Gerry Hinkley Co-Chair, Health Care Industry Team Pillsbury Winthrop Shaw Pittman LLP

Transcription

1 How Regional Extension Centers (RECs), Beacon Programs, Community College Consortia and Health Insurance Exchanges Work and Why Privacy and Security are Important Gerry Hinkley Co-Chair, Health Care Industry Team Pillsbury Winthrop Shaw Pittman LLP HIPAA SUMMIT WEST - HIPAA FOR HIT AND EHRs October 3 6, 2010 San Francisco

2 How R-E-Cs (don t say Wreck ) Work The HITECH Act authorizes a Health Information Technology Extension Program The extension program consists of Health Information Technology Regional Extension Centers (RECs) pursuant to 60 cooperative agreement awards and a national Health Information Technology Research Center (HITRC) The HITRC will build a virtual community of shared learning to advance best practices that support providers adoption and meaningful use of EHRs RECs will be fully operational by December 2010 $643 million ARRA funds for , $42 million thereafter By December 2012, the RECs will be largely self-sustaining and their need for continued federal support in the remaining two years of the program will be minimal 2

3 REC Charters RECs will Provide training and support services to assist doctors and other providers in adopting EHRs Offer information and guidance to help with EHR implementation Give direct, individualized and on-site technical assistance in Selecting a certified EHR product that offers best value for the providers' needs Achieving effective implementation of a certified EHR product Enhancing clinical and administrative workflows to optimally leverage an EHR system's potential to improve quality and value of care, including patient experience as well as outcome of care Observing and complying with applicable legal, regulatory, professional and ethical requirements to protect the integrity, privacy and security of patients' health information 3

4 How Will the HITRC Support Privacy and Security Initiatives of RECs? Office of Provider Adoption Support (OPAS) interacts with each REC to understand unique program goals, opportunities and challenges HITRC s strategy is to harness power nationwide by building virtual communities of practice (CoPs) to share best practices A subset of the CoP is focused on privacy and security Contribute to a more complete understanding of privacy and security needs Reveal unexpected challenges and opportunities Feed strategy and message development Encourage / accelerate buy-in of privacy and security tactics by engaging REC influencers at early stage 4

5 The HITRC Privacy and Security COP Privacy and Security Advisory Council 10 members who meet twice monthly Collect/summarize data on needs related to privacy and security Data from REC operations plans Data from REC meetings Share information about ONC programs/general communications Engage RECs around their privacy and security needs Identify training materials 5

6 The HITRC Privacy and Security COP 2 Focus on priority areas Risk assessments Internal and practice guidance on policies and procedures Create repository of information on liability issues related to technology Office of Provider Adoption Support (OPAS) will Provide experts on various subject matters to work with the CoP on identified training needs Develop materials that RECs can use to support outreach efforts 6

7 Challenges the HITRC and RECs Face in Establishing Consistent National Practices My own private HIPAA The approach to privacy has been localized to the states Inconsistent state laws Local lore and culture The growing demand for information sharing among separate HIEs and across boundaries Increasing consumer awareness of privacy rights Contentiousness over ownership of data 7

8 Challenges the RECs Face Regarding Privacy and Security in Physician Offices Misunderstanding the HIPAA basics 2003 vs HITECH Cost of implementation Office culture HIPAA know-it-alls Managing business associates and subcontractors Complexity of technology the tools are imbedded, but support and implementation are lacking changing passwords establishing role based access Inability to establish physical security 8

9 What s a REC to do? EHR Implementer and Provider Education Emphasis on Security Brochures emphasize Understand your areas of risk by doing a risk assessment, as required by HIPAA Train your staff on proper security techniques Define staff roles and responsibilities Physically secure your portable computing and storage devices Select EHR vendors that provide certified EHR technologies Develop security policies that are simple, understandable and enforceable Know what you must do, under the law, to protect your patients information 9

10 What s a REC to Do? Toolkits Based on state level toolkits (e.g., New York) Guidance the seven circles of security Policies, procedures, training Physical security Passwords/access controls Auditing Network security Back up and recovery Encryption 10

11 How Beacon Communities Work $235 million to support the Beacon Community Program that will include $220 million to build and strengthen health IT infrastructure and HIE capabilities, including privacy and security measures for data exchange, within 17 communities for 36 months To qualify for the Beacon Community Program, applicants will Build off of existing health IT infrastructure and exchange to demonstrate care and cost savings Have rates of EHR adoption that are significantly higher than published national estimates Coordinate with recently announced ONC programs for Regional Extension Centers and State Health Information Exchanges The Beacon Community Cooperative Agreement Program will build infrastructure for health IT and will implement privacy and security measures for the health-care information that's exchanged 11

12 How Beacon Communities will Lead Beacon Communities of Practice will focus on privacy and security COPs will collect and publish best practices from Beacon Communities Why is this important? The Beacon Communities have demonstrated leadership in EHR/HIE deployment Because of the advanced state of development, they have encountered privacy and security issues that the next wave will have to encounter Under he grant program Beacon Communities have an opportunity to refine their work regarding privacy and security ONC will encourage this through the cooperative grant arrangement The collective experience of the Beacon Communities will be persuasive precedent 12

13 How the Community College Consortia Works The Community College Consortia is part of the Health IT Workforce Development Program, administered by ONC The consortia comprises five regional groups of more than 70 member community colleges in all 50 states Received $36 million in grants to develop or improve nondegree health IT training programs that students can complete in six months or less Programs established through this grant will help train more than 10,500 new health IT professionals annually by

14 Programs that Support the Community College Consortia Curriculum Development Centers Program provided $10 million in grants to five domestic institutions of higher education to support health information technology curriculum development Competency Examination Program will provide $6 million to Northern Virginia Community College to develop and administer health IT competency examinations an objective measure to assess basic competency of Individuals trained in non-degree short term programs Members of the work force with on the job training 14

15 How the Community College Consortia Will Lead A significant problem with HIPAA compliance has been the failure of documentation of consistent policies training and re-training of the work force assessment and auditing of compliance at the grass roots The CCC, utilizing a standardized curriculum, will turn out 10,500+ trained HIT professionals annually The potential is there for this newly trained work force to address the failures of HIPAA implementation 15

16 How Insurance Exchanges Work Starting in 2014, states will implement and consumer-centered health insurance marketplaces Designed to provide consumers and businesses with one-stopshopping where they can compare and purchase health insurance coverage The Office of Health Insurance Exchanges (OHIE) of the Office of Consumer Information and Insurance Oversight (OCIIO) is created to guide and oversee the state-based insurance exchanges This office will establish policies and rules governing exchanges, establish and implement planning grants to states, and provide oversight for the exchanges 16

17 How Insurance Exchanges Will Address Security and Privacy Recommendations of the HIT Policy & Standards Committee Enrollment Workgroup New and existing state eligibility and enrollment systems should follow the full complement of fair information practices (FIPs) when handling personally identifiable health information Collection and Use Limitation: state systems should be designed to collect and use the minimum data necessary for an eligibility and enrollment determination balanced with the desire to reuse information for multiple eligibility decisions Data Integrity & Quality: states should establish a minimum threshold level for data matches, adopting a glide path toward achieving advanced probabilistic matching Openness & Transparency: clear, transparent policies about authorizing access and use of data should be provided to the consumer in the Privacy Notice 17

18 How Insurance Exchanges Will Address Security and Privacy Consumers should have timely, electronic access to their eligibility and enrollment data in a format they can use and reuse knowledge of how their eligibility and enrollment information will be used, including sharing across programs to facilitate additional enrollments, and to the extent practicable, control over such uses the ability to request corrections and/or updates of such data Builds upon the HITECH Act provisions giving consumers the right to obtain an electronic copy of their protected health information from HIPAA covered entities, including health plans and clearinghouses 18

19 How Insurance Exchanges Will Address Security and Privacy Consumer Mediated Approach Provide consumer information to consumers in a humanreadable form that allows them to view, print or save data in a format they can use and reuse Enable data to be exported into commonly-used software formats such as spreadsheets, text files Develop separate pathways (the Blue Button ) for download requests from the consumer and download requests via automated processes acting on the consumer s behalf 19

20 How Insurance Exchanges Will Address Security and Privacy Consumer Mediated Approach 2 Limit data use to that specified in the Privacy Notice unless the consumer authorizes additional uses Notice provided to the consumer during the application process will govern the consumer s rights to confidentiality and privacy provided prior to or at the time of collection of personally identified information in a method the consumer can understand notice should clearly indicate all entities that will be permitted to use a consumer s eligibility data, as well as the permissible uses of such data 20

21 How Insurance Exchanges Can Lead Through OHIE guidance opportunities for Application of Fair Information Practices to regulate use, disclosure, auditing and enforcement Putting HIPAA in context for health insurance Uniformity, clarity with respect to notices of privacy practices Consistent application of authorizations by consumers Implementation of minimum necessary in the context of health insurance procurement Restoring consumer confidence regarding use of health information in connection with insurance purchasing 21

22 Take Aways The interplay of the REC, Beacon Communities, Community College Consortia and Health Insurance Exchanges coupled with the State HIE Cooperative Agreement Program can encourage consistency of grass roots Policies, procedures, training Physical security Access controls Auditing Network security Back up and recovery Encryption 22

23 Take Aways 2 Recognition of Best Practices Broadcasting a consistent message regarding privacy and security through training Uniformity and clarity regarding notices of privacy practices Recognition of and understanding of consumer rights Access Use and disclosure Download Implementation of minimum necessary for payment and health care operations 23

24 24 The purpose of this presentation is to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice legal counsel may only be given in response to inquiries regarding particular situations.

25 Contact Information Gerry Hinkley Pillsbury Winthrop Shaw Pittman LLP 50 Fremont Street San Francisco, CA Direct: (415)