Bringing It All Together: Who Does HIPAA and HIT Belong To

1
Bringing It All TogetherWho Does HIPAA and HIT
Belong To?

• Presented at the
• HIPAA COW Spring 2007 Conference
• Oconomowoc, WI March 30, 2007
• Walter G. Suarez, MD, MPH
• President and CEO
• Institute for HIPAA/HIT Education and Research

2
Introduction

• Since HIPAA implementation started in 2003, a new
  set of national, regional, state and local
  initiatives have emerged
• Focus Adoption of interoperable health
  information technology and infrastructure to
  support the electronic exchange of clinical
  information
• New Vocabulary and Terminology
• Interoperability, Harmonization, Certification
• HIE, HIT, EHRs, PHRs, RHIOs (RHIEs?), NHIN
• AHIC, HISTP, HISPC, CCHIT, SA4eH

?
3
Why are we doing all this?

• Health Care Costs
• 2.2 Trillion in 2006 16 GDP
• 600B spent annually on administrative processes
• Health Care Quality
• Medical errors and patient safety
• 300B spent annually on treatments with no
  health yield
• Health Care Access
• Reduction in variability of health care access
  and delivery
• Consumer-centric Health Care
• Empowerment of consumer involvement in health care

4
Why are we doing all this?

• Strengthening health information privacy,
  security
• Consumer controls on privacy and security
• Higher risks and opportunities for control in an
  ever increasing electronic health information
  environment
• Enhancing Public Health and Population Health
• Improving public healths roles of surveillance,
  prevention
• Improving interface of clinical care and public
  health
• Health education
• Accelerating health knowledge diffusion
• Improving translation of knowledge into practice

5
Levels of Health Information Exchange
Best Care Hospital System
Intra Organizational HIEs
6
Levels of Health Information Exchange
Inter Organizational HIEs within a
RegionNetwork of Networks
Intra Organizational HIEs
7
Levels of Health Information Exchange
Inter RegionalHIEs within a NHINNetwork of
Network of Networks
Best Care Hospital System
Inter Organizational HIEs within a
RegionNetwork of Networks
Intra Organizational HIEs
8
Source Third Annual Survey of HIE Activities at
State, Regional and Local Levels. eHealth
Initiative, September, 2006
9
The National Health IT Strategy
10
The National Health IT Strategy
11
The National Health IT Strategy
12
The National Health IT Strategy
American Health Information Community(Led by HHS
Secretary Michael Leavitt)
Agency for Healthcare Research and Quality (AHRQ)
Office of the National Coordinator
StandardsHarmonizationContractor (HITSP)
ComplianceCertification(CCHIT)
Privacy/SecuritySolutions(HISPC)
NHINPrototypeContractors
State Alliance For eHealth
Continuous Interaction with Multiple Public and
Private Stakeholders
Regional Health Information Organizations (RHIO
s)
Consolidated Health Informatics (CHI)
Private Sector HIT Initiatives
Other Federal HITInitiatives
National Committee on Vital and Health
Statistics
13
AHIC American Health Information Community
American Health Information Community(Led by HHS
Secretary Michael Leavitt)
Chronic Care
Consumer Empowerment
Personalized Health Care Records
Population Health Clinical Care Connections
Quality
Confidentiality, Privacy and Security
Electronic Health Records
AHIC - Federal advisory body chartered in 2005 to
make recommendations to the Secretary of HHS on
how to accelerate the development and adoption of
interoperable health IT and electronic health
records, and assure privacy and security of those
records
14
AHIC Workgroups

• Consumer Empowerment
• Wide spread adoption of a personal health record
  that is easy-to-use, portable, longitudinal,
  affordable, and consumer-centered.
• Electronic Health Records
• Wide spread adoption of certified EHRs,
  minimizing gaps in adoption among providers.
• Population Health
• Facilitate flow of reliable health information
  among population health and clinical care systems
  necessary to protect and improve the publics
  health.
• Confidentiality, Privacy and Security
• Protection of personal health information in
  order to secure trust, and support appropriate
  interoperable electronic HIEs.

15
AHIC Workgroups

• Quality
• Ensure that health IT provides data for
  development of quality measures, automate
  measurement and reporting of quality measures,
  and accelerate use of clinical decision support
  that can improve performance on those quality
  measures. Also, make recommendations for how
  performance measures should align with the
  capabilities and limitations of health IT.
• Chronic Care
• Deploy widely available, secure technology
  solutions for remote monitoring and assessment of
  patients and for communication between clinicians
  about patients.
• Personalized Health Care Records
• Broad, community-based approach to determine how
  health IT can be used for interoperable
  integration of genomic information into personal
  electronic health records

16
NHIN The Nationwide Health Information Network

• Network of Networks of Networks
• Framework for health information network service
  providers
• Interconnecting Regional Health Information
  Exchanges
• Business/Technical Issues
• Standards
• Sustainability
• Security

17
(No Transcript)
18
(No Transcript)
19
HITSP Health Information Technology Standards
Panel

• The mission of HITSP is to serve as a cooperative
  partnership between the public and private
  sectors for the purpose of achieving a widely
  accepted and useful set of standards specifically
  to enable and support widespread interoperability
  among healthcare software applications, as they
  will interact in a local, regional and national
  health information network for the United States.
• The Panel is sponsored by the American National
  Standards Institute (ANSI) in cooperation with
  strategic partners (i.e., HIMSS, others)

20
HITSP Health Information Technology Standards
Panel

• Process
• Partnership of public and private stakeholders
  operating through a neutral and inclusive
  governance model
• Board of Directors, HITSP Panel, Technical
  Committees, and Coordination Committees
• Consensus based process
• Consensus process is used to success for majority
  of TC decisions Voting process needed only when
  consensus process failed
• 300 registered HITSP organizations estimated
  12,000 volunteer hours (through September 2006)
• Product
• A set of Implementation Specifications of
  Harmonized Standards applicable to specific use
  cases

21
HITSP Health Information Technology Standards
Panel
2006
Accepted
2007
22
CCHIT Certification Commission for Health
Information Technology

• Certification Attributes
• Functionality
• Interoperability
• Security

23
CCHIT Certification Commission for Health
Information Technology
CCHIT SCOPE OF WORK
24
HISPC Health Information Security and Privacy
Collaborative
Office of the National Coordinator
Agency for Healthcare Research and Quality (AHRQ)
Privacy/SecuritySolutions (HISPC) RTI Lead
Consultant
Technical Advisory Panel
Sub-Contractors 33 States and Puerto Rico
25
HISPC Basics Project Goals

• Identify variations in organization-level
  business practices and policies, and state laws
  that create barrier to HIE
• Identify practices and policies that serve as
  checkpoints
• Document rationale/driver behind practice/policy
• Identify and develop solutions
• To address barriers and harmonize variations
• Preserving and enhancing the protection of health
  information
• Develop implementation plans for prioritized
  solutions

26
HISPC Basics Project Structure and Process

• 18-month project funded by AHRQ in collaboration
  with ONC
• Lead contractor RTI Internation, Inc.
• 34 subcontractors (33 states Puerto Rico)
  responsible for project implementation within
  each state
• Structured methodologies to gather/analyze data
  within states
• Formation of various state committees and
  workgroups (Steering Committee, Variations
  Workgroup, Legal Workgroup, Solutions Workgroup,
  Implementation Workgroup)
• Involvement of all stakeholders (providers,
  payers, Medicaid, public health, local
  government, university, pharmacy, long term care,
  and Consumer groups)
• Interactive database tool to collect business
  policies and practices from states

27
HISPC Basics Project Structure and Process

• Nine privacy/security domains to analyze
• Authentication, Authorization, Access Control,
  Audit
• Patient and Provider Identification
• Transmission Security and Protection
• Administrative/Physical Security
• State Laws
• Health Information Privacy and Security Policy
• Eighteen Scenarios
• Treatment/Patient Care (4) Payment (1) RHIO
  (1) Research (1) Law Enforcement (1)
  Prescription Drugs (2) Operations/Marketing (2)
  Public Health/BioTerrorism (3) Employee Health
  Info. (1) State Government Oversight (1)
• Regional meetings (October-November, 2006)
• National Conference (March, 2007)

28
HISPC Basics Project Deliverables (States)

• Collection and analysis of business practices,
  policies and state laws (April - November, 2006)
• Interim analysis of variations report (Dec, 2006)
• Interim analysis of solutions report (Feb, 2007)
• Interim implementation plan report (March, 2007)
• Final variations-solutions report (April, 2007)
• Final implementation plan report (April, 2007)

29
HISPC Basics Project Deliverables (RTI)

• National summary of interim analysis of
  variations (February, 2007)
• National summary of interim analysis of solutions
  (March, 2007)
• National summary of interim implementation plans
  (April, 2007)
• National Conference Report (April, 2007)
• National summaries of final variations-solutions
  and implementation plan reports (May, 2007)
• National Project Summary and Recommendations
  Report (May-June, 2007)

30
State Alliance for e-Health

• Created by the National Governors Association
  (2007)
• Purpose
• From a state-specific perspective, address
  barriers to health information exchange and
  adoption of health IT, while preserving privacy,
  security, and consumer protections.
• Build consensus in seeking the harmonization of
  the variations in state policies, regulations,
  and laws, where appropriate, and develop
  standards and/or guidance for modifying such
  policies, regulations, or laws.
• Allow for dialog among states that will fuel
  creativity and partnerships among states and with
  the private sector in the health IT arena.

31
State Alliance for e-Health Working Groups

• Health Information Protection Taskforce
• Focus on addressing state-level issues related to
  preserving the privacy of consumer health
  information while ensuring appropriate and secure
  electronic exchange of consumer health data
  within states and across states.
• Health Care Practice Taskforce
• Focus on state-level issues related to best
  practices and the harmonization of regulatory,
  legal, technical, and professional standards that
  have an impact on the practice of medicine in
  interoperable, electronic HIE.
• Health Information Comm./Data Exchange Taskforce
• Focus ways in which states can enhance publicly
  funded programs through cooperative HIEs with the
  private sector.

32
Many Other National and Regional Efforts

• Agency for Healthcare Research and Quality
• National Health IT Resource Center
• National Committee on Vital and Health Statistics
• Federal Health Architecture/Consolidated Health
  Informatics Initiative
• AHIMA Developing Best Practices and Practical
  Tools for State-level Health Information Exchange
  Initiatives
• e-Health Initiative
• Markle Foundation Connecting for Health /
  Regional Health Information Exchange Framework
• State and Regional Initiatives.

33
Health Information Security and Privacy
Collaborative (HISPC)
And. Lets Talk HIPAA
34
Where is HIPAA?

• Transactions and Code Sets
• Are we done with 4010A1?
• Will we ever see Claim Attachments?
• When will 5010 come?
• And what about ICD10?
• Health Identifiers
• Will we make it to the NPI race?
• What about PlanID?

35
Where is HIPAA?

• Privacy
• Changes coming?
• Minimum Necessary?
• Accounting of Disclosures?
• Applicability to HIEs, RHIE organization, etc
• Security
• Transmission Security, Remote Access
• Whats next?
• Enforcement
• Really.?

36
Health Information Security and Privacy
Collaborative (HISPC)
The Bottom Line
37
Bottom Line

• Still Struggling with HIPAA
• Renewed interest in Privacy and Security
• Pushed by Health IT, EHRs, PHRs, HIEs, etc
• Lots of energy around Health IT
• Lots of interest in advancing adoption of HIT
  EHRs, PHRs, etc
• Lots of interest in making HIEs work, creating
  state/regional HIE organizations
• Federal Government and States investing in health
  IT

38
Bottom Line

• Lots of new structures
• Can we ever keep up?
• A Brand New Approach to Standardization
• Harmonization
• Adoption outside of the normal HIPAA process
• Challenges
• Confusion, Coordination, Duplication, Resource
  Availability, Expertise. And
• Funding! who will pay for maintaining all this?

39

• Thank You!
• Walter G. Suarez, MD, MPH
• President and CEO
• Institute for HIPAA/HIT Education and Research
• Alexandria, VA
• Phone (952) 221-3841
• Email walter.suarez_at_sga.us.com