1. Kansas Privacy and Security Update AHRQ Annual Research Meeting Washington, DC September 27, 2007 Robert F. St. Peter, M.D. President and CEO Kansas Health Institute

2. Kansas HIE Initiatives Overview Kansas Insurance Department Standardized Practitioner Credentialing Gov’s Commission Privacy & Security Project Privacy & Security Steering Committee Variations Working Group Legal Working Group Solutions Working Group Implementation Working Group HIT/HIE Policy Summit Initiative HIT/HIE Steering Committee Clinical Working Group Technical Working Group Financial Working Group Governance Working Group Advanced ID Card Initiative ID Card Steering Committee Kansas Dept. of Health and Environment Public Health Information eXchange RWJ Information Links Grant

3. KS Privacy and Security (I) Project Project management team  Kansas Health Institute, Governor’s Commission  University of Kansas Center for Healthcare Informatics  Private attorneys Process for assessing business scenarios and domains  Broad stakeholder input  Validation continuing today

4. Major Themes Wide geographic variations in business practices – many parts of rural Kansas have few physicians and hospitals, limited health resources, while some cities have considerable duplication Few physicians’ offices are “wired,” there are no RHIOs, little electronicization outside urban areas HIPAA has been fully integrated into all stakeholder practices – yet some consider it a barrier, some neutral, and some an aid Some physician offices and hospitals have extensive policy manuals, others rely on common practices

5. Major Barriers Very little use of EMRs among physicians Wide variety of non-interoperable software systems Obtaining patient consents, re-consents, authorizations of release is cumbersome Widely ranging interpretations of HIPAA Varying policies on outside access to medical records complicates interoperability among different stakeholders

6. Key Findings Patient focus:  Clarify patient consent Business Operations focus:  “Electronicization”  Weak policies  Narrow policies Legal focus:  Weak understanding of the law  Antiquated state laws Regional focus:  Multi-state solutions

7. Solution Strategies Patient focus:  Patient/Consumer education  Patient IDs, MPI and record locator services  Notifications, authorizations, access controls Business Operations focus:  Promote adoption of electronic HIE through “Learning communities” of providers HIE/HIT Policy Initiative readiness assessment  Strengthen business policies and practices through HIE Resource Center

8. Solution Strategies – cont’d Legal focus:  Consistent and comprehensive statewide interpretation of HIPAA  Identification of state laws and regulations needing modernization to create compliance with HIPAA  Lobby for creation of safe harbors Regional focus:  Medical service area analysis  Coordination with border states, starting with Missouri Immunization registries CareEntrust initiative by employers

9. KS Privacy and Security (II) Project Legal Review  Catalog statutes and regulations related to health information privacy and security  Draft statutory language, specifying baseline privacy and security standards HIT/HIE Privacy and Security Coordinating Entity and Educational Toolkit  Produce governance documents and principles acceptable to a majority of stakeholders for statewide implementation of health information privacy and security strategies.  Develop a curriculum targeted to a specific market segment, a teaching guide and a program evaluation plan.

10. KS Privacy and Security (II) Teams Planning team produces business plan for a self-sustaining institution with an explicit early focus on privacy and security  Convene stakeholders to identify business goals, markets, services, distribution channels.  Describe staffing, operations, business alliances, service pricing model (and other revenue sources), success measures  Design legal organizational structure and governance Legal team drafts legal organizational documents  Recommend governance structure, including relationships to existing organizations, e.g. HIEC, KHPA

11. Teams – cont’d Curriculum team, in parallel with foregoing activities, develops HIE P&S Educational Toolkit as the first service offering of the Kansas HIE resource center  Educational objectives described by Planning team  Course content contributed by Legal team  Teaching strategies recommend by education experts Multi-state collaboration teams  Harmonizing state privacy law: KS, ID, KY, MI, FL, NM, TX  Consumer education and engagement: KS, CO, GA, MA, NJ, NY, OR, WA, WV

12. Plans for 2008 Provide resources for 2008 legislative session Continue detailed review of statutes and regs Continue participation in multi-state collaborations to secure new funding for joint activities Organize and staff the HIE Coordinating Entity Roll out first education program for consumers Continue development of additional curricula

13. Information for policy makers. Health for Kansans. Kansas Health Institute