Robert F. St. Peter, M.D. President and CEO Kansas Health Institute Kansas Privacy and Security Update AHRQ Annual Research Meeting Washington, DC • September 27, 2007 Robert F. St. Peter, M.D. President and CEO Kansas Health Institute

Kansas HIE Initiatives Overview Context for HISPC among other Kansas initiatives Point out HISPC = Privacy and Security Mention 4 HISPC Working Groups RWJ Information Links Grant

KS Privacy and Security (I) Project Project management team Kansas Health Institute, Governor’s Commission University of Kansas Center for Healthcare Informatics Private attorneys Process for assessing business scenarios and domains Broad stakeholder input Validation continuing today On going validation: Stakeholder and professional associations Governmental agencies at all levels Consumer groups

Major Themes Wide geographic variations in business practices – many parts of rural Kansas have few physicians and hospitals, limited health resources, while some cities have considerable duplication Few physicians’ offices are “wired,” there are no RHIOs, little electronicization outside urban areas HIPAA has been fully integrated into all stakeholder practices – yet some consider it a barrier, some neutral, and some an aid Some physician offices and hospitals have extensive policy manuals, others rely on common practices

Major Barriers Very little use of EMRs among physicians Wide variety of non-interoperable software systems Widely ranging interpretations of HIPAA Varying policies on outside access to medical records complicates interoperability among different stakeholders Obtaining patient consents, re-consents, authorizations of release is cumbersome

Key Findings Patient focus: Business Operations focus: Legal focus: Clarify patient consent Business Operations focus: “Electronicization” Weak policies Narrow policies Patient focus: Establishing patient consent. Clarifying and coordinating patient consent and authorization for data uses and disclosures is a paramount concern. A related issue is how to adequately prepare patients to make informed decisions about the disposition of their clinical data. Business operations focus: Electronicization. The vast majority of health care providers in Kansas have not yet adopted electronic information technologies to manage and store clinical data. Current information safeguards, therefore, are overwhelmingly manual. Adaptation of existing policies and procedures to an interoperable electronic environment presents a significant challenge. Weak policies. Health information exchange security in many places is governed by workgroup behavior norms rather than adherence to formal policies and procedures, even where formal policies and procedures do exist. Though behaviors and policies often coincide, in some cases behavioral norms circumvent policies. Narrow policies. Many providers handle protected health information in non-clinical applications such as billing systems. Formal polices and procedures for protecting information privacy and security are common in such venues. However, these policies and procedures focus mainly on internal business operations and largely do not address information exchanges with outside parties, except for claims submissions for payment. Legal focus: KS LWG analysis of scenarios identified broader legal concerns than were identified by other stakeholders Weak understanding of the law. Most businesses diligently attempt to comply with Kansas law and with their individual interpretations of HIPAA. But state privacy and confidentiality laws are fragmented and are weakly understood. Interpretations of the law vary greatly, so the quality of implementation may be inconsistent and “HIPAA compliance” can become a pretext for unnecessarily complicating or denying requests for HIE. Antiquated state laws. Kansas statutes and administrative regulations are antiquated and largely fail to contemplate electronic health information exchange. Stakeholders seem to be unaware of or unconcerned with the potential legal pitfalls resulting from the interplay between state law and administrative regulation and HIPAA requirements, even though they are keenly aware of the need to honor patient privacy. “HIPAA” may then become the rubric for any restrictions on HIE to maintain patient privacy. Regional focus: Multi-state solutions. Much health information exchange in eastern Kansas is interstate; therefore business and legal solutions must be coordinated regionally. Legal focus: Weak understanding of the law Antiquated state laws Regional focus: Multi-state solutions

Solution Strategies Patient focus: Business Operations focus: Patient/Consumer education Patient IDs, MPI and record locator services Notifications, authorizations, access controls Business Operations focus: Promote adoption of electronic HIE through “Learning communities” of providers HIE/HIT Policy Initiative readiness assessment Strengthen business policies and practices through HIE Resource Center Patient focused solution strategies Patient/Consumer and provider education – information about one’s rights; preparation for granting of informed consent; acquisition of technical skills to navigate and interpret stored information. “Learning communities” – public listening exercises for grass roots solution sharing Pilot projects: Healthe Mid-America / InformationLinks, Kansas Medicaid Community Health Records Patient IDs, master patient indexes and record locator services. Workshops and other public dialogs, followed by development of an “innovation adoption strategy” for assignment of identifiers until best practices emerge or regulations are enacted. Pilot projects: Kansas Immunization Registry / local health departments and other providers, Kansas Health Policy Authority / Kansas State Employee Health Plan / Kansas Insurance Department record consolidation, Advanced ID Card Technology Initiative Patient notifications, authorizations and access controls, including: access to one’s own information and the ability to edit some portion thereof; control over permitted conditions for data disclosure: how much information, to whom, for what purpose, for how long – i.e., patients’ control over the rules; patient notification, accounting and audit of prospective and retrospective data uses and disclosures; patient consent, denial or revocation of consent for specific instances of information use and disclosure – i.e., patients’ responses to specific authorization requests—as well as those of medical power of attorney and other personal representatives. Continue participation in NCVHS Share lessons learned among pilot projects described in 1.b. and 2.b. above to develop a consistent set of policies for patient notifications, authorizations and access controls. Business operations focused solution strategies Electronicization – promote adoption of electronic technology for the management of health information through: “Learning communities” – AAFP Standards development and interoperability HIT/HIE Policy Initiative readiness assessment and roadmap to promote development of RHIOs: governance, finance, clinical issues, technology Pilot projects: Kansas City Regional Electronic Exchange (KCREE), KC CareLink, Browsersoft Strengthening business policies and practices through a Resource Center that could help coordinate day-to-day business expectations and activities “Learning communities” – use state’s role as convener to build consensus around best practices State certification of health information exchange organizations Systems analysis to promote compliance and quality improvement – e.g., 1999 IOM report, “To Err is Human”

Solution Strategies – cont’d Legal focus: Consistent and comprehensive statewide interpretation of HIPAA Identification of state laws and regulations needing modernization to create compliance with HIPAA Lobby for creation of safe harbors Legally focused solution strategies Background: LWG found broader legal concerns from the scenarios presented than were identified by stakeholders HIPAA often used as an excuse to restrict HIE Perception of HIPAA as a “barrier” is misplaced HIPAA could be transformed from “barrier” into an “aid” IF: State laws and regulations were modernization in order to marry state law with HIPAA. Providers and consumers receive education regarding the correct interpretation of HIPAA. This will decrease confusion among providers and consumers Regionally focused solution strategies Medical service area analysis (KHPA) Coordinate with the Missouri Governor’s Technology Taskforce Work with the Missouri Department of Health and Senior Services to extend the reach of both states’ immunization registries Regional focus: Medical service area analysis Coordination with border states, starting with Missouri Immunization registries CareEntrust initiative by employers

KS Privacy and Security (II) Project Legal Review Catalog statutes and regulations related to health information privacy and security Draft statutory language, specifying baseline privacy and security standards HIT/HIE Privacy and Security Coordinating Entity and Educational Toolkit Produce governance documents and principles acceptable to a majority of stakeholders for statewide implementation of health information privacy and security strategies. Develop a curriculum targeted to a specific market segment, a teaching guide and a program evaluation plan. Legal Review: KS has 16 health law attorneys focusing on legal review of KS HIE statutes and regulations. These include attorneys affiliated with private firms, state agencies, and not-for-profit stakeholder organizations (e.g. KHA, KMS, KHI) They have created an excel workbook which is organized by chapter (e.g. Public Health, Insurance, Mental Health) and contains links to each HIE related state law and regulation. The attorneys are analyzing this information to identify which laws require modernization. The same group of attorneys will draft statutory language to manage compliance issues with KS law and HIPAA. The goal is to have KS laws that coordinate with HIPAA and support the same baseline privacy and security standards. HIT/HIE Coordinating Entity: The creation of a public/private partnership that is charged with managing HIE privacy and security standards and strategies is essential to help more KS providers and consumers welcome the adoption of electronic HIE. This entity will be able to serve both providers and consumers needs for understanding more about HIE, the different technologies, and which technologies to adopt.

KS Privacy and Security (II) Teams Planning team produces business plan for a self-sustaining institution with an explicit early focus on privacy and security Convene stakeholders to identify business goals, markets, services, distribution channels. Describe staffing, operations, business alliances, service pricing model (and other revenue sources), success measures Design legal organizational structure and governance Legal team drafts legal organizational documents Recommend governance structure, including relationships to existing organizations, e.g. HIEC, KHPA Three teams were organized to address Kansas’ HISPC II foci: planning, legal and curriculum. The work of these three teams is interwoven. Some of the legal team’s product becomes a source of course content for the curriculum team. The self-sustaining institution designed by the planning team will be available to deliver the course(s) developed by the curriculum team.

Teams – cont’d Curriculum team, in parallel with foregoing activities, develops HIE P&S Educational Toolkit as the first service offering of the Kansas HIE resource center Educational objectives described by Planning team Course content contributed by Legal team Teaching strategies recommend by education experts Multi-state collaboration teams Harmonizing state privacy law: KS, ID, KY, MI, FL, NM, TX Consumer education and engagement: KS, CO, GA, MA, NJ, NY, OR, WA, WV Multi-State: The multi-state collaborative teams met in Denver earlier this month to discuss the needs of each state and to organize plans for moving ahead with HIE work. Harmonizing State Privacy Laws: These states are working on similar issues such as cataloging their state specific HIE laws and regulations, and identifying the gaps and barriers to HIPAA. The team is developing plans for 2008 which include: A state law matrix for all 7 states that maps HIPAA to the individual state laws The goal is to create a tool and analysis plan that other states can use to map their HIE laws The team would like to develop a model law that includes standard definitions for HIE terms and clarifies areas where the majority of states’ laws are misaligned with HIPAA. Consumer Education and Engagement: The collaborative will engage consumers in each state to learn how consumers perceive HIE and what is most important to them. To help develop consumer education materials (e.g. documents, videos) that can be used by each state, the group will inventory existing HIE materials, partner with consumer organizations (e.g. AARP, ACLU, NAMI) and refine these tools to match consumer needs. The collaborative will identify consumer target groups (e.g ethnicity, age, culture, health status) and conduct focus groups to test their newly created education materials

Plans for 2008 Provide resources for 2008 legislative session Continue detailed review of statutes and regs Continue participation in multi-state collaborations to secure new funding for joint activities Organize and staff the HIE Coordinating Entity Roll out first education program for consumers Continue development of additional curricula KS plans to have a comprehensive statutory and regulatory HIE catalog for legislators and attorneys to work with. This can be used to manage KS laws that are not in compliance with HIPAA. Multi-State Collaborative The collaborative groups are meeting Nov. 1st and 2nd to discuss long term goals for 2008 KS plans to continue working with other states to share information on HIE policy development and educational material to create a better understanding of HIE Coordinating Entity The KS HIE Coordinating Entity will begin managing programs and long term goals for HIE standards and education for consumers and providers The work that is done in the national collaboratives will help the entity develop additional curricula and ease the adoption of electronic HIE throughout the state.

Kansas Health Institute Information for policy makers. Health for Kansans.