Privacy, Security, and the Regional Health Information Organization

Prepared for California HealthCare Foundation
by Sheera Rosenfeld, Shannah Koss, and Sharon Siler
Avalere Health LLC

June 2007

Acknowledgments

The authors thank all of the organizations that participated in this project for sharing their experiences and insight.

About the Authors

Sheera Rosenfeld is a director, Shannah Koss is a vice president, and Sharon Siler is a senior associate at Avalere Health LLC, focusing on health information technology and exchange issues. Avalere Health provides strategy, research, and educational products to a range of commercial and non-profit customers with interests in improving the health care system.

About the Foundation

The California HealthCare Foundation, based in Oakland, is an independent philanthropy committed to improving California’s health care delivery and financing systems. Formed in 1996, our goal is to ensure that all Californians have access to affordable, quality health care. For more information about CHCF, visit us online at www.chcf.org.

ISBN 1-933795-29-8
©2007 California HealthCare Foundation

Contents

I. Executive Summary
II. Introduction
III. Background
    Benefits of Information Exchange
    Common Issues
IV. Methodology
V. Findings
    Highlights
    Four Key Questions
VI. Privacy Policies and Practices at Emerging RHIOs
VII. Security Practices and Technical Solutions
VIII. The Consumer Perspective
    Collaboration Is Limited
    Best Practices and Principles
IX. Common Themes
X. Recommendations
Appendices
    A: The Federal Privacy and Security Landscape
    B: Interviewees
    C: Glossary
Endnotes

I. Executive Summary

Regional health information organizations (RHIOs), which promote electronic exchange of patient information among participants, are in the early stages of development.
As they grow, RHIOs must establish policies and practices to protect the privacy and security of that information, an often difficult undertaking. This study, based on a literature review, interviews, and an informal survey, examines key privacy and security issues that some RHIOs encounter, the policies and practices they adopt to manage these issues, and common emerging strategies.

The study finds that privacy and security challenges are surmountable. A RHIO’s unique characteristics — the types of data shared, who participates, its specific needs and priorities, and other factors — influence how an exchange addresses these challenges. Solutions are diverse and evolving.

The study also finds that consumers play a limited role in privacy and policy decisions, even though they are important RHIO constituents. Nascent exchanges could benefit from the experiences of and collaboration with others, and policymakers can help RHIOs navigate privacy and security issues and move toward sustainability.

RHIOs are more likely to overcome privacy and security challenges if they avoid narrow privacy and security solutions, address external factors such as legal requirements and community priorities, and engage a broad range of constituents. They should also use existing privacy and security frameworks as a starting point, anticipate long-term infrastructure needs and goals, and consider how they can become sustainable over the long term.

II. Introduction

Resolving privacy and security issues is essential in forming, governing, and operating regional health information organizations. RHIO participants, including consumers, must feel confident that personal health information is private and secure, and that all exchanges of information meet legal and ethical requirements. Most RHIOs are evolving and many continue to struggle with these challenges, although common strategies for meeting them are beginning to surface.

Avalere Health conducted research and interviews to better understand some of the key privacy and security issues RHIOs face, including how such issues affect RHIO development and operations, how significant the challenges are, how RHIOs are managing those challenges, and the types of best practices that are emerging. This report:

• Identifies key privacy and security questions that RHIOs must consider.
• Discusses how privacy and security issues may influence the planning and implementation of RHIOs and the support of participants.
• Examines current privacy and security policies.
• Considers the consumer perspective and level of consumer engagement in privacy and security issues.
• Recommends steps RHIOs and others can take to overcome the related challenges.

III. Background

Health information exchange initiatives first emerged in the mid- to late-1980s as community health information networks (CHINs). CHINs achieved some success through the mid-1990s but ultimately failed because of organizational and implementation issues, including a lack of standards and funding and poor technical infrastructure.[1–4] Rapid advances in information technology, an industrywide focus on standards, and the ability of different computer systems to share information have enabled health information exchange to come to the forefront.

RHIOs typically provide one or both of two core services: the governance body and policies for facilitating information exchange among participants and the technical infrastructure for automated exchange. Increasingly, they formally oversee and govern information sharing, and they often shape policy and direct decision-making — for example, by convening committees or workgroups to address privacy and security issues and by designating board members to lead these activities.
Although RHIOs often start out informally or as part of existing public or nonprofit organizations, most anticipate establishing stand-alone entities that may have nonprofit, 501(c)(3) status under the Internal Revenue Code.

A RHIO consists of physicians, hospitals, health plans, laboratories, consumers, and others who seek to share electronic health information about patients in a community, state, or region. Each RHIO is unique, based on the needs and characteristics of the community it serves.[5] Medication, lab, emergency, and administrative data are the most common types of information that RHIOs initially plan to exchange. They also may offer additional capabilities, such as data storage.

Benefits of Information Exchange

Among the benefits of RHIOs are higher quality of care, more efficient delivery of services, safer patient care, and overall cost savings. Greater availability of clinical information at the point of care can reduce duplicate services and administrative follow-up, such as requests for patient records or clarification of prescriptions; reduce adverse drug events; and promote better coordination of care. Information exchange also can facilitate preventive care and disease management, and, for providers, foster a better understanding of specific treatment protocols, drug regimens, and related outcomes.

Improvements in quality and efficiency can save money. Potential annual savings — between $70 and $80 billion[6–8] — will largely accrue to payers and depend on how quickly providers adopt health information technology and participate in data exchanges.

RHIO formation is largely driven by the interests of participants, what they believe will benefit their community, and a relatively quick demonstration of a strong business case. The type of information exchange, the community’s needs, the kinds of participants, the previous relationships and level of trust among them, and the backgrounds and perspectives of those who lead the organization — vendors, clinicians, or researchers — all determine how a RHIO makes privacy and security decisions.

Nationwide, more than 100 health information exchange initiatives are under way, most of which focus on patient-level clinical information.[9] However, many initiatives are still in the planning or early implementation stages. Few RHIOs currently exchange data, and even fewer have been exchanging multiple data sets for more than a year.[10,11] Many expect to continue expanding their scope by adding new participants and types of shared data.

Sidebar: The Federal Role
The federal government is promoting, and reducing the barriers to, health information exchange in part by harmonizing standards and certifying criteria for electronic health records. See Appendix A for details about specific initiatives and activities.

Common Issues

Throughout their evolution, RHIOs must address four critical issues that will largely determine success:

Financial. These are the most challenging. They include overcoming the high up-front cost of technology systems, aligning incentives for participation, developing a strong and common value proposition for all stakeholders, and creating a sustainable revenue model.

Cultural and organizational. Such issues often include workflow and productivity disruptions, fear that health plans will prematurely use data in pay-for-performance programs, and participants’ competing priorities and demands on time.

Technical. These issues range from participants’ different levels of technical sophistication and information technology expertise to the inability of information systems to exchange data because the data are inadequate and exchange standards are lacking.

Privacy and security. All RHIO stages involve privacy and security issues, the complexity of which varies. These include concerns about the confidentiality of patient information and questions about who should have access to it, how the information will be used, and the technical safeguards in place to secure it.

Sidebar: Privacy, Security, and HIPAA
Privacy and security are related but distinct issues. Privacy is the protection of patient health information due to its sensitive and confidential nature. Security is the means by which organizations ensure the availability, confidentiality, and integrity of that information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets the backdrop for how RHIOs deal with privacy and security. However, most RHIOs are not directly subject to HIPAA’s requirements. See Appendix A for more information about HIPAA.

IV. Methodology

To further understand current and future issues regarding privacy and security, Avalere Health reviewed the literature, interviewed representatives of nine mature RHIOs and two privacy experts (Appendix B), and informally surveyed other RHIO representatives. Most of these RHIOs are operating; others have nearly completed a pilot phase or are at the end of a planning phase.

Over four months, Avalere Health developed and used a structured guide for interviewing the nine RHIO representatives about their privacy and security policies and practices, and related issues. Questions focused on how privacy and security concerns have influenced participation in their exchange organizations, how difficult it was for their RHIOs to develop privacy policies, whether the exchanges used any existing policies as models, and how federal privacy and security activities affect their day-to-day operations.
Using this guide, the authors also asked representatives of several other exchanges to complete an informal written survey. For the consumer perspective, the authors interviewed two consumer privacy experts.

V. Findings

Most RHIOs, which must ensure that safeguards are adequate to protect data exchange, are working to build trust within their health care communities. The literature and anecdotes suggest that privacy and security present substantial challenges and even barriers for most developing or operational RHIOs. Understanding the extent of such challenges was a primary goal of this study.

Highlights

The most significant insights about privacy and security policies and practices and how they affect RHIO planning, implementation, and operations include the following:

• While privacy and security are important issues, interviewees did not consider them insurmountable. Still, privacy and security directly affect an array of key RHIO decisions, must be carefully considered and managed, and may ultimately impact community trust and the willingness of certain constituents to participate in information exchange.
• RHIOs’ privacy and security practices are evolving and vary. Even as such practices mature and become more defined, they will continue to change as RHIOs expand the type of data exchanged and as the number and types of participants grow.
• The significance of privacy and security, the related challenges, and the ways that policy and technical issues are addressed depend on a RHIO’s unique characteristics, particularly on the kinds of data being exchanged and types of participants involved.
• Although the privacy and security issues RHIOs must address are similar, approaches vary significantly. RHIOs must scale policies and procedures to the needs, sizes, and types of participants. While maintaining privacy and security, they also must allow some flexibility in each participant’s approach to these issues.
• Consumers remain on the sidelines when it comes to developing RHIO privacy and security policies and practices. They and consumer advocates are more concerned about these issues than RHIOs are because privacy and security have a direct personal impact.
• There are privacy and security models and lessons learned that could guide nascent RHIOs, such as using HIPAA as a starting framework. By collaborating with other exchanges, evolving RHIOs could benefit from existing privacy and security policies and practices, and from successful strategies for implementing them.
• Federal and state policymakers can play a supporting role for RHIOs and help them achieve their long-term goal of sustainability. In particular, they can clarify HIPAA, evaluate the barriers to secondary uses of data, look at ways to overcome those barriers, and continue to foster shared learning among exchanges.

Four Key Questions

All nascent RHIOs must address four fundamental questions: Who will have access to patient information? Which information will be accessible? What are acceptable purposes of exchange? And under what circumstances should users be able to access information?

The questions are closely related, as the approach a RHIO takes to one issue often directly influences its approach to others. Moreover, as RHIOs continue to evolve, expand the kinds of data exchanged, and increase the number and types of participants, they must ask and answer these questions repeatedly. Given the rudimentary nature of most RHIOs, resolving an issue may be difficult.

Who Will Have Access?

Often, a RHIO must decide which entities, but also which individuals within those entities, will have access. And the RHIO must determine what level of access will be necessary to support its data exchange goals.

Some exchanges decide who will have access based solely on the potential users’ role in direct patient care. At nearly all of the RHIOs in this study, physicians first and foremost have consistent access to patient information. Other commonly authorized users are employees of participating hospitals — registered nurses, pharmacists, and registrar and medical-records staffers, for example — and those who work in physician offices, such as registered nurses, physician assistants, and administrative staff.

Interviewees noted that, despite some differences of opinion, giving access to users directly involved in patient care was generally not contentious. However, reaching consensus on secondary uses of data was more challenging. According to some interviewees, secondary-use issues generated concerns about privacy and security, as well as significant controversy, particularly regarding information access for payers, ancillary providers, and others who were not physicians or on a physician’s staff, or who did not treat patients directly. A small number of interviewees suggested that the type of participants who were the leading constituents in a RHIO — most often physicians and hospitals — had greater influence on deciding who would have access than any specific privacy concerns did.

Sidebar: To Give but Not Receive
Many RHIO participants are not authorized to access data that health care providers generate. For example, some RHIOs permit certain constituent groups, such as health plans or employers, to give but not receive data. Concerns about the potential use of data for performance measurement and oversight, rather than about patient privacy, may drive these limitations.

Which Information Will Be Accessible?

Which data to exchange, be they lab results, medication history, and/or admission and discharge information, often is determined in the early RHIO stages. In many cases, such decisions depend on which information is easily accessible, is readily available, and provides immediate value at the point of care. Interviewees indicated that common initial data exchanges included lab results, medication history, and clinical records for emergency department admissions. Privacy and security issues often dictated more detailed or explicit decisions than other issues did. One issue, for example, was whether only part of a clinical record, such as demographic information, could or should be viewed and exchanged.

Although they define and determine access to specific data in different ways, most RHIOs are driven in part by the “minimum necessary” standard under HIPAA, which governs and sets a floor for most use and disclosure policies. The premise of this standard is that physicians, hospital clinical staffers, administrative staff members, and others should have access only to the minimum amount of personal health information necessary. Such decisions determine not only which data will be exchanged, but also which will be explicitly excluded.

Nearly all interviewees said their RHIOs explicitly exclude sensitive patient data — including information about mental health, substance abuse, and HIV/AIDS — from their exchanges. Most acknowledged the challenge of total exclusion, given that many diagnoses can be inferred from medication lists or lab tests. Many states have laws protecting certain types of patient data, yet these laws did not appear to be the primary stimulus for RHIOs’ strict access rules; rather, deeply rooted ethical concerns about inappropriate access, the sensitive nature of the information, and the concerns of patients and patient advocacy groups tended to drive such rules.

What Are Acceptable Purposes of Exchange?

This is a core issue for nascent RHIOs, one influenced to varying degrees by privacy and security concerns. Interviewees said their RHIOs were able to establish, without controversy, rules for using data in clinical treatment and that they usually imposed disclosure limitations consistent with HIPAA and state laws. However, when potential purposes included secondary uses, such as conducting clinical research, measuring performance, improving population health, and marketing, consensus was sometimes unattainable.

The extent to which participating organizations use RHIO data for their own institutional purposes other than treatment tends to generate considerable discussion and concern. Interviewees mentioned such use, but none said his or her RHIO authorized it specifically to support marketing. And few cited research or other uses as a primary purpose for initial information exchange.

Some RHIOs increasingly view clinical research, in particular, as a legitimate and potentially revenue-generating secondary use. Those affiliated with an academic medical center or research institution may be more interested in and willing to accept such use.

What Circumstances Justify Exchange?

The circumstances under which RHIO participants can access and exchange data drive the design of infrastructure, processes, and safeguards. Policies specify those circumstances and how security measures will protect privacy.

Sidebar: Information Access Policies
These may define “read only” or “read and add.” The latter means an authorized user can supplement the existing record with notes, results, or other information but cannot edit, alter, or delete anything. Access is often time-limited: Users can access patient information only during an episode of care.

Once RHIOs answer these four questions and have a clear set of privacy and security principles in place, they can begin exploring policy solutions to ensure compliance and adherence.

Sidebar: Business Associate Agreements Ensure Compliance
Because most RHIOs are not subject to HIPAA, business associate agreements are the primary way they ensure that participants will comply with an exchange’s practices and data exchange requirements. These agreements:

• Specify how the RHIO will handle and use data.
• Specify how it will notify patients about privacy practices.
• Define participants’ roles and business arrangements in the exchange.
• Clarify privacy and security policies.
• Make it easier to put the policies in place.

The agreements can be more or less prescriptive when it comes to privacy and security protections, depending on what the participants believe is appropriate.

VI. Privacy Policies and Practices at Emerging RHIOs

The RHIOs in this study are at various stages of developing and implementing privacy and security policies and practices. Some have adopted the internal policies and practices that participants already had, while others have required that participants make them more robust.

The presence or absence of policies a RHIO has and their types seem to be linked to the RHIO’s maturity, sophistication, and level of community engagement. They are influenced by the RHIO’s interpretation of HIPAA and applicable state laws, the kinds of participants in the exchange, and how open its policy process is.

Most interviewees did not cite privacy as an insurmountable barrier to RHIO development, but they did say that developing policies on data-use limitations, patient consent, patient access, and authentication of users were significant challenges.

Privacy Policies

Information use and disclosure, which a business associate agreement often defines, are the “rules of the RHIO road” — the broad parameters for information exchange.
Many interviewees said they support the use and disclosure policies of hospitals in their RHIO; each hospital adheres to its own policies — for example, giving doctors access only to data about patients for whom they are the physician of record. One interviewee characterized this approach as following the “rules of the people who control the data.” Most said participants’ own policies control how they use data created in-house, although at least one indicated that the RHIO’s policies govern the exchange of data among participants.

Regardless of the model, exchange members may have inconsistent and sometimes conflicting data-sharing policies. Most of the RHIOs in this survey have not confronted such conflicts or they trust that participants will adhere to HIPAA and ensure sufficient protection.

Patient-consent policies define patients’ right to choose whether they want to participate in data exchange. A related issue is whether patients should have the right to control or prohibit access or use of some personal health information, such as that regarding mental health treatment.

Developing patient-consent policies is difficult because of sensitivity about patient privacy and patient control of data, tension between the desire to improve care and patients’ concerns about loss of privacy, and patients not understanding how the RHIO will use their information. Concerns also may stem from a fear that broader automated access poses greater privacy risks. For several RHIOs, patient-consent policies were among the most contentious privacy issues they addressed.

There are three main approaches to patient consent and inclusion of personal information in data exchange: opt-in, opt-out, and no-opt (see sidebar). Only one RHIO chose opt-in, citing community concerns and state law. Most RHIOs use opt-out, and only one has a no-opt policy.

Sidebar: Patient-Consent Models
Opt-In. Health care providers must obtain explicit written consent from patients to include their personal health information in a RHIO. The information is included only if the patient so chooses. This model often is the most burdensome and challenging for a RHIO. It ultimately may limit the number of participating patients and the availability of data.
Opt-Out. Patient information is assumed to be included in data exchange. Patients may elect not to participate, but they must explicitly request that their information be excluded. Depending on RHIO policy, they may have to opt out at the individual-hospital or physician level or opt out at the RHIO level. The burden is not on the RHIO to enlist patients, which makes inclusion simpler and less costly. Typically, the opt-out approach means more patients and more data are automatically included in the exchange.
No-Opt. Patient information is assumed to be part of the exchange for treatment purposes only. Patients do not have the option to include or exclude their data. Under HIPAA, patients are not required to consent to data exchange for treatment purposes; therefore, a no-opt approach is legal under federal law, although it may not be permissible under some state laws. If a RHIO wants to use patient data for secondary purposes, such as research, the no-opt approach is more problematic.

Legal issues aside, many RHIOs and their communities feel strongly that informed consent and educating patients about how the organization will manage information disclosure according to patient preferences are important in forming a RHIO and building its culture of trust and communication. (One way to inform patients about data exchange is to give them standard HIPAA and privacy-notification forms. Depending on the model, a RHIO may be able to accommodate a mix of consent approaches.) Many stressed that this can encourage the participation of providers, at least initially, because they are not forced to change their policies.

Most RHIOs in this study do not let patients set limits on what portion of their personal data will be available for exchange, nor do they give patients direct access to that information through the organization. In some, however, patients may have access to their information through a personal health record. Additionally, some of the RHIOs may give patients authority to limit which data will be released to entities outside the organization but not which data will be widely exchanged within it.

Many RHIOs aspire to give patients access to their own information, but few have policies and technology in place to do so. Some did not have a policy governing patient access to RHIO-based data and have not formally addressed the issue. As mentioned earlier, most of the RHIOs exclude highly sensitive information from exchange, but such exclusion is part of their overall policy.

Privacy Practices

A common way to protect patient privacy is to authorize access to patient information based on the user’s role in an organization. This specifically meets the HIPAA standard of releasing only the minimum amount of information necessary to provide care. Many of the RHIOs in this survey employ role-based access to ensure adherence to their use and disclosure policies. Exchange participants — frequently hospitals or physicians in group practices — set the rules for their employees’ access.

The way RHIOs and participating providers interpret and implement role-based access varies. Several allow hospitals’ internal policies to govern in-house use of patient data. For example, registrars at one hospital are authorized to view all data collected while a patient is in that facility, but they may have access to only limited data, such as demographic information, if the same patient is in a different hospital. A similar policy might apply to physician offices. While providers in all of the RHIOs have access to at least some patient information, physicians may be able to view only the information about patients they treat directly rather than information about all patients, depending on the specific provider, the user’s role, or RHIO policy.

Interviewees indicated that their RHIO infrastructures can accommodate the different rules and types of user access.

Protocols for patient recourse must be in place to deal with instances when information is inappropriately disclosed. While RHIOs strive to maintain the privacy of patient information, breaches are likely to occur. The potential for a patient to be adversely affected by the misuse of sensitive information is high.

The interviews revealed that how RHIOs define, develop, or manage consumer remedies in the event of a privacy breach is inconsistent. Several interviewees indicated they are focused on this issue and working to develop a comprehensive policy, but “are not there yet.” Many of the RHIOs are aware of the basic HIPAA requirements, but they have not defined or implemented practices that are more stringent or meaningful to consumers. Other interviewees said their RHIOs allow participants to develop and adhere to their own internal policies. Interviewees did not typically cite this as a challenge. Given the variation and immaturity of some policies, many RHIOs may not have sufficiently discussed or fully considered the fundamental breach and mitigation issues.

Procedures for addressing and managing security breaches are critical because RHIOs are custodians of sensitive data. As business associations, they are obligated to notify participants if data transmission or storage is breached. Several interviewees said their organizations take a “federated approach”: They defer to participants’ privacy-breach procedures. However, some stressed that this method limits RHIOs’ ability to ensure that breaches are addressed promptly and means the organization must rely on individual exchange participants to establish and enforce appropriate policies.

Interviewees highlighted several other approaches, such as requiring immediate notification of the affected hospital’s HIPAA officer and forcing immediate removal of the faulted user’s access to information. Several RHIOs are developing or revisiting their security-breach policies. Most interviewees said they do not view this task as challenging.

Sidebar: HIPAA Flexibility
Health care organizations must support the security measures that HIPAA specifies for protecting patient privacy. However, an organization can define and use other security measures as long as it reasonably and appropriately supports the standards and specifications for those alternative measures.

VII. Security Practices and Technical Solutions

RHIOs use a variety of security practices and technical solutions to ensure privacy. Few interviewees consider security to be a major planning and implementation challenge, with the possible exceptions of user and entity authentication, and patient and provider identification matching. This may be due partly to the limited scope and relative nascence of several exchanges.

Instead of developing security policies, some RHIOs chose to defer to participants’ policies and practices. Others drafted policies to which all entities must conform when they exchange data. Clearly, RHIOs must have an overall security policy in place that is separate from participants’ policies.

Hospitals supply much of the patient information that emerging RHIOs exchange because they typically are among the first constituents to collect automated data and they often house the largest amount of it.
Individual participants tend to shape how a RHIO approaches security; in contrast, privacy policies involve input from a broader array of stakeholders working in concert.

Security Practices

User authentication procedures are necessary to confirm the claimed identity of all users who access data through a RHIO. Authorization procedures are necessary to ensure that appropriate users view the information.

Most interviewees said their RHIOs defer to provider organizations regarding authentication and authorization. As a result, authentication occurs in various ways, some of which are more burdensome than others. Hospitals typically authenticate their own users and notify the RHIO when physicians and other staff members are credentialed and ready to access RHIO data. Some providers require that other professional staff members vouch for all users through a formal process. At one RHIO, physicians must apply in person at the participating hospital, where they present appropriate identification and submit a written authorization request that includes contact information and details about their supervisor. After that, the RHIO establishes a user account.

According to most interviewees, authorized persons access their RHIO’s system with a unique name and password; some may also use secure token identification. One RHIO is trying to standardize the process so physicians need not enter multiple IDs and passwords to access information through their hospital, their practice, or the exchange.

In general, interviewees did not think that building consensus for and developing these policies was difficult. The real challenges, several of them emphasized, are putting secure authentication and authorization practices in place and getting the resources at both the provider and RHIO levels to make them work. Another challenge, some said, is engaging individual physicians in information exchange and managing the potentially burdensome requirements, such as authentication paperwork and the use of multiple passwords, that doctors must meet to participate in the RHIO.

RHIOs also ensure data security by enabling and tracking the detection of any inappropriate access to or use of data. Most interviewees said their RHIOs can maintain a full audit trail and track several parameters, including user login, the data that have been accessed, and time of access. As a standard security practice, the RHIOs maintain an audit log distinct from the one each participant keeps. Most of these exchanges can match their log with a participant’s — when, for example, unauthorized users are suspected — but they do not share their audit information with participants.

Most interviewees indicated that developing and implementing auditing technology and supporting this capability are possible. Concerns and challenges centered on ways to access audit data, the usefulness and clarity of the voluminous reports, and how to inspect the information efficiently.

Another common security practice — frequently referred to as “break the glass” — is to enable data access when authorization fails or emergencies arise. RHIOs in this survey and their participants set different parameters and restrictions on who has authority to gain such access and the situations in which it is acceptable. Typically, override procedures apply in emergencies — for example, when a patient arrives unconscious in the emergency department. Certain designees, such as the emergency department physician or hospital administrators, usually have override authority.

Technical Solutions

It is essential that RHIOs be able to match a patient’s and provider’s identifications. As RHIOs continue to expand their scope and add patients and providers, the likelihood that two people with the same or similar names will have data in the system is very high. To ensure appropriate data access and use, the RHIOs in this survey have developed processes and protocols to distinguish one “John Smith” from another.

Most of them match patient records through a combination of automated and manual means. The automated process uses specific algorithms that often are the underpinnings of a master patient index.

Some interviewees commented that full automation might not always be accurate. For that reason, several of the RHIOs also use human intervention to ensure 100 percent matching and to eliminate duplicate entries, which can be challenging and labor intensive. For example, issues may arise when a master patient index contains identical names or Social Security numbers.

As the patient population increases, RHIOs must manage the matching process more vigilantly and ensure that protocols for matching are scalable. Several of the exchanges in this survey use a variety of patient protection protocols, such as alerts if patient information is inappropriately sent to a physician or patient records are incorrectly merged.

RHIOs may use both automated and manual processes to match providers, just as they do to match patients. According to several interviewees, this is simpler than matching patients, largely because there are fewer physicians. One noted that a “hole” occurs when a hospital does not inform the RHIO that a physician is no longer affiliated with that facility.

Interviewees suggested that RHIOs link to the human resources systems of participating organizations to more efficiently match physicians, although the RHIOs in this survey do not have that capability. Several said that, as in patient matching, manually removing duplicate entries or physicians who are no longer affiliated with a hospital can be extremely time-consuming.

Distributed vs. Centralized Architecture

For evolving RHIOs, a fundamental decision is selecting an architecture design to support secure data exchange. Their perspective on and concerns about privacy influence this decision.

RHIOs in this study typically use a distributed or a centralized architecture to support information exchange (most chose the former), rather than a combination of the two or a hybrid. In the distributed approach, a network connects separate data systems so the information in them can be exchanged. In the centralized approach, all data reside in one location.

Those who favor a distributed architecture believe that data should reside where they originate but be accessible to all participants. This is consistent with the Markle Foundation’s Connecting for Health Common Framework, which “helps information networks…share information among their members and nationwide while protecting privacy and allowing for local autonomy and innovation.”12

A centralized architecture may be preferable when small participating hospitals do not have the wherewithal to establish comprehensive privacy protections and maintain the necessary infrastructure, and they lack the resources and expertise needed to store data on-site. One RHIO chose the centralized approach because, according to its representative, it believes this model offers stronger protections.

For several of the RHIOs, the setting — particularly one led by an academic medical center (as in Indiana and Memphis) or a vendor (as in Philadelphia) — dictated the type of architecture. In these situations, interviewees said, developing and implementing a security policy around data storage is rarely difficult.

Some of the RHIOs also use secure edge servers, which mirror their internal computer networks but store data outside the main system. This helps them manage the volume of data access requests and any potential impact on the performance of the information systems they need for daily operations.

Technology information protocols ensure that an architecture can encrypt information and exchange it securely. Many RHIOs in this study use a virtual private network and secure sockets layer technology to support such protocols. Some interviewees said that identifying and implementing appropriate protocols is not challenging “if you know what you are doing.” Others cited challenges such as connection failures in virtual private networks and getting exchange participants to devote the staff time and dollars necessary to support protocols.

VIII. The Consumer Perspective

Improving patient and consumer services is a major focus of the RHIOs and is at the foundation of their privacy and security policies. Nevertheless, the exchanges are struggling to engage and include consumers in planning and development in a way that will be most effective. With that in mind, the authors took a closer look at the relationship between RHIOs and consumers, the current and potential role of consumers, and the issues ahead.

Collaboration Is Limited

Few RHIOs today seek the advice of consumer experts, patient advocates, or patients as they develop policies, including those related to privacy. Yet experts and some RHIO representatives agree that consumers are key constituents. Collaboration between consumers or advocates and RHIO leaders can help an exchange develop comprehensive and appropriate privacy policies and practices.

There are several reasons why such collaboration is uncommon. They include difficulty in engaging representative or knowledgeable consumers, limited resources to conduct consumer outreach and education, and the fact that many individuals and consumer groups do not understand or believe in the benefits of health information exchange.
RHIOs and patient advocates alike are struggling with these issues and considering various countermeasures.

The RHIOs in this report acknowledge the importance and complexity of developing comprehensive and transparent privacy policies, many of which directly affect and concern patients. They address the array of privacy issues very differently and their policies are not always readily available or transparent to consumers. Diverse philosophies about patient rights, control, and choice make it even more difficult to manage these issues.

A patient’s right to view and access data can be contentious. While many consumers may expect to have automated access to information about themselves, most RHIOs are not prepared to enable it. One RHIO in this study enables such access by exporting data to the individual’s personal health record, but this capability is a longer-term proposition for others.

Some experts and consumer advocates argue that patients should be able to visit their provider electronically and access all of the information about them in the RHIO, not just information the provider houses. Many health care stakeholders agree, but they note that related policies and processes — how patients are authenticated and view data and how to make sure not to overload patients with information, for example — are extremely challenging and beyond the scope of most RHIOs.

Moreover, such access may create more burdens for RHIOs, like the cost of developing the necessary infrastructure and educating patients about data content. (See Appendix A regarding efforts by the American Health Information Community and the Health Information Technology Standards Panel to address these issues.)

The RHIOs in this study use diverse strategies to engage consumers. Some are struggling to identify and engage the most appropriate and representative consumers and to define consumers’ roles in information exchange. The North Carolina Health Information and Communications Alliance, Secure Architecture for Exchanging Health Information (SAFEHealth), Michiana, and the Rhode Island Health Information Exchange reach out to and engage consumers differently. But it is still unclear if RHIOs generally want to involve, or can accommodate, educated consumers in planning.

Best Practices and Principles

Patient privacy advocates and some RHIOs believe that addressing privacy issues and potential consumer concerns early in a RHIO’s development is crucial.

Consumer and privacy experts agree that RHIOs can build on privacy models like the Connecting for Health Common Framework, HIPAA, and others. The Common Framework, in particular, has received much attention; increasingly, RHIOs and other health care stakeholders are referring to this model for recommendations on consumer choice, entity authentication, and architecture for health information exchange.

Consumer-focused best practices are not yet evident in RHIOs. But several organizations, including the Markle Foundation, the National Consumers League, and the Health Privacy Project, have established consumer-directed principles that could serve as best-practice models and guide future RHIO privacy policy.

These principles advise that consumers:

• Know what information about them is in a health information exchange.
• Have access to the information and be able to correct or amend it.
• Understand how the information will be used, who has access to it, and how it can be tracked.
• Control whether and how the information will be shared.
• Be aware of their authority concerning the information, for example, knowing about consent policies.
• Ensure they are notified of breaches in a timely manner and that effective legal remedies are available to them.

As approaches to privacy issues evolve at RHIOs, many consumer advocates would like consumers to play a greater role in developing policies related to privacy and other issues, such as personal health records and pay for performance. Ways to reach out to and engage consumers are emerging. They include consumer councils, consumer-directed focus groups, and consumer and patient representatives on RHIO governing bodies.

Slowly but increasingly, states are collaborating with RHIOs to better understand the priorities and concerns of key health care stakeholders, including consumers. State-based workgroups, for example, give consumers an opportunity to be visible and participate in the dialogue.

There are other barriers to stimulating broader consumer interest in RHIOs. Advocacy groups may not see health information exchange as central to their mission, or they and consumer groups may not see its potential benefits. The tremendous gap in consumer awareness — poor health literacy, for example, and consumers not realizing that complete medication lists and lab results are important — may ultimately hinder exchange efforts.

Organizing workgroups that represent a wide array of interests is one way to communicate with and educate consumers, and to create a broader constituency in favor of health information exchange. Unfortunately, local and national advocacy groups and organizations do not have the financial and human resources to educate all consumers in a coordinated fashion. Perhaps the federal government could support such efforts, as well as forums in which consumers suggest how RHIOs can engage them.

Shortcomings at the Federal Level
The U.S. Government Accountability Office released a report in February 2007, titled “Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy,” on how the U.S. Department of Health and Human Services (HHS) is incorporating privacy into its national health information technology strategy.
According to the report, HHS, through its Office of the National Coordinator for Health Information Technology, has spurred efforts to develop solutions for protecting personal health information. But HHS has not come up with a comprehensive plan for integrating those efforts into its strategy and has not set a clear timetable for such integration.

Reconciling state privacy laws, more federal legislation to promote the development and strengthening of local privacy-breach policies, and specifying who is accountable and what the appropriate remedies are when breaches do occur are among other consumer issues that warrant further attention. Some RHIOs face much more restrictive privacy laws than RHIOs in neighboring states do, which suggests that state laws need to be reworked to make them consistent.

There is already movement on this front. Under a contract with the federal Office of the National Coordinator for Health Information Technology, several interests are exploring privacy and security barriers, such as conflicting state laws. These interests include the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community; the Health Information Security and Privacy Collaboration; and RTI International, a research institute. (See Appendix A for more details.)

Interviewees disagreed about whether HIPAA’s pre-emption of state privacy laws should be re-examined, but they agreed that HIPAA is only a floor for privacy policy and regulation. The two consumer privacy experts agreed that enforcing the HIPAA Privacy Rule is essential and suggested that the federal government is not doing so effectively.

Patient-consent policies also raise concerns. According to some experts, a RHIO’s no-opt policy could prompt a patient to conceal personal health information, not seek care, or seek care elsewhere. Under no-opt, for example, a patient who opposes information exchange and whose physician is unwilling to treat her without complete data may have to find a doctor outside the RHIO. Furthermore, patients who opt out of an exchange, if they have that choice, could limit a hospital’s or other provider’s ability to deliver high-quality care because potentially critical information would not be accessible.

RHIOs should enlist multiple stakeholders to weigh these issues and design the most appropriate privacy and security policies. Excluding consumers or soliciting their input only after the fact may make the process more challenging and tenuous for everyone involved.

IX. Common Themes

This study revealed a number of themes that could have important implications for the design of privacy and security policies.

Privacy policies and priorities, like health care, are local. Much of what shapes a RHIO’s policy depends on local priorities, the types of participants it has, and the level of community trust. The initial focus for most RHIOs is on local data exchange; intrastate and interstate exchanges tend to be a second, third, or even more distant concern.

The institutional perspectives of RHIO organizers influence privacy and security policies. Their background and the “hat they wear”—as a vendor, academician, or clinician, for example—affect their approach to privacy and security issues and their credibility on privacy matters. RHIOs affiliated with academic settings may be more comfortable using data for research purposes, while vendor-led RHIOs may be more technology-oriented in privacy and security matters.

RHIOs should develop privacy policies early and revisit them often. It is more efficient and effective to address privacy policies before the technological infrastructure is designed.
Putting this task off until later may result in greater barriers or a revision of technical solutions as these policies expand.

Privacy policies, like RHIOs, are evolutionary. Most exchanges shape them over time based on a RHIO’s development stage, priorities, and internal or external pressures to address certain issues quickly.

Work on privacy and security policies is on-going. RHIOs are broadening their goals and scope, adding participants, and exchanging new data. As the types of data and participants increase, so will the number of privacy and security issues. What works today for 500 physicians may not work tomorrow for 5,000, which means RHIOs must adapt their policies over time.

Although few best practices exist, one size will never fit all. Functioning RHIOs and policy models like the Connecting for Health Common Framework provide some guidance for emerging exchanges, but practices and policies will reflect a community’s own priorities and goals. Some variance can be expected and is appropriate.

Building consensus on privacy policies requires time, patience, and resources. This process, which usually has a committee or workgroup driving or informing it, can take months or even years. It requires continuous oversight, review, and the participation of people who have privacy, security, and IT expertise.

Consumers have limited opportunity to influence privacy policy. Hospitals, physicians, privacy and security officers, and IT professionals top the list of constituents who shape privacy and security policy. At only a few RHIOs do consumers formally participate in general or specific policy considerations.

Confidentiality is just a starting point. Nascent RHIOs should anticipate that, in the future, they will need to emphasize the integrity of patient information and ways to secure it.

Education, collaboration, communication, and commitment are critical. A RHIO’s success will depend heavily on educating participants (including consumers), collaboration among them, effective and continuous communication, and a commitment to developing comprehensive privacy and security policies. Transparent practices and effective management of privacy and security issues often facilitate and sustain participation in a RHIO because constituents are more knowledgeable and have more confidence in the exchange. RHIOs that designate a privacy champion and a “decisionmaker with authority,” and that communicate a strong value proposition, will speed the development of privacy and security policies.

All RHIOs address certain issues. These include selecting a technical solution for secure data exchange, determining patients’ role in authorizing data exchange and the extent to which a RHIO should defer to participants’ policies, and identifying and matching patient and provider information uniquely.

X. Recommendations

As RHIOs evolve, trust, collaboration, and communication are fundamental to their successful implementation. Successful policies hinge on a RHIO’s recognition of the community’s sensitivities and priorities. Emerging exchanges must appreciate the local nature of policy questions, quickly start to build consensus around key issues, and, early on, engage a broad cross-section of stakeholders, including consumers, in thoughtful discussion.

Meanwhile, policymakers should further analyze important issues. These include liability concerns, pre-emption of state laws by federal law or resolution of conflicting state laws, consistent and effective consumer remedies for privacy breaches, the implications of patient consent and access to data, and the impact and value of secondary uses of data.

The authors recommend that nascent RHIOs:

Avoid narrow solutions.
Strict privacy and security requirements are premature at this point. RHIOs and federal initiatives should use existing models and frameworks only as guides, not as finite or exclusive solutions.

Address external factors. Depending on their near- or mid-term goals, RHIOs can manage privacy and security in various ways. The approaches must be consistent with state and federal laws, with participants’ appetite for thinking strategically about the RHIO’s growth, and with the community’s practices and culture.

Engage a wide range of stakeholders. To maximize possibilities and minimize roadblocks, from the outset RHIOs should consider how to engage all relevant health care stakeholders, including consumers. This will most likely encourage participation in the exchange and expose a range of concerns, even though some may not relate to current or near-term activities or policies.

Look to local privacy and security policies for guidance. Most care providers will already have privacy and security practices and written policies in place. Emerging RHIOs should use these “rules of the road” as a starting point and build upon them. Ultimately, however, they will have to develop policies that still meet local needs.

Refer to HIPAA and state laws at the outset. HIPAA’s privacy and security standards are a good starting point. If a RHIO’s top priority is to demonstrate a near-term value proposition, it can initially exchange information only among entities covered by HIPAA, and, if more stringent state laws exist, share data only for purposes of treatment, payment, and operations consistent with those laws. This enables a RHIO to proceed without policies beyond those that govern infrastructure operations. For instance, using HIPAA’s security standards for audit controls, an exchange can build upon participants’ own audit control practices and come to agreement with them on which capabilities the RHIO should maintain and which information should be shared and under what circumstances.

Anticipate long-term infrastructure needs and goals. A RHIO must look beyond its immediate technical capabilities, such as identity mapping, and the system architecture necessary for health information exchange. How will it expand those capabilities down the road? What kind of technical infrastructure and policies will the RHIO need so it can evolve?

Keep sustainability in mind. Thinking ahead, RHIOs should contemplate models that include using data for secondary purposes, such as research or marketing. Because secondary uses are likely to affect the extent of consumer participation, RHIOs should also consider ways to engage consumers more effectively and comfortably in decisions about those uses.

These recommendations are for policymakers and the communities in which RHIOs operate:

Consider future data uses. To meet the long-term goal of sustainability, RHIOs should identify the barriers to secondary uses of data and ways to overcome them.

Share lessons learned. RHIOs should share their experiences with others and explore common solutions or consistent ways to address key issues, such as liability and secondary uses of data.

Pay attention to federal initiatives. It is important to monitor the activities of several federal initiatives, among them the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community, and the Health Information Security and Privacy Collaboration; to learn about new policies; and to give policymakers an “on the ground” versus an insider’s view of health information exchange.

Foster discussion. RHIOs and federal and state policymakers should continue to promote forums where interested parties can collaborate, share information, obtain a better understanding of privacy and security issues, and discuss ways to tackle them.

Champion consumer rights. Because consumers’ concerns about privacy and security warrant attention, RHIO policy and federal and state laws should address them. In particular, policies and laws should require consumer remedies when security is breached. Consumers will more likely support health information exchange if they trust that it will not compromise the confidentiality and security of their personal data, and that they have redress if a breach occurs.

The RHIOs in this survey have invested significant energy addressing a number of important privacy and security issues. Evidence suggests they are intensely focused on developing related policies in a well-informed, collaborative manner. Although their approaches to privacy and security vary, they can provide valuable insight to other, more nascent exchanges, which can base their initial efforts on one or more of these models and ultimately tailor a solution that meets local needs.

However, most functioning RHIOs acknowledge there is much more privacy and security policy work to be done locally and at the state and federal levels to enable effective, comprehensive, and ultimately widespread health information exchange.

Appendix A: The Federal Privacy and Security Landscape

All federal health agencies have privacy and security responsibilities, and many administrative and congressional activities related to health information technology have privacy and security components. These activities began with HIPAA and continue today through the Office of the National Coordinator for Health Information Technology.

The federal government is primarily concerned about issues requiring national leadership: standards and penalties regarding health information privacy and security standards, information exchange standards, and patient identification. HIPAA includes minimum privacy and security standards, although states may set more-stringent ones.

HIPAA Privacy and Security

Administrative simplification provisions in HIPAA required the U.S. Department of Health and Human Services (HHS) to establish privacy and security rules, national standards for electronic health care transactions, and national identifiers for providers, health plans, and employers. Privacy and security standards went into effect in 2003 and 2005, respectively.

Under HIPAA, providers, plans, and clearinghouses must protect individually identifiable health information. Written consent is required to use or disclose protected health information outside of treatment, payment, or health care operations.

According to HIPAA, entities must analyze the vulnerability of personal health information. Based on that analysis, they must then establish appropriate and reasonable administrative, physical, and technical safeguards to secure the confidentiality, integrity, and accessibility of protected information. The Centers for Medicare & Medicaid Services, the Department of Defense, and the Department of Veterans Affairs also are covered entities and must comply with HIPAA.

Two HHS offices oversee and enforce HIPAA, mostly through voluntary compliance and education. The Office of Civil Rights communicates privacy rights, investigates complaints, and provides extensive guidance (largely to consumers) on HIPAA privacy. The Office of E-Health Standards and Services interprets and enforces the HIPAA Security Rule. Both offices can impose civil monetary penalties for violations. The U.S. Department of Justice investigates possible criminal violations.

The Office of Civil Rights has received more than 20,000 complaints, but it has referred only one case for trial. The Office of E-Health Standards and Services has received few complaints. According to a recent Department of Justice opinion, only covered entities, not their employees, can be prosecuted under HIPAA. In light of this opinion and HIPAA’s 2006 enforcement guidelines, which reaffirm HHS’s commitment to voluntary compliance, a significant number of HIPAA prosecutions seems unlikely.

Events Since HIPAA

Among the most noteworthy recent events at the federal level are the targeted privacy and security initiatives by the Office of the National Coordinator and the American Health Information Community’s creation of a privacy and security workgroup. AHIC is a federal advisory committee with 18 members representing public and private health care stakeholders.

The initiatives include formation of the Health Information Security and Privacy Collaboration, for which RTI International is the contractor. The collaboration will examine best practices and develop solutions for overcoming differences in laws and practices that prevent nationwide data sharing.

The Office of the National Coordinator also has engaged four contractors to create prototype privacy and security architectures for the Nationwide Health Information Network that address privacy and security issues. The contractors demonstrated their prototypes at the American Health Information Community meeting in January 2007. The Office of the National Coordinator will seek to advance the nationwide network by soliciting contracts in 2007 for trial implementations.

In June 2006, the American Health Information Community announced a new Confidentiality, Privacy, and Security Workgroup that is considering privacy and security issues. However, in February 2007, workgroup co-chair Paul Feldman resigned, citing lack of substantial progress in developing policies to address privacy issues related to health information exchange. Seven workgroups now support the community, whose co-chairs are Michael Leavitt, secretary of HHS, and Dr. David Brailer, former national coordinator for health information technology.

HIPAA assigned another advisory body, the National Committee on Vital Health Statistics, to make privacy and security recommendations to Leavitt. It recommended stronger security measures, possibly to include biometrics, digital signatures, and public key infrastructure, in electronic prescribing and other medical transactions. The committee held hearings on the national patient identifier and issued a report based on them. It continues to weigh in on certain privacy and security standards — for example, by recommending that consumers be given the right to decide if their personal health information will be included in the Nationwide Health Information Network. (The committee was unable to decide if the process should be opt-in or opt-out.)

In November 2006, the committee released a draft report, “Minimum but Inclusive Functional Requirements Needed for the Initial Definition of a Nationwide Health Information Network (NHIN).” The report includes guidelines, created at the request of the Office of the National Coordinator, that describe the critical privacy and security elements for connecting to the nationwide network. The committee focused on patient-consent policies, recommending that HHS adopt the following positions:

• Patients should have the right to decide if their personal health information will be included in the nationwide network.
• Providers should not be able to deny treatment to patients who choose not to have their information included.
• Patients should receive culturally sensitive and understandable educational materials about the implications of allowing their personal information to be exchanged.

Chief among the other privacy and security issues in the draft report are authentication, authorization, and matching patients to their information. The committee also recommended that HHS recognize that RHIOs and vendors of personal health records are not necessarily covered entities under HIPAA, and that augmenting or expanding HIPAA might provide equivalent protections for the personal health information that noncovered entities use.

Among other groups operating in the national health privacy and security arena is the Certification Commission for Health Information Technology. It recently certified 55 electronic health record products. The certification criteria include privacy and security specifications. The commission has indicated it may adopt the minimum functional requirements by the National Committee on Vital Statistics as standards for certifying health information exchanges beginning in 2008.

On the Legislative Front

Since HIPAA’s privacy and security rules took effect, physicians’ slow adoption of health information technology and numerous security failures among government agencies have prompted Congress to consider taking action on privacy and security. The Senate and House passed related bills in the last session.

Senate Bill 1418 contained additional protections for health information privacy. The corresponding House legislation, HR 4157, does not call for changes in federal privacy law nor does the most recent version call for pre-empting state health information security laws, as the original version had initially proposed.

HR 5318 was one of several data security bills introduced in Congress after the U.S. Department of Veterans Affairs experienced a pair of security breaches. None of this legislation would be likely to pre-empt state laws governing data breach or notification.

In the new congressional session under Democratic leadership, it is unclear if lawmakers will consider the same bills in 2007.
However, Senate Democrats have expressed interest in reviving the legislative push on health information technology issues.

Appendix B: Interviewees

A. John Blair III, M.D.
President and Chief Executive Officer
Taconic IPA Inc.
Taconic Health Information Network and Community

Vicki Estrin
Program Manager, Regional Informatics Programs
Vanderbilt Center for Better Health
Mid-South eHealth Alliance (Memphis RHIO)

Mark Frisse, M.D., M.B.A., M.Sc.
Accenture Professor, Biomedical Informatics and Director, Regional Informatics Programs
Vanderbilt Center for Better Health
Mid-South eHealth Alliance (Memphis RHIO)

Larry Garber, M.D.
Director, Medical Informatics
Fallon Clinic
Secure Architecture for Exchanging Health Information (SAFEHealth)

Janlori Goldman
Director, Health Privacy Project
Research Scholar, Center on Medicine as a Profession, Columbia College of Physicians and Surgeons

Keith Hepp
Chief Financial Officer and Vice President, Business Development
HealthBridge

Pat Holmstead
Director, Quality Improvement Services
Inland Northwest Health Services
Northwest RHIO

Jay McCutcheon
President, Health Network Services
Health Information Exchange Planning Implementation and Operations
Michiana Health Information Network

Elliot Menschik, M.D.
Chief Executive Officer
Hx Technologies Inc.
Philadelphia Health Information Exchange

Victoria M. Prescott
General Counsel and Business Development Specialist
Regenstrief Institute Inc.

Peggy Pruesse, R.N.
Privacy Officer
Fallon Clinic
Secure Architecture for Exchanging Health Information (SAFEHealth)

Robert Reid, M.D.
Director, Medical Affairs
Cottage Health System
Santa Barbara County Care Data Exchange

Allison Rein
Assistant Director, Food and Health Policy
National Consumers League

Mike Skinner
Executive Director
Santa Barbara County Care Data Exchange

Appendix C: Glossary

Note: The use and understanding of privacy and security terms vary. The following are not formal or standard definitions.

Access-rights management
The process of ensuring access rights — that is, who is authorized to see, edit, or remove patient data. Access rights determine which actions users can perform, such as read, write, execute, create, and delete, on shared files in health information exchange.

Centralized architecture
A technology architecture in which all data reside in one location, generally on a central server. It offers security and system management benefits. Disadvantages include concerns about “data ownership” and space for hardware.

Central servers
A hardware configuration that houses data and applications accessible from various points in a computer network.

Decentralized or federated architecture
A network of individual entities that are connected to share data. The information resides, and is maintained locally within individual organizations, but it is accessible via the network.

Edge server
Houses data and applications outside the main computer network of an organization participating in a RHIO.

Master patient index
A computer-based system that links patient information across a variety of health care settings. Due to different name spellings, such as Brown and Browne, and duplicate names, such as more than one John Smith, a master patient index uses a range of data and matching algorithms to ensure that patients are correctly matched to their individual data. An assigned unique identifier facilitates access to patient-specific clinical information at all points of care.

Record-locator service
Provides information about where patient health information is located and where the patient has received care — for example, at a hospital or doctor’s office. It does not contain patient data collected at the point of care.

Secure sockets layer
A security protocol methodology designed to create a secure connection to the server for transmitting confidential data via the Internet. It uses public key encryption, one of the industry’s strongest encryption methods, to protect data as it travels.

User authorization
The ability to determine which data a user may access and which functions may be performed on them. Authorization is typically based on role. In smaller facilities and physician practices, users sometimes have more than one role because they perform multiple staff functions. An example is a nurse who is both the medical records keeper and receptionist.

User authentication
The ability to verify the identity of a system user. A simple authorization method is to require that the user provide an identifying token and a secret known only to that person. The banking industry uses an ATM card and a PIN to authenticate account holders.

Virtual private network
A way to use a public telecommunication infrastructure, such as the Internet, to give remote offices or individual users secure access to their organization’s network.

Endnotes

1. Lassila, K.S. “Assessing the Impact of Community Health Information Networks: A Multi-site Study of the Wisconsin Health Information Network.” Topics in Health Information Management 1997;18(2): 64–76.

2. McDonald, C.J., Overhage, J.M., Barnes, M., Schadow, G., Blevins, L., Dexter, P.R., Mamlin, B., INPC Management Committee. “The Indiana Network for Patient Care: A Working Local Health Information Infrastructure.” Health Affairs 2005;24(5): 1214–1220.

3. Starr, P. “Smart Technology, Stunted Policy: Developing Health Information Networks.” Health Affairs 1997;16(3): 91–105.

4. Brown, E.G. Regional Health Information Organizations’ Modest Start. Forrester Research. February 2006.

5. For specific examples, see: Agency for Health Research and Quality. Evolution of State Health Information Exchange: a Study of Vision, Strategy, and Progress. January 2006.

6. Center for Information Technology Leadership. The Value of Healthcare Information Exchange and Interoperability (HIEI). January 2005.

7. Walker, J., Pan, E., Johnston, D., Adler-Milstein, J., Bates, D.W., Middleton, B. “The Value of Health Information Exchange and Interoperability.” Health Affairs 2005 (content.healthaffairs.org/cgi/content/full/hlthaff.w5.10/DC1).

8. Hillestad, R., Bigelow, J., Bower, A., Girosi, F., Meili, R., Scoville, R., Taylor, R. “Can Electronic Medical Records Systems Transform Health Care? Potential Health Benefits, Savings, and Costs.” Health Affairs 2005;24(5): 1103–1117.

9. Because there is no universal definition of a RHIO or HIE, it is difficult to pinpoint the exact number of initiatives. For estimates, see Brown EG, op. cit.; eHealth Initiative. Improving the Quality of Healthcare Through Health Information Exchange: Selected Findings from eHealth Initiative’s Third Annual Survey of Health Information Exchange Activities at the State, Local and Regional Levels. September 2006; and Health Information and Management Systems and Society. HIT Dashboard (www.hitdashboard.com/default.aspx).

10. See Note 4, above.

11. Health Information and Management Systems and Society. HIT Dashboard (www.hitdashboard.com/default.aspx).

12. Markle Foundation. The Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange. April 2006 (www.connectingforhealth.org/commonframework). The Common Framework, which is publicly available, includes suggested privacy and technical policies, as well as model contract language for business associate agreements with participating entities. Experts in information technology, health privacy law, and policy developed the framework, which Connecting for Health prototype teams in Massachusetts, Indiana, and California have been testing since mid-2005.