Complicated Game

HISPC Privacy and Security Collaborative Hands off Three Years of Work


The ambitious experiment to identify and lower the privacy and security barriers to health information exchange is winding down. The legacy, say participants, is awareness, resources, and proof that collaboration works. What happens next, however, is uncertain.


by Chris Dimick

The Health Information Security and Privacy Collaboration (HISPC) reported its final recommendations in March, winding down the largest assembly of privacy and security healthcare stakeholders in US healthcare history.

Over the course of nearly three years, groups in 42 states and US territories worked to identify and solve the privacy and security barriers to intrastate and interstate health information exchange. The group leaves behind a diverse array of recommendations and resources focused on facilitating the secure nationwide exchange of personal health information—their attempts to work through a tangle of inconsistent consent agreements, competing state laws, and legal ambiguity.

The $39.5 million project, funded by the Agency for Healthcare Research and Quality and the Office of the National Coordinator for Health Information Technology (ONC), largely wrapped up its work at a national conference March 4 to 6 outside Washington, DC, when the seven multistate collaboratives of the final phase presented their deliverables.

The March conference was initially planned as the end of the project, but within several weeks ONC announced an extension to project directors. This “HISPC Phase 3—Challenge and Innovation Stage” will extend the project until July and allow HISPC participants to test or implement deliverables they generated in the final phase.

The announcement is what many HISPC participants were hoping for, even if the extension is brief. Many are determined to see that their work not be reduced to a report on a shelf. They hope their resources will be used to bring the US closer to the day when a doctor in Miami can retrieve a patient’s complete medical record from a hospital in Seattle.

HISPC’s Legacy: Awareness, Collaboration

HISPC started in 2006 as 34 states and territories working to identify the privacy and security barriers to nationwide health information exchange. Stakeholders from across healthcare came together for the effort.

That first phase concluded in May 2007 with a report that got the issues onto the table and recommended ways forward. In phase 2, which ran from June 2007 to January 2008, state groups began implementing their phase 1 recommendations through state-specific improvement projects.

The focus shifted to regional collaboration in phase 3, and the project grew to include groups in 42 states and territories. State groups broke into seven regional collaborative groups, with each group focused on a different barrier or issue identified in the earlier phases.

The complete impact of the work has yet to be seen, but the fact that so many stakeholders assembled to discuss these vast issues is possibly the project’s biggest accomplishment, according to Linda Dimitropoulos, director of the health sciences program at RTI International and HISPC project manager. RTI contracted with the federal government to run the project.

“I think it was clearly eye-opening for many states,” Dimitropoulos says. “In terms of just educating stakeholders across the country and having them engage in a national conversation, I think was probably one of the bigger successes of the project… To be honest, I don’t think there has ever been a project like this that has reached out to so many stakeholders in so many places across the country.”

Before HISPC, many states had not begun any work on interoperable HIE and did not understand the extent of the barriers, Dimitropoulos says. The universal focus was on health IT adoption—the hardware and software of information exchange—and not the laws, policies, and procedures that govern the exchange itself. HISPC changed that thinking, she says.

“There was this whole process of people becoming aware that to prepare for health information exchange, you really had to look at the environment for privacy in the state and in the organizations within the states as it exists in the paper world to even see if you have the infrastructure in place to have an electronic health information exchange,” Dimitropoulos says.

HISPC brought together organizations in direct competition that typically might never communicate. This is another major accomplishment, says Bill O’Byrne, state coordinator of electronic health information technology development at the New Jersey Department of Banking and Insurance and cochair of the HISPC Inter-Organizational Agreements (IOA) Collaborative, one of the seven phase-3 groups. The work established links across state lines that will serve as valuable ties as the nation continues to plan electronic health record exchange, O’Byrne says.

Inter-Organizational Agreements Collaborative

O’Byrne’s IOA Collaborative illustrates the arc of the HISPC project, from identification of barriers to a focus on solving one closely defined piece of the puzzle: in this case, creating a standard legal agreement to facilitate the interstate exchange of immunization records among state health departments.

In most states, no formal structure exists that allows one state to exchange public health records with another. When the transfer of public health data is performed, it is agreed upon using specialized legal agreements. Even more variation exists when private organizations exchange public health data with other private entities (a challenge the group also addressed).

Since most public health data are collected in the same way with the same format, the technical issues of exchanging the data are minimal, O’Byrne explains. The hard part comes from working out the legal agreements state health departments need to ensure data will change hands without misuse.

“We found out that the more difficult problem was not the technology, it was having a common agreement that [department of health officials] would actually sign that would be recognized in different states,” O’Byrne says.

A standardized agreement makes it easier for state public health agencies to say yes. “Nobody will turn on any technology for data exchange if the legal aspects are not in place and agreed upon,” O’Byrne says.

The IOA Collaborative developed a core set of privacy and security provisions and pilot tested two model agreements—one agreement for state public health departments, the other for exchange among private entities. The ultimate goal was to get states to begin exchanging records.

The group’s first step was creating a standard data-sharing agreement that would be acceptable to all US states and territories. The collaborative rounded up dozens of current agreements from around the country, reviewed them side-by-side, and extracted similar provisions. The group then took the best language and provisions and distilled them into one standard document for exchange of public health data and one for data exchange between private entities.

The next step was to see if any healthcare organization would sign them. The group had early success. As of mid-February, the departments of health in Iowa, South Dakota, and Guam had signed the public-to-public agreement. It was a random group to start, but they began actively sharing immunization records.

New Jersey and several states, including some states that did not participate in HISPC, were on the brink of signing the following month. The American Immunization Registry Association, which is funded by the Centers for Disease Control and Prevention, recently endorsed the use of the public-to-public agreement—a golden stamp of approval O’Byrne believes will lead to mass adoption by other states. The project extension will allow the group to further promote the agreement.

The IOA project could be expanded beyond immunization records authorizations into other public health registries such as lead screening and communicable diseases, O’Byrne says. That work would have to continue as part of the HISPC phase 3 extension or outside of HISPC if other funding becomes available.

“This becomes very useful information,” O’Byrne says, “because when people travel—and we have an enormous number of snow birds that go from New Jersey down to Florida for the winter—if they could get their public health record down there, just their shot record and what medications they take, that would be a tremendous benefit for these senior citizens.”

The Phase 3 Collaboratives

Forty-two states and territories participated in one or more of the seven groups in phase 3 of the HISPC project. Their deliverables, presented in March, are available online at www.hhs.gov and http://privacysecurity.rti.org. In the three-month extension currently under way, the groups will test or implement their work.

Interstate Disclosure and Patient Consent Requirements

  • Formed: to document the state law requirements for interstate disclosure of protected health information for treatment
  • Created: a state law requirements reference guide for interstate disclosure of health information for treatment purposes
  • Participants: IN, MA, ME, MN, NH, NY, OK, RI, UT, VT, WI

Interstate and Intrastate Consent Policy Options

  • Formed: to identify and evaluate consent options for electronic health information exchange at the state level and between states
  • Created: a road map for evaluating five model approaches to intrastate consent; matrix of international and national consent approaches; guidebook to analyzing interstate legal mechanisms
  • Participants: CA, IL, NC, OH

Harmonizing State Privacy Laws

  • Formed: to develop processes and tools for states to harmonize disparate state laws
  • Created: a comparative analytical matrix of state law and a road map for action; framework for legislative action
  • Participants: FL, KY, KS, MI, MO, NM, TX

Consumer Education and Engagement

  • Formed: to develop a series of coordinated, state-specific projects to educate consumers on privacy and security
  • Created: FAQs for sensitive information; videos, Web sites, TV, and radio public service announcements, and brochures featuring privacy and security education
  • Participants: CO, GA, KS, MA, NY, OR, WA, WV

Adoption of Standard Policies for Authentication and Audit

  • Formed: to develop a process to reconcile various organizational security policies implemented across different electronic health information exchange models
  • Created: recommendations for basic policy requirements for authentication and audit; implementation guide
  • Participants: AZ, CO, CT, MD, NE, OH, OK, UT, VA, WA

Inter-Organizational Agreements

  • Formed: to develop a core set of privacy and security provisions; test model agreements for the exchange of public health data
  • Created: public-to-public and private-to-private model agreements for immunization record sharing; pilot-tested actual exchange
  • Participants: AK, Guam, IA, NJ, NC, SD

Provider Education

  • Formed: to create tools to educate providers on privacy and security requirements as well as promote HIE and health IT
  • Created: provider education toolkit to aid in preparing for electronic data storage and exchange
  • Participants: FL, KY, LA, MI, MO, MS, TN, WY

Interstate Disclosure and Patient Consent Requirements

Consent laws vary greatly among states, which slows and even discourages the exchange of data. Although HIPAA allows for the disclosure of health information for treatment purposes, some states have enacted more restrictive laws. A person could receive care in two different states, with different requirements on disclosing their records to one another for treatment. The issue is especially problematic for cities that sit on the border of states with differing laws.

Eleven state groups joined the Interstate Disclosure and Patient Consent Requirements Collaborative to help solve this problem by mapping out the different state law requirements for disclosure of health information for treatment purposes. The collaborative, along with an independent HISPC contractor, researched and recorded the consent and data disclosure laws for nearly all 50 states, according to Victoria Prescott, JD, the CEO of Tampa-based McBroom Consulting and the chair of the group. This information was compiled into a reference guide, which healthcare providers can use to compare different state disclosure requirements when requesting patient data from other states.

The reference guide also could provide the basis for an electronic tool that would identify varying disclosure requirements for treatment purposes and make it easier for physicians to exchange data, Prescott says. This tool would be a “disclosure and authorization requirements engine” and could be implemented as part of the infrastructure of the national health information network.

Such an engine could compare states’ disclosure consent laws, identify any discrepancies, and instruct providers on how to obtain the necessary consent, Prescott says. The engine could even go so far as to generate a form with the necessary requirements.

State laws require some clarification first. Many state laws are “subjective and ambiguous” on consent and disclosure for treatment purposes, Prescott found during the research.

The group offered several recommendations for next steps. A standard list of consent options would need to be adopted nationally, and states would need to select from that list what consent requirements they feel are necessary. That way, the rules engine could compare consent requirements from a list of standard items. The HISPC group has created a preliminary list of standard consent requirements, which it displayed at the March national conference.

Several collaboration members have expressed interest in generating a list of these standardized consent requirements—and getting states to implement them—as a part of post-HISPC work.

The group also researched the implementation of a federal law that would standardize consent and preempt all current state consent laws. Another option would encourage states to work with other states on developing regional consensus on sharing patient data. This regional work could be facilitated by a federal agency, which could help states reach consensus.

“[We are] trying to find a real solution that would meet everybody’s different approaches and different state laws to privacy and consent,” Prescott says. “Then, also, solve the issue of the battle of the forms.”

Consumer Education and Engagement Collaborative

HISPC’s early work identified the need for consumer support of HIE, which hinged in large part on understanding and trusting HIE networks. Most consumers are unaware of what it takes to transport their medical records across state lines, and few fully understand the implications of HIE on privacy and security.

The Consumer Education and Engagement Collaborative worked to fill this education gap, producing online, video, print, and audio products aimed at engaging healthcare consumers in HIE privacy and security. The collaborative designed materials for varying consumer segments, producing products in various languages and changing content to connect with unique audiences, says Jerilyn Heinold, MPH, the collaborative’s director.

While individual states and healthcare organizations have created privacy and security education materials for consumers, they had rarely shared them with other stakeholders. Thus the collaborative’s first step was to create an inventory of materials, Heinold says, an effort led by Kansas representatives. For the collaborative, made up of eight states including Colorado, Georgia, Kansas, Massachusetts, New York, Oregon, Washington state, and West Virginia, a major challenge was creating education material that could be used by very different states with different populations and levels of health IT savvy. The group worked on two simultaneous tracks, one focusing on specific state issues, the other developing education for a national audience.

The education focuses on gaining consumer trust in HIE, while also informing them of their privacy rights and how to identify risks to their information. For example, a project led by Massachusetts researched more than 95 personal health record Web sites, categorized them, and evaluated what consumers should strive for and be aware of when picking a PHR, such as privacy and security requirements and whether users’ data are resold.

A main goal was to ensure products were easily understandable. “Every tool we developed we sent through literacy experts and got it translated so that the average person with an eighth grade reading level could understand it,” Heinold says.

The group, led by Oregon representatives, condensed these simplification methods into a literacy guide that other groups can use to cut down on jargon and complex sentences in public-access privacy and security materials. A hospital writing a cover sheet explaining a consent form could use the guidelines to help patients better understand the implications of the form.

Some of the group’s products include:

  • Frequently asked questions about health IT
  • Radio and TV public service announcements
  • Consumer-friendly Web sites
  • Patient rights and privacy tips
  • Consumer-focused glossary of health IT terms
  • A policy guide to consent and disclosure
  • Inventory of consumer education resources

The eight states in the collaborative have created consumer campaigns to disseminate the information to patients, Heinold says, which range from town hall meetings discussing the risks and benefits of HIE in Oregon to a new Web site exhibiting HIE videos and FAQs in Georgia and West Virginia.

Long Live HISPC?

RTI will prepare a full wrap-up report on the HISPC project, which will be publicly available this summer. The report will list recommendations, tools, and products in the form of an action and implementation guide. The format will enable people to not just read about HISPC’s work, but will guide them on what information and products are available, as well as how to use them, Dimitropoulos says. The report will spell out who the target audience is for each recommendation and give people a practical guide on how to use the information to better their organization or initiative, she says.

As for HISPC, it was originally announced that it would formally disband in March. ONC chose not to exercise an option year that was part of the phase 3 agreement with RTI.

However, the phase 3 extension announced in March—the “challenge and innovation stage” running from April to July—will allow HISPC participants a few more months to test and implement some of their deliverables. The extension will “support collaborative work on short-term innovative projects that build on and advance the deliverables you’ve developed thus far,” according to an e-mail from ONC to the project directors.

Further funding and use of the HISPC work is most likely inevitable, though it is unlikely the new work will continue under the HISPC structure. ONC is not likely to make any decisions on how to continue HISPC’s work until the new leadership of Health and Human Services and ONC is finalized by the Obama administration, according to Don Mon, vice president of practice leadership at AHIMA, who has closely followed HISPC. In early March, President Obama nominated Kathleen Sebelius as head of HHS, and late in the month he appointed David Blumenthal as head of ONC.

HISPC produced a large amount of work that must now be carried forward into the healthcare world. Once official work is completed, the focus should fall on wide dissemination of its recommendations, Dimitropoulos says.

“I think it would be a shame for this to end up on a shelf somewhere, because they have some real practical tools [and] have made a lot of headway…,” she says.

ONC and RTI plan to post all of the HISPC products and recommendations online. Some states have already taken the information they learned and implemented changes intended to improve data sharing, Prescott notes. If part of HISPC’s goal was to raise awareness of HIE privacy and security issues, it has been successful in many states, she says.

HISPC has brought the US one step closer to a nationwide health information network, Dimitropoulos believes. “HISPC has broken a lot of ground and raised awareness in a big way,” she says. “I think it is going to be fairly instrumental, in the work it has done, in getting things up and running.” She believes that the resources coming from the project, especially those being released this year, will have “tremendous impact.”

Privacy and security standards are not the only obstacle to nationwide information exchange; cost, infrastructure, and other barriers also stand in the way. But HISPC was a step in the right direction, Prescott says. She is happy she was a part of the project—one that could lead to lives being saved through better access to health information.

“People die because [providers] don’t have information—it is just a fact,” she says. “People die, so I would like to see that stopped. I want [providers] to have the records they need and not have to worry about breaking the law or making sure the patient is happy with their decision to get those records.”

Chris Dimick (chris.dimick@ahima.org) is staff writer at the Journal of AHIMA.


Article citation:
Dimick, Chris. "Complicated Game: HISPC Privacy and Security Collaborative Hands off Three Years of Work" Journal of AHIMA 80, no.5 (May 2009): 20-25.