We've all heard that the legal and policy issues around sharing data are more difficult and time-consuming than the technical details of designing a system.
In the post-mortem of the failed Santa Barbara County Care Data Exchange in California a few years ago, participants noted that privacy and liability concerns were major impediments to success. The complexity level is even greater for organizations trying to share data across state lines.
But after listening to a June 30 seminar put on by the Inter-organizational Agreements (IOA) Collaborative of the Health Information Security and Privacy Collaboration (HISPC), I was encouraged by the progress its members reported on developing templates for data-sharing agreements.
The IOA Collaborative developed models for both sharing data between private entities, which might be used between two hospitals in an HIE, and for public-to-public entity exchanges, for use in sharing public health data such as immunization data for registries. They are also working on a private-to-public model. Collaborative members reported on successful pilot projects in which participants worked through issues and agreed that the data-sharing agreement models were workable.
As IOA Collaborative co-chair Roy Wyman, a North Carolina attorney, explained, their main goal was to come up with agreements that people would actually sign.
In the public-to-public model pilot project, Bill O'Byrne, state coordinator of electronic health information technology development at the New Jersey Department of Banking and Insurance, described his state's successful effort to exchange immunization data with the state of New York and progress toward exchanging data with the Commonwealth of Pennsylvania. Another pilot involved the exchange of data between bordering counties in South Dakota and Iowa. The American Immunization Registry Association has endorsed use of the data-sharing agreement template.
Seventeen organizations in the North Carolina Healthcare Information and Communications Alliance (NCHICA) that are engaged in a trial of the Nationwide Health Information Network used the IOA model agreements for the simulated exchange of medical information between providers. Although many made suggestions for minor changes and improvements, all the organizations said they could work with the model.
Jo Ellen Whitney, an attorney with the Iowa law firm of Davis Brown, wrapped up the presentation by saying the IOA agreements will be welcomed by the CIOs and CFOs who are her clients. They want standardization and consistency in legal agreements, she said, so they are not reinventing the wheel each time they share data.
The IOA Collaborative has defined the core privacy, security and liability provisions partners must consider. There are always many specific issues to work out in any agreement, but as Whitney described it, the IOA model is like the Christmas tree, and the provisions specific to the exchange are the ornaments that decorate it.