Date : July 21, 2010 Time : 10:30 am – 1:00 pm Location : NC Hospital Association

1. Date: July 21, 2010 Time: 10:30 am – 1:00 pm Location: NC Hospital Association 2400 Weston Parkway, Cary, NC 27513 Dial in: 1-866-922-3257 Participant Code: 654 032 36#

2. Agenda

3. Meeting Objectives • Define ideal consent framework for NC statewide HIE, not restricted by current NC law

4. Meeting Schedule Revisions

5. New NC Health IT Website Launched www.healthit.nc.gov 5

6. NC Statewide HIE Cooperative Agreement Timeline Strategic Plan Operational Plan Stakeholder Outreach & Begin Transition Biweekly+ Workgroup Meetings with Monthly Board Meetings Strategic Plan Submitted to HHS LaunchPhase 2 Publish Draft Operational Plan for Review/ Comment NC HIE Formed Workgroups Formed & Begin Meeting State HIE Grant App. • Convene Advisory Board & Workgroups • Draft Operational Plan • Publish Draft Operational Plan for Review • Engage and educate stakeholders Aug. 31Submit Operational Plan to HHS Funding Announcement Letter of Intent Submitted 6 6

7. NC Statewide HIE Operational Plan Development Timeline Operational Plan Consensus Recommendations Drafting of Operational Plan Governance WG: Confirm governance model, advise on scope of governance, craft recommendations on bylaws and board structure for new entity; develop recommendation for consumer engagement plan approach Clinical/Technical WG: Recommendations on technical architecture approach for statewide HE, begin prioritization of core and value-added services, begin landscape assessment Governance WG: Participation policies and enforcement mechanisms for the statewide HIE; develop recommendations on roles of State in public/private partnershipprocesses for coordination with other ARRA funded programs in the state Clinical/Technical WG: Development of clinical and business use cases, prioritization for core and value-added services, technical approach May 14 – initial NC HIE Board Meeting Master project planning, develop WG charters and workplans; stakeholder meetings, Legal/Policy WG meetings Aug. 31: Submit Operational Plan to HHS Legal/Policy WG: Conduct legal scan for NC laws related to consent for treatment purposes; draft legal principles; conduct legal scan for NC laws related to health information data security; develop recommendations on approach to 4As; develop initial consent approach recommendation under existing law Finance WG: Develop financial model assumptions; data collection to inform financial models. Legal/Policy WG: Develop recommendations for an “ideal” consent policy not restricted by current law and approach to changing the law; develop recommendations on breach policy principles and role based access principles; develop security recommendations beyond access; review emerging consent policies in neighboring states and identify barriers. Finance WG: Develop 2-3 financial models based on modeling assumptions and develop process for sustainability planning. • Compile NC HIE Board & Workgroup recommendations and decisions • Draft Operational Plan – iterative process with WG review • Publish Draft Operational Plan for Public Review Workgroups formed Workgroups formed 7 7

8. Proposed Operational Plan Drafting Schedule July 13 Board Meeting • Review Operational Plan structure • Approve, reject or modify Workgroup recommendations July 14 – August 2 • Draft Operational Plan components by Domain including decisions endorsed through July 13 Board meeting. • Meaningful Use final rules expected in mid-July. Educational webinar for Board and all workgroups on final regs. August 2 – August 6 • Core project team and co-chair review of working draft • August 6 Workgroup final meetings prior to Operational Plan August 9 – August 12 • Updates and revisions to Operational Plan draft to include August 6 August 17 • Board meeting to review July and August recommendations and preliminary Operational Plan draft August 19– August 25 • Board and public review of revised Operational Plan draft (revisions based on direction in August 17 board meeting) August 27 • Tentative Board call August 27 – August 30 • Prepare final draft for submission to ONC by August 31 Board Meeting Plan Submission to ONC

9. Consent Model Options for Pathway 2(Assuming Change in Existing NC Law)

10. Working Assumptions • Based on subcommittee discussion at July 9 meeting, initial consent framework discussion for Pathway 2 will be focused around an Opt Out patient consent model for the statewide HIE. • As a starting point, the subcommittee will consider an Opt Out model for the exchange of data between providers for treatment purposes. • As part of the continuing discussion, the subcommittee will consider implications for use of data other than for treatment purposes.

11. Opt Out Consent Approach – a Continuum of Options Based on subcommittee discussion at July 9 meeting, initial consent framework discussion for Pathway 2 will be focused around an Opt Out patient consent model for the statewide HIE.

12. Service Access Layer: Transport, Orchestration, Audit, Reporting Decision Points for Statewide HIE ServicesVisual Representation Participating Organizations: With gateways to access Core Infrastructure ClinicNetwork HIO Hospital-Provider Fed Agency Core Infrastructure: Security Services Master Patient Index Master Facilities Index Master Clinician Index NHIN Gateway Candidate Value-Added Services: Immunization Registry Patient Access Decision Support Routing of Labs for Required Reporting Quality Reporting Lab Translation Medication Management Eligibility Checking eRx

13. Services Prioritized by ONC • Operational Plan must describe how North Carolina will invest federal and matching funds to enable eligible providers to have at least one option for each of these Stage 1 meaningful use requirements in 2011: • E-prescribing • Receipt of structured lab results • Sharing patient care summaries across unaffiliated organizations

14. Data Included in a Summary Care Record For meaningful use, summary care records must include: • patient demographics • diagnostic test results • problem list (active and current diagnoses) • medication lists • medication allergies • hospital discharge summary • hospital procedures A summary care record can also contain the following content modules: • advance directive • allergy • comment • condition (problem list) • encounter • healthcare provider • immunization • information source • insurance provider • language spoken • medication - prescription and non-prescription • person information (patient demographics) • plan of care • pregnancy • procedure • support - required if available • vital sign • results (diagnostic results)

15. Straw Principle for Discussion • The joint Legal and Policy Subcommittee recommends an Opt Out patient consent model for treatment purposes that includes available data from all provider types and allows consumers to restrict access to data by specific providers (on a provider-by-provider basis). Further, the Subcommittee recommends that as technology evolves, the NC HIE should ensure that consumers are given the ability to restrict the exchange of specific types of information.

16. How Should Services to Which Minors May Consent Be Handled in an Opt-Out Model?

17. Data Uses • Other Data Uses: • Research • Public health reporting • Provider-based Quality improvement • Payer-based care management • Development of personal health records • De-identified data • Marketing • Improvement and evaluation of local/community HIO operations • Disclosures to government agencies for health oversight • Law enforcement

18. Potential Definitions of Uses of Information The provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party. A third party is an entity with whom a health care provider has a contractual relationship related to the provision, coordination or management of health care and related services for a consumer. Under this contractual relationship, the health care provider must ensure that the contracted entity adheres to new consent policies and procedures; Consultation between health care providers regarding a patient; and The referral of a patient from one health care provider to another. (Source: Modified from HIPAA) Treatment Activities by a provider and/or its contracted entities that include: • Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination; and • Disease management which can include a range of activities that involve the provider-controlled exchange of consumer health information with third parties with whom the provider has a contractual relationship related to the provision, coordination or management of health care and related services for a consumer. • Third party entities may include health plans (Source: Modified from HIPAA) Provider-based quality improvement

19. Potential Definition of Uses of Information A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. (Source: HIPAA) Activities by a health plan that include: • Conducting case management and care coordination; and • Disease management which can include a range of activities through which the health plan has direct access to patient-identifiable clinical data without the provider serving as an intermediary. (Source: Modified from HIPAA) Payer-based care management Research • Any communication about a product or service that encourages recipients to purchase or use the product or service. 1 • An arrangement whereby an RHIO participant and another entity discloses consumer health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services. 2 (Source: Modified from HIPAA) Marketing 1 2 The HIPAA Privacy Rule contains a number of exceptions to marketing that do not require patient authorization. HITECH Section 13406 amended HIPAA such that if a Covered Entity is paid by an outside entity to send a communication to a patient, the communication is deemed to be marketing and requires prior authorization from the patient – even if that communication falls into one of the current exceptions to the definition in the Privacy Rule.

20. Potential Definitions of Uses of Information Consistent with applicable provisions of HIPAA: Disclosure to a law enforcement official as required by law including laws that require the reporting of certain types of wounds or other physical injuries. Disclosure in response to a law enforcement official’s request for PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Disclosure in response to a law enforcement official’s request for PHI about an individual who is or is suspected to be be a victim of a crime. Other types of disclosures as allowed under HIPAA and state law. (Source: HIPAA) • Disclosure to a public health authority authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. (Source: Modified from HIPAA) • Other types of public health disclosures as allowed under HIPAA and state law. Public health Law enforcement

21. How Does Opt-Out Impact Emergency Access? • In Opt-Out model, two options for information of patient who has opted-out of the exchange: • Collected through the exchange for only legally permitted purposes (e.g., public health reporting), but not otherwise accessible to participants. • Patient’s clinical information never enters exchange. • If NC HIE pursues the former approach, should information of patient who has opted-out of the exchange be made available for medical emergencies?

22. Key Legal Principles – Consent by Minors North Carolina law permits physicians to provide certain services to minors upon their own consent. Ordinarily parents have a right of access to information in their unemancipated minor children’s medical records. However, when a minor receives services under the minor’s consent law, the physician is not permitted to notify parents about the treatment without the minor’s permission, except in limited circumstances prescribed in the law. Whether a physician needs the minor’s consent to disclose information about the services to another health care provider for treatment purposes is governed by other laws (including the mental health and communicable disease laws described above). This is true for one-to-one disclosures as well as disclosures made via a HIE. However, if information about “minor’s consent” services is included in a HIE, there may be a heightened risk that the information will be improperly disclosed to parents without minors’ permission. This could occur if there is a patient portal to which parents have access, or it could occur if a provider who receives information about the minor’s treatment through the HIE is unaware that the minor consented to the treatment and subsequently discloses information to the parent without the minor’s permission. These concerns raise two issues for the consent policy: (1) Many of the minor’s consent services require consent for disclosure of information for treatment purposes, and the minors themselves are the individuals who must provide this consent. (2) Because of the risk of disclosure of information to parents, either via a patient portal or a “downstream” provider who receives information from the HIE, minors either would need to consent to disclosure of information to their parents, or providers and the HIE would need to filter “minor consent” information from other information to avoid improper disclosures. 22

23. How Should Services to Which Minors May Consent Be Handled in Opt-Out Model? 23

24. Next Steps • Upcoming Meetings • Joint Legal/Policy Subcommittee Meeting – July 27 • Security Subcommittee Meeting – July 27 • Full Workgroup Meeting – July 29 (last meeting of this phase) • Questions or Comments? • Contact: nc.hie@healthwellnc.com 24

25. Open Public Comment

26. ATTACHMENTS

27. Should Consumers Have a Granular Level of Control Over their PHI in an Opt Out Model?

28. Opt Out Consent Model Options 28

29. Opt Out Consent Model Options 29

30. Opt-Out Model Options • No Consent – Patient’s information automatically included in and made available through the exchange (in compliance with federal HIPAA regulations and 42 CFR Part 2). • Provides no opportunity for accommodation of individual preference with regard to participation in the exchange.

31. Opt-Out Model Options • Full Opt-Out – Pre-defined set of data is automatically eligible for exchange, with a provision that patients be given the opportunity to opt out in full. • Could mean either that that the information of the patient who opts-out is collected through the exchange (and used only for legally required purposes, e.g. public health reporting) but never shared with accessing providers, OR patient’s clinical information never enters exchange. • Regardless of where information exchange is blocked, this option allows for no granularity of patient preference (i.e., a patient’s information is either all in or all out).

32. Opt-Out Model Options • Partial Opt-Out – Pre-defined sets of data are automatically eligible for exchange, but patients can either opt-out in full, or: • Limit disclosure and/or receipt of their information to specific providers • Limit exchange of categories of data/specific data elements (e.g. sensitive information) • Limit exchange of their information for specific purposes (e.g. treatment, research, etc.) • Technical and procedural complexity increases with level of granularity for opt-out.