at time of transfer (time lag-                                        to complete discharge summary).
                                            transcription) including changes to care? Follow-up to get
                                            additional records.

   Domain:         6
      Stakeholder: Clinicians
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name                Description                                                    Class Short Name           Description   Narrative                              Code/Statute
        OK03.05    Transfer of medical       Business Associate agreement would have to be in place            Barrier HIPAA                            Transcription Service-HIPAA requires No legal driver
                   information with         with transcription service requiring log-in from both sides with                                            "reasonable" (up to judgment of
                   transcription service    secure access of web portal through a VPN.                                                                  people).

      Stakeholder: Hospitals
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK03.09    Transfer of data         Staff member must print info and then either fax, mail or          Barrier HIPAA                            HIPAA-"reasonable"-must contain        45 C.F.R. § 2.32
                   when care facility       deliver documents to facility. Staff member must make sure                                                  note regarding redisclosure.
                   cannot open              document includes disclaimer statement. Staff member
                   encrypted files          documents transfer method and appropriate phone numbers,
                                            addresses, etc.
        OK03.06    Transfer of              Transfer of assessment would have to be encrypted before           Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to        being sent to care facility. An encryption key would have to                                                encryption, only "reasonable
                   care facility            be transferred separately to access data.                                                                   safeguard," though encryption is the
                                                                                                                                                        preferred method.

      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK03.11    Verification of          Physician verifies info received at next visit or                  Neutral                                                                         No legal driver
                   medical information      nursing/medical records staff looking for info
                   receipt at care facility

      Stakeholder: State Government
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK03.06    Transfer of              Transfer of assessment would have to be encrypted before           Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to        being sent to care facility. An encryption key would have to                                                encryption, only "reasonable
                   care facility            be transferred separately to access data.                                                                   safeguard," though encryption is the
                                                                                                                                                        preferred method.

   Domain:         7



      Stakeholder: Clinicians
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name               Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK03.05    Transfer of medical      Business Associate agreement would have to be in place            Barrier HIPAA                            Transcription Service-HIPAA requires No legal driver
                   information with        with transcription service requiring log-in from both sides with                                            "reasonable" (up to judgment of
                   transcription service   secure access of web portal through a VPN.                                                                  people).

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name               Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK03.10    Receive patient data    Staff deliver data or arrange for courier.                         Barrier                                                                         No legal driver
                   without electronic
                   means

      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name               Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK03.08    Access to care          Dr has to be on staff at nursing facility to send info             Barrier                                                                         No legal driver
                   facility EHR is
                   limited to staff only
        OK03.14    Access to EHR by        everyone in office shares one log-in                               Barrier                                  Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                                  per employee (possible violation of    164.312
                   credentialed staff                                                                                                                  software contract). Legal driver might
                                                                                                                                                       be individual but would have no
                                                                                                                                                       defense in case of violation.
        OK03.04    Appropriate            Dr receives admitting privileges/credentials after attendance       Neutral state/federal                    Appropriate admitting privileges;  45 C.F.R. § 164.530(c), 45
                   admitting              at orientation. Call help desk to get lost or new credentials.              law, HIPAA and                   HIPAA requires "reasonable" system C.F.R. § 142, 162
                   privileges/credentials Help Desk verifies identity with SSN and other criteria.                    audit                            in place and mandates appropriate
                   are given to provider                                                                                                               administrative safeguards &
                                                                                                                                                       "reasonable" safeguards from
                                                                                                                                                       intentional and unintentional
                                                                                                                                                       violations.
        OK03.09    Transfer of data        Staff member must print info and then either fax, mail or          Barrier HIPAA                            HIPAA-"reasonable"-must contain        45 C.F.R. § 2.32
                   when care facility      deliver documents to facility. Staff member must make sure                                                  note regarding redisclosure.
                   cannot open             document includes disclaimer statement. Staff member
                   encrypted files         documents transfer method and appropriate phone numbers,
                                           addresses, etc.
        OK03.06    Transfer of             Transfer of assessment would have to be encrypted before           Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to       being sent to care facility. An encryption key would have to                                                encryption, only "reasonable
                   care facility           be transferred separately to access data.                                                                   safeguard," though encryption is the
                                                                                                                                                       preferred method.

      Stakeholder: Other
        Business Practice                                                                                 Policy                     Legal Driver
        #         Short Name              Description                                               Class Short Name   Description   Narrative                             Code/Statute
        OK03.10    Receive patient data   Staff deliver data or arrange for courier.                Barrier                                                                No legal driver
                   without electronic
                   means

      Stakeholder: Physician Groups
        Business Practice                                                                                 Policy                     Legal Driver
        #         Short Name              Description                                               Class Short Name   Description   Narrative                             Code/Statute
        OK03.12    Access to EHR by       Dr shares log-in access with physician extenders          Barrier                          Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                per employee (possible violation of    164.312
                   credentialed staff                                                                                                software contract). Legal driver might
                                                                                                                                     be individual but would have no
                                                                                                                                     defense in case of violation.
        OK03.17    Accessing patient      review chart at hospital in person (physician on staff)   Neutral
                   chart
        OK03.22    Accessing patient      login access in private practice                          Barrier
                   electronic health
                   record
        OK03.31    Business               every outside person in proximity of or access to health  Barrier                          HIPAA Reasonable Protection
                   Agreement/Compliance   information (cleaning service, etc) must have agreement in
                                          place
        OK03.34    Secure physical        secure facility - no separate secure file area            Neutral
                   safety of files
        OK03.28    Staff access to        staff can access all health information                   Barrier
                   information
        OK03.29    Staff access to        login access limits some staff from viewing information   Neutral
                   information

      Stakeholder: Quality Improvement Organizations
        Business Practice                                                                                 Policy                     Legal Driver
        #         Short Name              Description                                               Class Short Name   Description   Narrative                             Code/Statute
        OK03.13    Access to EHR by       nurse signs on and lets Dr see the info                   Barrier                          HIPAA does not allow access to EHR 43A O.S. § 1.109
                   someone other than                                                                                                by someone other than credentialed
                   credentialed staff                                                                                                staff.




      Stakeholder: State Government
        Business Practice                                                                                         Policy                             Legal Driver
        #         Short Name               Description                                                      Class Short Name           Description   Narrative                              Code/Statute
        OK03.06    Transfer of             Transfer of assessment would have to be encrypted before         Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to       being sent to care facility. An encryption key would have to                                              encryption, only "reasonable
                   care facility           be transferred separately to access data.                                                                 safeguard," though encryption is the
                                                                                                                                                     preferred method.

   Domain:         8
      Stakeholder: Clinicians
        Business Practice                                                                                         Policy                             Legal Driver
        #         Short Name               Description                                                      Class Short Name           Description   Narrative                              Code/Statute
        OK03.15    Determine health        Clinic determines what health information is necessary to    Barrier
                   information shared in   share for treatment from doctor to doctor. Someone from
                   mental health           clinic accompanies him if patient is under emergency medical
                   situation               attention, patient rights are waived
        OK03.01    The transmission of     Patient must have signed a consent form signed by                Barrier                                  Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at       patient/guardian on admission to the hospital psych unit.                                                 time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge       Patient can say "no" to certain items. Then staff must ensure                                             driver for faxing requirement. We     1205 §2503
                   from one provider to    RN/LPN/admin is accepting faxes in the nursing home                                                       may want to make some
                   another.                facility. Once confirmed (via telephone) staff would fax data.                                            recommendations to the solutions
                                                                                                                                                     group regarding OK physician/patient
                                                                                                                                                     language. Oklahoma can be more
                                                                                                                                                     restrictive than HIPAA.

      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                             Legal Driver
        #         Short Name               Description                                                      Class Short Name           Description   Narrative                              Code/Statute
        OK03.04    Appropriate            Dr receives admitting privileges/credentials after attendance     Neutral state/federal                    Appropriate admitting privileges;  45 C.F.R. § 164.530(c), 45
                   admitting              at orientation. Call help desk to get lost or new credentials.            law, HIPAA and                   HIPAA requires "reasonable" system C.F.R. § 142, 162
                   privileges/credentials Help Desk verifies identity with SSN and other criteria.                  audit                            in place and mandates appropriate
                   are given to provider                                                                                                             administrative safeguards &
                                                                                                                                                     "reasonable" safeguards from
                                                                                                                                                     intentional and unintentional
                                                                                                                                                     violations.
        OK03.02    Secure appropriate      Appropriate consent form signed by patient/guardian on           Barrier HIPAA
                   consent                 admission, patient can say no to certain items
        OK03.01    The transmission of     Patient must have signed a consent form signed by                Barrier                                  Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at       patient/guardian on admission to the hospital psych unit.                                                 time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge       Patient can say "no" to certain items. Then staff must ensure                                             driver for faxing requirement. We     1205 §2503
                   from one provider to    RN/LPN/admin is accepting faxes in the nursing home                                                       may want to make some
                   another.                facility. Once confirmed (via telephone) staff would fax data.                                            recommendations to the solutions
                                                                                                                                                     group regarding OK physician/patient
                                                                                                                                                     language. Oklahoma can be more
                                                                                                                                                     restrictive than HIPAA.

      Stakeholder: Other
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name               Description                                                       Class Short Name   Description   Narrative                            Code/Statute
        OK03.26    Consent release to      patient consent for release of information only to identified     Barrier                                                               Title 43A 1-109.1
                   specified individuals   individuals (can limit who information is shared with)
        OK03.20    Secure patient          patient signs consents for specific visit/interview for mental    Barrier
                   consent                 health

      Stakeholder: Physician Groups
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name               Description                                                       Class Short Name   Description   Narrative                            Code/Statute
        OK03.21    Accessing patient       Physicians with staff privileges have access to information       Neutral
                   information
        OK03.23    Information transfer    information sent via fax or mail after patient consent, follow-   Barrier
                                           up with verbal consent if referral set up by provider (dentist)
        OK03.25    Testing done at         no patient consent received to forward to external lab/surgeon Neutral
                   outside location

      Stakeholder: State Government
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name                Description                                                        Class Short Name   Description   Narrative                             Code/Statute
        OK03.03    Transfer of additional   Facility Staff must contact hospital medical records             Barrier HIPAA                      Transfer of additional discharge info Title 310 § 667-12-13, no legal
                   discharge                department to see if additions have been made to chart                                              following discharge (receiving        driver on transfer of info
                   information after        since info was copied and sent, but this is typically not done.                                     partial/incomplete data). Established
                   discharge                State law doesn't require completion until 30 days after                                            time frames for completion of medical
                                            discharge, so not all pertinent data is available at time of                                        records (physician has up to 30 days
                                            discharge. What info is available at time of transfer (time lag-                                    to complete discharge summary).
                                            transcription) including changes to care? Follow-up to get
                                            additional records.

   Domain:         9
      Stakeholder: Clinicians
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name                Description                                                        Class Short Name   Description   Narrative                             Code/Statute
        OK03.01    The transmission of      Patient must have signed a consent form signed by                  Barrier                          Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at        patient/guardian on admission to the hospital psych unit.                                           time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge        Patient can say "no" to certain items. Then staff must ensure                                       driver for faxing requirement. We     1205 §2503
                   from one provider to     RN/LPN/admin is accepting faxes in the nursing home                                                 may want to make some
                   another.                 facility. Once confirmed (via telephone) staff would fax data.                                      recommendations to the solutions
                                                                                                                                                group regarding OK physician/patient
                                                                                                                                                language. Oklahoma can be more
                                                                                                                                                restrictive than HIPAA.
        OK03.05    Transfer of medical       Business Associate agreement would have to be in place            Barrier HIPAA                    Transcription Service-HIPAA requires No legal driver
                   information with         with transcription service requiring log-in from both sides with                                    "reasonable" (up to judgment of
                   transcription service    secure access of web portal through a VPN.                                                          people).

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name                Description                                                        Class Short Name   Description   Narrative                             Code/Statute
        OK03.10    Receive patient data     Staff deliver data or arrange for courier.                         Barrier                                                                No legal driver
                   without electronic
                   means

      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                             Legal Driver
        #         Short Name               Description                                                      Class Short Name           Description   Narrative                              Code/Statute
        OK03.08    Access to care          Dr has to be on staff at nursing facility to send info           Barrier                                                                         No legal driver
                   facility EHR is
                   limited to staff only
        OK03.14    Access to EHR by        everyone in office shares one log-in                             Barrier                                  Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                                per employee (possible violation of    164.312
                   credentialed staff                                                                                                                software contract). Legal driver might
                                                                                                                                                     be individual but would have no
                                                                                                                                                     defense in case of violation.
        OK03.01    The transmission of     Patient must have signed a consent form signed by                Barrier                                  Transmission of health records at     43A O.S. § 1.109(a)(2), 43A
                   health records at       patient/guardian on admission to the hospital psych unit.                                                 time of discharge. There was no legal O.S. § 5.513, 12 O.S. §2503,
                   time of discharge       Patient can say "no" to certain items. Then staff must ensure                                             driver for faxing requirement. We     1205 §2503
                   from one provider to    RN/LPN/admin is accepting faxes in the nursing home                                                       may want to make some
                   another.                facility. Once confirmed (via telephone) staff would fax data.                                            recommendations to the solutions
                                                                                                                                                     group regarding OK physician/patient
                                                                                                                                                     language. Oklahoma can be more
                                                                                                                                                     restrictive than HIPAA.
        OK03.09    Transfer of data        Staff member must print info and then either fax, mail or        Barrier HIPAA                            HIPAA-"reasonable"-must contain        45 C.F.R. § 2.32
                   when care facility      deliver documents to facility. Staff member must make sure                                                note regarding redisclosure.
                   cannot open             document includes disclaimer statement. Staff member
                   encrypted files         documents transfer method and appropriate phone numbers,
                                           addresses, etc.
        OK03.06    Transfer of             Transfer of assessment would have to be encrypted before         Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to       being sent to care facility. An encryption key would have to                                              encryption, only "reasonable
                   care facility           be transferred separately to access data.                                                                 safeguard," though encryption is the
                                                                                                                                                     preferred method.

      Stakeholder: Other
        Business Practice                                                                                         Policy                             Legal Driver
        #         Short Name               Description                                                      Class Short Name           Description   Narrative                              Code/Statute
        OK03.10    Receive patient data    Staff deliver data or arrange for courier.                       Barrier                                                                         No legal driver
                   without electronic
                   means

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name                Description                                                    Class Short Name           Description   Narrative                              Code/Statute
        OK03.12    Access to EHR by         Dr shares log-in access with physician extenders               Barrier                                  Shared log-in info due to license cost 43A O.S. § 1.109, 45 C.F.R. §
                   someone other than                                                                                                               per employee (possible violation of    164.312
                   credentialed staff                                                                                                               software contract). Legal driver might
                                                                                                                                                    be individual but would have no
                                                                                                                                                    defense in case of violation.
        OK03.11    Verification of          Physician verifies info received at next visit or              Neutral                                                                         No legal driver
                   medical information      nursing/medical records staff looking for info
                   receipt at care facility

      Stakeholder: Quality Improvement Organizations
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name                Description                                                    Class Short Name           Description   Narrative                              Code/Statute
        OK03.13    Access to EHR by         Nurse signs on and lets Dr see the info                        Barrier                                  HIPAA does not allow access to EHR 43A O.S. § 1.109
                   someone other than                                                                                                               by someone other than credentialed
                   credentialed staff                                                                                                               staff.

      Stakeholder: State Government
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name                Description                                                    Class Short Name           Description   Narrative                              Code/Statute
        OK03.03    Transfer of additional   Facility Staff must contact hospital medical records             Barrier HIPAA                          Transfer of additional discharge info Title 310 § 667-12-13, no legal
                   discharge                department to see if additions have been made to chart                                                  following discharge (receiving        driver on transfer of info
                   information after        since info was copied and sent, but this is typically not done.                                         partial/incomplete data). Established
                   discharge                State law doesn't require completion until 30 days after                                                time frames for completion of medical
                                            discharge, so not all pertinent data is available at time of                                            records (physician has up to 30 days
                                            discharge. What info is available at time of transfer (time lag-                                        to complete discharge summary).
                                            transcription) including changes to care? Follow-up to get
                                            additional records.
        OK03.06    Transfer of              Transfer of assessment would have to be encrypted before       Barrier HIPAA, state law                 Encryption-HIPAA does not require      45 C.F.R. § 164.132
                   encrypted data to        being sent to care facility. An encryption key would have to                                            encryption, only "reasonable
                   care facility            be transferred separately to access data.                                                               safeguard," though encryption is the
                                                                                                                                                    preferred method.


Scenario: 4
   Domain:         1


      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name               Description                                                       Class Short Name   Description   Narrative      Code/Statute
        OK04.03    Sufficient              In outpatient situation, compare signatures for outpatient        Barrier
                   patient/entity          release to signatures for consent form. Can verify institutions
                   authentication for      by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing     fax machine at that institution. Some records (radiology
                   PHI                     images) can be transferred onto CD and provided to patient
                                           for transfer between institutions.

      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name               Description                                                       Class Short Name   Description   Narrative      Code/Statute
        OK04.03    Sufficient              In outpatient situation, compare signatures for outpatient        Barrier                                         No legal driver
                   patient/entity          release to signatures for consent form. Can verify institutions
                   authentication for      by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing     fax machine at that institution. Some records (radiology
                   PHI                     images) can be transferred onto CD and provided to patient
                                           for transfer between institutions.

      Stakeholder: Physician Groups
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name               Description                                                       Class Short Name   Description   Narrative      Code/Statute
        OK04.02    Appropriate method      Patient must sign release form through either the treating-       Barrier
                   of obtaining patient-   institution or sharing-institution
                   consent to request
                   PHI from an
                   institution

   Domain:         2
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name               Description                                                       Class Short Name   Description   Narrative      Code/Statute
        OK04.03    Sufficient              In outpatient situation, compare signatures for outpatient        Barrier
                   patient/entity          release to signatures for consent form. Can verify institutions
                   authentication for      by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing     fax machine at that institution. Some records (radiology
                   PHI                     images) can be transferred onto CD and provided to patient
                                           for transfer between institutions.

      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name             Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK04.03    Sufficient            In outpatient situation, compare signatures for outpatient          Barrier                                                              No legal driver
                   patient/entity        release to signatures for consent form. Can verify institutions
                   authentication for    by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing   fax machine at that institution. Some records (radiology
                   PHI                   images) can be transferred onto CD and provided to patient
                                         for transfer between institutions.

      Stakeholder: Physician Groups
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name             Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK04.04    Appropriate release   Patient requests records of deceased relative which may be          Barrier                          No one has authority to represent     45CFR 2.15(b)(2), 45CFR
                   of PHI for deceased   relevant to hereditary condition. Refer question to legal to                                         deceased person except someone        164.502 (g)(1), HIPAA
                   relative to patient   ascertain who owns the records of deceased persons (estate                                           appointed as personal representative.
                                         of deceased, hospital, etc.). Can the info be released without
                                         a court order or consent of the estate? Through what means
                                         would this be achieved?

   Domain:         3
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name             Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK04.03    Sufficient            In outpatient situation, compare signatures for outpatient          Barrier
                   patient/entity        release to signatures for consent form. Can verify institutions
                   authentication for    by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing   fax machine at that institution. Some records (radiology
                   PHI                   images) can be transferred onto CD and provided to patient
                                         for transfer between institutions.

      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                     Legal Driver
        #         Short Name             Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK04.01    Appropriate release   If patient does not sign consent it becomes their                   Barrier
                   of PHI when patient   responsibility to obtain records from a given institution, filter
                   won't sign consent    out the info they do not want available in their copy, and
                                         provide this copy to their current treatment institution.


        OK04.03    Sufficient              In outpatient situation, compare signatures for outpatient          Barrier                                         No legal driver
                   patient/entity          release to signatures for consent form. Can verify institutions
                   authentication for      by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing     fax machine at that institution. Some records (radiology
                   PHI                     images) can be transferred onto CD and provided to patient
                                           for transfer between institutions.

      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative      Code/Statute
        OK04.02    Appropriate method      Patient must sign release form through either the treating-         Barrier
                   of obtaining patient-   institution or sharing-institution
                   consent to request
                   PHI from an
                   institution
        OK04.01    Appropriate release     If patient does not sign consent it becomes their                   Barrier                                         HIPAA 45 CFR 164.508(c), 45
                   of PHI when patient     responsibility to obtain records from a given institution, filter                                                   CFR 2.31(a)
                   won't sign consent      out the info they do not want available in their copy, and
                                           provide this copy to their current treatment institution.

   Domain:         7
      Stakeholder: Hospitals
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative      Code/Statute
        OK04.01    Appropriate release     If patient does not sign consent it becomes their                   Barrier
                   of PHI when patient     responsibility to obtain records from a given institution, filter
                   won't sign consent      out the info they do not want available in their copy, and
                                           provide this copy to their current treatment institution.

      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative      Code/Statute
        OK04.01    Appropriate release     If patient does not sign consent it becomes their                   Barrier                                         HIPAA 45 CFR 164.508(c), 45
                   of PHI when patient     responsibility to obtain records from a given institution, filter                                                   CFR 2.31(a)
                   won't sign consent      out the info they do not want available in their copy, and
                                           provide this copy to their current treatment institution.

   Domain:         9
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK04.03    Sufficient              In outpatient situation, compare signatures for outpatient          Barrier
                   patient/entity          release to signatures for consent form. Can verify institutions
                   authentication for      by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing     fax machine at that institution. Some records (radiology
                   PHI                     images) can be transferred onto CD and provided to patient
                                           for transfer between institutions.

      Stakeholder: Hospitals
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK04.01    Appropriate release     If patient does not sign consent it becomes their                   Barrier
                   of PHI when patient     responsibility to obtain records from a given institution, filter
                   won't sign consent      out the info they do not want available in their copy, and
                                           provide this copy to their current treatment institution.
        OK04.03    Sufficient              In outpatient situation, compare signatures for outpatient          Barrier                                                              No legal driver
                   patient/entity          release to signatures for consent form. Can verify institutions
                   authentication for      by calling ahead to verify fax number provided is in fact for a
                   accessing/releasing     fax machine at that institution. Some records (radiology
                   PHI                     images) can be transferred onto CD and provided to patient
                                           for transfer between institutions.

      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK04.02    Appropriate method      Patient must sign release form through either the treating-         Barrier
                   of obtaining patient-   institution or sharing-institution
                   consent to request
                   PHI from an
                   institution
        OK04.04    Appropriate release     Patient requests records of deceased relative which may be          Barrier                          No one has authority to represent     45CFR 2.15(b)(2), 45CFR
                   of PHI for deceased     relevant to hereditary condition. Refer question to legal to                                         deceased person except someone        164.502 (g)(1), HIPAA
                   relative to patient     ascertain who owns the records of deceased persons (estate                                           appointed as personal representative.
                                           of deceased, hospital, etc.). Can the info be released without
                                           a court order or consent of the estate? Through what means
                                           would this be achieved?




        OK04.01    Appropriate release    If patient does not sign consent it becomes their                   Barrier                                                              HIPAA 45 CFR 164.508(c), 45
                   of PHI when patient    responsibility to obtain records from a given institution, filter                                                                        CFR 2.31(a)
                   won't sign consent     out the info they do not want available in their copy, and
                                          provide this copy to their current treatment institution.

Scenario: 5
   Domain:         1
      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name              Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or           Barrier                                                              No legal driver.
                   is granted to payer to third party agreement
                   access EHR

      Stakeholder: Payers
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name              Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK05.15    Appropriate            If access is requested to med records in the EHR the                Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.
        OK05.03    Payer can request      Payer provides written request with patient                         Barrier                          Insurance requires proof of loss.   36 O.S. § 1219
                   specific info they     name/date/diagnosis on letterhead for authentication
                   need

      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name              Description                                                         Class Short Name   Description   Narrative                           Code/Statute
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or     Barrier                                                                         No legal driver.
                   is granted to payer to third party agreement
                   access EHR

   Domain:         2
      Stakeholder: Consumers
        Business Practice                                                                                     Policy                              Legal Driver
        #         Short Name               Description                                                  Class Short Name            Description   Narrative                             Code/Statute
        OK05.10    Amount of             Govt entities have full access/audit of patient information.   Neutral state/federal law                 Medicare has access to anything.      45 C.F.R. § 164.502(b) & (d)
                   information           OIG, CDC, DHS, FDA, etc. doing it for the public good                  to supersede
                   accessible by payers. (fraud, quality assurance, etc)                                        patient privacy

      Stakeholder: Hospitals
        Business Practice                                                                                     Policy                              Legal Driver
        #         Short Name               Description                                                  Class Short Name            Description   Narrative                             Code/Statute
        OK05.11    Amount of             Contract could allow payer access to data if data was          Barrier HIPAA,                            Family history is a part of EHR.
                   information           portioned out. Provider would not allow full access to                 accreditation
                   accessible by payers. electronic health record. Software exists to portion out               standards,
                                         pertinent patient data - OGSA-DAI (www.ogsadai.org)                    Privacy Act of
                                                                                                                1974
        OK05.09    Amount of             Deny access of info to private payer if outside scope of       Barrier HIPAA,                            Retrieve only info they need and no   45 C.F.R. § 164.502(a), 36 O.S.
                   information           contract between provider and payer                                    accreditation                     more.                                 § 1219
                   accessible by payers.                                                                        standards,
                                                                                                                Privacy Act of
                                                                                                                1974
        OK05.11    Amount of             Contracts with payers determine min necessary info to get      Barrier                                   Retrieve only info they need and no   45 C.F.R. § 164.502(a), 36 O.S.
                   information           payment (different with each payer)                                                                      more.                                 § 1219
                   accessible by payers.
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or     Barrier                                                                         No legal driver.
                   is granted to payer to third party agreement
                   access EHR
        OK05.01    Secure appropriate     Patient/guardian signs provider/payer release(s)/consent      Barrier                                                                         No legal driver.
                   release of patient
                   information for health
                   plan (payer).



      Stakeholder: Payers
        Business Practice                                                                                        Policy                           Legal Driver
        #         Short Name              Description                                                      Class Short Name         Description   Narrative                             Code/Statute
        OK05.08    Appropriate access     Payer needs identifiable info (Name, SSN, etc.) for              Barrier                                HIPAA-"reasonable safeguards"
                   for payer to           credentialing
                   identifiable
                   information for
                   credentialing
        OK05.15    Appropriate            If access is requested to med records in the EHR the             Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                           Legal Driver
        #         Short Name              Description                                                      Class Short Name         Description   Narrative                             Code/Statute
        OK05.13    Amount of             Contract could allow payer access to data if data was             Barrier HIPAA,                         Family history is a part of EHR.
                   information           portioned out. Provider would not allow full access to                    accreditation
                   accessible by payers. electronic health record. Software exists to portion out                  standards,
                                         pertinent patient data - OGSA-DAI (www.ogsadai.org)                       Privacy Act of
                                                                                                                   1974
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or        Barrier                                                                      No legal driver.
                   is granted to payer to third party agreement
                   access EHR

   Domain:         3
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                           Legal Driver
        #         Short Name              Description                                                      Class Short Name         Description   Narrative                             Code/Statute
        OK05.11    Amount of             Contracts with payers determine min necessary info to get         Barrier                                Retrieve only info they need and no   45 C.F.R. § 164.502(a), 36 O.S.
                   information           payment (different with each payer)                                                                      more.                                 § 1219
                   accessible by payers.



      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                           Code/Statute
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or        Barrier                                                              No legal driver.
                   is granted to payer to third party agreement
                   access EHR
        OK05.06    Provider is asking     Patients often don't know what services they are eligible for.   Neutral                                                              No legal driver.
                   payer for coverage
                   info.

      Stakeholder: Payers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                           Code/Statute
        OK05.08    Appropriate access     Payer needs identifiable info (Name, SSN, etc.) for              Barrier                          HIPAA-"reasonable safeguards"
                   for payer to           credentialing
                   identifiable
                   information for
                   credentialing
        OK05.15    Appropriate            If access is requested to med records in the EHR the             Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.
        OK05.03    Payer can request      Payer provides written request with patient                      Barrier                          Insurance requires proof of loss.   36 O.S. § 1219
                   specific info they     name/date/diagnosis on letterhead for authentication
                   need

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                           Code/Statute
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or        Barrier                                                              No legal driver.
                   is granted to payer to third party agreement
                   access EHR

   Domain:         4
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK05.01    Secure appropriate     Patient/guardian signs provider/payer release(s)/consent         Barrier                                         No legal driver.
                   release of patient
                   information for health
                   plan (payer).

      Stakeholder: Payers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK05.15    Appropriate            If access is requested to med records in the EHR the             Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.

   Domain:         5
      Stakeholder: Payers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK05.15    Appropriate            If access is requested to med records in the EHR the             Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.

   Domain:         7

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or        Barrier                                         No legal driver.
                   is granted to payer to third party agreement
                   access EHR

      Stakeholder: Payers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK05.15    Appropriate            If access is requested to med records in the EHR the             Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK05.02    Appropriate access     Payer has user id and password through payer agreement or        Barrier                                         No legal driver.
                   is granted to payer to third party agreement
                   access EHR

   Domain:         8
      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK05.01    Secure appropriate     Patient/guardian signs provider/payer release(s)/consent         Barrier                                         No legal driver.
                   release of patient
                   information for health
                   plan (payer).




      Stakeholder: Payers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                        Code/Statute
        OK05.15    Appropriate            If access is requested to med records in the EHR the             Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.

   Domain:         9
      Stakeholder: Payers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                        Code/Statute
        OK05.15    Appropriate            If access is requested to med records in the EHR the             Barrier
                   policy/procedure for   institution must have consent from patient to reveal info. The
                   obtaining access to    institution assesses the reason for the request and whether
                   operating EHR          the request warrants viewing capabilities only or also access
                                          to hard copies. Charge appropriate fee for EHR access.
                                          Case referred to peer review if does not meet criteria for
                                          approval. Institutions informed of approval of access by
                                          phone, fax, or mail. Confirmation letter requesting provider,
                                          AP, and enrollee is then mailed. Manner of response is
                                          recorded in Med info System. Access stands until patient
                                          discharged or criteria no longer met.

Scenario: 6
   Domain:         1
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                        Code/Statute
        OK06.17    Appropriate IRB        Contact/receive IRB approval                                     Barrier                          Appropriate IRB approval (must   42 C.F.R.
                   approval                                                                                                                 have).

      Stakeholder: Other
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK06.08    Accept referral from Accepts their referral form or alternate form with required         Barrier Nonprofit charter   P&P HIPAA     HIPAA - Continuity of Care
                   provider for          information [Scenario Modification: referral coordinating                  501c3
                   additional service    network]
                   written referral -
                   unique to provider &
                   patient (fax or USPS)
        OK06.15    Entry of patient data   Process patient data to determine eligibility if not already     Barrier                                   HIPAA - Continuity of Care. HIPAA     HIPAA - continuity of care, 45
                   (Enrollment)            completed. Enrollment forms received by fax or USPS                                                        requires release. Once signed, info   C.F.R. § 64.512 (I)(i)
                                           (written) or e-mail [currently]. Moving to online entry of                                                 could be shared inside RHIO. Not
                                           patient data. Patient signs forms                                                                          based on continuity of care but on
                                                                                                                                                      contract.
        OK06.07    Patient appointment     Some Providers have access to online system to access            Barrier Internal policy
                   notification sent to    patient referral status including patient data, not everyone             approved by
                   provider limited        has access. Provider organization limits access to their staff           board
                   online access - read    (Must attend training & must be issued an individual access
                   only access             agreement).

      Stakeholder: Physician Groups
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK06.23    HIPAA compliant         log-in over web, encryption, depending on size of data           Barrier                                   HIPAA "reasonable standards"
                   security exchange

      Stakeholder: Public Health Agency
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK06.14    Researchers have        Data provided in any format by request of researcher -           Neutral                                   OK cancer reporting law- State 63051- OK cancer reporting law- State
                   access to cancer        patients are not required to give authorization of release of                                              551; Federal PL 102-515               63051-551; Federal PL 102-515
                   patient data after      data. [Scenario Modification: cancer instead of diabetes].
                   IRB approval and
                   commission of
                   Health approval for
                   study

   Domain:         2



      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                              Code/Statute
        OK06.17    Appropriate IRB         Contact/receive IRB approval                                     Barrier                                   Appropriate IRB approval (must         42 C.F.R.
                   approval                                                                                                                           have).

      Stakeholder: Other
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                              Code/Statute
        OK06.08    Accept referral from Accepts their referral form or alternate form with required         Barrier Nonprofit charter   P&P HIPAA     HIPAA - Continuity of Care
                   provider for          information [Scenario Modification: referral coordinating                  501c3
                   additional service    network]
                   written referral -
                   unique to provider &
                   patient (fax or USPS)
        OK06.06    Authorization from      No authorization is given by patients to use their PHI in this   Barrier                                   VWG and LWG have different             Legal Driver is HIPAA – requires
                   patients to allow       way, staff communicates that patient data is only shared for                                               perspectives. Only people to see all   any identifying markers to be
                   RHIO to monitor         continuity of care.                                                                                        of info is RHIO.                       removed. There may be other
                   their PHI for disease                                                                                                                                                     applicable state laws. (OHCA to
                   management.                                                                                                                                                               review)
        OK06.15    Entry of patient data   Process patient data to determine eligibility if not already     Barrier                                   HIPAA - Continuity of Care. HIPAA      HIPAA - continuity of care, 45
                   (Enrollment)            completed. Enrollment forms received by fax or USPS                                                        requires release. Once signed, info    C.F.R. § 64.512 (I)(i)
                                           (written) or e-mail [currently]. Moving to online entry of                                                 could be shared inside RHIO. Not
                                           patient data. Patient signs forms                                                                          based on continuity of care but on
                                                                                                                                                      contract.
        OK06.07    Patient appointment     Some Providers have access to online system to access            Barrier Internal policy
                   notification sent to    patient referral status including patient data, not everyone             approved by
                   provider limited        has access. Provider organization limits access to their staff           board
                   online access - read    (Must attend training & must be issued an individual access
                   only access             agreement).
        OK06.04    Patient signs consent If patient doesn't sign form, provider can't make referral         Barrier Project Access                    Project Access Program policy          45 C.F.R. § 64.512 (I)(i)
                                                                                                                    Program policy
        OK06.25    Provider Referral       Form completed by provider and included in enrollment.           Barrier                                   HIPAA - Continuity of Care. HIPAA      HIPAA - continuity of care, 45
                   Form                    Patient does not sign.                                                                                     requires release. Once signed, info    C.F.R. § 64.512 (I)(i)
                                                                                                                                                      could be shared inside RHIO. Not
                                                                                                                                                      based on continuity of care but on
                                                                                                                                                      contract.
        OK06.21    Required to provide     obligated to take care of patient even if they do not provide Neutral
                   care                    patient consent for treatment and payment (if core committed)




      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                               Legal Driver
        #         Short Name              Description                                                     Class Short Name             Description   Narrative                             Code/Statute
        OK06.16    Define patient data    Determine what information is necessary to be sent and how       Barrier
                   requested              information will be used
        OK06.23    HIPAA compliant        log-in over web, encryption, depending on size of data           Barrier                                   HIPAA "reasonable standards"
                   security exchange
        OK06.11    Release of             Limit the type of information the RHIO receives                  Barrier                                                                         No legal driver.
                   information
        OK06.02    Release of             wouldn't release information if information is not used for      Barrier
                   Information            medical treatment,
        OK06.02    Release of             if release of information isn't used for wrong purpose, punitive Barrier
                   Information            to provider, patient - should be based on patient care
        OK06.10    Release of             Define use of info by RHIO, should only be for education         Barrier                                                                         No legal driver.
                   information

   Domain:         3
      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                               Legal Driver
        #         Short Name              Description                                                     Class Short Name             Description   Narrative                             Code/Statute
        OK06.23    HIPAA compliant        log-in over web, encryption, depending on size of data           Barrier                                   HIPAA "reasonable standards"
                   security exchange

   Domain:         4
      Stakeholder: Other
        Business Practice                                                                                       Policy                               Legal Driver
        #         Short Name              Description                                                     Class Short Name             Description   Narrative                             Code/Statute
        OK06.08    Accept referral from Accepts their referral form or alternate form with required        Barrier Nonprofit charter   P&P HIPAA     HIPAA - Continuity of Care
                   provider for          information [Scenario Modification: referral coordinating                 501c3
                   additional service    network]
                   written referral -
                   unique to provider &
                   patient (fax or USPS)
        OK06.20    Issuing patient        Provider mails packet of appointment information to patient      Barrier                                   HIPAA - Continuity of Care. HIPAA     HIPAA - continuity of care, 45
                   appointment                                                                                                                       requires release. Once signed, info   C.F.R. § 64.512 (I)(i)
                   information to patient                                                                                                            could be shared inside RHIO. Not
                                                                                                                                                     based on continuity of care but on
                                                                                                                                                     contract.

      Stakeholder: Other
        Business Practice                                                                                          Policy                            Legal Driver
        #         Short Name              Description                                                        Class Short Name          Description   Narrative                             Code/Statute
        OK06.07    Patient appointment    Some Providers have access to online system to access              Barrier Internal policy
                   notification sent to   patient referral status including patient data, not everyone               approved by
                   provider limited       has access. Provider organization limits access to their staff             board
                   online access - read   (Must attend training & must be issued an individual access
                   only access            agreement).
        OK06.25    Provider Referral      Form completed by provider and included in enrollment.             Barrier                                 HIPAA - Continuity of Care. HIPAA     HIPAA - continuity of care, 45
                   Form                   Patient does not sign.                                                                                     requires release. Once signed, info   C.F.R. § 64.512 (I)(i)
                                                                                                                                                     could be shared inside RHIO. Not
                                                                                                                                                     based on continuity of care but on
                                                                                                                                                     contract.
        OK06.24    Send referral to       Information sent via fax with confidentiality statement. Patient   Barrier                                 HIPAA requires release. Once          45 C.F.R. § 64.512 (I)(i)
                   consulting provider    authorizes transfer of information.                                                                        signed, info could be shared inside
                   to set up account                                                                                                                 RHIO. Not based on continuity of
                                                                                                                                                     care but on contract.

      Stakeholder: Physician Groups
        Business Practice                                                                                          Policy                            Legal Driver
        #         Short Name              Description                                                        Class Short Name          Description   Narrative                             Code/Statute
        OK06.23    HIPAA compliant        log-in over web, encryption, depending on size of data             Barrier                                 HIPAA "reasonable standards"
                   security exchange
        OK06.11    Release of             Limit the type of information the RHIO receives                    Barrier                                                                       No legal driver.
                   information
        OK06.10    Release of             Define use of info by RHIO, should only be for education           Barrier                                                                       No legal driver.
                   information

      Stakeholder: Public Health Agency
        Business Practice                                                                                          Policy                            Legal Driver
        #         Short Name              Description                                                        Class Short Name          Description   Narrative                             Code/Statute
        OK06.14    Researchers have       Data provided in any format by request of researcher -             Neutral                                 OK cancer reporting law- State 63051- OK cancer reporting law- State
                   access to cancer       patient are not required to give authorization of release of                                               551; Federal PL 102-515               63051-551; Federal PL 102-515
                   patient data after     data. [Scenario Modification: cancer instead of diabetes].
                   IRB approval and
                   commission of
                   Health approval for
                   study

   Domain:         5

      Stakeholder: Other
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.06    Authorization from      No authorization is given by patients to use their PHI in this   Barrier                                 VWG and LWG have different             Legal Driver is HIPAA – requires
                   patients to allow       way, staff communicates that patient data is only shared for                                             perspectives. Only people to see all   any identifying markers to be
                   RHIO to monitor         continuity of care.                                                                                      of info is RHIO.                       removed. There may be other
                   their PHI for disease                                                                                                                                                   applicable state laws. (OHCA to
                   management.                                                                                                                                                             review)
        OK06.15    Entry of patient data   Process patient data to determine eligibility if not already     Barrier                                 HIPAA - Continuity of Care. HIPAA      HIPAA - continuity of care, 45
                   (Enrollment)            completed. Enrollment forms received by fax or USPS                                                      requires release. Once signed, info    C.F.R. § 64.512 (I)(i)
                                           (written) or e-mail [currently]. Moving to online entry of                                               could be shared inside RHIO. Not
                                           patient data. Patient signs forms                                                                        based on continuity of care but on
                                                                                                                                                    contract.
        OK06.07    Patient appointment     Some Providers have access to online system to access            Barrier Internal policy
                   notification sent to    patient referral status including patient data, not everyone             approved by
                   provider limited        has access. Provider organization limits access to their staff           board
                   online access - read    (Must attend training & must be issued an individual access
                   only access             agreement).

      Stakeholder: Physician Groups
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.10    Release of              Define use of info by RHIO, should only be for education         Barrier                                                                        No legal driver.
                   information

      Stakeholder: Public Health Agency
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.14    Researchers have        Data provided in any format by request of researcher -           Neutral                                 OK cancer reporting law- State 63051- OK cancer reporting law- State
                   access to cancer        patient are not required to give authorization of release of                                             551; Federal PL 102-515               63051-551; Federal PL 102-515
                   patient data after      data. [Scenario Modification: cancer instead of diabetes].
                   IRB approval and
                   commission of
                   Health approval for
                   study

   Domain:         6




      Stakeholder: Other
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.06    Authorization from      No authorization is given by patients to use their PHI in this   Barrier                                 VWG and LWG have different             Legal Driver is HIPAA – requires
                   patients to allow       way, staff communicates that patient data is only shared for                                             perspectives. Only people to see all   any identifying markers to be
                   RHIO to monitor         continuity of care.                                                                                      of info is RHIO.                       removed. There may be other
                   their PHI for disease                                                                                                                                                   applicable state laws. (OHCA to
                   management.                                                                                                                                                             review)

      Stakeholder: Physician Groups
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.10    Release of              Define use of info by RHIO, should only be for education         Barrier                                                                        No legal driver.
                   information

      Stakeholder: State Government
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.09    Patient notified of     Patient receives notice that info will be shared for treatment   Neutral                                 HIPAA for treatment purposes.
                   information transfer    purposes. Patient cannot opt out if they want service.
                   for treatment
                   purposes.

   Domain:         7
      Stakeholder: Other
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.05    Contractors access      Contractors must sign confidentiality agreement                  Barrier Internal policy                 HIPAA requires network agreement       45 C.F.R. § 160.103 & 45
                   to patient data                                                                                  approved by                     containing business associate          C.F.R. § 164.504
                                                                                                                    board                           language.

      Stakeholder: Physician Groups
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name               Description                                                      Class Short Name          Description   Narrative                              Code/Statute
        OK06.23    HIPAA compliant         log-in over web, encryption, depending on size of data           Barrier                                 HIPAA "reasonable standards"
                   security exchange



      Stakeholder: Public Health Agency
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name              Description                                                      Class Short Name          Description   Narrative                            Code/Statute
        OK06.14    Researchers have       Data provided in any format by request of researcher -           Neutral                                 OK cancer reporting law- State 63051- OK cancer reporting law- State
                   access to cancer       patient are not required to give authorization of release of                                             551; Federal PL 102-515               63051-551; Federal PL 102-515
                   patient data after     data. [Scenario Modification: cancer instead of diabetes].
                   IRB approval and
                   commission of
                   Health approval for
                   study

   Domain:         8
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name              Description                                                      Class Short Name          Description   Narrative                            Code/Statute
        OK06.17    Appropriate IRB        Contact/receive IRB approval                                     Barrier                                 Appropriate IRB approval (must       42 C.F.R.
                   approval                                                                                                                        have).

      Stakeholder: Other
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name              Description                                                      Class Short Name          Description   Narrative                            Code/Statute
        OK06.07    Patient appointment    Some Providers have access to online system to access            Barrier Internal policy
                   notification sent to   patient referral status including patient data, not everyone             approved by
                   provider limited       has access. Provider organization limits access to their staff           board
                   online access - read   (Must attend training & must be issued an individual access
                   only access            agreement).
        OK06.21    Required to provide    obligated to take care of patient even if they do not provide Neutral
                   care                   patient consent for treatment and payment (if core committed)

      Stakeholder: State Government
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name              Description                                                      Class Short Name          Description   Narrative                            Code/Statute
        OK06.09    Patient notified of    Patient receives notice that info will be shared for treatment   Neutral                                 HIPAA for treatment purposes.
                   information transfer   purposes. Patient cannot opt out if they want service.
                   for treatment
                   purposes.

   Domain:         9

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                        Code/Statute
        OK06.01    Appropriate release    Patient authorization - release of information with opt out/opt   Barrier
                   of patient information in clause
        OK06.18    Requirement to         Make participation mandatory to receive services                  Barrier                                                          No legal driver.
                   provide care

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                        Code/Statute
        OK06.17    Appropriate IRB        Contact/receive IRB approval                                      Barrier                         Appropriate IRB approval (must   42 C.F.R.
                   approval                                                                                                                 have).
        OK06.03    Third Party Contract   Would require Business Associate agreement in place               Barrier                         HIPAA


      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                        Code/Statute
        OK06.01    Appropriate release    Patient authorization - release of information with opt out/opt   Barrier
                   of patient information in clause
        OK06.23    HIPAA compliant        log-in over web, encryption, depending on size of data            Barrier                         HIPAA "reasonable standards"
                   security exchange
        OK06.22    Release of             Contract with RHIO on how they use data                           Barrier                                                          No legal driver.
                   information
        OK06.11    Release of             Limit the type of information the RHIO receives                   Barrier                                                          No legal driver.
                   information
        OK06.10    Release of             Define use of info by RHIO, should only be for education          Barrier                                                          No legal driver.
                   information
        OK06.13    Requirement to         If they don't sign consent, can provide patient 30 day           Unassigned
                   provide care           notification to discontinue to provide treatment

      Stakeholder: State Government
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                        Code/Statute
        OK06.09    Patient notified of    Patient receives notice that info will be shared for treatment   Neutral                          HIPAA for treatment purposes.
                   information transfer   purposes. Patient cannot opt out if they want service.
                   for treatment
                   purposes.

Scenario: 7
   Domain:         1
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                              Legal Driver
        #         Short Name             Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.07    Appropriate consent   Get consent from all participants & drug company                 barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                  criminal/personal                 might vary if drug company has
                   participants                                                                                   gain, licensure                   property rights.
                                                                                                                  boards, state
                                                                                                                  laws, mental
                                                                                                                  health state laws
        OK07.05    Appropriate IRB       Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new      multiple IRB, hospital, research)
                   activities

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                              Legal Driver
        #         Short Name             Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.07    Appropriate consent   Get consent from all participants & drug company                 barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                  criminal/personal                 might vary if drug company has
                   participants                                                                                   gain, licensure                   property rights.
                                                                                                                  boards, state
                                                                                                                  laws, mental
                                                                                                                  health state laws
        OK07.05    Appropriate IRB       Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new      multiple IRB, hospital, research)
                   activities

   Domain:         2
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                              Legal Driver
        #         Short Name             Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.07    Appropriate consent   Get consent from all participants & drug company                 barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                  criminal/personal                 might vary if drug company has
                   participants                                                                                   gain, licensure                   property rights.
                                                                                                                  boards, state
                                                                                                                  laws, mental
                                                                                                                  health state laws
        OK07.05    Appropriate IRB       Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new      multiple IRB, hospital, research)
                   activities



      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.03    IRB approval            Re-obtain consent. Resubmit IRB, New pharmacy                    Barrier IRB cannon rule
                   required for protocol   agreement.                                                               of OHRP/HHS
                   changes

      Stakeholder: Public Health Agencies
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.02    Cannot provide raw      Data has to be cleared first                                     Barrier                                   State Law 63 051-551
                   data

      Stakeholder: Public Health Agency
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.07    Appropriate consent     Get consent from all participants & drug company                 barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                    criminal/personal                 might vary if drug company has
                   participants                                                                                     gain, licensure                   property rights.
                                                                                                                    boards, state
                                                                                                                    laws, mental
                                                                                                                    health state laws
        OK07.05    Appropriate IRB         Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new        multiple IRB, hospital, research)
                   activities

   Domain:         3
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.07    Appropriate consent     Get consent from all participants & drug company                 barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                    criminal/personal                 might vary if drug company has
                   participants                                                                                     gain, licensure                   property rights.
                                                                                                                    boards, state
                                                                                                                    laws, mental
                                                                                                                    health state laws
        OK07.05    Appropriate IRB         Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new        multiple IRB, hospital, research)
                   activities

      Stakeholder: Public Health Agency
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                              Code/Statute
        OK07.07    Appropriate consent     Get consent from all participants & drug company                 barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                    criminal/personal                 might vary if drug company has
                   participants                                                                                     gain, licensure                   property rights.
                                                                                                                    boards, state
                                                                                                                    laws, mental
                                                                                                                    health state laws
        OK07.05    Appropriate IRB         Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new        multiple IRB, hospital, research)
                   activities

   Domain:         4
      Stakeholder: Consumers
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                              Code/Statute
        OK07.01    IRB approval            Receiving IRB approval for research project: Must receive        Barrier IRB Policy                        Since State Law 63 051-551 was         Consensus that this cannot be
                   required for protocol   IRB approval for change in the research project. If the                                                    cited by VWG but appears to have       done based on several state
                   changes                 change in the research protocol is approved the investigator                                               been repealed, is there another        laws, including O.S. 43 1-109.
                                           requesting the data will not be provided with raw data.                                                    applicable state law? Perhaps 1-551-   Discussion about “63 O.S. §051-
                                                                                                                                                      .1 Research? Parental consent.         551” noted by variations group,
                                                                                                                                                                                             cursory review of statutes
                                                                                                                                                                                             indicated this law was repealed.
                                                                                                                                                                                             Should "informed consent" be
                                                                                                                                                                                             included?

   Domain:         5
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                              Code/Statute
        OK07.05    Appropriate IRB         Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new        multiple IRB, hospital, research)
                   activities
        OK07.03    IRB approval            Re-obtain consent. Resubmit IRB, New pharmacy                    Barrier IRB cannon rule
                   required for protocol   agreement.                                                               of OHRP/HHS
                   changes




      Stakeholder: Public Health Agency
        Business Practice                                                                                    Policy                     Legal Driver
        #         Short Name          Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK07.05    Appropriate IRB    Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new   multiple IRB, hospital, research)
                   activities

   Domain:         6
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                    Policy                     Legal Driver
        #         Short Name          Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK07.05    Appropriate IRB    Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new   multiple IRB, hospital, research)
                   activities

      Stakeholder: Public Health Agency
        Business Practice                                                                                    Policy                     Legal Driver
        #         Short Name          Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK07.05    Appropriate IRB    Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new   multiple IRB, hospital, research)
                   activities

   Domain:         7
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                    Policy                     Legal Driver
        #         Short Name          Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK07.05    Appropriate IRB    Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new   multiple IRB, hospital, research)
                   activities

      Stakeholder: Public Health Agency
        Business Practice                                                                                    Policy                     Legal Driver
        #         Short Name          Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK07.05    Appropriate IRB    Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new   multiple IRB, hospital, research)
                   activities

   Domain:         8
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.03    IRB approval            Re-obtain consent. Resubmit IRB, New pharmacy                    Barrier IRB cannon rule
                   required for protocol   agreement.                                                               of OHRP/HHS
                   changes
        OK07.04    Review of proposal      Ask for proposal of researcher                                   Barrier


      Stakeholder: Public Health Agencies
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.02    Cannot provide raw      Data has to be cleared first                                     Barrier                                   State Law 63 051-551
                   data

   Domain:         9
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                              Legal Driver
        #         Short Name               Description                                                      Class Short Name            Description   Narrative                             Code/Statute
        OK07.07    Appropriate consent     Get consent from all participants & drug company                 barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                    criminal/personal                 might vary if drug company has
                   participants                                                                                     gain, licensure                   property rights.
                                                                                                                    boards, state
                                                                                                                    laws, mental
                                                                                                                    health state laws
        OK07.05    Appropriate IRB         Submit to IRB for approval of new activities (potentially from   barrier
                   approval for new        multiple IRB, hospital, research)
                   activities
        OK07.03    IRB approval            Re-obtain consent. Resubmit IRB, New pharmacy                    Barrier IRB cannon rule
                   required for protocol   agreement.                                                               of OHRP/HHS
                   changes

      Stakeholder: Public Health Agency
        Business Practice                                                                                          Policy                              Legal Driver
        #         Short Name              Description                                                        Class Short Name            Description   Narrative                             Code/Statute
        OK07.07    Appropriate consent    Get consent from all participants & drug company                   barrier HIPAA -                           First consent would usually apply, but 45 C.F.R. § 164.512
                   from research                                                                                     criminal/personal                 might vary if drug company has
                   participants                                                                                      gain, licensure                   property rights.
                                                                                                                     boards, state
                                                                                                                     laws, mental
                                                                                                                     health state laws
        OK07.05    Appropriate IRB        Submit to IRB for approval of new activities (potentially from     barrier
                   approval for new       multiple IRB, hospital, research)
                   activities

Scenario: 8
   Domain:         1
      Stakeholder: Clinicians
        Business Practice                                                                                          Policy                              Legal Driver
        #         Short Name              Description                                                        Class Short Name            Description   Narrative                             Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require   Barrier                                                                         No legal driver
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: Correctional Facilities
        Business Practice                                                                                          Policy                              Legal Driver
        #         Short Name              Description                                                        Class Short Name            Description   Narrative                             Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name                Description                                                        Class Short Name       Description   Narrative                          Code/Statute
        OK08.14    Appropriate              Presentation to the IHS ER would indicate need to have             Barrier Privacy Act,                 Requires consent                   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication            service, the amount to transfer is fully explained on the back             HIPAA
                   between IHS - Clinic     of the paperwork (called PCC for ER). Continuity of care                   compliance
                   and PCP                  between the ER provider & the PCP would be initiated per
                                            HIPAA compliance by using a release form or using the
                                            "continuity of care."
        OK08.18    Appropriate release      Insurance carriers (parents or other) do not have access to        Barrier Privacy Act,                                                    HIPAA 45 CFR 164-
                   of PHI when patient      patient records unless consent signed. If unable to give                   FMCRA                                                           502(a)(1)(IV), Federal Medical
                   is not holder of policy  consent, next of kin can sign until patient is able to sign                                                                                Care Recovery Act
                                            consent. Parents would have access to patient general info
                                            (not records) due to FMCRA.
        OK08.23    Appropriate              Will comply with contracts with State/County but patient still     Barrier                              Determine difference between IHS
                   response to law          must give consent to give info unless court ordered by Tribal                                           and Tribal Health Center…
                   enforcement              Court Judge. Consent to perform drug screen by patient
                   request/order to         would be required in Tribal Clinic.
                   perform tests (Tribal)
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Hospitals
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name                Description                                                        Class Short Name       Description   Narrative                          Code/Statute
        OK08.16    Appropriate manner       The hospital would verify eligibility with parents insurance       Barrier                                                                 45 CFR 164-502(a)(1)(IV)
                   of insurance             before releasing information to parents. This could be done
                   verification when        by viewing a valid ins card, calling ins co, checking hospital
                   patient is not holder    database for current eligibility. No release of PHI to holder of
                   of the policy            ins policy without patient consent.
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK08.09    Appropriate              Blood only drawn with patient consent unless court-ordered.        Barrier State penal code                 Consent not required with serious      Title 47, section 752 or probable
                   response to law          Results not released without patient consent unless court-                                                  injury or death (search federal law)   cause
                   enforcement              ordered.
                   request/order to
                   perform tests on
                   patient
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Public Health Agency
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: State Government
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

   Domain:         2
      Stakeholder: Clinicians
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier                                                                         45 CFR § 164.502(g)(2)
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier                                                                         No legal driver
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.


      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                            Policy                              Legal Driver
        #         Short Name                Description                                                        Class Short Name            Description   Narrative                           Code/Statute
        OK08.04    Providers do not         ERs can draw blood for drug & alcohol for medical                  Barrier state law - 63                    Requires probable cause by police   OS 47§752
                   disclose drug &          assessment & treatments                                                    OS1-551
                   alcohol information                                                                                 Federal PL 102-
                   without patient                                                                                     515
                   authorization

      Stakeholder: Correctional Facilities
        Business Practice                                                                                            Policy                              Legal Driver
        #         Short Name                Description                                                        Class Short Name            Description   Narrative                           Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                              Legal Driver
        #         Short Name                Description                                                        Class Short Name            Description   Narrative                           Code/Statute
        OK08.15    Appropriate              As long as the consent to treat was signed by patient or next      Barrier State law
                   communication            of kin, then communication between ER provider and PCP                     regarding
                   between IHS - Clinic     would be allowed. Consent to treat would contain policies                  consent to treat,
                   and PCP                  regarding releasing information and patient/next of kin would              HIPAA for
                                            be aware of the communication between providers.                           treatment options
        OK08.14    Appropriate              Presentation to the IHS ER would indicate need to have             Barrier Privacy Act,                      Requires consent                    HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication            service, the amount to transfer is fully explained on the back             HIPAA
                   between IHS - Clinic     of the paperwork (called PCC for ER). Continuity of care                   compliance
                   and PCP                  between the ER provider & the PCP would be initiated per
                                            HIPAA compliance by using a release form or using the
                                            "continuity of care."
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.17    Appropriate              Reports should have a signed authorization by patient unless       Barrier                                   Insurance company can verify
                   procurement of           not responsive, in which case the next of kin/spouse can sign
                   consent when             consent. Insurance information verification (i.e. ins card),
                   patient is not holder    patient ID, and next of kin/spouse ID would be required
                   of the policy            before releasing any info.




        OK08.21    Appropriate release      IHS requires a patient's signed consent to allow law                Barrier Privacy Act
                   of PHI to law            enforcement access to info. In all cases if court order is
                   enforcement when         issued it must be signed by Fed Judge.
                   patient consents to
                   alcohol/drug testing
        OK08.18    Appropriate release      Insurance carriers (parents or other) do not have access to         Barrier Privacy Act,                                                     HIPAA 45 CFR 164-
                   of PHI when patient      patient records unless consent signed. If unable to give                    FMCRA                                                            502(a)(1)(IV), Federal Medical
                   is not holder of policy  consent, next of kin can sign until patient is able to sign                                                                                  Care Recovery Act
                                            consent. Parents would have access to patient general info
                                            (not records) due to FMCRA.
        OK08.23    Appropriate              Will comply with contracts with State/County but patient still      Barrier                               Determine difference between IHS
                   response to law          must give consent to give info unless court ordered by Tribal                                             and Tribal Health Center…
                   enforcement              Court Judge. Consent to perform drug screen by patient
                   request/order to         would be required in Tribal Clinic.
                   perform tests (Tribal)
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Hospitals
        Business Practice                                                                                             Policy                          Legal Driver
        #         Short Name                Description                                                         Class Short Name        Description   Narrative                          Code/Statute
        OK08.11    Appropriate denial to    Will not share info w/ patient's parents/family if the patient is   Barrier
                   release PHI to           18 years old, married, or emancipated, unless consent has
                   patient's                been obtained to do so.
                   parents/family
        OK08.10    Appropriate release      Can share patient's med info with parents/family if written         Barrier
                   of PHI to patient's      consent is on file or verbal consent has been noted in the file.
                   parents/family
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.
        OK08.03    Continuity of care       Request PCP info for continuity of care                             Barrier HIPAA -
                                                                                                                        Continuity of
                                                                                                                        Care




      Stakeholder: Physician Groups
        Business Practice                                                                                             Policy                             Legal Driver
        #         Short Name                Description                                                         Class Short Name           Description   Narrative                              Code/Statute
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if        Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.11    Appropriate denial to    Will not share info w/ patient's parents/family if the patient is   Barrier                                                                         45 CFR § 164.502(a)(1)(IV)
                   release PHI to           18 years old, married, or emancipated, unless consent has
                   patient's                been obtained to do so.
                   parents/family
        OK08.08    Appropriate release      If patient is in police custody then refer the request of patient   Neutral
                   of PHI to law            records to hospital administration.
                   enforcement officials
        OK08.10    Appropriate release      Can share patient's med info with parents/family if written         Barrier                                                                         45 CFR § 164.502(a)(1)(IV)
                   of PHI to patient's      consent is on file or verbal consent has been noted in the file.
                   parents/family
        OK08.09    Appropriate              Blood only drawn with patient consent unless court-ordered.         Barrier State penal code                 Consent not required with serious      Title 47, section 752 or probable
                   response to law          Results not released without patient consent unless court-                                                   injury or death (search federal law)   cause
                   enforcement              ordered.
                   request/order to
                   perform tests on
                   patient
        OK08.09    Appropriate              Cannot fulfill requests of law enforcement to specifically test     Barrier                                                                         Title 47 Section 752
                   response to law          for drugs/alcohol without a court order. Will only do
                   enforcement              "medically indicated" tests and can only provide records to
                   request/order to         law enf with consent or court order.
                   perform tests on
                   patient
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.
        OK08.01    Secure patient           Gaining patient consent to share information                        Barrier
                   consent

      Stakeholder: Public Health Agency
        Business Practice                                                                                             Policy                             Legal Driver
        #         Short Name                Description                                                         Class Short Name           Description   Narrative                              Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.


      Stakeholder: State Government
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

   Domain:         3
      Stakeholder: Clinicians
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-                                   Title 45 § 164-502(a)(1)(IV)
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier                                                 45 CFR § 164.502(g)(2)
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier                                                 No legal driver
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.

      Stakeholder: Correctional Facilities
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.



      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                              Legal Driver
        #         Short Name                Description                                                        Class Short Name            Description   Narrative                          Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.
        OK08.15    Appropriate              As long as the consent to treat was signed by patient or next      Barrier State law
                   communication            of kin, then communication between ER provider and PCP                     regarding
                   between IHS - Clinic     would be allowed. Consent to treat would contain policies                  consent to treat,
                   and PCP                  regarding releasing information and patient/next of kin would              HIPAA for
                                            be aware of the communication between providers.                           treatment options
        OK08.14    Appropriate              Presentation to the IHS ER would indicate need to have             Barrier Privacy Act,                      Requires consent                   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication            service, the amount to transfer is fully explained on the back             HIPAA
                   between IHS - Clinic     of the paperwork (called PCC for ER). Continuity of care                   compliance
                   and PCP                  between the ER provider & the PCP would be initiated per
                                            HIPAA compliance by using a release form or using the
                                            "continuity of care."
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.17    Appropriate              Reports should have a signed authorization by patient unless       Barrier                                   Insurance company can verify
                   procurement of           not responsive, in which case the next of kin/spouse can sign
                   consent when             consent. Insurance information verification (i.e. ins card),
                   patient is not holder    patient ID, and next of kin/spouse ID would be required
                   of the policy            before releasing any info.
        OK08.18    Appropriate release      Insurance carriers (parents or other) do not have access to        Barrier Privacy Act,                                                         HIPAA 45 CFR 164-
                   of PHI when patient      patient records unless consent signed. If unable to give                   FMCRA                                                                502(a)(1)(IV), Federal Medical
                   is not holder of policy  consent, next of kin can sign until patient is able to sign                                                                                     Care Recovery Act
                                           consent. Parents would have access to patient general info
                                           (not records) due to FMCRA.
        OK08.23    Appropriate              Will comply with contracts with State/County but patient still     Barrier                                   Determine difference between IHS
                   response to law          must give consent to give info unless court ordered by Tribal                                                and Tribal Health Center…
                   enforcement              Court Judge. Consent to perform drug screen by patient
                   request/order to         would be required in Tribal Clinic.
                   perform tests (Tribal)
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.




      Stakeholder: Hospitals
        Business Practice                                                                                             Policy                             Legal Driver
        #         Short Name                Description                                                         Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with            Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                   laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                    treat (scope)
                   and PCP                  should be documented.
        OK08.16    Appropriate manner       The hospital would verify eligibility with parents insurance        Barrier                                                 45 CFR 164-502(a)(1)(IV)
                   of insurance             before releasing information to parents. This could be done
                   verification when        by viewing a valid ins card, calling ins co, checking hospital
                   patient is not holder    database for current eligibility. No release of PHI to holder of
                   of the policy            ins policy without patient consent.
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Physician Groups
        Business Practice                                                                                             Policy                             Legal Driver
        #         Short Name                Description                                                         Class Short Name           Description   Narrative      Code/Statute
        OK0813     Appropriate              Verify consent by patient to treat (& communication with            Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                   laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                    treat (scope)
                   and PCP                  should be documented.
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if        Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.06    Appropriate release      Note in file to send discharge summary to primary care              Neutral                                                 45 CFR 114-502(a)(1)(IV),
                   of PHI to PCP            provider (know who provider is by ins card or ask). No                                                                      Federal Law
                                            release required. If patient requests records not be released
                                            to PCP then refer liability to patient by noting in file that the
                                            patient was advised to follow up with their PCP.
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Public Health Agency
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: State Government
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

   Domain:         4
      Stakeholder: Clinicians
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate            Verify consent by patient to treat (& communication with           Barrier Med Staff by-                                   Title 45 § 164-502(a)(1)(IV)
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                should be documented.
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require   Barrier                                                 No legal driver
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate            Verify consent by patient to treat (& communication with           Barrier Med Staff by-
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                should be documented.

      Stakeholder: Correctional Facilities
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                          Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                          Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.
        OK08.14    Appropriate              Presentation to the IHS ER would indicate need to have             Barrier Privacy Act,                     Requires consent                   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication            service, the amount to transfer is fully explained on the back             HIPAA
                   between IHS - Clinic     of the paperwork (called PCC for ER). Continuity of care                   compliance
                   and PCP                  between the ER provider & the PCP would be initiated per
                                            HIPAA compliance by using a release form or using the
                                            "continuity of care."
        OK08.18    Appropriate release      Insurance carriers (parents or other) do not have access to        Barrier Privacy Act,                                                        HIPAA 45 CFR 164-
                   of PHI when patient      patient records unless consent signed. If unable to give                   FMCRA                                                               502(a)(1)(IV), Federal Medical
                   is not holder of policy  consent, next of kin can sign until patient is able to sign                                                                                    Care Recovery Act
                                           consent. Parents would have access to patient general info
                                           (not records) due to FMCRA.
        OK08.23    Appropriate              Will comply with contracts with State/County but patient still     Barrier                                  Determine difference between IHS
                   response to law          must give consent to give info unless court ordered by Tribal                                               and Tribal Health Center…
                   enforcement              Court Judge. Consent to perform drug screen by patient
                   request/order to         would be required in Tribal Clinic.
                   perform tests (Tribal)
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Hospitals
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                          Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Physician Groups
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name              Description                                                         Class Short Name           Description   Narrative      Code/Statute
        OK0813     Appropriate            Verify consent by patient to treat (& communication with            Barrier Med Staff by-
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                   laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                    treat (scope)
                   and PCP                should be documented.
        OK08.06    Appropriate release    Note in file to send discharge summary to primary care              Neutral                                                 45 CFR 114-502(a)(1)(IV),
                   of PHI to PCP          provider (know who provider is by ins card or ask). No                                                                      Federal Law
                                          release required. If patient requests records not be released
                                          to PCP then refer liability to patient by noting in file that the
                                          patient was advised to follow up with their PCP.
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: Public Health Agency
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name              Description                                                         Class Short Name           Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: State Government
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name              Description                                                         Class Short Name           Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

   Domain:         5
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name              Description                                                      Class Short Name           Description   Narrative          Code/Statute
        OK08.14    Appropriate            Presentation to the IHS ER would indicate need to have           Barrier Privacy Act,                     Requires consent   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication          service, the amount to transfer is fully explained on the back           HIPAA
                   between IHS - Clinic   of the paperwork (called PCC for ER). Continuity of care                 compliance
                   and PCP                between the ER provider & the PCP would be initiated per
                                          HIPAA compliance by using a release form or using the
                                          "continuity of care."
        OK08.18    Appropriate release Insurance carriers (parents or other) do not have access to         Barrier Privacy Act,                                        HIPAA 45 CFR 164-
                   of PHI when patient patient records unless consent signed. If unable to give                    FMCRA                                               502(a)(1)(IV), Federal Medical
                   is not holder of policy consent, next of kin can sign until patient is able to sign                                                                 Care Recovery Act
                                           consent. Parents would have access to patient general info
                                           (not records) due to FMCRA.

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name              Description                                                      Class Short Name           Description   Narrative          Code/Statute
        OK08.03    Continuity of care     Request PCP info for continuity of care                          Barrier HIPAA -
                                                                                                                   Continuity of
                                                                                                                   Care

   Domain:         6
      Stakeholder: Clinicians
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name              Description                                                      Class Short Name           Description   Narrative          Code/Statute
        OK08.13    Appropriate            Verify consent by patient to treat (& communication with         Barrier Med Staff by-                                       Title 45 § 164-502(a)(1)(IV)
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                 treat (scope)
                   and PCP                should be documented.

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                        Policy                             Legal Driver
        #         Short Name              Description                                                      Class Short Name           Description   Narrative          Code/Statute
        OK08.13    Appropriate            Verify consent by patient to treat (& communication with         Barrier Med Staff by-
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                 treat (scope)
                   and PCP                should be documented.


      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                              Legal Driver
        #         Short Name              Description                                                      Class Short Name            Description   Narrative          Code/Statute
        OK08.13    Appropriate            Verify consent by patient to treat (& communication with         Barrier Med Staff by-
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                 treat (scope)
                   and PCP                should be documented.
        OK08.14    Appropriate            Presentation to the IHS ER would indicate need to have           Barrier Privacy Act,                      Requires consent   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication          service, the amount to transfer is fully explained on the back           HIPAA
                   between IHS - Clinic   of the paperwork (called PCC for ER). Continuity of care                 compliance
                   and PCP                between the ER provider & the PCP would be initiated per
                                          HIPAA compliance by using a release form or using the
                                          "continuity of care."
        OK08.18    Appropriate release Insurance carriers (parents or other) do not have access to         Barrier Privacy Act,                                         HIPAA 45 CFR 164-
                   of PHI when patient patient records unless consent signed. If unable to give                    FMCRA                                                502(a)(1)(IV), Federal Medical
                   is not holder of policy consent, next of kin can sign until patient is able to sign                                                                  Care Recovery Act
                                           consent. Parents would have access to patient general info
                                           (not records) due to FMCRA.

      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                              Legal Driver
        #         Short Name              Description                                                      Class Short Name            Description   Narrative          Code/Statute
        OK08.13    Appropriate            Verify consent by patient to treat (& communication with         Barrier Med Staff by-
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                 treat (scope)
                   and PCP                should be documented.
        OK08.02    Provide discharge      No release of PHI without patient consent.                       Barrier Clinical                                             HIPAA 45 CFR 164-502(a)(1)(IV)
                   instructions to a                                                                               standards of care
                   competent caregiver

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                              Legal Driver
        #         Short Name              Description                                                      Class Short Name            Description   Narrative          Code/Statute
        OK0813     Appropriate            Verify consent by patient to treat (& communication with         Barrier Med Staff by-
                   communication          PCP). Staff privileges needed by PCP if verbal orders are                laws, Consent to
                   between ER staff       accepted by emergency department. Otherwise history only                 treat (scope)
                   and PCP                should be documented.
        OK08.06    Appropriate release    Note in file to send discharge summary to primary care              Neutral                                                 45 CFR 114-502(a)(1)(IV),
                   of PHI to PCP          provider (know who provider is by ins card or ask). No                                                                      Federal Law
                                          release required. If patient requests records not be released
                                          to PCP then refer liability to patient by noting in file that the
                                          patient was advised to follow up with their PCP.

   Domain:         7
      Stakeholder: Clinicians
        Business Practice                                                                                           Policy                         Legal Driver
        #         Short Name              Description                                                         Class Short Name       Description   Narrative          Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier                                                 No legal driver
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: Correctional Facilities
        Business Practice                                                                                           Policy                         Legal Driver
        #         Short Name              Description                                                         Class Short Name       Description   Narrative          Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                           Policy                         Legal Driver
        #         Short Name              Description                                                         Class Short Name       Description   Narrative          Code/Statute
        OK08.14    Appropriate            Presentation to the IHS ER would indicate need to have              Barrier Privacy Act,                 Requires consent   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication          service, the amount to transfer is fully explained on the back              HIPAA
                   between IHS - Clinic   of the paperwork (called PCC for ER). Continuity of care                    compliance
                   and PCP                between the ER provider & the PCP would be initiated per
                                          HIPAA compliance by using a release form or using the
                                          "continuity of care."
        OK08.18    Appropriate release Insurance carriers (parents or other) do not have access to            Barrier Privacy Act,                                    HIPAA 45 CFR 164-
                   of PHI when patient patient records unless consent signed. If unable to give                       FMCRA                                           502(a)(1)(IV), Federal Medical
                   is not holder of policy consent, next of kin can sign until patient is able to sign                                                                Care Recovery Act
                                           consent. Parents would have access to patient general info
                                           (not records) due to FMCRA.
        OK08.12    Appropriate transfer    Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal      additional interface and standards to operate smoothly.
                   justice system          Criminal justice system does not use HL-7.

      Stakeholder: Hospitals
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer    Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal      additional interface and standards to operate smoothly.
                   justice system          Criminal justice system does not use HL-7.

      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative      Code/Statute
        OK08.08    Appropriate release     If patient is in police custody then refer the request of patient   Neutral
                   of PHI to law           records to hospital administration.
                   enforcement officials
        OK08.09    Appropriate             Cannot fulfill requests of law enforcement to specifically test     Barrier                                         Title 47 Section 752
                   response to law         for drugs/alcohol without a court order. Will only do
                   enforcement             "medically indicated" tests and can only provide records to
                   request/order to        law enf with consent or court order.
                   perform tests on
                   patient
        OK08.12    Appropriate transfer    Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal      additional interface and standards to operate smoothly.
                   justice system          Criminal justice system does not use HL-7.

      Stakeholder: Public Health Agency
        Business Practice                                                                                            Policy                     Legal Driver
        #         Short Name               Description                                                         Class Short Name   Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer    Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal      additional interface and standards to operate smoothly.
                   justice system          Criminal justice system does not use HL-7.




      Stakeholder: State Government
        Business Practice                                                                                            Policy                            Legal Driver
        #         Short Name                Description                                                        Class Short Name          Description   Narrative                           Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

   Domain:         8
      Stakeholder: Clinicians
        Business Practice                                                                                            Policy                            Legal Driver
        #         Short Name                Description                                                        Class Short Name          Description   Narrative                           Code/Statute
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier                                                                     45 CFR § 164.502(g)(2)
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier                                                                     No legal driver
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                            Policy                            Legal Driver
        #         Short Name                Description                                                        Class Short Name          Description   Narrative                           Code/Statute
        OK08.04    Providers do not         ER's can draw blood for drug & alcohol for medical                 Barrier state law - 63                  Requires probable cause by police   OS 47§752
                   disclose drug &          assessment & treatments                                                    OS1-551
                   alcohol information                                                                                 Federal PL 102-
                   without patient                                                                                     515
                   authorization
        OK08.22    Waiver for               Patient is asked to sign a waiver authorizing the hospital to      Barrier
                   authorization            draw blood on behalf of law enforcement. This allows law
                                            enforcement access to lab report.

      Stakeholder: Correctional Facilities
        Business Practice                                                                                            Policy                            Legal Driver
        #         Short Name                Description                                                        Class Short Name          Description   Narrative                           Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.



      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name                Description                                                        Class Short Name       Description   Narrative          Code/Statute
        OK08.14    Appropriate              Presentation to the IHS ER would indicate need to have             Barrier Privacy Act,                 Requires consent   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication            service, the amount to transfer is fully explained on the back             HIPAA
                   between IHS - Clinic     of the paperwork (called PCC for ER). Continuity of care                   compliance
                   and PCP                  between the ER provider & the PCP would be initiated per
                                            HIPAA compliance by using a release form or using the
                                            "continuity of care."
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Hospitals
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name                Description                                                        Class Short Name       Description   Narrative          Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.
        OK08.22    Waiver for               Patient is asked to sign a waiver authorizing the hospital to      Barrier
                   authorization            draw blood on behalf of law enforcement. This allows law
                                            enforcement access to lab report.

      Stakeholder: Laboratories
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name                Description                                                        Class Short Name       Description   Narrative          Code/Statute
        OK08.22    Waiver for               Patient is asked to sign a waiver authorizing the hospital to      Barrier
                   authorization            draw blood on behalf of law enforcement. This allows law
                                            enforcement access to lab report.

      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.09    Appropriate              Blood only drawn with patient consent unless court-ordered.        Barrier State penal code                 Consent not required with serious      Title 47, section 752 or probable
                   response to law          Results not released without patient consent unless court-                                                  injury or death (search federal law)   cause
                   enforcement              ordered.
                   request/order to
                   perform tests on
                   patient
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.
        OK08.01    Secure patient           Gaining patient consent to share information                       Barrier
                   consent

      Stakeholder: Public Health Agency
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: State Government
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative                              Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

   Domain:         9
      Stakeholder: Clinicians
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-                                   Title 45 § 164-502(a)(1)(IV)
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier                                                 45 CFR § 164.502(g)(2)
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier                                                 No legal driver
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.

      Stakeholder: Correctional Facilities
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                             Legal Driver
        #         Short Name                Description                                                        Class Short Name           Description   Narrative      Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with           Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                  laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                   treat (scope)
                   and PCP                  should be documented.




        OK08.15    Appropriate              As long as the consent to treat was signed by patient or next      Barrier State law
                   communication            of kin, then communication between ER provider and PCP                     regarding
                   between IHS - Clinic     would be allowed. Consent to treat would contain policies                  consent to treat,
                   and PCP                  regarding releasing information and patient/next of kin would              HIPAA for
                                            be aware of the communication between providers.                           treatment options
        OK08.14    Appropriate              Presentation to the IHS ER would indicate need to have             Barrier Privacy Act,                      Requires consent                   HIPAA 45 CFR 104.502(a)(1)(IV)
                   communication            service, the amount to transfer is fully explained on the back             HIPAA
                   between IHS - Clinic     of the paperwork (called PCC for ER). Continuity of care                   compliance
                   and PCP                  between the ER provider & the PCP would be initiated per
                                            HIPAA compliance by using a release form or using the
                                            "continuity of care."
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if       Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.17    Appropriate              Reports should have a signed authorization by patient unless Barrier                                         Insurance company can verify
                   procurement of           not responsive, in which case the next of kin/spouse can sign
                   consent when             consent. Insurance information verification (i.e. ins card),
                   patient is not holder    patient ID, and next of kin/spouse ID would be required
                   of the policy            before releasing any info.
        OK08.21    Appropriate release      IHS requires a patient's signed consent to allow law               Barrier Privacy Act
                   of PHI to law            enforcement access to info. In all cases if court order is
                   enforcement when         issued it must be signed by Fed Judge.
                   patient consents to
                   alcohol/drug testing
        OK08.18    Appropriate release      Insurance carriers (parents or other) do not have access to        Barrier Privacy Act,                                                         HIPAA 45 CFR 164-
                   of PHI when patient      patient records unless consent signed. If unable to give                   FMCRA                                                                502(a)(1)(IV), Federal Medical
                   is not holder of policy  consent, next of kin can sign until patient is able to sign                                                                                     Care Recovery Act
                                            consent. Parents would have access to patient general info
                                            (not records) due to FMCRA.
        OK08.23    Appropriate              Will comply with contracts with State/County but patient still     Barrier                                   Determine difference between IHS
                   response to law          must give consent to give info unless court ordered by Tribal                                                and Tribal Health Center…
                   enforcement              Court Judge. Consent to perform drug screen by patient
                   request/order to         would be required in Tribal Clinic.
                   perform tests (Tribal)
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require   Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.




      Stakeholder: Hospitals
        Business Practice                                                                                             Policy                             Legal Driver
        #         Short Name                Description                                                         Class Short Name           Description   Narrative                   Code/Statute
        OK08.13    Appropriate              Verify consent by patient to treat (& communication with            Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                   laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                    treat (scope)
                   and PCP                  should be documented.
        OK08.11    Appropriate denial to    Will not share info w/ patient's parents/family if the patient is   Barrier
                   release PHI to           18 years old, married, or emancipated, unless consent has
                   patient's                been obtained to do so.
                   parents/family
        OK08.07    Appropriate release      Consent must be obtained while patient not impaired from            Barrier                                  Release is standard HIPAA   OS 47§752,HIPAA 45 CFR
                   of PHI to law            accident, condition, drugs, or other impairment factors. If                                                                              164.502(a)
                   enforcement officials    consent is legitimately obtained, can release info to law
                                            enforcement.
        OK08.10    Appropriate release      Can share patient's med info with parents/family if written      Barrier
                   of PHI to patient's      consent is on file or verbal consent has been noted in the file.
                   parents/family
        OK08.12    Appropriate transfer     Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal       additional interface and standards to operate smoothly.
                   justice system           Criminal justice system does not use HL-7.

      Stakeholder: Physician Groups
        Business Practice                                                                                             Policy                             Legal Driver
        #         Short Name                Description                                                         Class Short Name           Description   Narrative                   Code/Statute
        OK0813     Appropriate              Verify consent by patient to treat (& communication with            Barrier Med Staff by-
                   communication            PCP). Staff privileges needed by PCP if verbal orders are                   laws, Consent to
                   between ER staff         accepted by emergency department. Otherwise history only                    treat (scope)
                   and PCP                  should be documented.
        OK08.19    Appropriate criteria     Priority for release: 1) Court order, 2) Patient consent (if        Barrier
                   for release of PHI for   competent), 3) Spouse consent (if patient not competent), 4)
                   potential criminal       Parental consent (if patient not competent), 5) Next of kin
                   implications             consent (if patient not competent).
        OK08.11    Appropriate denial to    Will not share info w/ patient's parents/family if the patient is   Barrier                                                              45 CFR § 164.502(a)(1)(IV)
                   release PHI to           18 years old, married, or emancipated, unless consent has
                   patient's                been obtained to do so.
                   parents/family
        OK08.08    Appropriate release      If patient is in police custody then refer the request of patient   Neutral
                   of PHI to law            records to hospital administration.
                   enforcement officials




        OK08.10    Appropriate release    Can share patient's med info with parents/family if written      Barrier                                                                            45 CFR § 164.502(a)(1)(IV)
                   of PHI to patient's    consent is on file or verbal consent has been noted in the file.
                   parents/family
        OK08.06    Appropriate release    Note in file to send discharge summary to primary care              Neutral                                                                         45 CFR 114-502(a)(1)(IV),
                   of PHI to PCP          provider (know who provider is by ins card or ask). No                                                                                              Federal Law
                                          release required. If patient requests records not be released
                                          to PCP then refer liability to patient by noting in file that the
                                          patient was advised to follow up with their PCP.
        OK08.09    Appropriate            Blood only drawn with patient consent unless court-ordered.         Barrier State penal code                 Consent not required with serious      Title 47, section 752 or probable
                   response to law        Results not released without patient consent unless court-                                                   injury or death (search federal law)   cause
                   enforcement            ordered.
                   request/order to
                   perform tests on
                   patient
        OK08.09    Appropriate            Cannot fulfill requests of law enforcement to specifically test     Barrier                                                                         Title 47 Section 752
                   response to law        for drugs/alcohol without a court order. Will only do
                   enforcement            "medically indicated" tests and can only provide records to
                   request/order to       law enf with consent or court order.
                   perform tests on
                   patient
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: Public Health Agency
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name              Description                                                         Class Short Name           Description   Narrative                              Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.

      Stakeholder: State Government
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name              Description                                                         Class Short Name           Description   Narrative                              Code/Statute
        OK08.12    Appropriate transfer   Electronic data transfer to criminal justice system will require    Barrier
                   of EHR to criminal     additional interface and standards to operate smoothly.
                   justice system         Criminal justice system does not use HL-7.


Scenario: 9
   Domain:         1
      Stakeholder: Clinicians
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative                      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized      Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative                      Code/Statute
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for      Neutral                                                             No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient
        OK09.39    Physical safeguards     two different access codes to get into health information      Barrier                                                             No legal driver (for multiple
                                                                                                                                                                              access codes)
        OK09.33    Physical safeguards     security awareness training has to be completed, user names Barrier                                 Reasonable safeguard applies   HIPAA Security - 45 CFR
                                           and passwords issued to access electronic records                                                                                  164.530(c)
        OK09.13    Scheduling              confirmation of appointment scheduled is confirmed by          Barrier                                                             No legal driver
                   appointments            calling party back to authenticate identity

      Stakeholder: Homecare and hospice
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative                      Code/Statute
        OK09.39    Physical safeguards     two different access codes to get into health information      Barrier                                                             No legal driver (for multiple
                                                                                                                                                                              access codes)

      Stakeholder: Hospitals
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative                      Code/Statute
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.

      Stakeholder: Long term care facilities and nursing homes
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative                      Code/Statute
        OK09.28    Physical safeguards     electronic records are secured by passcodes that authorize     Barrier                              Access code is required        HIPAA Security - 45 CFR 142
                                           different levels of information access                                                                                             and 45 CFR 162; No legal driver
                                                                                                                                                                              for levels of access.

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative                      Code/Statute
        OK09.30    Physical safeguards     user id code and password issued to access electronic          Barrier                              Reasonable safeguard applies   HIPAA Security - 45 CFR
                                           records                                                                                                                            164.530(c)

      Stakeholder: Payers
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative                      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized      Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.
        OK09.03    Prior Authorization     When a prescribed drug is not on the formulary and is not a    Barrier Pharmacy                                                    No legal driver
                                           preferred alternative, it is necessary to obtain a prior               Practice Act
                                           authorization. It is standard practice for a PBM to fax a
                                           physician a PA form to be filled out and faxed back to the
                                           PBM.



      Stakeholder: Pharmacies
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized      Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.

      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized      Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.
        OK09.06    Pharmacy contacting     Pharmaceutical company contacts physician notifying them       Neutral                                             Oklahoma Law - Title 43A
                   provider                that pharmacy will be contacting them to determine why drug
                                           is prescribed. No patient information is shared when it
                                           regards mental health.

   Domain:         2
      Stakeholder: Clinicians
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized      Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact



      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                           Policy                                        Legal Driver
        #         Short Name              Description                                                         Class Short Name     Description                    Narrative                      Code/Statute
        OK09.02    Appropriate release    Make agreements for data sharing between institutions and      Barrier Clinical Policy   Requirement for outside
                   of PHI to PBM for      allow pharmacy to deal with requests or prior authorization by                           prescriptions that need to
                   medication purposes    physicians.                                                                              be filled to obtain records
                                                                                                                                   from ER or obtain info from
                                                                                                                                   physician offices. Providers
                                                                                                                                   must approve outside
                                                                                                                                   prescriptions to be filled.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                           Policy                                        Legal Driver
        #         Short Name              Description                                                         Class Short Name     Description                    Narrative                      Code/Statute
        OK09.02    Appropriate release    Make agreements for data sharing between institutions and      Barrier Clinical Policy   Requirement for outside
                   of PHI to PBM for      allow pharmacy to deal with requests or prior authorization by                           prescriptions that need to
                   medication purposes    physicians.                                                                              be filled to obtain records
                                                                                                                                   from ER or obtain info from
                                                                                                                                   physician offices. Providers
                                                                                                                                   must approve outside
                                                                                                                                   prescriptions to be filled.
        OK09.42    Following up with      after information is finally received, track down to pass           Barrier                                                                            No legal driver
                   patient after          information to patient
                   discharge
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for          Neutral                                                                            No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient
        OK09.39    Physical safeguards    two different access codes to get into health information           Barrier                                                                            No legal driver (for multiple
                                                                                                                                                                                                 access codes)
        OK09.33    Physical safeguards    security awareness training has to be completed, user names         Barrier                                             Reasonable safeguard applies   HIPAA Security - 45 CFR
                                          and passwords issued to access electronic records                                                                                                      164.530(c)
        OK09.14    Providing medication   faxed medication lists of patient to hospitals, etc for             Barrier                                                                            HIPAA Privacy
                   lists                  emergency situation
        OK09.41    Securing consent       request health information on patient currently in another          Barrier                                                                            No legal driver
                                          facility by faxing consent form to provider/facility, it can take
                                          up to 5 days or more to receive information

Scenario: 9
   Domain:         2
      Stakeholder: Homecare and hospice
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name               Description                                                        Class Short Name   Description   Narrative                           Code/Statute
        OK09.44    Discharge summary       if discharge summary isn't received in time, we must make          Barrier                                                              No legal driver
                   for follow-up care      request to medical records to receive patient health
                                           information for home health care
        OK09.43    Discharge summary       Hospital wants home health arranged, discharge orders are          Barrier                          Discharge order needed to provide   No legal driver.
                   for follow-up care      to be faxed for arrangements to be made                                                             care.
        OK09.39    Physical safeguards     two different access codes to get into health information          Barrier                                                              No legal driver (for multiple
                                                                                                                                                                                   access codes)

      Stakeholder: Long term care facilities and nursing homes
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name               Description                                                        Class Short Name   Description   Narrative                           Code/Statute
        OK09.07    Authorization to        Admission contract allows for pickup of medication                 Neutral                                                              No legal driver
                   pickup medicine
        OK09.09    Authorization to        authorization in writing from resident to purchase medicine        Barrier                                                              No legal driver
                   purchase medicine
        OK09.28    Physical safeguards     electronic records are secured by passcodes that authorize         Barrier                          Access code is required             HIPAA Security - 45 CFR 142
                                           different levels of information access                                                                                                  and 45 CFR 162; No legal driver
                                                                                                                                                                                   for levels of access.
        OK09.21    Securing patient        secure signed release from patient and fax it to facility to get   Barrier                                                              43A 1-109
                   information             information on mental health patient

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name               Description                                                        Class Short Name   Description   Narrative                           Code/Statute
        OK09.10    Ordering medication     call pharmacy on word from doctor to get medication                Neutral                                                              No legal driver
        OK09.30    Physical safeguards     user id code and password issued to access electronic              Barrier                          Reasonable safeguard applies        HIPAA Security - 45 CFR
                                           records                                                                                                                                 164.530(c)

      Stakeholder: Payers
        Business Practice                                                                                           Policy                     Legal Driver
        #         Short Name               Description                                                        Class Short Name   Description   Narrative                           Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized          Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
Scenario: 9
   Domain:         2
      Stakeholder: Payers
        Business Practice                                                                                        Policy                         Legal Driver
        #         Short Name               Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.03    Prior Authorization     When a prescribed drug is not on the formulary and is not a     Barrier Pharmacy                                    No legal driver
                                           preferred alternative, it is necessary to obtain a prior                Practice Act
                                           authorization. It is standard practice for a PBM to fax a
                                           physician a PA form to be filled out and faxed back to the
                                           PBM.

      Stakeholder: Pharmacies
        Business Practice                                                                                        Policy                         Legal Driver
        #         Short Name               Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized       Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.08    Filling prescriptions   physician or nurse carries prescription to pharmacy directly,   Barrier                                             No legal driver
                                           physicians are onsite, do not accept faxes

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                         Legal Driver
        #         Short Name               Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized       Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact

   Domain:         3
      Stakeholder: Clinicians
        Business Practice                                                                                        Policy                         Legal Driver
        #         Short Name               Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                  Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.



Scenario: 9
   Domain:         3
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for      Neutral                                             No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient

      Stakeholder: Hospitals
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.

      Stakeholder: Payers
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.
        OK09.03    Prior Authorization    When a prescribed drug is not on the formulary and is not a     Barrier Pharmacy                                    No legal driver
                                          preferred alternative, it is necessary to obtain a prior                Practice Act
                                          authorization. It is standard practice for a PBM to fax a
                                          physician a PA form to be filled out and faxed back to the
                                          PBM.

      Stakeholder: Pharmacies
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.




Scenario: 9
   Domain:         3
      Stakeholder: Physician Groups
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name               Description                                                         Class Short Name       Description   Narrative                           Code/Statute
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-             Neutral Pharmacy                                                         No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                      Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.

   Domain:         4
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name               Description                                                         Class Short Name       Description   Narrative                           Code/Statute
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for           Neutral                                                                  No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient
        OK09.41    Securing consent        request health information on patient currently in another          Barrier                                                                  No legal driver
                                           facility by faxing consent form to provider/facility, it can take
                                           up to 5 days or more to receive information

      Stakeholder: Homecare and hospice
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name               Description                                                         Class Short Name       Description   Narrative                           Code/Statute
        OK09.43    Discharge summary       Hospital wants home health arranged, discharge orders are           Barrier                              Discharge order needed to provide   No legal driver.
                   for follow-up care      to be faxed for arrangements to be made                                                                  care.
        OK09.44    Discharge summary       if discharge summary isn't received in time, we must make           Barrier                                                                  No legal driver
                   for follow-up care      request to medical records to receive patient health
                                           information for home health care
        OK09.37    Transferring patient    software (Patron) allows electronic transfer of patient             Neutral                                                                  No legal driver
                   information             information to payers
        OK09.36    Transferring patient    software (Patron) allows encrypted patient information to be        Neutral                                                                  No legal driver
                   information             transmitted electronically to state (OSDH)

      Stakeholder: Pharmacies
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name               Description                                                         Class Short Name       Description   Narrative                           Code/Statute
        OK09.08    Filling prescriptions   physician or nurse carries prescription to pharmacy directly,       Barrier                                                                  No legal driver
                                           physicians are onsite, do not accept faxes

Scenario: 9
   Domain:         5
      Stakeholder: Clinicians
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for      Neutral                                             No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient

      Stakeholder: Hospitals
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.

      Stakeholder: Payers
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.

      Stakeholder: Pharmacies
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.
Scenario: 9
   Domain:         5
      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative                      Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-         Neutral Pharmacy                                                    No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                  Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.

   Domain:         6
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative                      Code/Statute
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for      Neutral                                                             No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient

   Domain:         7
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name              Description                                                     Class Short Name       Description   Narrative                      Code/Statute
        OK09.32    Offsite patient care   Can only take file in home for the patient being seen           Barrier                              Reasonable safeguard applies   HIPAA Security 45 CFR
                                                                                                                                                                              164.530(c)
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for      Neutral                                                             No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient
        OK09.35    Physical safeguards    issue keys to limit certain information access to specific      Barrier                              Reasonable safeguard applies   HIPAA Security - 45 CFR
                                          parties                                                                                                                             164.530(c)
        OK09.34    Physical safeguards    use same computer software but can't access other facilities    Barrier                              Reasonable safeguard applies   HIPAA Privacy and HIPAA
                                          records                                                                                                                             Security - 45 CFR 164.530(c)
        OK09.26    Physical safeguards    facility locked, code to access records room                    Barrier                              Reasonable safeguard applies   HIPAA Security - 45 CFR
                                                                                                                                                                              164.530(c)

      Stakeholder: Homecare and hospice
        Business Practice                                                                                     Policy                           Legal Driver
        #         Short Name              Description                                                   Class Short Name         Description   Narrative                       Code/Statute
        OK09.27    Physical safeguards    medical records are locked in record room, office manager     Barrier                                Reasonable safeguard applies    HIPAA Security - 45 CFR
                                          authorizes access                                                                                                                    164.530(c)
        OK09.25    Securing               employee has to sign a confidentiality agreement              Barrier                                                                HIPAA Privacy
                   confidentiality
                   agreements

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                     Policy                           Legal Driver
        #         Short Name              Description                                                   Class Short Name         Description   Narrative                       Code/Statute
        OK09.31    Offsite patient care   door to door care provided, paper records transported, lock   Barrier policy - lock                  Reasonable safeguard applies.   HIPAA Security 45 CFR
                                          files in trunk                                                        information in                                                 164.530(c)
                                                                                                                trunk
        OK09.29    Physical safeguards    each case manager supports physical security of paper         Barrier                                Reasonable safeguard applies    HIPAA Security - 45 CFR
                                          health records                                                                                                                       164.530(c)

      Stakeholder: Payers
        Business Practice                                                                                     Policy                           Legal Driver
        #         Short Name              Description                                                   Class Short Name         Description   Narrative                       Code/Statute
        OK09.03    Prior Authorization    When a prescribed drug is not on the formulary and is not a   Barrier Pharmacy                                                       No legal driver
                                          preferred alternative, it is necessary to obtain a prior              Practice Act
                                          authorization. It is standard practice for a PBM to fax a
                                          physician a PA form to be filled out and faxed back to the
                                          PBM.

   Domain:         8
      Stakeholder: Clinicians
        Business Practice                                                                                     Policy                           Legal Driver
        #         Short Name              Description                                                   Class Short Name         Description   Narrative                       Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-       Neutral Pharmacy                                                       No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.




      Stakeholder: Federal Health Facilities
        Business Practice                                                                                      Policy                         Legal Driver
        #         Short Name              Description                                                    Class Short Name       Description   Narrative               Code/Statute
        OK09.15    Sharing patient        patient signs consent for health information to be sent for    Barrier                                                      No legal driver
                   information for        referral purposes
                   referral

      Stakeholder: Homecare and hospice
        Business Practice                                                                                      Policy                         Legal Driver
        #         Short Name              Description                                                    Class Short Name       Description   Narrative               Code/Statute
        OK09.23    Exchanging             contract and BAA to exchange information with physical         Barrier                                                      No legal driver
                   information with       therapists (not employees)
                   physical therapists
        OK09.19    Patient discharge      patient discharge summary is provided to us (home health)      Neutral                                                      No legal driver
                   summary
        OK09.18    Providing transfer     Medicare patients require a summary be sent by home health     Neutral                                                      No legal driver
                   summary                care (transfer summary) that includes medications, advance
                                          directives and other services being provided
        OK09.25    Securing               employee has to sign a confidentiality agreement               Barrier                                                      HIPAA Privacy
                   confidentiality
                   agreements
        OK09.38    Securing consent       when collecting OASIS information, explains to patient the     Barrier                              Medicare Requirements   42 CFR 484.20
                                          use of information, if patient doesn't give consent, patient
                                          cannot be admitted/cared for

      Stakeholder: Hospitals
        Business Practice                                                                                      Policy                         Legal Driver
        #         Short Name              Description                                                    Class Short Name       Description   Narrative               Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                             No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                 Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.

      Stakeholder: Long term care facilities and nursing homes
        Business Practice                                                                                      Policy                         Legal Driver
        #         Short Name              Description                                                    Class Short Name       Description   Narrative               Code/Statute
        OK09.07    Authorization to       Admission contract allows for pickup of medication             Neutral                                                      No legal driver
                   pickup medicine



        OK09.09    Authorization to         authorization in writing from resident to purchase medicine        Barrier                                                                      No legal driver
                   purchase medicine
        OK09.21    Securing patient         secure signed release from patient and fax it to facility to get   Barrier                                                                      43A 1-109
                   information              information on mental health patient
        OK09.22    Sharing non-             Would share treatment information without identifying patient      Neutral                              Allowable only if NO patient-           HIPAA 45 CFR 2.11, 45 CFR
                   identifiable patient     specific data                                                                                           identifiable data is exchanged.         164.514(b)(2)(i)
                   information

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name                Description                                                        Class Short Name       Description   Narrative                               Code/Statute
        OK09.10    Ordering medication      call pharmacy on word from doctor to get medication                Neutral                                                                      No legal driver
        OK09.12    Sharing patient          for information to be shared with additional third parties,        Barrier                                                                      No legal driver (but only for
                   information              verbal consent is received and written consent is then                                                                                          treatment in an emergency
                                            acquired                                                                                                                                        situation)
        OK09.11    Sharing patient          consent received to identify who patient information can be        Barrier                              OK State law firmly requires consent    OS 43A 1-109, 12 OS 25.03,
                   information              shared with                                                                                             (Patient Privilege), but HIPAA allows   HIPAA 45 CFR 164.506(c)
                                                                                                                                                    disclosure without consent if needed
                                                                                                                                                    for treatment, payment, and/or
                                                                                                                                                    healthcare operations.
        OK09.24    Sharing patient          patient health information exchanges between parties               Neutral                              HIPAA allows for inter-organization     HIPAA
                   information internally   internally even if it includes other facilities within the same                                         exchange of PHI for "care/treatment
                                            umbrella organization do not require a release                                                          purposes only."

      Stakeholder: Payers
        Business Practice                                                                                            Policy                         Legal Driver
        #         Short Name                Description                                                        Class Short Name       Description   Narrative                               Code/Statute
        OK09.05    Appropriate transfer     Mail out pharmacy would normally resolve formulary non-            Neutral Pharmacy                                                             No legal driver
                   of PHI between PBM       compliance via direct communication between pharmacist                     Practice Act
                   and PCP                  and prescribing physician. In this situation no additional
                                            consent is required due to confidential communication.

      Stakeholder: Pharmacies
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.

      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.
        OK09.06    Pharmacy contacting     Pharmaceutical company contacts physician notifying them       Neutral                                             Oklahoma Law - Title 43A
                   provider                that pharmacy will be contacting them to determine why drug
                                           is prescribed. No patient information is shared when it
                                           regards mental health.

   Domain:         9
      Stakeholder: Clinicians
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized      Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.

      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                             Policy                                        Legal Driver
        #         Short Name                Description                                                         Class Short Name     Description                    Narrative                           Code/Statute
        OK09.02    Appropriate release      Make agreements for data sharing between institutions and      Barrier Clinical Policy   Requirement for outside
                   of PHI to PBM for        allow pharmacy to deal with requests or prior authorization by                           prescriptions that need to
                   medication purposes      physicians.                                                                              be filled to obtain records
                                                                                                                                     from ER or obtain info from
                                                                                                                                     physician offices. Providers
                                                                                                                                     must approve outside
                                                                                                                                     prescriptions to be filled.

      Stakeholder: Federal Health Facilities
        Business Practice                                                                                             Policy                                        Legal Driver
        #         Short Name                Description                                                         Class Short Name     Description                    Narrative                           Code/Statute
        OK09.02    Appropriate release      Make agreements for data sharing between institutions and      Barrier Clinical Policy   Requirement for outside
                   of PHI to PBM for        allow pharmacy to deal with requests or prior authorization by                           prescriptions that need to
                   medication purposes      physicians.                                                                              be filled to obtain records
                                                                                                                                     from ER or obtain info from
                                                                                                                                     physician offices. Providers
                                                                                                                                     must approve outside
                                                                                                                                     prescriptions to be filled.
        OK09.04    PBM to obtain PHI      Orders would have to be ordered by proper IHS provider for            Neutral                                                                                 No legal driver
                   sufficient to fill     IHS facility giving care. Formulary for IHS is per facility &
                   prescribed             area office.
                   medication for patient
        OK09.16    Providing referral     referral is mailed to patient for patient to take to doctor           Barrier                                                                                 No legal driver
                   information to patient
        OK09.17    Referral to physician    medical records dept will require patient sign consent if           Barrier                                                                                 No legal driver
                                            patient information is being sent for referral to a physician not
                                            known by facility
        OK09.15    Sharing patient          patient signs consent for health information to be sent for         Barrier                                                                                 No legal driver
                   information for          referral purposes
                   referral

      Stakeholder: Homecare and hospice
        Business Practice                                                                                             Policy                                        Legal Driver
        #         Short Name                Description                                                         Class Short Name     Description                    Narrative                           Code/Statute
        OK09.43    Discharge summary        Hospital wants home health arranged, discharge orders are           Barrier                                             Discharge order needed to provide   No legal driver.
                   for follow-up care       to be faxed for arrangements to be made                                                                                 care.




        OK09.44    Discharge summary      if discharge summary isn't received in time, we must make          Barrier                                                                No legal driver
                   for follow-up care     request to medical records to receive patient health
                                          information for home health care
        OK09.23    Exchanging             contract and BAA to exchange information with physical             Barrier                                                                No legal driver
                   information with       therapists (not employees)
                   physical therapists
        OK09.19    Patient discharge      patient discharge summary is provided to us (home health)          Neutral                                                                No legal driver
                   summary
        OK09.18    Providing transfer     Medicare patients require a summary be sent by home health         Neutral                                                                No legal driver
                   summary                care (transfer summary) that includes medications, advance
                                          directives and other services being provided

      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                         Legal Driver
        #         Short Name              Description                                                        Class Short Name       Description   Narrative                         Code/Statute
        OK09.05    Appropriate transfer   Mail out pharmacy would normally resolve formulary non-            Neutral Pharmacy                                                       No legal driver
                   of PHI between PBM     compliance via direct communication between pharmacist                     Practice Act
                   and PCP                and prescribing physician. In this situation no additional
                                          consent is required due to confidential communication.

      Stakeholder: Long term care facilities and nursing homes
        Business Practice                                                                                          Policy                         Legal Driver
        #         Short Name              Description                                                        Class Short Name       Description   Narrative                         Code/Statute
        OK09.21    Securing patient       secure signed release from patient and fax it to facility to get   Barrier                                                                43A 1-109
                   information            information on mental health patient
        OK09.22    Sharing non-           Would share treatment information without identifying patient      Neutral                              Allowable only if NO patient-     HIPAA 45 CFR 2.11, 45 CFR
                   identifiable patient   specific data                                                                                           identifiable data is exchanged.   164.514(b)(2)(i)
                   information

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                          Policy                         Legal Driver
        #         Short Name              Description                                                        Class Short Name       Description   Narrative                         Code/Statute
        OK09.20    Sharing patient        exchange verbal information between case manager and first         Neutral                                                                No legal driver
                   information            responders and whoever is present




        OK09.24    Sharing patient          patient health information exchanges between parties              Neutral                              HIPAA allows for inter-organization   HIPAA
                   information internally   internally even if it includes other facilities within the same                                        exchange of PHI for "care/treatment
                                            umbrella organization do not require a release                                                         purposes only."

      Stakeholder: Payers
        Business Practice                                                                                           Policy                         Legal Driver
        #         Short Name                Description                                                       Class Short Name       Description   Narrative                             Code/Statute
        OK09.01    Appropriate action to    Formulary compliance should be identified by computerized         Barrier
                   avoid need for           order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit         the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer     Mail out pharmacy would normally resolve formulary non-           Neutral Pharmacy                                                           No legal driver
                   of PHI between PBM       compliance via direct communication between pharmacist                    Practice Act
                   and PCP                  and prescribing physician. In this situation no additional
                                            consent is required due to confidential communication.

      Stakeholder: Pharmacies
        Business Practice                                                                                           Policy                         Legal Driver
        #         Short Name                Description                                                       Class Short Name       Description   Narrative                             Code/Statute
        OK09.01    Appropriate action to    Formulary compliance should be identified by computerized         Barrier
                   avoid need for           order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit         the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer     Mail out pharmacy would normally resolve formulary non-           Neutral Pharmacy                                                           No legal driver
                   of PHI between PBM       compliance via direct communication between pharmacist                    Practice Act
                   and PCP                  and prescribing physician. In this situation no additional
                                            consent is required due to confidential communication.

      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK09.01    Appropriate action to   Formulary compliance should be identified by computerized      Barrier
                   avoid need for          order entry (CPOE) software at the time the physician orders
                   Pharmacy Benefit        the medication. This alleviates all subsequent transactions.
                   Manager (PBM)
                   contact
        OK09.05    Appropriate transfer    Mail out pharmacy would normally resolve formulary non-        Neutral Pharmacy                                    No legal driver
                   of PHI between PBM      compliance via direct communication between pharmacist                 Practice Act
                   and PCP                 and prescribing physician. In this situation no additional
                                           consent is required due to confidential communication.

Scenario: 10
   Domain:         1
      Stakeholder: Payers
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK10.01    Appropriate release     When releasing data with a business partner it is necessary    Barrier HIPAA                                       HIPAA 45 CFR 164.502(b)(1)
                   of EHR to business      to only provide the minimum necessary fields and records.
                   partner for review

   Domain:         2
      Stakeholder: Payers
        Business Practice                                                                                       Policy                         Legal Driver
        #         Short Name               Description                                                    Class Short Name       Description   Narrative      Code/Statute
        OK10.01    Appropriate release     When releasing data with a business partner it is necessary    Barrier HIPAA                                       HIPAA 45 CFR 164.502(b)(1)
                   of EHR to business      to only provide the minimum necessary fields and records.
                   partner for review

   Domain:         3
      Stakeholder: Payers
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                  Code/Statute
        OK10.01    Appropriate release     When releasing data with a business partner it is necessary   Barrier HIPAA                                               HIPAA 45 CFR 164.502(b)(1)
                   of EHR to business      to only provide the minimum necessary fields and records.
                   partner for review

   Domain:         4
      Stakeholder: Payers
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                  Code/Statute
        OK10.01    Appropriate release     When releasing data with a business partner it is necessary   Barrier HIPAA                                               HIPAA 45 CFR 164.502(b)(1)
                   of EHR to business      to only provide the minimum necessary fields and records.
                   partner for review

   Domain:         7
      Stakeholder: Payers
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                  Code/Statute
        OK10.01    Appropriate release     When releasing data with a business partner it is necessary   Barrier HIPAA                                               HIPAA 45 CFR 164.502(b)(1)
                   of EHR to business      to only provide the minimum necessary fields and records.
                   partner for review

Scenario: 11
   Domain:         1
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                  Code/Statute
        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to           Neutral                          Written consent REQUIRED   HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                  164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                   164.501
                   report- demographic
                   info for certain groups
        OK11.03    Sharing PHI internally  Share database internally, ADM/Appropriate staff query the      Neutral                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                                           database - Excel develop spreadsheet and e-mail unsecured                                                                          164.508(a)(3)(ii), 45 CFR
                                           through internal network e-mail                                                                                                    164.501

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                                    164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                           164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                           164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                              164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                                    164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                       164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.
        OK11.08    Appropriate request     Must be formally submitted to IT with a director's signature.   Barrier Internal Policy                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   for patient data        The data owner will give written consent for the report to be                                                                      164.508(a)(3)(ii), 45 CFR
                                           created. Once approved by data owner it is approved by the                                                                         164.501
                                           IT director. Then the report or query may be run.

   Domain:         2
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to             Neutral                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                           164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                            164.501
                   report- demographic
                   info for certain groups
        OK11.03    Sharing PHI internally  Share database internally, ADM/Appropriate staff query the      Neutral                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                                           database - Excel develop spreadsheet and e-mail unsecured                                                                          164.508(a)(3)(ii), 45 CFR
                                           through internal network e-mail                                                                                                    164.501

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                                    164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                           164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                           164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                              164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                                    164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                       164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.
        OK11.08    Appropriate request     Must be formally submitted to IT with a director's signature.   Barrier Internal Policy                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   for patient data        The data owner will give written consent for the report to be                                                                      164.508(a)(3)(ii), 45 CFR
                                           created. Once approved by data owner it is approved by the                                                                         164.501
                                           IT director. Then the report or query may be run.

   Domain:         3
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to             Neutral                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                           164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                            164.501
                   report- demographic
                   info for certain groups
        OK11.03    Sharing PHI internally  Share database internally, ADM/Appropriate staff query the      Neutral                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                                           database - Excel develop spreadsheet and e-mail unsecured                                                                             164.508(a)(3)(ii), 45 CFR
                                           through internal network e-mail                                                                                                       164.501

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                                       164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                              164.501
        OK11.01    Identifiable data not   determine if identifiable data is necessary                     Barrier                                 Written consent is REQUIRED   HIPAA Privacy 45 CFR
                   necessary                                                                                                                                                     164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                              164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                                       164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                          164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.
        OK11.08    Appropriate request     Must be formally submitted to IT with a director's signature.   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for patient data        The data owner will give written consent for the report to be                                                                         164.508(a)(3)(ii), 45 CFR
                                           created. Once approved by data owner it is approved by the                                                                            164.501
                                           IT director. Then the report or query may be run.

   Domain:         4
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to             Neutral                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                              164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                               164.501
                   report- demographic
                   info for certain groups
        OK11.03    Sharing PHI internally  Share database internally, ADM/Appropriate staff query the      Neutral                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                                           database - Excel develop spreadsheet and e-mail unsecured                                                                             164.508(a)(3)(ii), 45 CFR
                                           through internal network e-mail                                                                                                       164.501

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                                       164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                              164.501
        OK11.01    Identifiable data not   determine if identifiable data is necessary                     Barrier                                 Written consent is REQUIRED   HIPAA Privacy 45 CFR
                   necessary                                                                                                                                                     164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                              164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                                       164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                          164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.
        OK11.08    Appropriate request     Must be formally submitted to IT with a director's signature.   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for patient data        The data owner will give written consent for the report to be                                                                         164.508(a)(3)(ii), 45 CFR
                                           created. Once approved by data owner it is approved by the                                                                            164.501
                                           IT director. Then the report or query may be run.

   Domain:         5
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to             Neutral                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                           164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                            164.501
                   report- demographic
                   info for certain groups

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                                    164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                           164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                           164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                              164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                                    164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                       164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.
        OK11.08    Appropriate request     Must be formally submitted to IT with a director's signature.   Barrier Internal Policy                 Written consent REQUIRED   HIPAA Privacy 45 CFR
                   for patient data        The data owner will give written consent for the report to be                                                                      164.508(a)(3)(ii), 45 CFR
                                           created. Once approved by data owner it is approved by the                                                                         164.501
                                           IT director. Then the report or query may be run.

   Domain:         6
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                  Code/Statute




        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to             Neutral                           Written consent REQUIRED   HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                     164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                      164.501
                   report- demographic
                   info for certain groups

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                      Legal Driver
        #         Short Name               Description                                                     Class Short Name    Description   Narrative                  Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                           Written consent REQUIRED   HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                              164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                     164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                           Written consent REQUIRED   HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                     164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                        164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                      Legal Driver
        #         Short Name               Description                                                     Class Short Name    Description   Narrative                  Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy           Written consent REQUIRED   HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                              164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                 164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.

   Domain:         7
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                      Legal Driver
        #         Short Name               Description                                                     Class Short Name    Description   Narrative                  Code/Statute
        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to             Neutral                           Written consent REQUIRED   HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                     164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                      164.501
                   report- demographic
                   info for certain groups



        OK11.03    Sharing PHI internally  Share database internally, ADM/Appropriate staff query the      Neutral                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                                           database - Excel develop spreadsheet and e-mail unsecured                                                                             164.508(a)(3)(ii), 45 CFR
                                           through internal network e-mail                                                                                                       164.501

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                                       164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                              164.501
        OK11.01    Identifiable data not   determine if identifiable data is necessary                     Barrier                                 Written consent is REQUIRED   HIPAA Privacy 45 CFR
                   necessary                                                                                                                                                     164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                              164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                                       164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                          164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.
        OK11.08    Appropriate request     Must be formally submitted to IT with a director's signature.   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for patient data        The data owner will give written consent for the report to be                                                                         164.508(a)(3)(ii), 45 CFR
                                           created. Once approved by data owner it is approved by the                                                                            164.501
                                           IT director. Then the report or query may be run.

   Domain:         9
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute


        OK11.04    Patient benefit         Part of care team, covered in HIPAA must fw data to             Neutral                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   coordinator can         national database Identify health info for Indian Health                                                                              164.508(a)(3)(ii), 45 CFR
                   follow-up - run         Service. Done by internal file transfer                                                                                               164.501
                   report- demographic
                   info for certain groups
        OK11.03    Sharing PHI internally  Share database internally, ADM/Appropriate staff query the      Neutral                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                                           database - Excel develop spreadsheet and e-mail unsecured                                                                             164.508(a)(3)(ii), 45 CFR
                                           through internal network e-mail                                                                                                       164.501

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.06    HIPAA compliant         B associate or something similar secure agreement not use       Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   transfer                data for other purposes other than identified encrypt the data,                                                                       164.508(a)(3)(ii), 45 CFR
                                           establish secure connection and transfer                                                                                              164.501
        OK11.01    Identifiable data not   determine if identifiable data is necessary                     Barrier                                 Written consent is REQUIRED   HIPAA Privacy 45 CFR
                   necessary                                                                                                                                                     164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501
        OK11.05    Secure additional       Upfront obtain additional patient consent for specific target   Barrier                                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   consent                 audience                                                                                                                              164.508(a)(3)(ii), 45 CFR
                                                                                                                                                                                 164.501

      Stakeholder: Payers
        Business Practice                                                                                        Policy                            Legal Driver
        #         Short Name               Description                                                     Class Short Name          Description   Narrative                     Code/Statute
        OK11.07    Appropriate request     When the Public Info Division needs a list of addresses for a   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for info based on PHI   unique group of people, the request and criteria is provided to                                                                       164.508(a)(3)(ii), 45 CFR
                   or demographics         the IT department where it is reviewed and approved/rejected                                                                          164.501
                                           by the IT director. If approved the address list is created and
                                           supplied to the Public Info Department as de-identified data.
        OK11.08    Appropriate request     Must be formally submitted to IT with a director's signature.   Barrier Internal Policy                 Written consent REQUIRED      HIPAA Privacy 45 CFR
                   for patient data        The data owner will give written consent for the report to be                                                                         164.508(a)(3)(ii), 45 CFR
                                           created. Once approved by data owner it is approved by the                                                                            164.501
                                           IT director. Then the report or query may be run.

Scenario: 12

   Domain:         1
      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy                 Requires consent; can be initial   HIPAA, 45CFR 164.501,
                   of PHI to external    original entity/department in which data was collected, need                                               consent.                           164.508(a)(3)
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy                 Requires consent; can be initial   45CFR 164.501, 164.508(a)(3)
                   of PHI to internal    to a marketing dept.                                                                                       consent.
                   marketing
                   department

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy
                   of PHI to external    original entity/department in which data was collected, need
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy
                   of PHI to internal    to a marketing dept.
                   marketing
                   department

   Domain:         2
      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy                 Requires consent; can be initial   HIPAA, 45CFR 164.501,
                   of PHI to external    original entity/department in which data was collected, need                                               consent.                           164.508(a)(3)
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy                 Requires consent; can be initial   45CFR 164.501, 164.508(a)(3)
                   of PHI to internal    to a marketing dept.                                                                                       consent.
                   marketing
                   department




      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy
                   of PHI to external    original entity/department in which data was collected, need
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy
                   of PHI to internal    to a marketing dept.
                   marketing
                   department

   Domain:         4
      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy                 Requires consent; can be initial   HIPAA, 45CFR 164.501,
                   of PHI to external    original entity/department in which data was collected, need                                               consent.                           164.508(a)(3)
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy                 Requires consent; can be initial   45CFR 164.501, 164.508(a)(3)
                   of PHI to internal    to a marketing dept.                                                                                       consent.
                   marketing
                   department

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy
                   of PHI to external    original entity/department in which data was collected, need
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy
                   of PHI to internal    to a marketing dept.
                   marketing
                   department

   Domain:         5


      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy                 Requires consent; can be initial   HIPAA, 45CFR 164.501,
                   of PHI to external    original entity/department in which data was collected, need                                               consent.                           164.508(a)(3)
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy                 Requires consent; can be initial   45CFR 164.501, 164.508(a)(3)
                   of PHI to internal    to a marketing dept.                                                                                       consent.
                   marketing
                   department

      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy
                   of PHI to external    original entity/department in which data was collected, need
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy
                   of PHI to internal    to a marketing dept.
                   marketing
                   department

   Domain:         9
      Stakeholder: Hospitals
        Business Practice                                                                                         Policy                            Legal Driver
        #         Short Name             Description                                                        Class Short Name          Description   Narrative                          Code/Statute
        OK12.01    Appropriate release   If releasing info to solicit services not associated with the      Barrier Internal policy                 Requires consent; can be initial   HIPAA, 45CFR 164.501,
                   of PHI to external    original entity/department in which data was collected, need                                               consent.                           164.508(a)(3)
                   marketing company     patient consent. Refer criteria to legal's. Also explore ethical
                                         issues.
        OK12.02    Appropriate release   Need consent to provide anything more than name/address            Barrier Internal policy                 Requires consent; can be initial   45CFR 164.501, 164.508(a)(3)
                   of PHI to internal    to a marketing dept.                                                                                       consent.
                   marketing
                   department




Monday, October 30, 2006                                                                                                                                                                           Page 122 of 152
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                           Policy                                            Legal Driver
        #         Short Name               Description                                                        Class Short Name          Description                   Narrative                          Code/Statute
        OK12.01    Appropriate release     If releasing info to solicit services not associated with the      Barrier Internal policy
                   of PHI to external      original entity/department in which data was collected, need
                   marketing company       patient consent. Refer criteria to legal. Also explore ethical
                                           issues.
        OK12.02    Appropriate release     Need consent to provide anything more than name/address            Barrier Internal policy
                   of PHI to internal      to a marketing dept.
                   marketing
                   department


Scenario: 13
   Domain:         1
      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                                            Legal Driver
        #         Short Name               Description                                                        Class Short Name          Description                   Narrative                          Code/Statute
        OK13.02    Identification of law   need to verify persons presenting to organization are              Barrier HIPAA - legal     Must assume person is who     Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   enforcement             authorized to receive info                                                 restrictions to   they claim. Policies          patient consent due to chain-of-
                                                                                                                      who can obtain    regarding release of          response instruction by Homeland
                                                                                                                      info              information to law            Security
                                                                                                                                        enforcement
        OK13.01    Identification of       distribute medication                                              Neutral                   Issue with has person         Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   persons seeking                                                                                                      sought treatment at another   patient consent
                   treatment                                                                                                            institution to ___ or hoard
                                                                                                                                        medication

      Stakeholder: State Government
        Business Practice                                                                                           Policy                                            Legal Driver
        #         Short Name               Description                                                        Class Short Name          Description                   Narrative                          Code/Statute
        OK13.09    DHS/DDSD/ORC -          1. Notify state epidemiology 2. Notify county contact on       Neutral Bioterrorism          Draft procedure based on      Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   Intermediate Care       organization chart for dealing with Bio-T event; Facility had          event                 mock bioterrorism event in    patient consent due to chain-of-
                   Facility for clients    bio-T training from state health department-received all 3                                   conjunction with county.      response instruction by Homeland
                   with mental             levels of FEMA certification Training was followed by mock                                   Had state health              Security
                   retardation             bio t event organization chart using standard FEMA language                                  department & FEMA auditors
                                           was created for the county and the facility addressing all the
                                           issues of privacy & security

   Domain:         2
      Stakeholder: Hospitals
        Business Practice                                                                                      Policy                                           Legal Driver
        #         Short Name               Description                                                   Class Short Name          Description                  Narrative                          Code/Statute
        OK13.02    Identification of law   need to verify persons presenting to organization are         Barrier HIPAA - legal     Must assume person is who    Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   enforcement             authorized to receive info                                            restrictions to   they claim. Policies         patient consent due to chain-of-
                                                                                                                 who can obtain    regarding release of         response instruction by Homeland
                                                                                                                 info              information to law           Security
                                                                                                                                   enforcement

      Stakeholder: State Government
        Business Practice                                                                                      Policy                                           Legal Driver
        #         Short Name               Description                                                   Class Short Name          Description                  Narrative                          Code/Statute
        OK13.09    DHS/DDSD/ORC -          1. Notify state epidemiology 2. Notify county contact on       Neutral Bioterrorism     Draft procedure based on     Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   Intermediate Care       organization chart for dealing with Bio-T event; Facility had          event            mock bioterrorism event in   patient consent due to chain-of-
                   Facility for clients    bio-T training from state health department-received all 3                              conjunction with county.     response instruction by Homeland
                   with mental             levels of FEMA certification Training was followed by mock                              Had state health             Security
                   retardation             bio t event organization chart using standard FEMA language                             department & FEMA auditors
                                           was created for the county and the facility addressing all the
                                           issues of privacy & security

   Domain:         3
      Stakeholder: State Government
        Business Practice                                                                                      Policy                                           Legal Driver
        #         Short Name               Description                                                   Class Short Name          Description                  Narrative                          Code/Statute
        OK13.09    DHS/DDSD/ORC -          1. Notify state epidemiology 2. Notify county contact on       Neutral Bioterrorism     Draft procedure based on     Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   Intermediate Care       organization chart for dealing with Bio-T event; Facility had          event            mock bioterrorism event in   patient consent due to chain-of-
                   Facility for clients    bio-T training from state health department-received all 3                              conjunction with county.     response instruction by Homeland
                   with mental             levels of FEMA certification Training was followed by mock                              Had state health             Security
                   retardation             bio t event organization chart using standard FEMA language                             department & FEMA auditors
                                           was created for the county and the facility addressing all the
                                           issues of privacy & security

   Domain:         4
      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                                              Legal Driver
        #         Short Name                Description                                                   Class Short Name             Description                  Narrative                          Code/Statute
        OK13.06    Receiving lab report     OSDH lab receives report from lab via PHIN, Consolidates        Neutral OSDH BT                                         Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   of anthrax               with other labs' reports, coordinate reports from county health         Manual                                          patient consent
                                            department, on the CDC

   Domain:         7
      Stakeholder: Hospitals
        Business Practice                                                                                       Policy                                              Legal Driver
        #         Short Name                Description                                                   Class Short Name             Description                  Narrative                          Code/Statute
        OK13.04    Notification of health   Talk with infectious disease specialist and determine if health Neutral CDC rules & regs                                Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   department               department notification is required                                                                                     patient consent due to chain-of-
                                                                                                                                                                    response instruction by Homeland
                                                                                                                                                                    Security

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                                              Legal Driver
        #         Short Name                Description                                                   Class Short Name             Description                  Narrative                          Code/Statute
        OK13.07    BT event coordinator     Law enforcement and emergency management notified of the Neutral OSDH BT                                                Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   initiates appropriate    extent of the exposure, Media is notified for informing public   policy, rules &                                        patient consent due to chain-of-
                   disaster-intervention    re: exposure area, symptoms, etc.                                regulation                                             response instruction by Homeland
                   entities                                                                                                                                         Security

      Stakeholder: State Government
        Business Practice                                                                                       Policy                                              Legal Driver
        #         Short Name                Description                                                   Class Short Name             Description                  Narrative                          Code/Statute
        OK13.09    DHS/DDSD/ORC -           1. Notify state epidemiology 2. Notify county contact on       Neutral Bioterrorism        Draft procedure based on     Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   Intermediate Care        organization chart for dealing with Bio-T event; Facility had          event               mock bioterrorism event in   patient consent due to chain-of-
                   Facility for clients     bio-T training from state health department-received all 3                                 conjunction with county.     response instruction by Homeland
                   with mental              levels of FEMA certification Training was followed by mock                                 Had state health             Security
                   retardation              bio t event organization chart using standard FEMA language                                department & FEMA auditors
                                            was created for the county and the facility addressing all the
                                            issues of privacy & security

   Domain:         9



      Stakeholder: Hospitals
        Business Practice                                                                                      Policy                                            Legal Driver
        #         Short Name               Description                                                   Class Short Name          Description                   Narrative                          Code/Statute
        OK13.02    Identification of law   need to verify persons presenting to organization are         Barrier HIPAA - legal     Must assume person is who     Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   enforcement             authorized to receive info                                            restrictions to   they claim. Policies          patient consent due to chain-of-
                                                                                                                 who can obtain    regarding release of          response instruction by Homeland
                                                                                                                 info              information to law            Security
                                                                                                                                   enforcement
        OK13.05    Management Plan         policy for management of bioterrorism treatment of patients   Neutral                   ? Re release of information   Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   information             staff preventative care                                                                 to law enforcement            patient consent

      Stakeholder: Public Health Agency
        Business Practice                                                                                      Policy                                            Legal Driver
        #         Short Name               Description                                                   Class Short Name          Description                   Narrative                          Code/Statute
        OK13.08    Emergency               Aggregated data compiled and analyzed, submitted to           Neutral OSCH BT rules                                   Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   response                designated agencies                                                   & regulations                                   patient consent due to chain-of-
                   documentation                                                                                                                                 response instruction by Homeland
                   compiled                                                                                                                                      Security

      Stakeholder: State Government
        Business Practice                                                                                      Policy                                            Legal Driver
        #         Short Name               Description                                                   Class Short Name          Description                   Narrative                          Code/Statute
        OK13.09    DHS/DDSD/ORC -          1. Notify state epidemiology 2. Notify county contact on       Neutral Bioterrorism     Draft procedure based on      Disclosures CAN be made without    HIPAA 45 CFR 164.512(j)
                   Intermediate Care       organization chart for dealing with Bio-T event; Facility had          event            mock bioterrorism event in    patient consent due to chain-of-
                   Facility for clients    bio-T training from state health department-received all 3                              conjunction with county.      response instruction by Homeland
                   with mental             levels of FEMA certification Training was followed by mock                              Had state health              Security
                   retardation             bio t event organization chart using standard FEMA language                             department & FEMA auditors
                                           was created for the county and the facility addressing all the
                                           issues of privacy & security

Scenario: 14
   Domain:         1
      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative                             Code/Statute
        OK14.07    Written verification   hospital will fax their release form to patient to sign and        Barrier                                  Authorization required                HIPAA 45 CFR 164.508
                                          submit, hospital will match signatures on file to fax signature
                                          to authenticate identity. Patient can send in letter to require
                                          information. Hospital's preference is to use their form.
        OK14.05    Written verification   Don't authorize or give information over phone, we require         Barrier                                                                        No legal driver
                                          written verification. Employer faxes request on letterhead
                                          and hospital follows up by phone, looking up phone number
                                          in directory or from fax sheet
        OK14.06    Written verification   Require in person request, look at government issued ID to         Barrier                                                                        No legal driver
                                          determine identity

      Stakeholder: Public Health Agency
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative                             Code/Statute
        OK14.08    Release of             Determine way to authenticate identity between patient and         Barrier                                                                        No legal driver
                   Information            provider (code word on chart) non emergency situation

   Domain:         2
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative                             Code/Statute
        OK14.01    Determining            Each facility has ROI Policy & Procedure. Patient must fill        Barrier Authorization to                 Discussion included e-mail security   Legal Drivers include HIPAA
                   employee agreement     out and sign an Authorization to Release Confidential                      Release                          requirements and definition of        security requirements
                   to release             Information (often called ROI) describing what information                 Confidential                     informed consent.                     164.312.321(e)(1) Standard
                   information.           can be released and to whom. Facility would check the                      Information                                                            Submissions Security, 43A
                                          patient file for the ROI. If it was, then they could release the                                                                                  O.S. and 45CFR Authorization
                                          information to the employer.                                                                                                                      to Release Confidential
                                                                                                                                                                                            Information

      Stakeholder: Hospitals
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative                                Code/Statute
        OK14.01    Determining            Each facility has ROI Policy & Procedure. Patient must fill        Barrier Authorization to                 Discussion included e-mail security      Legal Drivers include HIPAA
                   employee agreement     out and sign an Authorization to Release Confidential                      Release                          requirements and definition of           security requirements
                   to release             Information (often called ROI) describing what information                 Confidential                     informed consent.                        164.312.321(e)(1) Standard
                   information.           can be released and to whom. Facility would check the                      Information                                                               Submissions Security, 43A
                                          patient file for the ROI. If it was, then they could release the                                                                                     O.S. and 45CFR Authorization
                                          information to the employer.                                                                                                                         to Release Confidential
                                                                                                                                                                                               Information
        OK14.09    Determining type of    Hospital staff walks patient through what information is being Neutral                                                                               No legal driver
                   information shared     released.
        OK14.02    Include only basic     Any information beyond release to work must require patient        Barrier                                  Consent is required for any info         HIPAA 45 CFR 164.508(c)
                   information            consent to release.                                                                                         beyond general return-to-work
                                                                                                                                                      instructions. The fact that it must be
                                                                                                                                                      in writing is legally driven; how the
                                                                                                                                                      written consent is obtained is NOT
                                                                                                                                                      legally driven.
        OK14.06    Written verification   Require in person request, look at government issued ID to         Barrier                                                                           No legal driver
                                          determine identity

      Stakeholder: Public Health Agency
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative                                Code/Statute
        OK14.08    Release of             Determine way to authenticate identity between patient and         Barrier                                                                           No legal driver
                   Information            provider (code word on chart) non emergency situation
        OK14.12    Transfer Health        Can share information with sister agencies because they use Neutral                                                                                  No legal driver (however,
                   Information            same encryption software                                                                                                                             required consent still applies)

      Stakeholder: State Government
        Business Practice                                                                                          Policy                             Legal Driver
        #         Short Name              Description                                                        Class Short Name           Description   Narrative                                Code/Statute
        OK14.04    Employee               Employer has contract with employee to provide information.        Neutral                                                                           No legal driver
                   responsible for        Not the responsibility of the employer.
                   providing info

   Domain:         4



      Stakeholder: Public Health Agency
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                                Code/Statute
        OK14.12    Transfer Health         Can share information with sister agencies because they use Neutral                                                                     No legal driver (however,
                   Information             same encryption software                                                                                                                required consent still applies)

   Domain:         7
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                                Code/Statute
        OK14.03    Request for             Only Health Information Management can answer inquiries       Barrier                                                                   No legal driver
                   information by          for information from employer.
                   employer is
                   transferred to Health
                   Information
                   Management

      Stakeholder: Hospitals
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                                Code/Statute
        OK14.03    Request for             Only Health Information Management can answer inquiries       Barrier                                                                   No legal driver
                   information by          for information from employer.
                   employer is
                   transferred to Health
                   Information
                   Management

   Domain:         8
      Stakeholder: Hospitals
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name               Description                                                   Class Short Name   Description   Narrative                                Code/Statute
        OK14.02    Include only basic      Any information beyond release to work must require patient   Barrier                          Consent is required for any info         HIPAA 45 CFR 164.508(c)
                   information             consent to release.                                                                            beyond general return-to-work
                                                                                                                                          instructions. The fact that it must be
                                                                                                                                          in writing is legally driven; how the
                                                                                                                                          written consent is obtained is NOT
                                                                                                                                          legally driven.


   Domain:         9
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name               Description                                                        Class Short Name           Description   Narrative                                Code/Statute
        OK14.01    Determining             Each facility has ROI Policy & Procedure. Patient must fill        Barrier Authorization to                 Discussion included e-mail security      Legal Drivers include HIPAA
                   employee agreement      out and sign an Authorization to Release Confidential                      Release                          requirements and definition of           security requirements
                   to release              Information (often called ROI) describing what information                 Confidential                     informed consent.                        164.312.321(e)(1) Standard
                   information.            can be released and to whom. Facility would check the                      Information                                                               Submissions Security, 43A
                                           patient file for the ROI. If it was, then they could release the                                                                                     O.S. and 45CFR Authorization
                                           information to the employer.                                                                                                                         to Release Confidential
                                                                                                                                                                                                Information
        OK14.03    Request for             Only Health Information Management can answer inquiries            Barrier                                                                           No legal driver
                   information by          for information from employer.
                   employer is
                   transferred to Health
                   Information
                   Management
        OK14.11    Transfer Health         policy prohibits transfer of data outside network                  Barrier                                                                           No legal driver
                   Information

      Stakeholder: Hospitals
        Business Practice                                                                                           Policy                             Legal Driver
        #         Short Name               Description                                                        Class Short Name           Description   Narrative                                Code/Statute
        OK14.01    Determining             Each facility has ROI Policy & Procedure. Patient must fill        Barrier Authorization to                 Discussion included e-mail security      Legal Drivers include HIPAA
                   employee agreement      out and sign an Authorization to Release Confidential                      Release                          requirements and definition of           security requirements
                   to release              Information (often called ROI) describing what information                 Confidential                     informed consent.                        164.312.321(e)(1) Standard
                   information.            can be released and to whom. Facility would check the                      Information                                                               Submissions Security, 43A
                                           patient file for the ROI. If it was, then they could release the                                                                                     O.S. and 45CFR Authorization
                                           information to the employer.                                                                                                                         to Release Confidential
                                                                                                                                                                                                Information
        OK14.10    Don't transfer          policy prohibits transfer of health information through email      Barrier                                                                           No legal driver
                   electronic health
                   record or any health
                   information by email
        OK14.02    Include only basic      Any information beyond release to work must require patient        Barrier                                  Consent is required for any info         HIPAA 45 CFR 164.508(c)
                   information             consent to release.                                                                                         beyond general return-to-work
                                                                                                                                                       instructions. The fact that it must be
                                                                                                                                                       in writing is legally driven; how the
                                                                                                                                                       written consent is obtained is NOT
                                                                                                                                                       legally driven.




        OK14.03    Request for             Only Health Information Management can answer inquiries      Barrier                                         No legal driver
                   information by          for information from employer.
                   employer is
                   transferred to Health
                   Information
                   Management
        OK14.05    Written verification    Don't authorize or give information over phone, we require   Barrier                                         No legal driver
                                           written verification. Employer faxes request on letterhead
                                           and hospital follows up by phone, looking up phone number
                                           in directory or from fax sheet

Scenario: 15
   Domain:         8
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                     Policy                     Legal Driver
        #         Short Name               Description                                                  Class Short Name   Description   Narrative      Code/Statute
        OK15.05    Providing patient       Would contact Department of Health by phone, based on        Neutral
                   health information      public good would provide information necessary, state law
                   concerning a            requires notification of communicable disease
                   communicable
                   disease.

      Stakeholder: Hospitals
        Business Practice                                                                                     Policy                     Legal Driver
        #         Short Name               Description                                                  Class Short Name   Description   Narrative      Code/Statute
        OK15.05    Providing patient       Would contact Department of Health by phone, based on        Neutral
                   health information      public good would provide information necessary, state law
                   concerning a            requires notification of communicable disease
                   communicable
                   disease.

      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                             Legal Driver
        #         Short Name            Description                                                       Class Short Name           Description   Narrative                             Code/Statute
        OK15.05    Providing patient    Would contact Department of Health by phone, based on             Neutral
                   health information   public good would provide information necessary, state law
                   concerning a         requires notification of communicable disease
                   communicable
                   disease.

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                             Legal Driver
        #         Short Name            Description                                                       Class Short Name           Description   Narrative                             Code/Statute
        OK15.01    Providing patient    Patient refused to follow state law. In this case, the district   Neutral Public Health                     Law supports release depending on    45 CFR; Public Health
                   health information   attorney would contact law enforcement by telephone.                      Exemption;                       stage of disease (Public Health 63    Exemption; Authorization to
                   concerning a                                                                                   Authorization to                 O.S. §1-401 thru §1-410. Discussion   release confidential Information
                   communicable                                                                                   release                          centered on quarantine laws.          No legal barrier.
                   disease.                                                                                       confidential
                                                                                                                  Information
        OK15.03    Providing patient    Would notify state health officer in other state if appropriate   Neutral
                   health information   and law enforcement because they are not complying their
                   concerning a         name would be released.
                   communicable
                   disease.
        OK15.04    Providing patient    Notification would be sent to public but name would not be        Neutral
                   health information   released
                   concerning a
                   communicable
                   disease.

      Stakeholder: State Government
        Business Practice                                                                                       Policy                             Legal Driver
        #         Short Name            Description                                                       Class Short Name           Description   Narrative                             Code/Statute
        OK15.02    Providing patient    Patient refused to follow state law. In this case, the district   Neutral Public Health                                                          Title 75
                   health information   attorney would be contacted by telephone.                                 Exemption;
                   concerning a                                                                                   Authorization to
                   communicable                                                                                   release
                   disease.                                                                                       confidential
                                                                                                                  Information

Scenario: 16

   Domain:         1
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                      Legal Driver
        #         Short Name               Description                                                       Class Short Name    Description   Narrative                          Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.     Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language
        OK16.03    Required reporting to (Facilities report PKU & hearing test results to state lab. Do      Neutral
                   Health Dept.          not have to check for consent )
                   required to report
                   PKU & hearing test
                   to state lab - does
                   not require patient
                   consent
        OK16.04    Sharing of lab results Lab results are transported via courier to courier - results are   Barrier state law
                                          mailed back from lab to hospital to go in patient file - lab
                                          abnormal results report that to DOH. Patient /guardian can
                                          opt out of database.
        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.       Barrier                           Federal law allows it; State law   45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                         requires it.                       63§1-401
                                          registry. Report results in state database required to be
                                          entered

   Domain:         2
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                      Legal Driver
        #         Short Name               Description                                                       Class Short Name    Description   Narrative                          Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.     Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language
        OK16.03    Required reporting to (Facilities report PKU & hearing test results to state lab. Do      Neutral
                   Health Dept.          not have to check for consent )
                   required to report
                   PKU & hearing test
                   to state lab - does
                   not require patient
                   consent
        OK16.04    Sharing of lab results Lab results are transported via courier to courier - results are   Barrier state law
                                          mailed back from lab to hospital to go in patient file - lab
                                          abnormal results report that to DOH. Patient /guardian can
                                          opt out of database.



        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.       Barrier                           Federal law allows it; State law   45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                         requires it.                       63§1-401
                                          registry. Report results in state database required to be
                                          entered

   Domain:         3
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                      Legal Driver
        #         Short Name               Description                                                       Class Short Name    Description   Narrative                          Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.     Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language
        OK16.03    Required reporting to (Facilities report PKU & hearing test results to state lab. Do      Neutral
                   Health Dept.          not have to check for consent )
                   required to report
                   PKU & hearing test
                   to state lab - does
                   not require patient
                   consent
        OK16.04    Sharing of lab results Lab results are transported via courier to courier - results are   Barrier state law
                                          mailed back from lab to hospital to go in patient file - lab
                                          abnormal results report that to DOH. Patient /guardian can
                                          opt out of database.
        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.       Barrier                           Federal law allows it; State law   45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                         requires it.                       63§1-401
                                          registry. Report results in state database required to be
                                          entered

   Domain:         4
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                      Legal Driver
        #         Short Name               Description                                                       Class Short Name    Description   Narrative                          Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.     Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language


        OK16.03    Required reporting to (Facilities report PKU & hearing test results to state lab. Do      Neutral
                   Health Dept.          not have to check for consent )
                   required to report
                   PKU & hearing test
                   to state lab - does
                   not require patient
                   consent
        OK16.04    Sharing of lab results Lab results are transported via courier to courier - results are   Barrier state law
                                          mailed back from lab to hospital to go in patient file - lab
                                          abnormal results report that to DOH. Patient /guardian can
                                          opt out of database.
        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.       Barrier                           Federal law allows it; State law   45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                         requires it.                       63§1-401
                                          registry. Report results in state database required to be
                                          entered

   Domain:         5
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                      Legal Driver
        #         Short Name               Description                                                       Class Short Name    Description   Narrative                          Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.     Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language
        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.       Barrier                           Federal law allows it; State law   45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                         requires it.                       63§1-401
                                          registry. Report results in state database required to be
                                          entered

   Domain:         6
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                      Legal Driver
        #         Short Name               Description                                                       Class Short Name    Description   Narrative                          Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.     Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language


        OK16.03    Required reporting to (Facilities report PKU & hearing test results to state lab. Do      Neutral
                   Health Dept.          not have to check for consent )
                   required to report
                   PKU & hearing test
                   to state lab - does
                   not require patient
                   consent
        OK16.04    Sharing of lab results Lab results are transported via courier to courier - results are   Barrier state law
                                          mailed back from lab to hospital to go in patient file - lab
                                          abnormal results report that to DOH. Patient /guardian can
                                          opt out of database.
        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.       Barrier                           Federal law allows it; State law   45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                         requires it.                       63§1-401
                                          registry. Report results in state database required to be
                                          entered

   Domain:         7
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                          Policy                      Legal Driver
        #         Short Name               Description                                                       Class Short Name    Description   Narrative                          Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.     Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language
        OK16.03    Required reporting to (Facilities report PKU & hearing test results to state lab. Do      Neutral
                   Health Dept.          not have to check for consent )
                   required to report
                   PKU & hearing test
                   to state lab - does
                   not require patient
                   consent
        OK16.04    Sharing of lab results Lab results are transported via courier to courier - results are   Barrier state law
                                          mailed back from lab to hospital to go in patient file - lab
                                          abnormal results report that to DOH. Patient /guardian can
                                          opt out of database.
        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.       Barrier                           Federal law allows it; State law   45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                         requires it.                       63§1-401
                                          registry. Report results in state database required to be
                                          entered


   Domain:         8
      Stakeholder: Public Health Agency
        Business Practice                                                                                            Policy                      Legal Driver
        #         Short Name               Description                                                         Class Short Name    Description   Narrative                           Code/Statute
        OK16.01    Providing patient       State Law requires that hospital labs take blood from               Barrier                           State Law; HIPAA, 45 CFR submitted Statutes need to be consulted…
                   information to the      newborns, logs that it has been taken, then sends specimen                                            by VWG                             follow-up: 45 CFR 164.512(b)(1)(I)
                   health department       to Public Health Laboratory via mail. The Public Health
                   for a disease under     Laboratory will perform the test and if positive, will inform the
                   investigation.          newborn's physician to say the patient is positive.

   Domain:         9
      Stakeholder: Federal Health Facilities
        Business Practice                                                                                            Policy                      Legal Driver
        #         Short Name               Description                                                         Class Short Name    Description   Narrative                           Code/Statute
        OK16.02    Agreement to            Hospital has agreement with state lab to process lab results.       Barrier
                   process lab results     Payment agreement to process lab results and non-
                                           disclosure language
        OK16.03    Required reporting to (Facilities report PKU & hearing test results to state lab. Do        Neutral
                   Health Dept.          not have to check for consent )
                   required to report
                   PKU & hearing test
                   to state lab - does
                   not require patient
                   consent
        OK16.04    Sharing of lab results Lab results are transported via courier to courier - results are     Barrier state law
                                          mailed back from lab to hospital to go in patient file - lab
                                          abnormal results report that to DOH. Patient /guardian can
                                          opt out of database.
        OK16.05    Sharing of patient     Only HIPAA allows this clinic to share this info with state.         Barrier                           Federal law allows it; State law    45CFR 164.512(b)(c)(i), OS
                   information with state Guardian has option to opt in/out of state database to enter                                           requires it.                        63§1-401
                                          registry. Report results in state database required to be
                                          entered

      Stakeholder: Public Health Agency
        Business Practice                                                                                            Policy                      Legal Driver
        #         Short Name               Description                                                         Class Short Name    Description   Narrative                           Code/Statute
        OK16.01    Providing patient       State Law requires that hospital labs take blood from               Barrier                           State Law; HIPAA, 45 CFR submitted Statutes need to be consulted…
                   information to the      newborns, logs that it has been taken, then sends specimen                                            by VWG                             follow-up: 45 CFR 164.512(b)(1)(I)
                   health department       to Public Health Laboratory via mail. The Public Health
                   for a disease under     Laboratory will perform the test and if positive, will inform the
                   investigation.          newborn's physician to say the patient is positive.

Scenario: 17
   Domain:         1
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name              Description                                                    Class Short Name   Description   Narrative                             Code/Statute
        OK17.04    Appropriate             PCP can send PHI via fax, mail, or personal delivery--        Barrier                                                                No legal driver
                   response to request    directly to the patient who can then provide the data to the
                   from homeless          treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Hospitals
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name              Description                                                    Class Short Name   Description   Narrative                             Code/Statute
        OK17.12    Release of             verify they are who they say they are, Power of Attorney,      Barrier                                                                No legal driver
                   Information            release, and ID showing I am who I say I am

      Stakeholder: Physician Groups
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name              Description                                                    Class Short Name   Description   Narrative                             Code/Statute
        OK17.04    Appropriate             PCP can send PHI via fax, mail, or personal delivery--        Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    directly to the patient who can then provide the data to the
                   from homeless          treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Public Health Agency
        Business Practice                                                                                      Policy                     Legal Driver
        #         Short Name              Description                                                    Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release    When a patient is admitted to the treatment center they must   Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient   sign consent for release of info. Will only release minimum                                     to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment        necessary information.                                                                          furthermore, a treatment center may treatment)
                                                                                                                                          NOT deny treatment per HIPAA.
        OK17.05    Appropriate            Treatment center might require special consent form for        Barrier                                                                HIPAA 45 CFR 164.508(b)(3)(ii),
                   response to request    mental health records. May not accept HIPAA consent form.                                                                             OS Title 63
                   from homeless
                   shelter for PHI
        OK17.03    Appropriate            Treatment center might provide info to the homeless shelter    Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    verbally (by phone) or by mail. Exception: Mental Health
                   from homeless          Records. Without release, Mental Health Records cannot be
                   shelter for PHI        discussed with anyone other than the patient.
        OK17.06    Appropriate transfer    Referral entity notifies MHF of referral by phone. No patient   Barrier                                                                  No legal driver
                   of mental health        record sent to MHF; typically don't have customized mental
                   records between         health consent form.
                   referring agency and
                   treatment agency
        OK17.10    Client Data Core        Data entry into this system begins in hard copy. Then           Barrier                                                                  No legal driver
                                           entered electronically into ICIS by an intake worker at the
                                           treatment center.
        OK17.07    Obtain PHI sufficient   Patient seeks treatment at treatment center; appointment is     Barrier                                                                  No legal driver
                   to treat patient        set. Review intake notes for assessment and screening. No
                                           previous patient records available for initial appointment at
                                           drug treatment center.
        OK17.14    Release of              access to child's information                                   Barrier                                                                  No legal driver
                   Information
        OK17.08    Transfer of PHI         CDC completed - send top part (monthly) to DMHSAS and           Neutral                          Only permissible in emergency           OS 43A 1-109
                   between referring       then to ICIS (integrated client info system). DMHSAS enters                                      situations
                   agency and              into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for     Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                                  No legal driver
                   reimbursement to        electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         2
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name               Description                                                     Class Short Name   Description   Narrative                               Code/Statute
        OK17.04    Appropriate              PCP can send PHI via fax, mail, or personal delivery--         Barrier                                                                  No legal driver
                   response to request     directly to the patient who can then provide the data to the
                   from homeless           treatment center to provide to the homeless shelter.
                   shelter for PHI
        OK17.01    Providing patient       Check in file, to see if there is a signed ROI that indicates Barrier                            Committed questioned why relative       Legal Barriers: HIPAA, 43A
                   information to a        that the inquiring person is a designated person(s). If                                          wants information, there might be       O.S. 1-109, 12 O.S. §2503.
                   relative.               so, provide the person with information. If not, contact                                         other statutes that would apply
                                           patient and inform them who was trying to obtain                                                 depending on the circumstances
                                           information. If patient wants to provide information to that                                     such as the wife could be notified if
                                           inquiring person patient would need to sign a ROI and have it                                    there were a STD diagnosis.
                                           on file with the provider.



      Stakeholder: Hospitals
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                             Code/Statute
        OK17.13    Release of             pin number to patient - will give info to anyone with said pin   Barrier                          Consent is REQUIRED to release        42 CFR 2.14, HIPAA 45 CFR
                   Information            number                                                                                            minor patient mental                  164.502(g)(3)(ii), 63 OS 26.01,
                                                                                                                                            health/substance abuse, family        OS 43A 5-503, OS 43A 16,17
                                                                                                                                            planning records; no minimum age

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                             Code/Statute
        OK17.04    Appropriate             PCP can send PHI via fax, mail, or personal delivery--          Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    directly to the patient who can then provide the data to the
                   from homeless          treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Public Health Agency
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release    When a patient is admitted to the treatment center they must     Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient   sign consent for release of info. Will only release minimum                                       to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment        necessary information.                                                                            furthermore, a treatment center may treatment)
                                                                                                                                            NOT deny treatment per HIPAA.
        OK17.03    Appropriate            Treatment center might provide info to the homeless shelter      Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    verbally (by phone) or by mail. Exception: Mental Health
                   from homeless          Records. Without release, Mental Health Records cannot be
                   shelter for PHI        discussed with anyone other than the patient.
        OK17.05    Appropriate            Treatment center might require special consent form for          Barrier                                                                HIPAA 45 CFR 164.508(b)(3)(ii),
                   response to request    mental health records. May not accept HIPAA consent form.                                                                               OS Title 63
                   from homeless
                   shelter for PHI
        OK17.06    Appropriate transfer   Referral entity notifies MHF of referral by phone. No patient    Barrier                                                                No legal driver
                   of mental health       record sent to MHF; typically don't have customized mental
                   records between        health consent form.
                   referring agency and
                   treatment agency
        OK17.10    Client Data Core       Data entry into this system begins in hard copy. Then            Barrier                                                                No legal driver
                                          entered electronically into ICIS by an intake worker at the
                                          treatment center.
        OK17.07    Obtain PHI sufficient   Patient seeks treatment at treatment center; appointment is     Barrier                                                                No legal driver
                   to treat patient        set. Review intake notes for assessment and screening. No
                                           previous patient records available for initial appointment at
                                           drug treatment center.
        OK17.08    Transfer of PHI         CDC completed - send top part (monthly) to DMHSAS and           Neutral                          Only permissible in emergency         OS 43A 1-109
                   between referring       then to ICIS (integrated client info system). DMHSAS enters                                      situations
                   agency and              into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for     Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                                No legal driver
                   reimbursement to        electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         3
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name               Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.04    Appropriate              PCP can send PHI via fax, mail, or personal delivery--         Barrier                                                                No legal driver
                   response to request     directly to the patient who can then provide the data to the
                   from homeless           treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Physician Groups
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name               Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.04    Appropriate              PCP can send PHI via fax, mail, or personal delivery--         Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request     directly to the patient who can then provide the data to the
                   from homeless           treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Public Health Agency
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name               Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release     When a patient is admitted to the treatment center they must    Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient    sign consent for release of info. Will only release minimum                                      to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment         necessary information.                                                                           furthermore, a treatment center may treatment)
                                                                                                                                            NOT deny treatment per HIPAA.

        OK17.03    Appropriate            Treatment center might provide info to the homeless shelter     Barrier                          Consent is REQUIRED             HIPAA 42 CFR part 2
                   response to request    verbally (by phone) or by mail. Exception: Mental Health
                   from homeless          Records. Without release, Mental Health Records cannot be
                   shelter for PHI        discussed with anyone other than the patient.
        OK17.05    Appropriate            Treatment center might require special consent form for         Barrier                                                          HIPAA 45 CFR 164.508(b)(3)(ii),
                   response to request    mental health records. May not accept HIPAA consent form.                                                                        OS Title 63
                   from homeless
                   shelter for PHI
        OK17.06    Appropriate transfer   Referral entity notifies MHF of referral by phone. No patient   Barrier                                                          No legal driver
                   of mental health       record sent to MHF; typically don't have customized mental
                   records between        health consent form.
                   referring agency and
                   treatment agency
        OK17.10    Client Data Core       Data entry into this system begins in hard copy. Then           Barrier                                                          No legal driver
                                          entered electronically into ICIS by an intake worker at the
                                          treatment center.
        OK17.08    Transfer of PHI        CDC completed - send top part (monthly) to DMHSAS and           Neutral                          Only permissible in emergency   OS 43A 1-109
                   between referring      then to ICIS (integrated client info system). DMHSAS enters                                      situations
                   agency and             into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for    Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                          No legal driver
                   reimbursement to       electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         4
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                       Code/Statute
        OK17.04    Appropriate             PCP can send PHI via fax, mail, or personal delivery--         Barrier                                                          No legal driver
                   response to request    directly to the patient who can then provide the data to the
                   from homeless          treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.04    Appropriate             PCP can send PHI via fax, mail, or personal delivery--         Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    directly to the patient who can then provide the data to the
                   from homeless          treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release    When a patient is admitted to the treatment center they must    Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient   sign consent for release of info. Will only release minimum                                      to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment        necessary information.                                                                           furthermore, a treatment center may treatment)
                                                                                                                                           NOT deny treatment per HIPAA.
        OK17.05    Appropriate            Treatment center might require special consent form for         Barrier                                                                HIPAA 45 CFR 164.508(b)(3)(ii),
                   response to request    mental health records. May not accept HIPAA consent form.                                                                              OS Title 63
                   from homeless
                   shelter for PHI
        OK17.03    Appropriate            Treatment center might provide info to the homeless shelter     Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    verbally (by phone) or by mail. Exception: Mental Health
                   from homeless          Records. Without release, Mental Health Records cannot be
                   shelter for PHI        discussed with anyone other than the patient.
        OK17.06    Appropriate transfer   Referral entity notifies MHF of referral by phone. No patient   Barrier                                                                No legal driver
                   of mental health       record sent to MHF; typically don't have customized mental
                   records between        health consent form.
                   referring agency and
                   treatment agency
        OK17.10    Client Data Core       Data entry into this system begins in hard copy. Then           Barrier                                                                No legal driver
                                          entered electronically into ICIS by an intake worker at the
                                          treatment center.
        OK17.08    Transfer of PHI        CDC completed - send top part (monthly) to DMHSAS and           Neutral                          Only permissible in emergency         OS 43A 1-109
                   between referring      then to ICIS (integrated client info system). DMHSAS enters                                      situations
                   agency and             into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for    Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                                No legal driver
                   reimbursement to       electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         5


Monday, October 30, 2006                                                                                                                                                                       Page 143 of 152
      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release    When a patient is admitted to the treatment center they must    Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient   sign consent for release of info. Will only release minimum                                      to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment        necessary information.                                                                           furthermore, a treatment center may treatment)
                                                                                                                                           NOT deny treatment per HIPAA.
        OK17.06    Appropriate transfer   Referral entity notifies MHF of referral by phone. No patient   Barrier                                                                No legal driver
                   of mental health       record sent to MHF; typically don't have customized mental
                   records between        health consent form.
                   referring agency and
                   treatment agency
        OK17.10    Client Data Core       Data entry into this system begins in hard copy. Then           Barrier                                                                No legal driver
                                          entered electronically into ICIS by an intake worker at the
                                          treatment center.
        OK17.08    Transfer of PHI        CDC completed - send top part (monthly) to DMHSAS and           Neutral                          Only permissible in emergency         OS 43A 1-109
                   between referring      then to ICIS (integrated client info system). DMHSAS enters                                      situations
                   agency and             into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for    Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                                No legal driver
                   reimbursement to       electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         6
      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release    When a patient is admitted to the treatment center they must    Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient   sign consent for release of info. Will only release minimum                                      to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment        necessary information.                                                                           furthermore, a treatment center may treatment)
                                                                                                                                           NOT deny treatment per HIPAA.
        OK17.10    Client Data Core       Data entry into this system begins in hard copy. Then           Barrier                                                                No legal driver
                                          entered electronically into ICIS by an intake worker at the
                                          treatment center.
        OK17.08    Transfer of PHI        CDC completed - send top part (monthly) to DMHSAS and           Neutral                          Only permissible in emergency         OS 43A 1-109
                   between referring      then to ICIS (integrated client info system). DMHSAS enters                                      situations
                   agency and             into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for    Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                                No legal driver
                   reimbursement to       electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         7
      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.06    Appropriate transfer   Referral entity notifies MHF of referral by phone. No patient   Barrier                                                                No legal driver
                   of mental health       record sent to MHF; typically don't have customized mental
                   records between        health consent form.
                   referring agency and
                   treatment agency
        OK17.08    Transfer of PHI        CDC completed - send top part (monthly) to DMHSAS and           Neutral                          Only permissible in emergency         OS 43A 1-109
                   between referring      then to ICIS (integrated client info system). DMHSAS enters                                      situations
                   agency and             into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for    Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                                No legal driver
                   reimbursement to       electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         8
      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release    When a patient is admitted to the treatment center they must    Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient   sign consent for release of info. Will only release minimum                                      to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment        necessary information.                                                                           furthermore, a treatment center may treatment)
                                                                                                                                           NOT deny treatment per HIPAA.
        OK17.10    Client Data Core       Data entry into this system begins in hard copy. Then           Barrier                                                                No legal driver
                                          entered electronically into ICIS by an intake worker at the
                                          treatment center.
        OK17.14    Release of             access to child's information                                   Barrier                                                                No legal driver
                   Information
        OK17.09    Transfer of PHI for    Entered into ICIS (dept of MHSAS) - cont. standard monthly,     Neutral                                                                No legal driver
                   reimbursement to       electronic run. If patient indigent… (sinus? serious?)
                   State

   Domain:         9
      Stakeholder: Community Clinics and Health Centers
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute



        OK17.04    Appropriate             PCP can send PHI via fax, mail, or personal delivery--         Barrier                                                                No legal driver
                   response to request    directly to the patient who can then provide the data to the
                   from homeless          treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Physician Groups
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.04    Appropriate             PCP can send PHI via fax, mail, or personal delivery--         Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    directly to the patient who can then provide the data to the
                   from homeless          treatment center to provide to the homeless shelter.
                   shelter for PHI

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name              Description                                                     Class Short Name   Description   Narrative                             Code/Statute
        OK17.01    Appropriate release    When a patient is admitted to the treatment center they must    Barrier                          No legal driver to REQUIRE a patient HIPAA 45 CFR
                   of PHI while patient   sign consent for release of info. Will only release minimum                                      to sign consent to release info;     164.508(b)(4)(prohibits denial of
                   is in treatment        necessary information.                                                                           furthermore, a treatment center may treatment)
                                                                                                                                           NOT deny treatment per HIPAA.
        OK17.03    Appropriate            Treatment center might provide info to the homeless shelter     Barrier                          Consent is REQUIRED                   HIPAA 42 CFR part 2
                   response to request    verbally (by phone) or by mail. Exception: Mental Health
                   from homeless          Records. Without release, Mental Health Records cannot be
                   shelter for PHI        discussed with anyone other than the patient.
        OK17.05    Appropriate            Treatment center might require special consent form for         Barrier                                                                HIPAA 45 CFR 164.508(b)(3)(ii),
                   response to request    mental health records. May not accept HIPAA consent form.                                                                              OS Title 63
                   from homeless
                   shelter for PHI
        OK17.06    Appropriate transfer   Referral entity notifies MHF of referral by phone. No patient   Barrier                                                                No legal driver
                   of mental health       record sent to MHF; typically don't have customized mental
                   records between        health consent form.
                   referring agency and
                   treatment agency
        OK17.10    Client Data Core       Data entry into this system begins in hard copy. Then           Barrier                                                                No legal driver
                                          entered electronically into ICIS by an intake worker at the
                                          treatment center.




        OK17.07    Obtain PHI sufficient   Patient seeks treatment at treatment center; appointment is      Barrier                                                          No legal driver
                   to treat patient        set. Review intake notes for assessment and screening. No
                                           previous patient records available for initial appointment at
                                           drug treatment center.
        OK17.08    Transfer of PHI         CDC completed - send top part (monthly) to DMHSAS and            Neutral                          Only permissible in emergency   OS 43A 1-109
                   between referring       then to ICIS (integrated client info system). DMHSAS enters                                       situations
                   agency and              into ICIS. Carbon copy kept in file.
                   treatment agency
        OK17.09    Transfer of PHI for     Entered into ICIS (dept of MHSAS) - cont. standard monthly,      Neutral                                                          No legal driver
                   reimbursement to        electronic run. If patient indigent… (sinus? serious?)
                   State

Scenario: 18
   Domain:         1
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                         Policy                     Legal Driver
        #         Short Name               Description                                                      Class Short Name   Description   Narrative                       Code/Statute
        OK18.02    Oklahoma State          Most providers who administer immunizations have access          barrier                                                          No legal driver
                   Immunization            to OSIIS. State can track immunizations, adverse reactions
                   Information System      to immunizations, and basic demographic info on patients. It
                   (OSIIS)                 requires agreement (BAA) to ensure security of data. Batch
                                           file on secure site; requires log-on credentials and password.
        OK18.03    Request for patient     Require contract, IRB approval, and interstate agreement         barrier                                                          HIPAA 45 CFR 164.512(i)
                   data from state         from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                         Policy                     Legal Driver
        #         Short Name               Description                                                      Class Short Name   Description   Narrative                       Code/Statute
        OK18.03    Request for patient     Require contract, IRB approval, and interstate agreement         barrier                                                          HIPAA 45 CFR 164.512(i)
                   data from state         from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies



   Domain:         2
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.02    Oklahoma State        Most providers who administer immunizations have access          barrier                                         No legal driver
                   Immunization          to OSIIS. State can track immunizations, adverse reactions
                   Information System    to immunizations, and basic demographic info on patients. It
                   (OSIIS)               requires agreement (BAA) to ensure security of data. Batch
                                         file on secure site; requires log-on credentials and password.
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

   Domain:         3
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.02    Oklahoma State        Most providers who administer immunizations have access          barrier                                         No legal driver
                   Immunization          to OSIIS. State can track immunizations, adverse reactions
                   Information System    to immunizations, and basic demographic info on patients. It
                   (OSIIS)               requires agreement (BAA) to ensure security of data. Batch
                                         file on secure site; requires log-on credentials and password.
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute


        OK18.01    Procedure a state      Governor would work with the Legislator and get a mandate.       barrier                          With Federal approval may do State   HIPAA 45 CFR 160.203(c)
                   public health agency   Or contracts would need to be set up between state                                                mandate.
                   undertakes if          agencies and university
                   requested to share
                   private patient
                   information with
                   university
                   researchers for
                   health oversight
                   goals.
        OK18.03    Request for patient    Require contract, IRB approval, and interstate agreement         barrier                                                               HIPAA 45 CFR 164.512(i)
                   data from state        from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

   Domain:         4
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                            Code/Statute
        OK18.02    Oklahoma State         Most providers who administer immunizations have access          barrier                                                               No legal driver
                   Immunization           to OSIIS. State can track immunizations, adverse reactions
                   Information System     to immunizations, and basic demographic info on patients. It
                   (OSIIS)                requires agreement (BAA) to ensure security of data. Batch
                                          file on secure site; requires log-on credentials and password.
        OK18.03    Request for patient    Require contract, IRB approval, and interstate agreement         barrier                                                               HIPAA 45 CFR 164.512(i)
                   data from state        from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                        Policy                     Legal Driver
        #         Short Name              Description                                                      Class Short Name   Description   Narrative                            Code/Statute
        OK18.03    Request for patient    Require contract, IRB approval, and interstate agreement         barrier                                                               HIPAA 45 CFR 164.512(i)
                   data from state        from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies



   Domain:         6
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

   Domain:         7
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.02    Oklahoma State        Most providers who administer immunizations have access          barrier                                         No legal driver
                   Immunization          to OSIIS. State can track immunizations, adverse reactions
                   Information System    to immunizations, and basic demographic info on patients. It
                   (OSIIS)               requires agreement (BAA) to ensure security of data. Batch
                                         file on secure site; requires log-on credentials and password.
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

   Domain:         8
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.02    Oklahoma State        Most providers who administer immunizations have access          barrier                                         No legal driver
                   Immunization          to OSIIS. State can track immunizations, adverse reactions
                   Information System    to immunizations, and basic demographic info on patients. It
                   (OSIIS)               requires agreement (BAA) to ensure security of data. Batch
                                         file on secure site; requires log-on credentials and password.
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state univ and accept scope, level, Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state university and accept scope, level. Determine purpose.
                   public health
                   agencies

   Domain:         9
      Stakeholder: Medical and Public Health Schools
        Business Practice                                                                                       Policy                     Legal Driver
        #         Short Name             Description                                                      Class Short Name   Description   Narrative      Code/Statute
        OK18.02    Oklahoma State        Most providers who administer immunizations have access          barrier                                         No legal driver
                   Immunization          to OSIIS. State can track immunizations, adverse reactions
                   Information System    to immunizations, and basic demographic info on patients. It
                   (OSIIS)               requires agreement (BAA) to ensure security of data. Batch
                                         file on secure site; requires log-on credentials and password.
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement         barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state university and accept scope, level. Determine purpose.
                   public health
                   agencies

      Stakeholder: Public Health Agency
        Business Practice                                                                                    Policy                     Legal Driver
        #         Short Name             Description                                                   Class Short Name   Description   Narrative      Code/Statute
        OK18.03    Request for patient   Require contract, IRB approval, and interstate agreement      barrier                                         HIPAA 45 CFR 164.512(i)
                   data from state       from state university and accept scope, level. Determine purpose.
                   public health
                   agencies



