EXECUTIVE SUMMARY:
The journey for statewide HIEs has been slow-going and fraught with challenges of governance, consent, security, auditing structure, and secondary data use. Executive directors of statewide health information exchanges speak about thepolicy hurdles they have encountered, and those that still lay ahead.
A quick look at the Maryland Health Care Commission’s ongoing health information exchange (HIE) policy work illustrates both how much progress states are making and how far they still have to go. The Old Line State has completed final recommended policies on 13 topics, ranging from secondary data use to consumer choice. Still in the works are policy provisions for 15 other topics, ranging from consumer portals and health record banks to breach notification.
None of the work on privacy and security frameworks has been easy or quick. Many states have had to go to their legislatures to have laws rewritten. Others have used state laws in place as their starting point and worked around them. And officials have come to realize that, because health IT policy is constantly evolving, their work is never really done.
When market research firm IDC listed its “Top 12 Best Practices for Sustainable Health Information Exchange” earlier this year, No. 10 was more of a warning: Don’t underestimate how long privacy and security will take.
Executive directors of statewide HIEs are under no illusions that privacy and security policies, especially dealing with patient consent, will happen overnight.
They have discovered that only the dedication and hard work of hundreds of stakeholders makes it possible to move from aspirations to the operational stage of HIE. As Michael Matthews, CEO of regional HIE MedVirginia puts it, the volunteer governance body set up to create ConnectVirginia, the statewide HIE, is doing great work to move forward on challenging issues. To follow that learning curve, they often have to sit through five- or six-hour meetings. “It speaks to their commitment,” he says. By the third quarter of 2012, the amount of policy work is expected to subside, but once the HIE is operational, Matthews added, they will have to see if state laws need to be adapted for data to flow.
Michael Matthews
Healthcare Informatics asked several statewide HIE leaders to describe some of the policy hurdles they are dealing with. Many admit that governance structures and policy details have been difficult to reach agreement on, and some say that aligning their efforts with those on the federal level adds to the degree of difficulty.
CHALLENGES WITH CONSENT POLICIES SEEN
The state of Connecticut, which hasn’t made as much HIE progress as other states in New England, has fashioned consent policies and made them a condition of participating in the HIE. But getting consensus among stakeholders has been difficult, notes David Gilbertson, CEO of the Health Information Technology Exchange of Connecticut (HITE-CT). “We have been working on it for two years,” he reports. “You have to get compromises from attorneys and privacy advocates. Hospital organizations that treat data one way are now being asked to treat it a different way for the HIE.”
Because the federal State HIE Cooperative Agreement Program funding was part of the stimulus act, the states have to spend the money over a fairly short time frame in the next two years. That puts states that had made little progress previously on HIE in a difficult situation because governance, consent, security, auditing structure, and secondary data use policies must all be worked through.
Another challenge is the fact that many private health systems are developing their own local HIEs to attract physician groups seeking meaningful use funds. “They have spent time developing their own governance process that may not be consistent with what we are doing at the state level,” Gilbertson explains. “So now we are asking them to revisit that.”
Consent issues also continue to challenge Maine’s HIE, HealthInfoNet. In a legislative session a few years ago, a bill drafted with the support of the Maine Civil Liberties Union was introduced that would require the state’s HIE to switch from an opt-out model of consent to opt-in. A compromise was crafted that gives patients a separate form about the HIE and explicitly offers the opportunity to opt out.
But in dealing with mental health and other sensitive data such as HIV status, there are state laws that require that patients be told whom their health data is being sent to. That is unworkable with Maine’s central data repository model, says Dev Culver, HealthInfoNet’s CEO. “So now, HealthInfoNet must sequester that data, and the patient can choose to opt in for certain categories of content, either permanently or at the time of a doctor visit.” Maine is testing a new hybrid opt-in/opt out form of consent. “We think we can do it technically,” Culver adds, “but all of the burden is on our shoulders.” Typically with an HIE, if a provider releases data inappropriately, they are at risk, he notes. “Now all the risk is with us. It is a liability concern, so we are being cautious and going slow.”
Another policy question on the horizon involves the appropriate use of information, and what fits under the definition of “treatment and operations.” For instance, Culver says, Maine has an all-claims database. “How that data is merged with clinical data is a question.”
One rule of thumb about HIE policy seems to be that the earlier the state got started, the longer it took to work through policy issues (although now those pioneering states are in a much better position than others late to the game). When the Delaware Health Information Network (DHIN) was established in 1997, there was no playbook or other successful model to follow, says Jan Lee, M.D., DHIN’s current executive director. “They had to work through all the issues about architecture and policy from scratch,” she said. And despite the success DHIN has had in connecting all the hospitals and 93 percent of providers in the state, new policy issues will arise, Lee says. One on the horizon involves the secondary use of data. "We were set up in legislation explicitly to be used for clinical purposes at the point of care,” she explains. “But if there is a need to use the network for research purposes for population-level analytics, which is part of the ultimate vision, we will have to rework all the data-sharing agreements.”
Sometimes, the state-level organization takes a policy route unfamiliar to RHIOs in the state. That is the case in Virginia, where the Community Health Alliance, the nonprofit partner of MedVirginia, is managing the ConnectVirginia. Its independent governance body has chosen an opt-in consent policy for the commonwealth, says Matthews, so that it’s driving policy around creation of a statewide consent registry. The board is also examining how sensitive data is treated, exceptions for emergency situations, and policies around Direct protocol messaging. “Direct is the first technology to be deployed,” he says, “so they had to create a policy framework for it.”
Speaking at the State Healthcare IT Connect Summit in June, Arizona’s State HIT Coordinator Lorie Mayer said her state has struggled with many things in the area of HIE. Originally, exchanges were developed in both the Phoenix metropolitan area and in Tucson. Payers, however, only wanted to help pay for infrastructure for one exchange, and other stakeholders agreed that multiple governance bodies and regional health organizations (RHIOs) would not be effective. So the two exchanges were combined in 2010 to form the Health Information Network of Arizona, which now serves 70 percent of Arizona’s patients. Nevertheless, governance issues arise. Arizona still has five different organizations that support meaningful use, including the Arizona Governor’s Office of Economic Recovery (the state HIE grantee organization), the State Medicaid office (which administers the electronic health record incentive program), the Arizona Department of Public Health, the Arizona Health e-Connection (the state regional extension center), and the Health Information Network of Arizona (the state HIE organization). “It’s a five-ring challenge to make sure that we are all aligned and supporting the ultimate goal of meaningful use of EHR adoption,” Mayer said.
CERTIFYING HIEs IN MINNESOTA
The state of Minnesota chose to certify and regulate health information service providers (HISPs) that develop in the private sector, rather than creating a central organization to provide services, an approach that other states may end up following. An entity providing HIE services for clinical meaningful use transactions must apply for a certificate of authority to conduct business in Minnesota as either a health information organization (HIO) or a health data intermediary (HDI).
Marty LaVenture, director of the state’s Office of Health Information Technology, says that setting up the HISP certification process required enabling legislation and developing agency rules. “It was not a trivial task,” he says. “We had to create definitions of players and health information exchange so there is a level playing field. We had to create a process for applications and fees. We have only one full-time-equivalent employee overseeing that process along with a voluntary review team, so it is fairly lightweight oversight.”
LaVenture and other HIE leaders are also watching closely the work being done on the federal level to try to standardize interoperability. On May 15 the Office of the National Coordinator published a Request for Information (RFI) on governance of the nationwide health information network (NwHIN). ONC is considering an accreditation and validation system to make trusted exchange of health data easier. Based on the RFI, LaVenture believes the federal framework aligns nicely with what Minnesota already has set up. Yet organizations such as the eHealth Initiative and the College of Healthcare Information Management Executives (CHIME) have submitted responses questioning the need for such a regulatory framework at the federal level at this time.
THE GLASS IS HALF FULL
Tennessee recently announced it was winding down a statewide HIE effort and would instead focus on a state government program to promote Direct secure messaging. At least a few of the issues Tennessee faced were on the policy level, says Lynn Dierker, a principal consultant in Health Management Associations’ Denver office. “Part of what they encountered was a challenge on data-sharing agreements and the value proposition for ‘statewide-ness’ not being there,” she says.
Lynn Dierker
Dierker, who previously served as director for the State-Level Health Information Exchange Consensus Project, notes that some state leaders who thought they would be able to work through the policy and business case issues and get to statewide interoperability in the next year and a half are finding their efforts are too little, too late. But she adds that there is a “glass-half-full” way of looking at the situation. “Adversity breeds innovation,” she says. “There is an opportunity for states to go back to the drawing board, look at their IT assets and determine how they can build on them.”
State leaders need to think about the evolution of the HIE marketplace and how they can complement what is happening in the private sector, Dierker adds. They may not be able to follow a plan created two or three years ago, she said. Many are now realizing they are not going to be able to set up a subscription-based statewide exchange, at least not right away. “They need to leverage the public data they have, because it is valuable, and figure other ways to leverage buy-in,” she says. The Medicaid system can be one cornerstone they can build around with a more streamlined approach to bringing up an HIE. But the states have to assert themselves, she adds. “They have to rethink what the public levers are.”
Maryland Health Care Commission | |
Approved HIE Policies & Resolutions | Policies Still Under Development |
1. Participating Organization Access | 1. Notification of Breach |
2. User Authorization | 2. Consumer Verification |
3. Consumer Choice | 3. Direct Messaging & Notification |
4. User Authentication | 4. Complaints |
5. Sensitive Health Information | 5. Public Health Reporting |
6. Emergency Access for Participating Organizations | 6. Suspension and Termination of Consumer Access |
7. Suspension and Reinstatement of Access | 7. Enforcement |
8. Consumer Access | 8. Policy Review & Revisions |
9. Consumer Outreach, Education & Engagement | 9. Liability |
10. Audit for Access, Use and Disclosure | 10. Compulsory and Legal Processes |
11. Secondary Data Use | 11. Cyber Security |
12. Primary Data Use and Disclosure | 12. Portable Devices and Removable Media |
13. Consumer Access to Audit | 13. Telemedicine |
| 14. Consumer Portals & Health Record Banks |