2. [Cover a range of topics here related to privacy, including consumer consent to participate in HIE][Cover a range of topics here related to privacy, including consumer consent to participate in HIE]
3. �What is the Arizona Health Privacy Project?
34 states and territories (including Arizona) awarded federal grants to evaluate privacy and security issues in electronic health information exchange (HIE)
Identify privacy and security practices that affect HIE
Propose solutions and develop implementation plans to remove barriers to HIE
Collaborate through regional and national meetings to develop solutions with broader application
Based on this assessment, Arizona Health-e Connection will identify practical ways to enable HIE, while protecting the privacy and security of health information
4. Arizona Health Privacy Project Project Team
Kim Snyder Arizona Government Information Technology Agency
Nell Lawrence Arizona Government Information Technology Agency
Kristen Rosati Coppersmith Gordon Schermer & Brockelman PLC
Ajay Vinze ASU Center for Advancing Business through Information Technology (CABIT)
Benjamin Shao ASU CABIT
Harvey Shrednick ASU CABIT
Raghu Santanam ASU CABIT
Minu Ipe ASU CABIT
Orneita Burton ASU CABIT
5. Arizona Health Privacy Project Chairs and Facilitators of Work Groups
Variations Work Group
Rick Potter, Health Services Advisory Group (Chair)
Harvey Shrednick, CABIT (Facilitator)
Solutions and Implementation Work Group
Mike Stearns, formerly at Scottsdale Healthcare (Chair)
Raghu Santanam, CABIT (Facilitator)
Legal Work Group
Kristen Rosati , Coppersmith Gordon Schermer & Brockelman PLC (Chair)
Bill Pike, Carondelet (Facilitator)
Education Work Group
Anne Winter, United Health Care (Chair)
Ajay Vinze, CABIT (Facilitator)
6. Volunteers! Hundreds of people volunteered on the Arizona Health Privacy Project workgroups
THANK YOU!! Now that the Arizona Health Privacy Project is formally coming to an end, Arizona Health-e Connection certainly will not end this outreach to volunteers and particularly to consumers. We continue to welcome the guidance and input from consumers in how the health information exchange should protect the privacy of their health information.Now that the Arizona Health Privacy Project is formally coming to an end, Arizona Health-e Connection certainly will not end this outreach to volunteers and particularly to consumers. We continue to welcome the guidance and input from consumers in how the health information exchange should protect the privacy of their health information.
7. The Process The Arizona Health Privacy Project was operating under the ground rules set by AHRQ and its subcontractors RTI and the National Governors Association.
Unfortunately, the required process was a bit bureaucratic and unwieldy, but we thankfully ended up with some very useful information. Also, getting all of these volunteers involved in the process served probably the most important underlying goalgetting the stakeholdersconsumers, health care providers, and insurance companies-- involved in the process
One of the frustrations for the project leaders about the required processes is that we were prohibited from doing surveys of Arizona stakeholders apparently the federal Paperwork Reduction Act prohibited suveys under this grant. We were particularly excited about the involvement of ASU and CABIT because of their expertise in survey development and their ability to conduct research.
But we were able to convene focus groups to collect information about what Arizona providers and plans security and privacy business practices, and CABIT did a great job at that process.
Here is a quick view of the required process we applied, and then Harvey and Raghu form CABIT will provide more details for you.The Arizona Health Privacy Project was operating under the ground rules set by AHRQ and its subcontractors RTI and the National Governors Association.
Unfortunately, the required process was a bit bureaucratic and unwieldy, but we thankfully ended up with some very useful information. Also, getting all of these volunteers involved in the process served probably the most important underlying goalgetting the stakeholdersconsumers, health care providers, and insurance companies-- involved in the process
One of the frustrations for the project leaders about the required processes is that we were prohibited from doing surveys of Arizona stakeholders apparently the federal Paperwork Reduction Act prohibited suveys under this grant. We were particularly excited about the involvement of ASU and CABIT because of their expertise in survey development and their ability to conduct research.
But we were able to convene focus groups to collect information about what Arizona providers and plans security and privacy business practices, and CABIT did a great job at that process.
Here is a quick view of the required process we applied, and then Harvey and Raghu form CABIT will provide more details for you.
8. The Process
9.
LEGAL WORK GROUP (LWG)
10. Legal Work Group �Findings� Some Arizona laws and regulations may interfere with HIE
Genetic testing information, A.R.S. 12-2801, et seq. and A.R.S. 20-448.02, et seq.
Communicable disease information: A.R.S. 36-661 et seq., A.R.S. 20-448.01 and A.A.C. R20-6-1204
Mental health information, A.R.S. 36-501, et seq.
AHCCCS member information regulations: A.A.C. R9-22-512
Adult Day Health Care Facility records regulation: A.A.C. R9-10-511(C)
Medical records subpoena statute: A.R.S. 12-2294.01
11. Legal Work Group�Findings� Some Arizona laws may be required to encourage HIE
Immunity from liability for participants in e-health data exchange that follow best privacy and security practices
Enforcement statute with penalties for participants who do not follow the access rules for the exchange, as well as unauthorized individuals that have not been granted access
12. Legal Work Group Subgroups� Nine subgroups are working on proposals for legislative/regulatory changes:
(1) Genetic testing statutes: Ira Berkowitz, St Josephs Hospital and Medical Center
(2) Communicable disease information statutes and regulations: Laura Carpenter
(3) Drafting amendments to the mental health information statute: Bob Sorce, Arizona Attorney Generals Office, representing Department of Health Services
13. Legal Work Group Subgroups� Nine subgroups continued:
(4) AHCCCS member information regulations: Matt Devlin, AHCCCS
(5) Adult Day Health Care Facility records regulation
(6) ADHS disclosure of immunization information: Beth Dietz, Arizona Attorney Generals Office, representing ADHS
(7) Medical records subpoena statute: Bonnie Petterson, Phoenix College and Brigid Holland, Navapache Regional Medical Center
14. Legal Work Group Subgroups� Nine subgroups continued:
(8) Immunity statute for participants in e-health data exchange: Ira Berkowitz
(9) Enforcement statute with penalties for participants who do not follow the access rules for the exchange, as well as unauthorized individuals that have not been granted access: Barbara Hess, Pinal/Gila County Long Term Care
15. Legal Work Group Subgroups� Your involvement is encouraged!
16.
VARIATIONS WORK GROUP (VWG)
17. Assessment Process of Business Practices
18. Variations Work Group: �Business Practices 18 factual scenarios about health information exchange were provided by RTI
Six volunteer focus groups convened to identify business practices used to handle each factual scenario
Representatives from consumer advocacy organizations, hospitals, specialized facilities, physician offices, insurance companies, public health
Over 200 business practices identified!
19. Stakeholder Representation and Outreach
20. Barriers and �Non-barriers Business Practices were coded as a barrier or non-barrier to information exchange
Non-barrier practices were defined broadly as those that were:
consistent with Arizona law
permit interoperability (exchange between providers)
easy to put into practice
Barriers were practices that make electronic information exchange challenging
Coding a practice as a barrier flagged that practice for further review by Legal Working Group and Solutions Working Group
21. VWG Major Findings Variations in business practices principally centered around mode of communication, security procedures, and interpretation of HIPAA regulations
Variations in communications media create difficulties in information exchange
Non-uniform implementation of encryption technology is a concern in electronic methods of information exchange
Organization size and associated financial constraints pose barriers to information exchange as a result of lack of investments in implementing technologies for information safeguards
Organizations interpret HIPAA reasonable safeguards guidelines inconsistently
22. Variations in practice cause barriers to HIE Different information transmission security or exchange protocols
Different administrative or physical security safeguards
Different information use and disclosure policies
Lack of appropriate information sharing protocols between the state public health department and the 22 Native American tribes in the state
23.
SOLUTIONS AND IMPLEMENTATION WORK GROUPS (SWG & IPWG)
24. Solutions Work Group Objectives
25. Solutions Work Group Analysis Critical barriers identified for deliberation:
Reviewed barriers within as-is business practices that make HIE challenging
Brainstormed and collected potential solutions to barriers
Highlighted identified solutions and best practices
Identified issues for follow-up in implementation
Identified practices with no solutions
26. Identification of Barriers to HIE Legal (covered earlier)
Business
Variations in interpretation of HIPAA guidelines
Financial constraints of smaller organizations
Technology
Authorization, authentication, access control, audit
Protection of information from unauthorized/improper modification when transmitted electronically
27. Major Barriers Health care organizations in Arizona use different media to share critical information. These multiple communication methods cause challenges in responding to information requests.
Health care organizations interpret the HIPAA regulations inconsistently and implement safeguards that may be either overly restrictive or lax. These differences in interpretation pose a barrier to e-health data exchange.
Health care organizations in Arizona face different financial constraints on whether, or how much, they invested in technologies such as encryption and secure emails to protect patient information.
28. SWG Recommendations Over 25 distinct (and related) solutions were recommended
Examples:
Use RHIOs to develop consensus on role-based authorization standards for all entities in the network
Centralized provider directory within the state
Use certification authorities (such as Certification Commission for Healthcare IT (CCHIT)) to establish criteria for ensuring secure information exchange
Explore uniform adoption of technology solutions such as Digital Signatures, biometrics, etc.
29. Implementation Work Group Objectives To document practical approaches and actionable steps for implementing solutions
Planning assumptions and decisions
Project ownership and responsibilities
Project scope
30. IPWG Recommended Projects
31. Next Steps Recommendations are the first steps in addressing the privacy and security issues facing Arizona
Suggest integration into the Arizona Health-e Connection implementation roadmap
EMR-Lite
Master Provider Index
32. Perspectives of the Stakeholders Arizona Health Privacy Project Work Group Members:
Mary Beth Joublanc
Arizona Department of Health Services
Wendy Dietrich Benz
Raising Special Kids
Theresa Wall
Native American Public Health
Cleo Long
Arizona Senior Care
33. Questions?
