Organizational and Legal Issues
-- Addressing Privacy and Security Issues
Day 2 – Track 5
CONNECTING COMMUNITIES for BETTER HEALTH
2nd Annual Learning Forum and Exhibition
Track Co-Chairs
• Bill Bernstein – Manatt Phelps & Phillips
• Bruce Fried – Sonnenschein Nath & Rosenthal
• Gerry Hinkley – Davis Wright Tremaine
Distinguished Panel of Experts
• Holt Anderson
• Bruce Henderson
• Vicki Hohner
• Walter Suarez
Goals for this Session
• Understand the “weakest link”
• Identify privacy and security “must haves” for RHIOs
• Address how privacy and security standards will be established and implemented
• Decide if these issues are solvable
Questions 1 and 2
1. What will be required of privacy practices, beyond HIPAA, to ensure public trust in regional networks?
2. How, practically, can a network enforce privacy and security requirements across the broad range of network participants?
Question 3
3. While HIPAA or state laws set the standard for privacy or security, all organizations will meet those standards in their own fashion. How will RHIOs facilitate PHI sharing where entities meet the privacy or security standards in different ways and, thus, may be reluctant to share PHI with entities that may be perceived as having a lower, or a different level of protection?
Question 4
4. Also, we can expect to see RHIOs in multi-state markets (Washington DC, Kansas City, Portland, Oregon, Philadelphia). What steps will be required to permit cross border sharing of PHI in these instances?
Questions 5 and 6
5. What role should ONCHIT and standards setting organizations play in establishing the privacy and security baselines for regional networks?
6. Is a change in HIPAA going to be necessary?
Revisiting our Goals
• Understand the “weakest link”
• Identify privacy and security “must haves” for RHIOs
• Address how privacy and security standards will be established and implemented
• Decide if these issues are solvable
Disclaimer
• The NHIN and RHIOs are new but important concepts
• Definitions are not firm at this time
• Public input is being sought by the Office of the National Coordinator for Health Information Technology (ONCHIT)
NHIN
• National Health Information Network (NHIN)
– A supportive, nation-wide, interoperable system with the capacity to exchange conveniently and securely healthcare information culminating in the improvement of consumer health and the reduction in healthcare costs.
RHIO
• Regional Healthcare Information Organizations (RHIO)
– A collaborative, consumer-centric organization focused on facilitating the coordination of existing and proposed e-health initiatives within a region, state, or other designated local area.
Types of RHIOs
• Federations
– Includes large, “self-sufficient” enterprises
– Agreement to network, share, allow access to information they maintain on peer to peer basis
– May develop system of indexing and/or locating data (e.g., state or region-wide MPI)
Types of RHIOs (cont.)
• Co-ops
– Includes mostly smaller enterprises
– Agreement to pool resources and create a combined, common data repository
– May share technology and administrative overhead
Types of RHIOs (cont.)
• Hybrids
– Includes combinations of Federations and Co-ops
– Agreement to network, share, allow access to information they maintain on peer to peer basis
– Allows aggregation across large areas (statewide or regional)
RHIO Structure
• 501(c)(3) Nonprofit
– Eligible for Federal and State Grants
– Contributions may be tax deductible as charitable
• Issue:
– Limit of ~20% of total revenues from “unrelated business” activities (i.e. not charitable and educational)
– May need to subcontract or otherwise hand off operational aspects of activities
Key Allies for a RHIO Include:
• Covered Entities (Providers, Health Plans, Clearinghouses)
• Medical Society
• Hospital Association
• Nurses Association
• Health Information Management Assn.
• Medical Group Managers Association
• Healthcare Financial Management Association
• Association of Local Health Directors
• Association of Pharmacists
• Long-term Care Association
• Association of Health Plans
• Quality Improvement Organizations (QIOs)
• Vendors
• Etc., Etc.
Privacy and Security Issues
• Overwhelming complexity of understanding the interplay of all state and federal privacy requirements along with mandated requirements for disclosures
• HIPAA requirements too vague and targeted
• Lack of understanding by participants and the public
• Invoke privacy when unsure/proprietary concerns
• Differing interpretations of what is required and adequate
• Differing abilities to develop and implement strong protections (expertise)
• Differing abilities to fund strong protections
Privacy and Security Goals
• Simplicity, uniformity, and transparency
• Balance privacy and security with appropriate access
• Involve and communicate with the public but within the broader framework of care
• Appropriately frame issues for public support and comfort
• Use and disclosures within/across networks occur according to common published criteria
• Strong actions on, mitigation of, and penalties for violations
• Work bi-directionally (up and down) to evolve protections with systems and industry
Privacy and Security Support
• Demonstrate visible benefits to individual care
• Aim towards simplicity, specificity, and uniformity
• Develop resources and guidance for common use
– Develop practice baselines
– Privacy and security “companion guides”
– Build rules and protections into system wherever possible
– Work to consolidate and/or converge state privacy laws
• Advocate for federal consolidation/simplification
• Consider developing guidance approaches that can be used in any network setting; test these in real world settings and revise as needed