Qual-IT - January 2007 | Archived

Growing Focus on Privacy and Security Policies
The privacy and confidentiality of personal health information are currently addressed through a complex legal construct, at both federal and state levels, that has evolved over many years and has been interpreted and applied in numerous ways. Despite the complexity and variety of this regulatory framework, it does not yet address many of the issues facing a health care system in which newer electronic health information technologies (HIT) are increasingly being used. With today's focus on facilitating ready access to health information by consumers, providers, health plans, and other stakeholders, an industry based on health information exchange (HIE) is rapidly emerging to meet these demands.

New policies and procedures are needed to adapt to these requirements, and to ensure flexibility as the field evolves. This issue of Qual-IT offers a first look at a new initiative working to address key policy challenges in providing access to—while protecting the privacy and security of—electronic forms of personal health information.

The Health Information Security and Privacy Collaboration

The benefits of HIT and HIE will only be obtained if the systems based on them are accountable, trusted, and efficient, particularly from the perspective of consumers and providers.  The current laws and business practices affecting health information privacy and security are inadequate for meeting that challenge.  To be successful, HIT strategies will need to utilize a common set of principles, policies, and practices governing access to and use of sensitive personal health information.  Developing such solutions and a coordinated implementation plan, in order to accelerate HIT and HIE efforts across the state, is the focus of New York’s participation in the Health Information Security and Privacy Collaboration (HISPC).

 

A federally funded initiative designed to address these issues, HISPC is working to document state legal and policy environments, as well as business practices common in health care today.  New York is one of 33 states selected to participate in this project; its leadership here is based on a partnership among the New York State Department of Health and a team of legal and policy experts drawn from Manatt, Phelps & Phillips, Columbia University, and Syracuse University.  Federal funding for the project was supplemented by a grant from the New York State Office of Science, Technology and Academic Research (NYSTAR). 

 

For New York, the HISPC process was designed to engage a wide range of health care stakeholders across the state to systematically evaluate the laws, policies, and practices affecting privacy and security as HIT and HIE initiatives are implemented.  For the federal Department of Health and Human Services (HHS), HISPC will promote consistency in policies and technical models that will facilitate the development of a national health information network, which will connect health care systems and information across geographic and jurisdictional lines.  In the short term, HISPC’s findings will have practical impact as a guide for the variety of state and regional HIT initiatives being developed across New York. 

Ends and Means

On January 11, 2007, the State and its HISPC partners hosted a meeting in which they provided an overview of the policy recommendations included in their interim report.  As a first step, the report proposes establishing a set of common goals to guide policy and systems design:

· Consumers should be able to easily access their own health information;
· Treating providers should have access to complete and accurate information for their patients;
· Multiple stakeholders should have access to aggregated, anonymous forms of health information for research and quality improvement purposes; and
· Providers and public health officials should report and access information necessary for key public health functions.

Accomplishing these goals, the report notes, will require specific measures to:

· Educate patients about, and engage them in, the various methods of accessing information;
· Secure patients’ informed consent;
· Establish safeguards governing the security, access to, and use of electronic patient health information; and
· Create a reliable and secure method of identifying and linking patients’ information.

The HISPC interim report also outlines an implementation framework for taking these steps.   First, it says, a “leadership entity” needs to forge consensus on specific policies and methods for achieving these goals and objectives.  The New York eHealth Collaborative (NYeC), it proposes, can play an important role in this process, building on the broad multi-stakeholder input that has already been elicited by HISPC. NYeC could take the lead, for example, in developing standards for patient identification, patient consent, and the authentication of HIT and HIE system users.

 

(Officially launched this past November at the New York Summit on eHealth, co-sponsored by the United Hospital Fund and the state’s Department of Health, NYeC has received technical support from the Fund since planning for the Collaborative began in January 2006.  The Fund has since provided a grant to cover NYeC’s startup costs; Fund President Jim Tallon is a member of NYeC’s founding board of directors, and Quality Strategies Initiative Project Director Rachel Block is serving as its interim director.)

 

The report also calls for a system of accreditation and certification for the entities—commonly referred to as regional health information organizations, or RHIOs—involved in HIE.  While certification would not be immediately mandatory, it would be a condition for receipt of state funds and for participation in HIE involving Medicaid data.  It is likely that any future activities designed to link disparate HIE efforts would also require participating organizations to obtain this certification.

 

Finally, the report calls for the state to clarify existing laws and regulations, and to adopt new laws as needed.  While the report has not yet been made available online, further information on it can be obtained from New York HISPC Project Manager Ellen Flink, at emf02@health.state.ny.us.

 

The HISPC process will now focus on development of a detailed and coordinated implementation plan, to be completed by April 2007.  The Fund looks forward to playing an active role in this process through its continuing participation in NYeC.

Resources

New York State Health Information Security and Privacy Collaboration. Presentation at the New York Summit on eHealth, November 2006. Available online at http://www.uhfnyc.org/pubs-stories3220/pubs-stories_show.htm?doc_id=426750

Information about HHS privacy and security activities can be accessed through http://www.hhs.gov/healthit/privacy/

Information about New York’s HIT activities can be accessed through http://nyhealth.gov/technology/