HIE Privacy Guidance: An AssessmentLeader of Indiana Exchange Effort Sizes Up Framework
New privacy and security guidance for federally funded health information exchanges provides a good framework, but the recommendations will need to be phased in over time, says Andrew VanZee, director of a statewide HIE initiative in Indiana.
"As long as you're continually working toward improving your infrastructure and general operations and policies, that goes a long way in trying to achieve what the intent of the guidance was," VanZee, statewide health IT director, says in an interview with Information Security Media Group's Howard Anderson (transcript below).
With five regional health information organizations already running HIEs, Indiana is one of the most advanced states when it comes to exchanging patient information among various organizations. VanZee heads efforts to link the five HIEs to pave the way for sharing data statewide.
The Department of Health and Human Services' Office of the National Coordinator for Health IT recently issued privacy and security guidance to federally funded HIEs, including the statewide effort in Indiana. The guidance points out actions HIEs should be taking, such as using encryption and authentication, obtaining patient consent for data exchange and providing patients with access to their complete records (see HIEs Get Privacy, Security Guidance).
ONC provided the guidance to federally funded HIEs while it continues a long-term project effort to prepare a Nationwide Health Information Network Governance Rule. That rule, as proposed, would establish voluntary standards, including privacy and security guidelines, for HIEs and others (See: Voluntary HIE Rules: Early Reaction). ONC is accepting comments on the NwHIN Governance Rule concept through June 29.
Guidance that ONC provided to federally funded HIEs could eventually wind up in the NwHIN Governance Rule as well.
VanZee calls the ONC guidance for federally funded HIEs a "vision statement." He notes that Indiana's exchanges already have many privacy procedures in place, but they must "start to harmonize some of the policies and approaches so we have a more consistent approach across the state."
In an interview, VanZee also:
- Describes pilot projects that are testing, for example, how to offer patients the ability to consent to the exchange of only specific portions of their records;
- Notes that the Indiana exchanges now use the "opt out" model of consent, automatically exchanging all of a patient's records unless the patient chooses to opt out; and
- Stresses that "privacy is probably one of the most difficult topics that HIEs have to deal with," highlighting the need to educate patients about what HIEs are doing to protect their records.
VanZee is statewide health IT director for the Indiana Family and Social Services Administration. He is responsible for managing the allocation of the $10.3 million in federal HIE funding the state received in March 2010. VanZee oversees Indiana's state designated entity, Indiana Health Information Technology Inc., which coordinates the statewide HIE initiative. He previously worked at hospitals, most recently serving as vice president of provider networks and operations at Logansport Memorial Hospital.
Indiana's HIE Initiative
HOWARD ANDERSON: For starters, please describe your role in helping the state's five health information exchanges link together to form what amounts to a statewide exchange.
ANDREW VANZEE: The state of Indiana took the approach of setting up a not-for-profit, Indiana Health Information Technology Inc., or IHIT, to oversee the development of the state HIE infrastructure. We're fortunate here in Indiana to have five health information organizations that have been in operation over the past 10-15 years. And because of that robust infrastructure, we really are working at collaborating and working with those organizations to build capacity, drive interoperability and link additional data sources up to the current, already established private-sector infrastructure.
ANDERSON: How many of the five HIEs are able to exchange information now and when will all five be linked? And what are the main types of information that will be exchanged?
VANZEE: The five sub-state health information organizations already, at least within their own network, do exchange information with hospitals, providers and other entity types such as nursing homes and hospice, long-term care-type facilities. There are a few of them that have been exchanging information with each other. Most of that information that's being exchanged from one HIO to another is around the areas of lab results and diagnostic-type results. It's mainly push-type technology between the HIO nodes.
Now, [we're] looking more toward the ability to query the data repositories of these existing HIOs and exchanging information in that query format, as far as an HIO having the ability to query the other four HIOs in the state to then do patient discovery, find out if any information exists, to then request a document of all information that is readily available on that patient.
Privacy, Security Guidance
ANDERSON: The HHS Office of the National Coordinator for Health IT recently issued a long list of privacy and security guidelines for federally funded HIEs, including your statewide effort. In general, what do you think of the privacy and security guidance provided by ONC recently and will it prove practical to carry out?
VANZEE: It lays out a good roadmap or framework for what the future state of health information exchange could look like. If you read into the standards, most of them say "should," vs. "shall." It's kind of inspirational. It's almost like a vision statement of an organization to say these are the items that we're working toward in the future. And so I think it does lay out the direction that healthcare and the health information exchange is moving toward, but it doesn't necessarily represent what the current state environment is. What we're doing here is taking a look at the current environment and where we're at today and comparing them to the standards and domains that are laid out in the privacy and security framework and what items we need to work toward in the future.
ANDERSON: The guidelines call for HIEs to develop policies and technical approaches that offer individuals more granular consent for information exchange than just having all or none of their information exchanged. Thus, for example, a patient could grant consent for exchanging a portion of their information. I believe you've got a pilot project in this arena. Can you explain that effort and update us on the status?
VANZEE: We were fortunate to receive actually two of the state HIE program challenge grants, and one of those challenge grants is focused on advanced patient query. That's actually broken into two portions, the first being data segmentation as far as looking at how do you take data in a repository and meta tag it and break it up into its different components so that you can move toward a more granular consent or ability to segment data in particular manners. We're working with two very large organizations that are helping and really working and driving this project, the first being the Regenstrief Institute, which is a world-renowned research informatics organization located here in Indianapolis, and we're also working with Indiana University on these projects.
The portion that Indiana University is working on is specific to the consumer consent and the more granular control piece. And with that, we're performing patient interviews to try to determine from the patients' perspective what are their thoughts on health information exchange, what are the items that they feel they should have more granular consent or should have more control over being able to determine who has access to that information.
The other interesting piece that we're trying to balance, as far as giving patients complete control, is we do have a bioethics group through Indiana University that's also looking at what the patients' desires are vs. what's the ethically defensible [approach] from the healthcare side of things, as far as how much granular control a patient should have. We're finding out some interesting things from both the patient side as well as the bioethics side, and our plan is to build some prototype screens and build that within this data segmentation of the repositories to start testing out, from the patient's perspective as well as from the provider and physician perspective, how granular consent could work in a very large repository-type format.
ANDERSON: In the meantime, how are the exchanges in Indiana handling patient consent now?
VANZEE: Like many exchanges, the consent is handled at the local physician level and so because most exchanges do not have direct interaction with patients, it's very difficult to handle that consent at that HIE level. Now, there are some states around the country that do allow patients to sign their consent at the HIE-type level. But at least here in Indiana, it's at the physician or at the entity that the patient has a face-to-face interaction with as far as determining that consent. Typically [that information is kept within] in the consent for treatments of those organizations that an individual signs.
ANDERSON: Just to clarify, is that a patient opt-in or a patient opt-out approach?
VANZEE: We're an opt-out state. Each of those consents is basically a declaration that the person's information is being used for health information exchange as covered under the HIPAA standards. Basically, the patient is giving consent that their information is being used for those purposes. They have the option to opt out, and that information can be shared at the HIE level. But once you opt out, basically all of your records are being removed from the repositories for the ability to share that information with others. I can tell you that's been rarely used here. It's only been used a handful of times where someone has actually opted out of having their information shared.
Addressing the Gaps
ANDERSON: The federal guidance points out that HIEs that are not taking the recommended privacy and security steps outlined in the guidance must develop a strategy, timeline and action plan for addressing these gaps. In general, what do you think are the main areas the HIEs in Indiana will need to work on to address gaps as they continue to link all those HIEs so they can share information?
VANZEE: The pieces that are specific to the patient, as far as the granular consent and the individual access and correction, because, at least right now in Indiana, there's not an actual connection with or interaction between the sub-state HIOs and the individual consumers. Those will be the most difficult ones that we will have to face or develop a roadmap. Most of the other items are internal policy pieces that are already being addressed in some format by the local sub-state HIOs. Our hopes are that we will look across the five here in the state and start to harmonize maybe some of the policies and approaches they take so that we have a more consistent approach across the state. But the other ones are the areas that I feel that we have the greatest gap.
Now, as I mentioned with the advanced patient query challenge grant, we also have another challenge grant where we're doing personal health record pilots - 12 pilot sites - across the state where we're working on patient identification and authentication, as well as data liquidity and providing HIE data down to a personal health record of a patient's choice. And if you look at some of those first few domains that talk about patient control and patient access, we're at least taking some of the initial steps here in laying out the kind of foundation for where I think things will head in the future.
ANDERSON: Over the long haul, how difficult do you think it will be to implement all the steps outlined in the guidance?
VANZEE: I think it will be very difficult, at least initially. We're somewhat fortunate here to be a little bit further along than many other HIEs and HIOs, and so it gives us an opportunity to start working on some of these higher functioning-type items. Many states are just now starting up, and when you look from a financial sustainability piece, many of these items that are called out are not necessarily items that are usually first on your technology roadmap or sustainability roadmap for an HIE. And so I think it will be a challenge for organizations to necessarily meet all of these items. But I think it still goes back to remembering what the intent is of this framework, and it's meant to be a guidance document toward what the future state would be. And so as long as you're continually working toward and improving your infrastructure and general operations and policies, I think that goes a long way in trying to achieve what the intent of the document was.
Privacy, Security Lessons Learned
ANDERSON: When it comes to health information exchange rollouts, Indiana is one of the most advanced states. You've been at this for over a decade. What lessons have you learned so far about how to tackle privacy and security issues and how to educate the public about protection of their information?
VANZEE: It's probably one of the most difficult topics that health information exchanges have to deal with. And surprisingly, healthcare is one of those industries that seems to be lagging behind many other industries when it comes to privacy and security-type issues, as well as there's a higher importance sometimes that's placed privacy and security in healthcare than many other sectors.
And a good example of that would be we're constantly, as a consumer, getting [notices] from our financial institutions that our records have been potentially breached. We just take that as that's something that happens. In healthcare, that happens and that makes national news. It has huge penalties attached to it. And so I think some of it is a stigma issue that we have to educate the populations as far as what does it mean for health information exchange, to be transparent on what we're doing to protect information and to involve them as far as being stewards of their health data.