Tackling HIE Privacy Issues
Establishing Trust Takes Time, Analyst Says
It takes time and trust in order to develop health information exchanges, says IDC's Lynne Dunbrack. So how should HIE stakeholders approach such a project? Dunbrack offers three best practices.
Dunbrack, who recently wrote a report on HIE best practices, recommends first that organizations start early, since privacy and security "take a long time to work through those issues," she says in an interview with HealthcareInfoSecurity's Howard Anderson [transcript below].
In setting up HIEs, questions arise such as how data that comes from one organization is used by another. Set up time to go through the business associate agreements and understand the data governance issues, she says.
The next step for HIE stakeholders is to create a privacy and security framework. "If everyone's working from the same framework for privacy and security, there's greater understanding of what the provisions are, how the HIE will protect that data, secure that data and will ensure that the data is kept confidential," Dunbrack says.
Last, organizations should also develop a common business associate agreement, "certainly for an HIE that's sharing data or exchanging data across multiple entities - and it could be upward to hundreds of entities," she says. "Having a common or rationalized business associate agreement is certainly much easier than negotiating one-off business associate agreements."
In the interview, Dunbrack also:
- Says HIE organizers must guard against underestimating the time it takes to tackle privacy and security issues;
- Highlights the need to educate patients about the value of information exchange as well as the technologies used to protect their information;
- Comments on the potential challenges involved with following the privacy and security guidance that the Department of Health and Human Services' Office of the National Coordinator for Health IT recently issued.
As program director for IDC Health Insights' Connected Health IT Strategies program, Dunbrack provides research-based advisory and consulting services for payer, provider, life science and vendor executives. She offers guidance on telemedicine utilizing video conferencing; telediagnostics; online care on demand; remote patient monitoring; mobile health; aging in place; and enabling technologies, such as health information exchange and electronic health records.
Establishing HIEs: Start Early
HOWARD ANDERSON: You recently wrote a report about best practices for establishing sustainable health information exchange. In that report, based on interviews with 45 HIE executives, you offer three tips on privacy and security issues. The first tip you include is to start early. Can you explain what that means?
LYNNE DUNBRACK: When I interviewed the executives for this report, and the year prior when I interviewed I think it was on the order of 30 HIE executives for a best practice report, a vendor short-list report, that our company published back then, the prevailing thing in both reports was that privacy takes a long time to work through those issues, and security as well. But really it comes down to privacy, particularly for organizations that may be working together for the first time in terms of exchanging data. It takes some time to establish trust, to work through the data governance issues, to understand how data might be a source from one organization and then used by another organization. So typically the executives said to us, "Technology was not the gating factor in standing up the HIE." It was really getting all of those business associate agreements in place, understanding the data governance issues, and particularly for HIEs that are RHIOs - Regional Health Information Organizations - or the state-wide initiatives where they actually may be competitors but have come together to collaborate on health information exchange, they have to overcome some of the issues of being competitors but also trying to be collaborators at the same time.
There are still privacy issues for the enterprise HIE that are connecting up on their loosely-affiliated organizations. There's a certain level of trust because they've worked together. When you start getting into RHIOs and state-wide initiatives, the level of effort for addressing privacy and security increases. Organizations found that they really needed to start that process much earlier if they were to stay on track with their milestone and particularly for going live.
Availability of Privacy, Security Framework
ANDERSON: Your second tip in the report was to make a privacy and security framework available to all stakeholders in the HIE. Why is that so important?
DUNBRACK: I think it gets back to that level of trust that I just spoke of. If everyone's working from the same page if you will, the same framework for privacy and security, there's greater understanding of what the provisions are, how the HIE will protect that data, will secure that data, will ensure that the data is kept confidential, and then that goes a long way in developing that trust. And so it's very important that all of the stakeholders understand how the data will be used. Are there plans for secondary use? How might that occur? What are the provisions under which that might occur? Is there downstream compensation for that? It's just important that all stakeholders understand how that data will be shared and how others will consume that data that they're the sources for.
Business Associate Agreements
ANDERSON: The third tip was to rationalize business associate agreements. Can you explain that for us, please?
DUNBRACK: Business associate agreements are the contracts if you will between stakeholders and how that data will be used and how the security provision will be put in place, the privacy policies will be put into place. Certainly for an HIE that's sharing data or exchanging data across multiple entities - and it could be upward to hundreds of entities when you start getting into the ambulatory practices - having a common or rationalized business associate agreement is certainly much easier than negotiating one-off business associate agreements both in terms of being able to manage the compliance and to ensure that the data is being used and shared appropriately, but also quite frankly from a legal perspective, not having to renegotiate each individual business associate agreement. Of course, that will drive off the cost of legal expenses. So in talking with health information exchange executives, they were recommending that the business associate agreements themselves be rationalized, getting back to that framework in security and really starting to build a culture around community consensus for privacy and security.
ONC Privacy, Security Guidance
ANDERSON: The Office of the National Coordinator for Health IT just issued detailed privacy and security guidance for federally funded HIEs. Overall, what do you think of the guidance, and based on your interviews with HIE executives for your report, what recommendations in the guidance could prove to be the most challenging to implement?
DUNBRACK: It's always awful to get guidance around privacy and security, and I think one of the big challenges for health information exchanges, in looking at the guidelines from ONC, is the level of specificity around being able to opt-in and opt-out. All of the vendors are able to deal with a straight-up, the patients or consumers can opt-in to the exchange or they can opt-out of the exchange, and that certainly would help them to comply with various state laws which have different requirements for HIEs.
Some states are opt-in and some states are opt-out states, where the next level of challenge will be when the requirements state that the HIE needs to be able to respond to opting out by certain encounter types or by certain encounters or by certain provider types or name providers. That's where it really gets much more challenging.
I think another area of challenge for the HIE that's interesting is that many of our major cities are situated on rivers because of old historic times, that being a way of commerce and travel, and rivers are also very natural state borders so we have state initiatives that straddle two states. Some of the patients may come from one state that's an opt-in state; other patients may come from the neighboring states, an opt-out state, and so how do you then manage when a resident of an opt-in state sees a provider in an opt-out state? Which policy then prevails in terms of does the patient have to opt-in or opt-out and what do you do with their records?
There's a lot of complexity because of the variety of approaches that states have taken on this, and so I think that's probably what the biggest challenge point is, for those states that have either the RHIOs are straddling or the regional efforts are straddling states with a different variety of policies, or just by the virtue of where it's a center that's drawing patients from multiple states. I'm from Boston, and a lot of patients come from Maine, New Hampshire and Vermont to seek specialty care in the Boston hospitals, so how do we deal with those patients and their state's privacy requirements? So it makes for some really interesting conversations and again kind of harkens back to why you want to start early when evaluating and developing your privacy and security frameworks.
Ensuring Public Trust
ANDERSON: Finally, what key steps can HIEs take to help ensure the American public trusts that when their records are exchanged they will remain private? Any final thoughts?
DUNBRACK: I think education is a really important element here in promoting the use of HIEs with patients, so they understand the value in using those, and having those tools made available to them. I think particularly now as consumers are much more used to being able to conduct their business online for other industries, whether it's retail or banking, I think one of the things that frustrate consumers considerably when they enter into the healthcare system is how disjointed and often inaccessible that information is to them. That information may be inaccessible when they have care with one part of the system and then go seek care or get referred to a specialist and they're back repeating their whole life or medical history to the new provider. Education is important, educating consumers particularly about the value propositions, the benefits that they will see from health information exchange, why that's important for them to be active participants in that and hopefully opt-in if they're in an opt-in state or not opt-out if that's the privacy requirement in that state.
Really just underscore how there are technologies and systems in place that will keep their data secure. The organizations themselves have to really not underestimate that patient data is the lifeline for an organization. Organizations need to work with each other and with their consumers and really not underestimate the level of trust that's required in order to achieve successful exchange of health information.