Updated HIE Guidance Focuses on Trust
New Insights on Privacy and Security Policies, Practices
The Markle Foundation's updated guidance on health information exchange privacy and security policies and practices is designed to help "develop an environment of trust," says Laura Bailyn, the foundation's senior director for health initiatives.
The foundation has updated its Common Framework, launched in 2006 to spell out the elements of a comprehensive approach for secure health information sharing, Bailyn explains in an interview with Information Security Media Group's Howard Anderson (transcript below).
The update, known as Policies in Practice, provides advice and insights on privacy and security issues, including obtaining patient consent for exchanging their records and providing patients with access to information.
Federal regulators are in the early stages of drafting a Nationwide Health Information Network Governance Rule, which will set voluntary standards for HIEs. In the meantime, the new Markle guidance offers timely assistance in establishing policies and practices, Bailyn says.
In the interview, Bailyn describes the five major elements of Policies in Practice, including:
- An update on relevant laws and regulations developed in the past five years;
- Suggestions on how to handle the issue of gaining patient consent for exchanging their information;
- Insights on giving patients access to their health information, including details on secure downloads;
- An outline of a governance structure for information exchange. Bailyn is hopeful that key elements of this section could influence the NwHIN Governance Rule;
- Tips on technology procurement, including ensuring technology can adequately support privacy policies.
The foundation soon will add updated model contract language for data sharing agreements, Bailyn notes.
As senior director at the Markle Foundation, Bailyn, an attorney, helps shape the foundation's work in health as well as new areas of program exploration. The foundation works to accelerate the use of information and information technology to address critical public needs, particularly in health and national security. Bailyn has an extensive background in technology and a broad range of policy issues. She formerly worked as a business consultant for Apple Inc. She also practiced law in the intellectual property and technology group at Skadden, Arps, Slate, Meagher & Flom LLP.
HOWARD ANDERSON: Please describe the Markle Foundation and its healthcare projects.
LAURA BAILYN: The Markle Foundation believes that emerging communications media and information technology create unprecedented opportunity to improve people's lives. Markle works to realize that potential by accelerating the use of information and information technology to address critical public needs, particularly in health and national security. We collaborate with innovators and thought-leaders from the public and private sectors, whose expertise lies in the areas of information technology, privacy, civil liberties, health and national security.
Policies in Practice
ANDERSON: Back in 2006, the Foundation introduced the Markle Common Framework which laid out the initial elements of a comprehensive approach for secure health information sharing, based on what you called Fair Information Practice Principles. You recently unveiled a Policies in Practice document to update that framework. What's the goal behind the update, and what's the targeted audience for it?
BAILYN: As the health information sharing environment has evolved, both through experience as well as regulatory updates, we engaged in a series of conversations with implementers in the field to find out how they were using the Markle Common Framework and what additional resources they might need. Policies in Practice were developed in response to those conversations to address the range of priority issues identified by the implementers in the field.
The target audience is anyone undertaking health information sharing. At present, as a result of the federal investments, there's a growing HIE community. However, anyone who holds health information and chooses to share it can benefit from these resources.
ANDERSON: Tell us a little bit more about how it was drafted. Who was involved in drafting this new document?
BAILYN: The Policies in Practice were developed through a collaborative process by the Markle Connecting for Health HIE Advisory Committee, a diverse group of state health IT leaders from across the country, as well as legal experts, technology experts and consumer representatives. The full list of advisory committee members can be found on our website.
5 Major Elements
ANDERSON: I understand the Policies in Practice edition contains five major elements. Could you provide a brief overview of those elements, with a particular focus on the privacy and security issues they tackle?
BAILYN: The five resources that we developed are key laws and regs, consent, individual access, governance and procurement. The key laws and regulations document highlights relevant privacy laws over the last five years and addresses them in the targeted policy areas of the Markle Common Framework. Issues addressed in that Policies in Practice document pertain to new obligations for business associates, enhanced penalties, new breach notification rules and additional restrictions on the use of protected health information.
The consent resource provides context for implementing the privacy principle of individual participation and control. This is one of the Fair Information Practice Principles. It suggests ways for health information sharing efforts to establish their own policies and best practices. Policies for providing individuals with meaningful and well-informed choices about information sharing, including via consent, are essential but can only be effective when considered within the entirety of the information sharing needs, policies and protections of an organization.
This resource offers a three-step process for consideration when addressing the issue of consent. Rather than starting with consent, it recommends that the issue is actually addressed last. The first step is to initiate a policy-setting process based on sound governance principles. The second step is to consider all of the FIPPs-based privacy principles together to develop a set of specific base-line policies, and then the third step would be to address the FIPPs-based privacy principle of individual participation and control, as well as openness and transparency when determining policies with respect to consent.
The individual access document identifies and specifies opportunities for addressing individual access and engagement in relation to health information sharing. The download capability is recommended as a starting point for health information sharing efforts in addressing individual access. Convenient access to one's own personal health information is a building block to helping people live healthier lives and obtain higher quality and more cost-effective care.
Consumer access to personal health information must be implemented with sound privacy and security safeguards in place, and our Policies in Practice document on the download capability provides information as to how to go about implementing such a private and secure download capability.
The governance document clarifies the objectives of governance, detailing attributes of the governance process and providing specific guidance with respect to the role of consumers. Policies and procedures that are developed through a collaborative process that seeks early input and broad participation have a greater likelihood of being understood and supported by those they're designed to serve. Governance takes both leadership and the establishment of a process to support it. When well-executed, the articulation of the common vision, support for common goals and well-understood accountability among participants, results in greater trust. Confidence and trust in governance processes can improve the performance and impact and long-term viability of the entities engaged in health information sharing.
Finally, the procurement document details important elements to apply in technology procurement efforts so that the required policies are part of the acquisition and implementation of the technology. Privacy comes into play in this document in that we make the recommendation to develop your privacy policies ahead of time and then have the policy and technology procurement roles go hand-in-hand so that the technology can enable the intended policies.
Updates to Guide
ANDERSON: I understand more information soon will be added to the Policies in Practice guide. Can you describe what's going to be added?
BAILYN: We're going to be updating the model contract. There was first a model contract released in connection with the Markle Common Framework in 2006. It was designed to help health information sharing efforts develop data sharing agreements that implement the Policies in Practice informed by the Markle Common Framework. While the resource is not meant to be a substitute for legal advice, it includes specific language that can be amended or used directly by attorneys who are advising health information sharing efforts. Some of the issues that are addressed in the model contract include the administration of data-sharing agreements and authorizing system users. The updated model contract will reflect changes to the legal and regulatory environment as well as integrate lessons learned and best practices that have emerged as health information sharing efforts have used the model contract in similar contractual agreements over the past years.
In addition, we anticipate that both the key laws and regulations resource and the FAQs will be living documents and will continue to be updated as the legal environment changes and as additional questions about the Markle Common Framework arise.
ANDERSON: That model document - when might that be available?
BAILYN: We're expecting that to be released in the next month or two.
Insights for HIEs
ANDERSON: To wrap up, federal regulators are in the early stages of drafting potential guidelines for health information exchanges in a nationwide health information governance rule. Is your new Policies in Practice resource designed to provide some insights that HIEs and others can put to use while awaiting this federal guidance? Is that the intent?
BAILYN: To some extent, yes. Our Policies in Practice resource on governance was drafted really to demystify what governance means and provide a very broad overview of guidance on how to develop a sound governance framework. The governance resource may inform the current RFI on governance that was recently issued by ONC [Office of the National Coordinator for Health IT]. In particular, the principles we lay out that should be used when developing governance to achieve trusted interoperability can be used as broad guidelines or success factors to consider when developing the mechanisms that are more specifically going to be proposed in the [NwHIN Governance Rule]. The principles include broad participation, representation, accountability and transparency, as well as effectiveness and flexibility. So in that respect, it's very broadly written. Finally, we emphasize the need for consumer engagement in any governance regime, an element that also may be important to consider when reviewing the RFI and the later rule.
ANDERSON: Just to summarize Policies in Practice, this new resource is something that health information exchanges and others involved in data exchange can use to help make certain decisions regarding their policies?
BAILYN: Exactly. If you have a health information sharing effort, wherever you are in your trajectory of developing your processes or your organization, you'll have to develop a set of policies and then a set of practices based on those policies to engage in health information sharing, and do it in a private and secure manner that enables you to be interoperable with other entities that are sharing health information and develop an environment of trust both for the users within that network of sharing as well as the patients whose information is being shared.
The Markle Common Framework for health information sharing that was initially developed started to look at what types of policies would need to be put in place in order to create that environment of trust. And now the Policies in Practice document that we have just released really updates those initial documents for the current health information sharing environment, taking into consideration the updates in the law and lessons learned by those who have now been in the field for a number of years doing it.