consent policy design group - ct.gov-connecticut's ...€¦ · consent policy design group...
TRANSCRIPT
ConsentPolicyDesignGroupMeeting#2April23,2019Facilitatedby:MichaelMatthews,CedarBridgeGroupDr.RossMartin,CedarBridgeGroup
Agenda
2
AgendaItem Time
Welcome&introductions 1:00pm
Publiccomment 1:10pm
ReviewofConsentDesignGrouprole,workplan,schedule,anddesiredoutcomes 1:15pm
Completereviewoffederalregulatorylandscape;follow-uponquestionsfromMeeting1;addressadditionalquestionsandcommentsfrommembers
1:20pm
CurrentstateofconsentpoliciesinConnecticut:generalissuesandspecialcases(minors,SDIs,publichealth,mentalhealth,etc.)
1:30pm
High-leveloverviewofborderingstatepolicies 1:50pm
Wrap-upandmeetingadjournment 2:00pm
TheConsentPolicyDesignGroupØ StacyBeck,RN,BSN*– Anthem/ClinicalQualityProgramDirectorØ PatChecko,DrPH*– ConsumerAdvocateØ CarrieGray,MSIA– UConnHealth/HIPAASecurityOfficerØ SusanIsrael,MD– PatientPrivacyAdvocate/PsychiatristØ RobRioux,MA*– CHCACT/NetworkDirectorØ RachelRudnick,JD– UConn/AVP,ChiefPrivacyOfficerØ NicScibelli,MSW*– WheelerClinic/CIO
*HealthITAdvisoryCouncilMember
3
TheSupportTeamStateofConnecticut
AllanHackneyHealthInformationTechnologyOfficer
Chair,HITAdvisoryCouncil
4
CedarBridgeGroupCarolRobinson
MichaelMatthews,MSPHRossMartin,MD,MHA
ChrisRobinson
VelaturaTimPletcher,DHA,MSLisaMoon,PhD,RN
5
6
ConsentPolicyDesignGroup– WorkplanMeeting Focus Meeting ObjectivesMeeting 1 – 4/9/2019 1pm – 2pmKickoff and orientation
• Review and discuss project charter and proposed process for achieving desired outcomes
• Orientation on relevant policies and procedures and semantic alignment / shared understanding of key terms
Meeting 2 – 4/23/2019 1pm – 2pmCurrent consent policies
• Establish understanding around current state of consent policies in Connecticut and bordering states
• Consider draft language for a HIPAA TPO consent policy for recommendation to Advisory Council
Meeting 3 – 5/7/2019 1pm – 2pmFocus on TPO consent draft
• Review proposed process for the development of a consent policy framework, based on HIE use case requirements
• Discuss stakeholder engagement and communication needs
Meeting 4 – 5/21/2019 1pm – 2pmMatching use cases to consent model
• Review and discuss received input from Advisory Council or other stakeholders
• Review use cases where individual consent is required by state or federal law, or areas of ambiguity
Meeting 5 – 6/4/2019 1pm – 2pmUse Case A discussion
• Discuss the pros/cons of a statewide consent policy framework vs. HIE Entity consent policy framework to determine
scope
Meeting 6 – 6/18/2019 1pm – 2pmUse Case B discussion
• Discuss the various ways that consent could be collected and possible roles for organizations in the consent process
• Establish high-level understanding of technical architecture for electronic consent management solutions• Discuss workflows that could provide individuals with information and the ability to manage preferences
Meeting 7 – 7/9/2019 1pm – 2pmReview draft consent framework
recommendations – structure and process
• Review and discuss strawman options
• Develop draft recommendations for consent policy framework
Meeting 8 – 7/23/2019 1pm – 2pmVote on draft recommendations
• Finalize and approve recommendations
• Discuss stakeholder / general population engagement and communication process
RoleoftheConsentPolicyDesignGroupØ Analyzeexistingconsentpoliciesfromotherstates,reviewrelevantpoliciesandlegislation,anddiscussissuesandbarrierstohealthinformationexchange.
Ø DevelopandrecommendaninitialapproachtopatientconsentinsupportofthefirstwaveofrecommendedHIEusecasesunderHIPAATPO.
Ø RecommendanongoingprocessandstructureforevolvingtheconsentmodelforsupportingtheHIEEntityandfutureusecases.
7
Consentpolicydesignprocess
8
Consent Policy Design Group recommendations
are presented to the Health IT Advisory
Council.
Advisory Council reviews and approves / amends
recommendations.
Advisory Council presents their recommendations to the newly formed HIE
Entity.
These recommendations will inform the leadership
of the HIE Entity in the formulation of their policy framework.
ConsentPolicyDesignGroup
Level-settingDiscussionPoints
Ø Thepatientisthe“NorthStar”inallourdeliberations.Ø Consentpoliciesshouldbedevelopedinaflexiblewaytoallowforadaptationsovertime,astheregulatoryenvironmentwillcontinuetochange.
Ø Thereisanimmediate-termneedforaconsentpolicythatalignswiththecurrentHIPAArequirementsandpermissionsforsharingpersonallyidentifiableinformation(PII)fortreatment,payment,andhealthcareoperations.
Ø Aconsentmanagementsolutionthatgivesindividualstheabilitytomanagetheirconsentpreferenceswillneedtofitwithintheworkflowsofproviderorganizationsaswellasmeettheneedsofconsumers/patients.
Ø ConsentpoliciesmustconsiderliabilityrisksforallpartiesinvolvedintheHIEEntity.
10
ConsentRequiresMultipleElements…10
Policy
Technology
Patient Engagement
11
WhataretheFedsthinking?Ø Recentfederallaws,regulations,proposedrules,andpublicationssettheframeforthefutureofhealthinformationexchange▫ TheHealthInsurancePortabilityandAccountabilityActof1996(HIPAA)▫ TheHealthInformationTechnologyforEconomicandClinicalHealthActof2009(HITECH)▫ NEW:
12
Draft Trusted Exchange Framework (TEFCA) ONC (1/5/2018)
Request for Information on updates to HIPAA HHS (12/14/2018)NPRM on the 21st Century Cures Act: Interoperability and Patient Access Proposed Rule (and related RFIs)CMS (2/11/2019)NPRM on the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification ProgramONC (3/4/2019)
WhataretheFedsthinking?MajorThemes:Ø Less:SpecificfunctionalityrequirementswithintheEHR(e.g.,medicationlist).Ø More:Coreinteroperabilityanddataflowcapabilities(e.g.,APIs).Ø Heavypushtowardstandards-basedAPIs(ApplicationProgrammingInterfaces),i.e.,HL7FHIR®,tomakeinteroperabilitysimplerandfastertoimplement.Forproviders,thismeansthatacertifiedproductshouldbeabletoconnect“withoutspecialeffort”,meaningthattheseAPIsare:▫ Standardized – builtonmoderncomputingstandardssuchasRESTfulinterfacesandXML/JSONandtestedinreal-worldsettingspriortocertification▫ Transparent – vendorsmustprovidefreelyaccessible,cleardocumentationonhowtocallAPIsandwhatisreturned.▫ Pro-competitive– vendorsmustnotinterferewithaprovider’sabilitytouseacompetitor’sAPIandconnectittotheirEHRorothercertifiedtechnology
Ø Noinformationblocking – allactorsmustnotactinwaysthatimpededataflow(withexceptions)
13
ONCNPRM– ConsentManagementØ The2015CertificationEditioncontainedtwo“datasegmentationforprivacy”(DS4P)criteria,butwereneverrequiredforcertificationorusedinanyHHSprograms.Sincethattime,moreworkhasbeendoneonsimplifyingconsentprotocolsandmakingthemeasiertoimplementinanAPI-drivenenvironment.
Ø Consent2Share (C2S)isanopensourceapplicationfordatasegmentationandconsentmanagement.
Ø C2Senablesdatasegmentationandconsentmanagementfordisclosureofseveraldiscretecategoriesofsensitivehealthdatarelatedtoconditionsandtreatmentsincluding:alcohol,tobaccoandsubstanceusedisorders(includingopioidusedisorder),behavioralhealth,HIV/AIDS,andsexualityandreproductivehealth.
14
ONCNPRM– ConsentManagementØ SAMHSAcreatedaConsentImplementationGuidethatdescribeshowtheConsent2ShareapplicationandassociatedaccesscontrolsolutionusestheFHIRConsentresourcetorepresentandpersistpatientconsentfortreatment,research,ordisclosure.
Ø NotethatthespecificationrequirestheuseofFHIRRelease3,whichisstillatrialstandardandnotaballotedstandard(allothercertificationrequirementsreferenceFHIRRelease2,aballotedstandard).
Ø ONCisproposingtousethisspecificationasacertificationrequirement.
15
16
ConnecticutLawsandRegulations:DISCLAIMERThefollowingslideshighlightsomeofthestatutesandpoliciesthatmayhaveanimpactonthedesignofconsentpoliciesthatwillgovernhealthinformationexchangeunderthenewhealthinformationexchangeentity.ItisnotintendedtobeanexhaustivereviewofallConnecticutlawsthatmayapplytothedesignofconsentpoliciesfortheHIE.Thesehighlightedexamplesareintendedtoinformthedesignworkbyillustratingexceptionsandotherspecialcasesthatwillneedtobeaccountedforwhenbuildingouttheexchangeandthepoliciesthatgoverntheexchange.
17
Minors– GeneralConsent• Aminoris(withsomeexceptions)apersonunder18yearsofage.• Consentofaminor’sparentorguardianisgenerallyrequiredpriortothedisclosureofhealthcareinformationabouttheminor. Inthosecircumstanceswhenaminormaylegallyauthorizethetreatmentwithoutparentalconsent(outpatientmentalhealthtreatment,substanceabusetreatment,orvenerealdiseasetreatment,emancipation),thenonlytheminorcanconsenttothereleaseoftheinformation.
Resources:▫ CTOLRResearchReport:https://www.cga.ct.gov/2013/rpt/2013-R-0382.htm
18
Minors– ExceptionsforParentalConsent• Minorsobtainingoutpatientmentalhealthtreatment:▫ 1992CTlawenableslicensedmentalhealthprofessionalstoprovidecounselingtominors(under18withnospecificminimumage)withoutparentalconsent.▫ Thereareotherprovisions,buttherelevantissuehereisthatifaprovideristreatingaminorunderthisstatutetheproviderisprohibitedfromnotifyingtheparent(s)/guardianofthetreatmentorfromdisclosinginformationaboutthetreatmentwithouttheminor’sconsent.Itisadvisedthatsuchconsentbeinwriting.▫ HIEwillneedtobeabletomanagethisconsentifanyinformationisprovidedfromlicensedmentalhealthproviders.Thisdoesn'tapplytoallminortreatment,justtreatmentthatwasrequestedbyaminorwithoutparentalconsent.
Resources:� OverviewfromSocialWorkersSite:http://naswct.org/professional-information/links/outpatient-mental-health/� Regulation:https://www.cga.ct.gov/current/pub/chap_368a.htm#sec_19a-14c� JudicialBranch:https://www.jud.ct.gov/juv_infoguide/IJCP_MedicalTreatmentMinors.html#fnContent40
19
Minors– ExceptionsforParentalConsent• Minorsobtainingsubstanceabusetreatment:▫ Ifthepersonseekingtreatmentorrehabilitationforalcoholdependenceordrugdependenceisaminor,thefactthattheminorsoughtsuchtreatmentorrehabilitationorthattheminorisreceivingsuchtreatmentorrehabilitation,shallnotbereportedordisclosedtotheparentsorlegalguardianoftheminorwithouttheminor’sconsent. Theminormaygivelegalconsenttoreceiptofsuchtreatmentandrehabilitation.Aminorshallbepersonallyliableforallcostsandexpensesforalcoholanddrugdependencytreatmentaffordedtotheminorattheminor’srequestundersection17a-682.▫ Thecommissionermayuseormakeavailabletoauthorizedpersonsinformationfrompatients'recordsforpurposesofconductingscientificresearch,managementaudits,financialauditsorprogramevaluation,providedsuchinformationshallnotbeutilizedinamannerthatdisclosesapatient'snameorotheridentifyinginformation.
Resources:� Regulation:https://www.cga.ct.gov/current/pub/chap_319j.htm#sec_17a-688� JUSTIAhttps://law.justia.com/codes/connecticut/2012/title-17a/chapter-319j/section-17a-688
20
Minors– ExceptionsforParentalConsent
• Minorsobtainingvenerealdiseasetreatment:▫ Adoctormayexamineandtreataminorforvenerealdisease. Recordsofthetreatmentareconfidentialandmaynotbedisclosedtotheparentorguardian.Theminorisfinanciallyresponsibleforthetreatment,andpaymentmaynotbesoughtfromtheparentorguardian.Iftheminorisunder12yearsofage,however,thetreatingphysicianmustreportittoDCF.
Resources:
� Regulation:https://www.cga.ct.gov/current/pub/chap_368e.htm#sec_19a-216
� CTJudicialInfoGuide:https://www.jud.ct.gov/juv_infoguide/IJCP_MedicalTreatmentMinors.html#fnContent42
21
Minors– ExceptionsforParentalConsent• Emancipatedminors:▫ Aminorwhoisatleast16yearsofagemaypetitionthecourtforemancipation.Theeffectofemancipationistoreleasetheparentorguardianfromallobligationsofguardianshipandallowstheemancipatedminortoassumetheresponsibilitiesofanadult,includingconsentingtomedical,dentalorpsychiatriccare.
Resources:� Regulation:https://www.cga.ct.gov/current/pub/chap_815t.htm#sec_46b-150e� CTJudicialInfoGuide:https://www.jud.ct.gov/juv_infoguide/IJCP_MedicalTreatmentMinors.html#fnContent47
22
Minors– ConsentDesignConsiderations• Theconsentpolicywillneedtoaddressissuesrelatedtofullyemancipatedminorsandfor“conditionallyemancipated”minorsthatareabletoprovidetheirownconsentundercertainconditions.• ThistopicisofinterestbecauseitappliestogeneralhealthinformationexchangeunderTPOrules.
23
TheCommissioner’sList(reportablediseases,illnesses,labs,etc.)• Ahealthcareprovidershallreporteachcaseoccurringinsuchprovider'spractice,ofanydiseaseonthecommissioner'slistofreportablediseases,emergencyillnessesandhealthconditionstothedirectorofhealthofthetown,cityorboroughinwhichsuchcaseresidesandtotheDepartmentofPublicHealth,nolaterthantwelvehoursaftersuchprovider'srecognitionofthedisease.
Resources:▫ CTGeneralStatute:https://www.cga.ct.gov/current/pub/chap_368e.htm#sec_19a-215
24
25
Source: CT.gov
HIEOperations
• ThestateagenciesthatparticipateintheConnecticutHealthInformationNetwork,subjecttofederalrestrictionsondisclosureorredisclosureof
information,maydisclosepersonallyidentifiableinformationheldin
agencydatabasestotheadministratoroftheConnecticutHealth
InformationNetworkanditssubcontractorsforthepurposesof(1)
networkdevelopmentandverification,and(2)dataintegrationand
aggregationtoenableresponsetonetworkqueries.
• Suchdisclosuremustoccurincompliancewithstateandfederallaws(e.g.HIPAAandFERPA).Thenetworkadministratorandtheirsubcontractors
maynotfurtherdisclosepersonallyidentifiableinformation.
Resources:
▫ CTGeneralStatute:https://www.cga.ct.gov/current/pub/chap_368a.htm#sec_19a-25f
26
HIVStatus• NopersonwhoobtainsconfidentialHIV-relatedinformationmaydiscloseorbecompelledtodisclosesuchinformation,excepttothefollowing:▫ Theindividual/guardian▫ Someonewithareleaseofinformation▫ Authorizedpublichealthofficer▫ Healthcareproviderwhenknowledgeisnecessarytoprovidecare▫ Healthcareworkerexposedtobodilyfluids▫ 8otherexceptions• Anyonewiththedisclosedinformationcannotfurtherdisclose.
Resources:▫ CTGeneralStatute:https://www.cga.ct.gov/current/pub/chap_368x.htm#sec_19a-583
27
CancerRegistry• TheDepartmentofPublicHealthmustmaintainatumorregistrytohousereportsoftumorsdiagnosedortreatedinConnecticut.Hospitals,clinicallaboratories,andhealthcareprovidersmustreportdemographic,treatment,andmedicalinformationtotheRegistryasspecifiedbythedepartment.• DPH shallbeprovidedsuchaccesstorecordsofanyhealthcareprovider,asthedepartmentdeemsnecessary,toperformcasefindingorotherqualityimprovementaudits.
Resources:▫ CTGeneralStatute:https://www.cga.ct.gov/current/pub/chap_368a.htm#sec_19a-72
28
29
RegionalStateConsentPolicies– ExamplesState Policy ScopeMaine Opt-Out Applies to the state-designated HIE
Maryland Opt-Out (Opt-In for some services) Applies to state-designated HIE and all qualifying HIEs in the state
Massachusetts Opt-In/Opt-Out Applies to all providers and state-funded plans
New Hampshire Opt-Out Applies to the state-created HIE
New Jersey Opt-Out NJHIN is a network of networks that includes several Health Information Organizations
New York Opt-In Applies only to qualified entities certified by the state of New York to participate in the Statewide Health Information Network for New York (SHIN-NY)
Rhode Island Opt-In Applies to the state-designated HIE
Vermont Opt-In Applies to providers participating in VHIE and Vermont State Blueprint for Health HIEs
30
StatewideHealthInformationNetworkforNewYork(SHIN-NY)• TheNewYorkmodelforconsentgenerallyfitsinthe"opt-in"bucket.• Network-of-networksconsistingofeightregionalnetworks(QualifiedEntitiesorQEs)
31
Bronx RHIO
HealtheConnections
HEALTHeLINK
Healthix
Hixny
NY Care Information Gateway (NYCIG)
Rochester RHIOSource: NYeC
StatewideHealthInformationNetworkforNewYork(SHIN-NY)• SHIN-NYreliesonaconsent-to-accessratherthanaconsent-to-disclosemodel.Underaconsent-to-accessmodel,patientinformationisuploadedbyparticipantstotheQEwithoutpatientconsentunderabusinessassociateagreement.However,thedatamaintainedbytheQEisgenerallynotavailabletoparticipantsuntilthepatientprovidesconsentauthorizingtheparticipanttoaccessthepatient’sinformation.• Noactiveconsentisrequiredforpoint-to-pointexchangebetweenproviderwithacarerelationshipwiththepatient(e.g.,labresultsreportingfororderedlabs;Directmessaging)• HospitalsandhealthcarefacilitieswithcertifiedEHRsarerequiredtoparticipateinSHIN-NY
32
StatewideHealthInformationNetworkforNewYork
(SHIN-NY)
• PrivacyandSecurityPoliciesandProceduresforQes andtheirParticipantsinNewYorkState(revisedDecember2018)
▫ DrivestherequirementsforconsentandotherpolicyrequirementsforQualifiedEntities(QEs)participatinginSHIN-NY.
▫ Coreconsentdiscussionisonpp9-19withadditionaltopicsthroughp27.▫ https://health.ny.gov/technology/regulations/shin-ny/docs/privacy_and_security_policies.pdf
• NYeCSHIN-NYConsentWhitepaper(February2017)▫ Excellentsummaryofconsentoptionsthatcaninformourdiscussion▫ UsefuldiscussionaboutthedevelopmentofaSHIN-NYWideConsentModel
� Thecurrentmodelrequiresthatconsentbeobtainedbyeveryhealthcareproviderwhowishesto
access.QEsmayofferblanketconsent,buttherearerulesforinformingpatientswhenparticipantsin
theexchangechange.
� Proposedoptionwouldcreateoneconsentformtogovernallappropriateaccesstopatientinformation.
▫ http://www.nyehealth.org/nyec16/wp-content/uploads/2017/02/SHIN-NY_consent_white_paper_022817.pdf
33
MassHIway (Massachusetts)• CombinationOpt-In/Opt-Outmodel• Directmessaging(secureprovider-to-provideremail):▫ MassHIway usersmaytransmitinformationviaHIway DirectMessagingandmyimplementalocalopt-inand/oropt-outprocessthatappliestotheuseofHIway DirectMessagingbytheirorganization,butarenotrequiredtodoso.▫ AlignsDirectwithmakingaphonecallorsendingafax.
34Source: Mass HIway
MassHIway (Massachusetts)• HIway-sponsoredServices(notethatnoneareavailableyet):
� Opt-in.HIway participantsmustprovideeachpatientand/ortheirlegalrepresentativeswithwrittennoticeofhowtheorganizationusesHIway-sponsoredservices.� Writtennotice(inmultiplelanguagesifrequired)mustbeprovidedviainclusioninaNoticeofPrivacyPractices,apatienthandout,oraletter,emailorotherpersonalelectroniccommunicationtothepatient.
� Thewrittennoticemustdescribethemannerandmeansthatthepatientcanopt-outofHIway-sponsoredservices.
� Opt-out.TheMassHIway oritsdesigneeadministersacentralizedopt-outsystem.Patientsand/ortheirauthorizeddesignees(includingtheprovider)maynotifytheMassHIway oritsdesigneedirectlyiftheychoosetooptout.
� Localopt-inopt-out.HIway participantsmaychoosetoimplementtheirownlocalopt-inand/oropt-outprocessthatappliestotheuseofHIway-sponsoredServicesbytheirorganization,butarenotrequiredtodoso.
35Source: Mass HIway
ChesapeakeRegionalInformationSystemforourPatients(CRISP– Maryland)• Opt-Out▫ PatientinformedthroughrequiredadditionstoHIPAANoticeofPrivacyPractices(NPP)forallParticipatingEntities.▫ NPPlanguagemustinformthepatientonhowtooptoutofCRISP.▫ Opt-outformsmustbeavailabletopatientsreceivingcarefromParticipatingEntities.AlsoavailableonlineandbycallingCRISP.▫ Lowopt-outrate(<0.5%).• Opt-Inforsomeservices▫ Researchrequiresconsentinmostinstances▫ Servicescoveredby42CFRPart2(substanceabusetreatment),someancillaryservices.
36
HIEConsentFormExamples• CamdenHIE(NJ):https://www.camdenhealth.org/wp-content/uploads/2017/12/CAMDEN-HIE-OPT-OUT.pdf• CRISP(MD,DC):https://crisphealth.org/wp-content/uploads/2019/02/Optout-Form-English-2019.pdf• SHIN-NY(NY):https://health.ny.gov/technology/regulations/shin-ny/docs/privacy_and_security_policies.pdf (appendix)• SoutheastNebraskaBehavioralHealthInformationNetwork:https://healthit.ahrq.gov/sites/default/files/docs/behavioral-health-consent-022713.pdf• St.JosephHealth(CA):http://www.stjhs.org/documents/HIE/48795330_SJH_HIE_OptInForm.pdf• CurrentCare (RI):http://www.currentcareri.com/Portals/0/Uploads/Documents/CC_and_CC4Me_Dual_Enrollment_Form-031017F.pdf▫ Onlineenrollment:https://enroll.currentcareri.org/
37
38
39
ConsentPolicyDesignGroup– WorkplanMeeting Focus Meeting ObjectivesMeeting 1 – 4/9/2019 1pm – 2pmKickoff and orientation
• Review and discuss project charter and proposed process for achieving desired outcomes
• Orientation on relevant policies and procedures and semantic alignment / shared understanding of key terms
Meeting 2 – 4/23/2019 1pm – 2pmCurrent consent policies
• Establish understanding around current state of consent policies in Connecticut and bordering states
• Consider draft language for a HIPAA TPO consent policy for recommendation to Advisory Council
Meeting 3 – 5/7/2019 1pm – 2pmFocus on TPO consent draft
• Review proposed process for the development of a consent policy framework, based on HIE use case requirements
• Discuss stakeholder engagement and communication needs
Meeting 4 – 5/21/2019 1pm – 2pmMatching use cases to consent model
• Review and discuss received input from Advisory Council or other stakeholders
• Review use cases where individual consent is required by state or federal law, or areas of ambiguity
Meeting 5 – 6/4/2019 1pm – 2pmUse Case A discussion
• Discuss the pros/cons of a statewide consent policy framework vs. HIE Entity consent policy framework to determine
scope
Meeting 6 – 6/18/2019 1pm – 2pmUse Case B discussion
• Discuss the various ways that consent could be collected and possible roles for organizations in the consent process
• Establish high-level understanding of technical architecture for electronic consent management solutions
• Discuss workflows that could provide individuals with information and the ability to manage preferences
Meeting 7 – 7/9/2019 1pm – 2pmReview draft consent framework
recommendations – structure and process
• Review and discuss strawman options
• Develop draft recommendations for consent policy framework
Meeting 8 – 7/23/2019 1pm – 2pmVote on draft recommendations
• Finalize and approve recommendations
• Discuss stakeholder / general population engagement and communication process
40
ImportantAcronyms(RedFontIndicatesNewEntry)• ADT– Admission,DischargeandTransfermessage• API– ApplicationProgrammingInterface• C2S– ConsenttoShare• CMMI – CenterforMedicareandMedicaidInnovation• CMS– CentersforMedicareandMedicaidServices• DS4P– DataSegmentationforPrivacy• EHI – ElectronicHealthInformation(ONCNPRMon21stCenturyCuresAct)
• EHR – ElectronicHealthRecord• FERPA– FamilyEducationalRightsandPrivacyAct• HIE – HealthInformationExchange• HIN – HealthInformationNetwork(TEFCA)• HIO– HealthInformationOrganization• HIPAA– HealthInsurancePortabilityandAccountabilityActof1996
• HITECH– HealthInformationTechnologyforEconomicandClinicalHealthActof2009
• HL7FHIR® – HealthLevel7FastHealthInteroperabilityResources
• NPP– HIPAANoticeofPrivacyPractices• NPRM– NoticeofProposedRulemaking• OCR– OfficeofCivilRights
• ONC– OfficeoftheNationalCoordinatorforHealthInformationTechnology
• QE– QualifiedEntity(NY)• PHI – ProtectedHealthInformation(HIPAA)• QHIN – QualifiedHealthInformationNetwork(TEFCA)• RCE – RecognizedCoordinatingEntity(TEFCA)• RFI– RequestforInformation• SAMHSA– SubstanceAbuseandMentalHealthServicesAdministration
• SHIN-NY– StatewideHealthInformationNetworkforNewYork
• TEFCA – TrustedExchangeFrameworkandCommonAgreement
• TPO– Treatment,PaymentandOperations• USCDI – UnitedStatesCoreDataforInteroperability(21stCenturyCuresAct)
41
WhataretheFedsthinking?– TEFCAØ TrustedExchangeFrameworkandCommonAgreement(TEFCA)▫ The21st CenturyCuresActof2016requiredONCto“developorsupportatrustedexchangeframework,includingacommonagreementamonghealthinformationnetworksnationally.”▫ DraftTrustedExchangeFrameworkwasreleasedbyONCon1/5/2018(nofinalframeworkhasbeenreleasedasof3/26/2019).▫ Establishesaminimumsetofrequirementstoenableappropriatehealthinformationexchangeamongnetworks.▫ Establishesprinciplesfortrustedexchangetoserveasguardrailstoengendertrustamonghealthinformationnetworks(HINs).
42
Source: ONC
HowwilltheTrustedExchangeFrameworkwork?
43
Source: ONC
Whatisincluded(andnotincluded)inTEFCA?INCLUDED:Ø AminimumfloorintheareaswherethereiscurrentlyvariationbetweenHINsthatcausesalackofinteroperability.
Ø ObligationtorespondtoBroadcastorDirectedQueriesforallthePermittedPurposesoutlinedintheTrustedExchangeFramework.
Ø QualifiedHINsmustexchangeallofthedataspecifiedintheUSCDItotheextentsuchdataisthenavailableandhasbeenrequested.
Ø BasesetofexpectationsforhowQualifiedHealthInformationNetworksconnectwitheachother.
NOTINCLUDED:Ø Nofullend-to-endagreementthatwouldbeanetnewagreement.
Ø NoexpectationthateveryHINwillservesameconstituentsorusecases.(i.e.,norequirementthatQualifiedHINsinitiateBroadcastorDirectedQueriesforallofthePermittedPurposesoutlinedintheTrustedExchangeFramework)
Ø Notdictatinginternaltechnologyorinfrastructurerequirements.
Ø NolimitationonadditionalagreementstosupportusescasesotherthanBroadcastQueryandDirectedQueryfortheTrustedExchange
Ø Frameworkspecifiedpermittedpurposes.
44
Source: ONC
WhataretheFedsthinking?– HHSHIPAARFIØ HHSsoughtcommentsonmodifyingHIPAArulestoimprovecoordinatedcare.Specificallyon:▫ Promotinginformationsharingfortreatmentandcarecoordinationand/orcasemanagementbyamendingthePrivacyRuletoencourage,incentivize,orrequirecoveredentitiestodiscloseprotectedhealthinformation(PHI)toothercoveredentities.▫ Encouragingcoveredentities,particularlyproviders,tosharetreatmentinformationwithparents,lovedones,andcaregiversofadultsfacinghealthemergencies,withaparticularfocusontheopioidcrisis.▫ ImplementingtheHITECHActrequirementtoinclude,inanaccountingofdisclosures,disclosuresfortreatment,payment,andhealthcareoperations(TPO)fromanelectronichealthrecord(EHR)inamannerthatprovideshelpfulinformationtoindividuals,whileminimizingregulatoryburdensanddisincentivestotheadoptionanduseofinteroperableEHRs.
NOTE:HHSreceived1,337commentsinresponsetothisRFI.
45
Source: Federal Register
WhataretheFedsthinking?– HHSHIPAARFI(continued)Ø HHSsoughtcommentsonmodifyingHIPAArulestoimprovecoordinatedcare.Specificallyon:▫ Eliminatingormodifyingtherequirementforcoveredhealthcareproviderstomakeagoodfaithefforttoobtainindividuals'writtenacknowledgmentofreceiptofproviders'NoticeofPrivacyPractices,toreduceburdenandfreeupresourcesforcoveredentitiestodevotetocoordinatedcarewithoutcompromisingtransparencyoranindividual'sawarenessofhisorherrights.▫ OCRthereforerequestsinputonwhetheritshouldmodifyorotherwiseclarifyprovisionsofthePrivacyRuletoencouragecoveredentitiestosharePHIwithnon-coveredentitieswhenneededtocoordinatecareandproviderelatedhealthcareservicesandsupport forindividualsinthesesituations.▫ Shouldhealthcareclearinghousesbesubjecttotheindividualaccessrequirements,therebyrequiringhealthcareclearinghousestoprovideindividualswithaccesstotheirPHIinadesignatedrecordsetuponrequest?
46
Source: Federal Register
WhataretheFedsthinking?– CMSNPRM
Ø OnFebruary11,2019,theCenterforMedicareandMedicaid
Services(CMS)issuedaNoticeofProposedRulemakingon
improvinginteroperabilityofEHRsandpatientaccesstotheirdata.
ThecommentperiodforthisruleendsonMay3,2019.
Ø InadditiontotheNPRM,CMSalsoissuedtworelatedrequestsfor
information(RFIs)onimprovingpatientmatchingandapproaches
tointeroperabilityinlong-term,post-acute,mentalhealth,andother
ancillarycaresettings.
47
CMSNPRM– InteroperabilityandPatientAccessØ Highlightsofproposedrules:▫ PatientaccesstodatathroughApplicationProgrammingInterfaces(APIs):ParticipatingpayersmustcreateFHIR®-basedAPIstomakepatientclaimsandotherhealthinformationavailabletopatientsthroughthird-partyapplicationsanddevelopers.▫ Healthinformationexchangeandcarecoordinationacrosspayers:Payersmustsharepatientdatawhentheytransitiontoanewplan.▫ APIaccesstopublishedproviderdirectorydata:PayersmustmakeprovidernetworksavailabletoenrolleesandprospectiveenrolleesthroughAPItechnology.▫ Carecoordinationthroughtrustedexchangenetworks:CMSproposesrequiringMAorganizations(includingMA-PDplans),Medicaidmanagedcareplans,CHIPmanagedcareentities,andQHPissuersintheFFEstoparticipateintrustnetworkstoimproveinteroperability.
48
CMSNPRM– InteroperabilityandPatientAccess(continued)Ø Highlightsofproposedrules:▫ ImprovingtheDualEligibleexperiencebyincreasingfrequencyoffederal-statedataexchanges:MoretimelylistsofDualEligibles fromstates.▫ Publicreportingandpreventionofinformationblocking:Publiclypostwhichhospitalsarenotattestingtopreventionofinformationblocking.▫ Providerdigitalcontactinformation:AdditionofdigitalcontactinfototheNationalPlanandProviderEnumerationSystem(NPPES)▫ RevisionstoConditionsofParticipationforHospitalsandCriticalAccessHospitals: requirementforparticipationtosendadmission-discharge-transfer(ADT)notifications.▫ Advancinginteroperabilityininnovativemodels: GrantopportunitiesthroughtheCenterforMedicareandMedicaidInnovation(CMMI)
49
WhataretheFedsthinking?– ONCNPRM
50
Source: ONC
ONCNPRM– HighlightsØ NewAcronymAlert:EHI– ElectronicHealthInformation▫ ONCproposedrulesapplyexplicitlytohealthinformationinelectronicform.▫ Definedaselectronicprotectedhealthinformationthatidentifiestheindividualandistransmittedbyormaintainedinelectronicmedia,thatrelatestothepast,present,orfuturehealthorconditionofanindividual.
Ø Regulatedactors:▫ HealthCareProvider▫ HealthITDeveloper▫ HealthInformationExchange▫ HealthInformationNetwork
Ø VendorsthathaveonecertifiedproducthavetocomplywithrulesforALLoftheirsoftwareproducts(i.e.,can’thaveonenarrowsolutionthatiscertifiedandclaimalltheotherpiecesaren’tpartofthecertifiedsolution).
51
Source: ONC
ONCNPRM– InformationBlocking:7Exceptions
Ø Preventingharm
▫ ActorhasareasonablebeliefthatthepracticeofnotsharingEHIwilldirectlyandsubstantiallyreducethelikelihoodofharmtoapatient(e.g.mentalhealth).
Ø Promotingtheprivacyofelectronichealthinformation
▫ ActormayengageinpracticesthatprotecttheprivacyofEHI,basedonsub-exceptionsfocusedonscenariosthatrecognizeexistingprivacylawsandprivacy-protectivepractices(WhatConnecticutlawscouldbeimpactedbythisexception?)
Ø Promotingthesecurityofelectronichealthinformation
▫ Thepracticemustbedirectlyrelatedtosafeguardingtheconfidentiality,integrity,andavailabilityofEHI.Ageneralprohibitionisnotacceptable.
52
Source: ONC
ONCNPRM– InformationBlocking:7ExceptionsØ Recoveringcostsreasonablyincurred▫ Actormayrecovercoststhatreasonablyincurred,inprovidingaccess,exchange,oruseofEHI(cannotbearbitraryordiscriminatory).
Ø Respondingtorequeststhatareinfeasible▫ Actormaydeclinetoprovideaccess,exchange,oruseofEHIifitimposesasubstantialburdenthatisunreasonable(difficulttoclaimifusingcertifiedtech).
Ø Licensingofinteroperabilityelementsonreasonableandnon-discriminatoryterms▫ TechnologylicensesthatarenecessarytoenableEHIaccessmustbeofferedonreasonableandnon-discriminatoryterms.
Ø MaintainingandimprovinghealthITperformance▫ HealthITcanbemadetemporarilyunavailableinordertoperformmaintenanceorimprovementstothehealthIT,butfornolongerthannecessarytoachievethemaintenanceorimprovements
53
Source: ONC