RHIO confidential

Experts offer advice for creating a foolproof privacy and security plan for sharing patient information

BY Heather B. Hayes
Published on September 10, 2007


For the managers of every fledgling regional health information organization involved in hammering out a set of privacy and security rules, there almost always comes a moment of despair.

“It’s tough to balance privacy with the whole idea of exchanging data, and so people will get into this, become frustrated and say, ‘We can’t do this,’” said Gerry Hinkley, an expert in health information security and a partner at the law firm Davis Wright Tremaine. “But it can be done. People are smart enough to find a way. The key is to not let perfection get in the way of progress.”

RHIO planners who have been through the process agree, and their optimism is bolstered by the findings of a recent study Avalere Health conducted for the California HealthCare Foundation. Authors Sheera Rosenfeld, a director at Avalere; Shannah Koss, vice president of Avalere; and Sharon Siler, a senior associate at Avalere, determined that RHIO privacy and security challenges, while daunting, are not insurmountable.

The survey also found that there is no one-size-fits-all approach to privacy and security policies. However, several basic principles are common to all the successful ones.

RHIO executives and other experts agreed with many of the report’s findings and have added their advice on basic approaches RHIO planners should consider.

1. Think nationally, act locally

With all the emphasis on the National Health Information Network and the roles that local and regional health information exchanges might play, RHIO planners could find themselves becoming distracted from local needs. Although RHIOs should keep track of national developments and emerging standards, they must remain focused on the needs and priorities of their communities, experts say.

“A privacy policy, like health care, should be local,” Koss said.

For that reason, RHIO executives should not think in terms of absolutes. For example, some privacy advocates say RHIOs should not be in the business of creating and maintaining aggregated databases of patient information.

“We heard both sides of that story, and it doesn’t hold up,” Koss said. “If you’re in a small community where most of the providers are small and don’t have a lot of resources or technical expertise, then a centralized service that does that on their behalf might be more secure and private. By contrast, if you’re in downtown Boston and you’re connecting three major medical institutions that already have a robust privacy and security infrastructure, that’s not really an issue.”

Therefore, she said, RHIOs must do what’s right for their communities by conducting research and aligning their privacy and security policies with local needs and their unique characteristics.

2. Use available tools
RHIOs do not have to start from scratch. Tennessee’s Volunteer eHealth Initiative, for example, began by gathering a coalition of eight stakeholders to explore possible approaches to security and privacy based on the Markle Foundation’s nine principles for data security.

“We got some basic agreement in place before we called the lawyers,” said Dr. Mark Frisse, director of regional informatics programs at Vanderbilt University’s Center for Better Health and director of the Tennessee initiative’s Regional Health Demonstration Project, which is funded by the federal Agency for Healthcare Research and Quality. “We believe that we saved $250,000 and six months’ worth of time by doing that.”

Officials should also spend time consulting with their colleagues at other RHIOs, Koss said. “The more RHIOs can share each other’s experiences, the less they’re going to have some of the same missteps,” she said. “They’ll also gain some insights into other ways to approach the issues.”

3. Bring the right people to the table
RHIOs that struggle with privacy and security issues often start out working with too few stakeholders — or the wrong ones. “They end up not being able to inform what it is they’re trying to accomplish, or they can’t gain the necessary buy-in,” Koss said.

RHIOs should make sure that “every voice is heard and that they’re the right voices,” Hinkley said. That means making sure the RHIO’s privacy committee includes emergency room physicians, chief medical officers, privacy officers, private physicians and consumers. And most RHIO officials say it’s important to find real-world patients, not self-appointed consumer advocates.

Ted Kremer, executive director of the Greater Rochester RHIO in New York, said his organization made a major mistake early on by staffing committees with too many executive-level decision-makers and not enough frontline employees.

“That approach will not necessarily ferret out the more thorny privacy issues soon enough,” he said. “You’ve got to get the medical officers and the privacy officers and the physicians in there so they can really work through privacy and security from a bunch of different angles.”

4. Be broad but restrictive
The Tennessee initiative is governed by a set of bylaws that restrict the use of data to authorized people at authorized sites.

“We have a broad framework, though, so as we go to other uses, we can expand our bylaws and change,” Frisse said, adding that a privacy group meets every two weeks to address any new issues that arise.

5. Study HIPAA then go beyond it
RHIOs qualify as business associates under the Health Insurance Portability and Accountability Act (HIPAA), so they can exchange information without explicit patient consent.

However, Hinkley said, “what we’re seeing with RHIOs is [that] that’s not good enough. Patients want to control their information, so the question needs to be asked of patients: ‘Do you want the information about this episode of care available electronically for other providers?’ When it’s answered in the negative, there has to be a system in place that allows for that.”

At the same time, RHIO privacy committees must make sure that HIPAA champions are involved in the study phase.

“There are people in the community, particularly privacy officers, who think HIPAA is the answer,” Hinkley said. “They need to be involved in the conversation, so that they really understand that it isn’t the answer, that HIPAA wasn’t intended for this.”

Frisse said HIPAA also does not adequately address how to handle secondary uses of data. Therefore, his organization went beyond the federal standard by establishing strict rules about how providers use the information they receive and whether they can share it with other participants.

“If Hospital A gives it to Hospital B, can Hospital B pass it on to Hospital C? No, not the way our rules are set,” he said. “Hospital B can only use it for the patient in a patient care setting. And we have 100 percent audits to make sure only authorized providers in both hospitals are using the information the way they’re authorized to use it.”

6. Keep the focus on the patient
In the end, exchanging information is about improving health care, and trust and transparency are essential. Therefore, RHIO officials must believe that the data belongs to patients, Hinkley said. “Whatever happens, the patient ultimately needs to be able to control that data,” he said.

RHIOs have taken different approaches to the issue of patient consent based on local institutions, populations and concerns. The Greater Rochester RHIO, for example, asks for written consent from the patient upfront and then asks for permission to continue exchanging information electronically every time the patient receives care.

“We felt we really owed patients a pretty good amount of information and communication,” Kremer said, adding that the organization is sending letters to providers’ patients to educate them about the RHIO’s value.

Tennessee’s initiative, by contrast, automatically allows electronic exchange of information, but every time patients receive medical care, “they have a chance to check a box that says, ‘I don’t want my information to be exchanged electronically,’” Frisse said. “And at that point, that institution no longer keeps any data about you electronically. It’s turned off.”

Finally, experts say, keep it as simple as possible and don’t get hung up on perfection. “What I recommend is to make it as good as it can be without making it overly cumbersome,” Hinkley said. “And then start exchanging with a very controlled pilot [program]. Demonstrate to everyone’s satisfaction that the thing works and then grow from there.”
