Search the KHIT Blog

Tuesday, July 12, 2011

Nevada HIE kickoff event

My company has been designated as the not-for-profit administrator of the new Nevada Community Based HealthInsight Health Information Exchange (HIE). Today at Cashman Center in Las Vegas we held an intense day-long kickoff event comprised of founding stakeholders, our HIE consultant firm Strategies for Tomorrow, and key staff of our HIE vendor Axolotl (just recently renamed OptumInsight). Very nice turnout of extremely talented and committed people. It is an ambitious undertaking. Lots to think about and report on.

Below, our Nevada Executive Director Deborah Huber.

Above, our Nevada Vice President of Medical Affairs Jerry Reeves, MD.

I've been designated to serve on the HIE Privacy and Security Task Force, something I will relish. No shortage of issues to be resolved. I'm already Loaded for Bear on the topic.


As our kick-off event concluded, the foregoing was asserted during the final session. I thought "I must have missed something with regard to the final cut of SB 43." Someone else echoed that vocally as well, but the moment passed. I was too busy at the time playing Press Photographer for the event as well as staff participant.

SB 43 is Nevada Senate Bill 43 (PDF), the state's HIE legislation that emerged this year in the wake of Nevada having received ONC funding for a state HIE (which, btw, is not us; a publicly funded and administered NV HIE does not yet exist). The salient excerpt as it pertains to "opting in/out":
Sec. 15. NRS 439.538 is hereby amended to read as follows:

1. If a covered entity transmits electronically individually identifiable health information in compliance with the provisions of:

(a) The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 [,] ; and
(b) Sections 2 to 12, inclusive, of this act and the regulations adopted pursuant thereto, which govern the electronic transmission of such information, the covered entity is, for purposes of the electronic transmission, exempt from any state law that contains more stringent requirements or provisions concerning the privacy or confidentiality of individually identifiable health information.

2. A covered entity that makes individually identifiable health information available electronically pursuant to subsection 1 shall allow any person to opt out [emphasis mine] of having his or her individually identifiable health information disclosed electronically to other covered entities, except:

(a) As required by the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
(b) As otherwise required by a state law.
(c) That a person who is a recipient of Medicaid or insurance pursuant to the Children’s Health Insurance Program may not opt out [emphasis mine] of having his or her individually identifiable health information disclosed electronically.**

As used in this section: “covered entity” has the meaning ascribed to it in 45 C.F.R. § 160.103.

[** I have to say that it would not break my heart for the ACLU or some other rights entity to successfully challenge this "2nd class citizen" clause.]

My subsequent internal response upon reflection:
Notwithstanding that HIE “opt-in” is not explicitly required by SB 43 (the word “opt” only appears twice in SB 43, each time followed by the word “out” – see Section 15), HealthInsight HIE is nonetheless at liberty to establish affirmative “opt-in” as policy. There are good reasons. See the attached, sent to me the other day by Kahreen Tebeau of the Oregon Health Authority Office of Health IT.

The Nevada Administrative Code (NAC, the NV equivalent of the federal CFRs) may well at some point clarify the vagueness in SB 43 with respect to “opt whatever,” but, IMHO, “…shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities” at 15(b)(2) is not the express semantic equivalent of “opt in.” (but, then, that’s why we have lawyers on the P&S Task Force).

Interestingly, my colleague Kevin Jones pointed me to Section 7 of SB 43. My response:
Nice catch. So, Section 7 looks to possibly be at some odds with Section 15 (“opt out”). Noteworthy is this:

The Director shall by regulation prescribe standards [emphasis mine]:

Sec 7(d) For obtaining consent from a patient before transmitting the patient’s health records to the health information exchange system, including, without limitation, standards for obtaining such consent from a child who has received health care services without the consent of a parent or guardian;

“by regulation” -- Which, as I said, goes eventually to the Nevada Administrative Code (NAC); “obtaining consent” does not, IMO, unequivocally dictate “opt-in.” Grants of “consent” are routinely obtained via active or passive opt-out. What this all says to me is that it is as yet undecided what state “administrative” procedural policy will be.

I've done some tedious probing of the Nevada Administrative Code, looking for anything generally pertaining to "consent" requirements related to health care information in our state. Not finding anything precisely relevant thus far. But, then, IANAL.

OK, it may be useful to consult with SB 43's antecedent, linchpin, ONC-approved HIE Strategic & Ops Plan.

A few salient excerpts pertaining to "consent" and "opting":

4.3.6 Patient/Consumer Engagement
While the initial phases of the NV HIE will likely exclude services that enable patients/individuals to have direct access to the NV HIE information services, during the early phases, the patient/consumer engagement will focus on education. Initial education will likely be directed towards views on how NV HIE increases integration of care for children and those with disabilities and improves outcomes, as well as issues such as guarding private data, information-sharing standards, and personal responsibility.

These initial efforts of patient engagement will be essential to the final opt-in/opt-out/hybrid model for the NV HIE patient data information governance, which has not been finalized due to ongoing legislative activities. [pg 13] Patient/Consumer Smart Media Technology
Nevada will implement HIPAA-compliant ―health information‖ smart media technology (smart cards, flash drives, cell phone patient medical apps) for those individuals who choose to opt-out of the HIE, and as a method of supporting and protecting the electronic exchange of health-related information. [pg 69]

12.1 NV HIE Business and Governance Formation (Stages 1-3)
…In addition to the importance of having a sustainable, non-profit business to govern and operate the HIE services, we believe that the NV HIE Business formation will establish the essential ―rules of the road necessary to implement the information sharing technologies of the envisioned HIE services. For example, how will NV residents opt-out of (and possibly opt back in) having their data shared across the HIE? While this may appear simple on the surface, the question is non-trivial when considering the various channels that may need to be afforded to the individual (e.g., customer portal, primary care office, emergency room, hospital, pharmacy) and how to make patient information providers aware that data sharing is not allowed for a specific individual (with the exception of reportable public health requirements and certain Medicaid/Medicare alternatives). It is these information governance and other similarly complex requirements that will need to be understood and established prior to implementing HIE technologies or certifying existing HISPs/RHIOs for supporting HIE services in the State. [pg 74] Consent
Consumer or patient consent is the process by which consumers control the exchange of their health information through an HIE and can be a tool to allow health care providers access to more complete health information, thereby strengthening the provider‘s ability to provide informed care and improving care coordination amongst providers.

The NV HIE Legal/Policy Workgroup will provide input to the creation of policies that will dictate to what extent, and how consumers should be able to control the exchange of their health information while balancing privacy considerations with the overall vision of the NV HIE and its potential impact on public health, the coordination of care, improved health care quality and ultimately, improved health outcomes as supported by better access to more robust patient data. [pg 82]

(bold/italic/red emphases mine)

How does another Nevada agency treat such things (the DMV)?

Interesting. I guess we can comfortably infer from this that a Nevada agency has the lawful discretion to require explicit, affirmative, documented "opt-in" to override a default presumption of one's having opted out via inaction. Moreover, I take it as a given that the HealthInsight HIE will have to comply with (or exceed) any final NAC consent regulations issued by DHHS pursuant to SB 43.

The issue of whether, to what extent, and how individuals should have the ability to exercise control over their health information represents one of the foremost policy challenges related to the electronic exchange of health information. The current landscape of possible consent models is varied, and the factors involved in choosing among them are complex. States and other entities engaged in facilitating the exchange of electronic health information are struggling with a host of challenges, chief among them the establishment of policies and procedures for patient participation in their exchange efforts. While some have adopted policies enabling patients to exercise individual choice, others have prioritized the needs and concerns of other key stakeholders, such as providers and payers. The purpose of this paper is to discuss in detail the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making.

Core consent options (abbreviated) for electronic exchange include the following:
  • No consent. Health information of patients is automatically included—patients cannot opt out;
  • Opt-out. Default is for health information of patients to be included automatically, but the patient can opt out completely;
  • Opt-out with exceptions. Default is for health information of patients to be included, but the patient can opt out completely or allow only select data to be included;
  • Opt-in. Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out; and
  • Opt-in with restrictions. Default is that no patient health information is made available, but the patient may allow a subset of select data to be included.
As these definitions illustrate, a range of consent models can be applied in different contexts of electronic exchange in the U.S., and it is possible for there to be further permutations depending on the level of choice granularity allowed. There is also considerable variation in the type of information exchanged, ranging from the more basic (e.g., lab results) to the more mature and complex (e.g., a wide array of health information).

The consent model selected for electronic exchange, as well as the determination of which types of health information to exchange, affects many stakeholders (e.g., patients, providers, and payers). These decisions also have consequences for national policy goals, such as improving the quality of healthcare, promoting public health, engaging patients in their health care, and ensuring the privacy and security of personal health information. This discussion requires not only an appreciation of the sometimes competing interests of various stakeholders, but also consideration of the interests of the individual relative to those of society as a whole.

" is possible for there to be further permutations depending on the level of choice granularity allowed."

Indeed. Let's recap. As I ruminated on amid my June 18th post, ePHI privacy issues traverse four principal categories of concern -- and vary greatly from state to state:
  • Data ownership;
  • Rights of access (and accountability);
  • Disclosure restrictions;
  • Records retention requirements.
There has been much grumbling within the provider community with respect to envisioned "granularity," in particular as it pertains to proposals for patients having disclosure veto power at the datum level (e.g., "yes, you can share my CBC results, but not my latest lipid panel or pap smear or PSA. And forget about my BP or BMI").


"The lawyers freak out," said Calman, agreeing that attorneys, including malpractice lawyers, are often more resistant than doctors to the idea of providing patients with access to their full medical information--and especially the notion of patients being able to include their own comments in their records...[click here for the full article]
Interesting. BTW, I've been studying "privacy" issues since grad school, albeit in a couple of different contexts. See "Privacy and the 4th Amendment amid the "War on Terror".


Well, as of this week we have four words: "Rupert Murdoch Hacking Scandal." Then there's stuff like this:
Today’s globally networked society places great demand on the dissemination and sharing of person-specific data for many new and exciting uses. Even situations where aggregate statistical information was once the reporting norm now rely heavily on the transfer of microscopically detailed transaction and encounter information. This happens at a time when more and more historically public information is also electronically available. When these data are linked together, they provide an electronic shadow of a person or organization that is as identifying and personal as a fingerprint even when the information contains no explicit identifiers, such as name and phone number. Other distinctive data, such as birth date and ZIP code, often combine uniquely and can be linked to publicly available information to re-identify individuals. Producing anonymous data that remains specific enough to be useful is often a very difficult task and practice today tends to either incorrectly believe confidentiality is maintained when it is not or produces data that are practically useless...

- 2001, Dr. Lataya Sweeney (PDF), now with the ONC HIT Policy Committee.
That was a decade ago. Think about how much more data are available today, and how much easier they are to capture, merge, and mine.

A bit more on Dr. Sweeney. And, relatedly, how about this?
Mr. X lives in ZIP code 02138 and was born July 31, 1945.

These facts about him were included in an anonymized medical record released to the public. Sounds like Mr. X is pretty anonymous, right?

Not if you're Latanya Sweeney, a Carnegie Mellon University computer science professor who showed in 1997 that this information was enough to pin down Mr. X's more familiar identity -- William Weld, the governor of Massachusetts throughout the 1990s.

Gender, ZIP code, and birth date feel anonymous, but Prof. Sweeney was able to identify Governor Weld through them for two reasons. First, each of these facts about an individual (or other kinds of facts we might not usually think of as identifying) independently narrows down the population, so much so that the combination of (gender, ZIP code, birthdate) was unique for about 87% of the U.S. population. If you live in the United States, there's an 87% chance that you don't share all three of these attributes with any other U.S. resident. Second, there may be particular data sources available (Sweeney used a Massachusetts voter registration database) that let people do searches to bootstrap what they know about someone in order to learn more -- including traditional identifiers like name and address. In a very concrete sense, "anonymized" or "merely demographic" information about people may be neither. (And a web site that asks "anonymous" users for seemingly trivial information about themselves may be able to use that information to make a unique profile for an individual, or even look up that individual in other databases.)

Many contemporary privacy rules and debates center on the notion of "personally identifiable information" (PII). The PII concept is used by several legal regimes and many organizations' privacy policies; generally, information that identifies a particular person is considered much more sensitive than information that does not....

...research by Prof. Sweeney and other experts has demonstrated that surprisingly many facts, including those that seem quite innocuous, neutral, or "common", could potentially identify an individual. Privacy law, mainly clinging to a traditional intuitive notion of identifiability, has largely not kept up with the technical reality.

Above, from the 2001 Sweeney paper. This goes to the whole "data mining" goal of HIE -- e.g., "CER", "comparative effectiveness research," the "big picture" end of clinical data exchange (ostensibly using "de-identified" data), beyond the more loudly touted initial end of "24/7 anytime-anywhere point-of-care data access."

Below, Dr. Sweeney explains:
For twenty dollars I purchased the voter registration list for Cambridge Massachusetts and received the information on two diskettes [20] in an attempt to complete the re-identification. Figure 15 shows that these data included the name, address, ZIP code, birth date, and gender of each voter. This information can be linked using ZIP code, birth date and gender to the medical information described in Figure 14, thereby linking diagnosis, procedures, and medications to particularly named individuals. The question that remains of course is how unique would such linking be.

The 1997 voting list for Cambridge Massachusetts contained demographics on 54,805 voters. Of these, birth date, which is the month, day, and year of birth, alone could uniquely identify the name and address of 12% of the voters. One could identify 29% of the list by just birth date and gender; 69% with only a birth date and a five-digit zip code; and 97% when the full postal code and birth date were used...

...In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees. GIC collected de-identified patient-specific data with nearly one hundred fields of information per encounter along the lines of the fields discussed in the NAHDO list for approximately 135,000 state employees and their families. Because the data were believed to be anonymous, GIC gave a copy of the data to researchers and sold a copy to industry [21]. William Weld was governor of Massachusetts at that time and his medical records were in that data. Governor Weld lives in Cambridge Massachusetts. According to the Cambridge Voter list, six people had his particular birth date; only three of them were men; and, he was the only one in his five-digit zip code.

Clearly the risks of re-identifying data depend both on the content of released data and on other related information. Most municipalities and states sell population registers such as voter lists, local census data, birth records and motor vehicle information. There are other sources of population registers such as trade and professional association lists. Such information can often be uniquely linked to de-identified data to provide names, addresses, and other personal information [pp 49 - 51].


Maine Reverts Back to Opt-Out Approach for HIE
Posted by Helen Oscislawski on June 13, 2011

In my previous post (April 26, 2011), I discussed legislation proposed by privacy advocates in Maine which would require, among other things, that patients "opt-in" before any information could be collected, accessed or disclosed through Maine's HIE HealthInfoNet. Although HealthInfoNet currently operates under the "opt-out" approach, privacy advocates had pushed for the legislation in order to more adequately safeguard patient privacy. Stakeholders had decided early on in the HIE's development that opt-in was not practical and as such, patients would be automatically enrolled in the HIE. Patients could then exercise their choice to opt-out and have their information deleted from the HIE's central data repository...

The challenges are legion, are they not?

Awesome blog, btw, Ms. Oscislawski.

But, wait, there's MORE!

News from
For state HIE, patient opt-out a thorny technical issue

For all state health IT coordinators, providing patients with privacy and control of their health data is a priority. For many, it's also a legal mandate, with data privacy rules differing from state to state. However, building the IT back-end to support this flexibility in state health information exchanges, or HIEs, isn't a simple undertaking, said speakers in a session at the Health IT Connect conference in Washington D.C...

...The toughest part for state HIE architects who must support partial opt-out policies may very well be giving patients the ability to shield the disclosure of conditions such as HIV/AIDS, substance abuse or behavioral health treatment. Robinson said it's one thing to make an HIV test invisible, but someone seeing a health record might be able to figure out a person has HIV in other ways -- for example, by seeing that he takes a particular medication...

...Amy Zimmerman, chief of health IT for the Rhode Island Department of Health, said her state HIE's consent model is opt-in, with no data going into the HIE unless a patient enrolls. There are three levels of access the patient can choose upon enrolling -- full but temporary access for emergency treatment, the minimum to which all enrollees consent; a "HIPAA consent" level that gives access to all providers in the course of treatment, and a third consent level that gives permissions to individual providers.

It took 18 to 24 months of discussions with community stakeholder groups to arrive at this model, she said. It was a compromise, because in those discussions Rhode Island authorities found that each group -- providers, patients, and a legal advisory board -- were divided in their feelings toward an "all-or-nothing" opt-in approach to sharing patient data...

18 to 24 months? Yikes. We have, uh, like three? Well, in fairness, we're not the "state HIE," either. Our State government HIT entity can't even get their Medicaid provider Meaningful Use attestation portal up and running (rumor is it's going to be yet another year or more, all while an increasing number of states are taking attestations and disbursing incentive funds).

And the hits just keep on comin'...

Medical Privacy Issue: FICO Medication Adherence Score Coming
By George Gombossy | Last updated Jun 24, 2011, 11:05 am

Think you have little privacy now, wait until FICO, the company whose credit scores are frequently used to guage your credit worth, launches a new program that will allow companies to determine how likely you are to take your medicine properly.

In a recent New York Times article, FICO has “developed a new FICO Medication Adherence Score that it says can predict which patients are at highest risk for skipping or incorrectly using prescription medications.”

“We started thinking about how do consumers behave as patients,” Mark Greene, the chief executive of FICO, based in Minneapolis, told the Times. “The problem, from a math standpoint, is not all that different from banking and other industries.”...

Jeez.., I laughed when I saw that headline, even though it's not really funny. I used to work in credit risk modeling and management. See here and here.

Hmmmm... have to wonder where they'll get their data for mining and modeling?


An Indiana man says a blood donation center rejected him as a donor because he appears to be gay--even though he isn't. Aaron Pace, 22, recently visited Bio-Blood Components Inc., in Gary, which pays up to $40 for blood and plasma donations. But during the interview process, he said, he was told he couldn't give blood because he seems gay. Though Pace is "admittedly and noticeably effeminate," according to the Chicago Sun-Times, he says he's straight. "It's not right that homeless people can give blood but homosexuals can't," Pace told the paper. "And I'm not even a homosexual."...
OK, what, you might ask, does that have to do with HIT/HIE?

Well, consider this?

By jsimmons
Created Apr 7 2011 - 10:54am

Using electronic health records (EHRs) to gather data on sexual orientation and gender identity in federally funded surveys could help providers address specific healthcare issues among lesbian, gay, bisexual, and transgendered (LGBT) individuals, according to a new report released by the Institute for Medicine (IOM).

These questions about sexual orientation and gender identity, however, should be standardized to allow for the comparison and combination of data across large studies to analyze the unique needs of the LGBT population, added the report, which was prepared for the National Institutes of Health (NIH) to examine specific research needs.

Among one of the recommendations in the IOM report is that the Office of the National Coordinator (ONC) of Health IT include the collection of data of sexual orientation and gender as part of its Meaningful Use objective for EHRs to record demographics: This would mean that data on sexual and gender minorities would be included within the demographic information in the same way that race, language, and ethnicity data are now collected ...
That will be interesting. The "social conservative" howling, outraged opposition attack lines just write themselves. Beyond that, there will be major discomfort in many provider offices simply asking for such information. I brought it up to a doc yesterday, and she affirmed that concern.


My REC blog is now a bit more than a year old. If you Google "rec blog" without the quotation marks, you get 77.5 million results. The first of which is my blog. Encase the phrase in quotes and the number drops to 50,400. Again, the first of which is mine. Pretty pleased with that.

Didn't cost me a penny. Meta-tags, baby. My relative handful of reciprocal links don't hurt, either, but it's mainly my tags "under the hood."



July 11, 2011

CareSpark Ceases Operations of Regional Health Information Exchange

CareSpark’s Board of Directors voted recently, with regret, to cease operations. CareSpark, despite great effort, was unable to transition from a grant and contract based nonprofit organization to a user subscription and revenue sustained entity. The Board believes this is a great loss to the region and believes that other resources needed to provide exchange services, assist providers in meeting meaningful use requirements and CareSpark’s core mission of regional health improvement through health information sharing will need to develop.

CareSpark was formed in 2005 after a two year health improvement planning process and is a regional 501(3)c non-profit organization to improve health for people in northeast Tennessee and southwest Virginia. In May CareSpark took its services offline to finish developing a new infrastructure that it hoped would meet the needs of local healthcare providers and bring additional value that providers would be willing to support financially. Because the level of financial support for this new infrastructure was not available, it was not brought online. In expectation of this new infrastructure all connections have been terminated.

CareSpark is working to contact the 38 health organizations with whom it had data sharing agreements to arrange a meeting to complete planning for a secure and orderly transition. CareSpark remains committed to safeguarding the data entrusted to it and to be transparent and community focused as it wraps up its affairs over the next several months. In addition to the data participants, CareSpark is contacting all other parties with which it has contractual relationships.

CareSpark is deeply appreciative of the more than 250 volunteers from around the region and beyond who invested their time and talent in this regional collaborative vision that achieved an operational standards-based technical infrastructure, nationally recognized data exchange capabilities and an exceptional community driven governance structure. CareSpark gained national visibility as one of nine communities involved in the development and demonstration of a Nationwide Health Information Network. These milestones were achieved so that no matter where or when a patient received care in the region and beyond, the information would be accessible to diagnose and treat patients optimally to improve care outcomes, lower stifling health care costs and reduce disproportionately high rates of diseases in the region.

During this period of winding up its affairs, the CareSpark Board of Directors remains in place to oversee the proper and orderly dissolution and termination of CareSpark’s business. All alternatives to closing have been, and will continue to be, investigated.

Wow. A cautionary tale.


During one of my earlier posts (last year) I alluded to reports of calls for FDA regulation of EHRs as de facto "medical devices." Well, this was in the news earlier this week:
...the FDA has begun regulating EHRs as medical devices because, according to the agency, health IT has advanced so far that the professional intermediary is no longer required or used. Thus, under the Federal Food, Drug and Cosmetic Act, health IT is characterized as a medical device. Per voluntary reports from patients, clinicians and user facilities, the FDA has cited data indicating 260 reports of health IT-related adverse events, including 44 reported injuries and six reported deaths, resulting in the agency issuing its final rule in February classifying “Medical Device Data Systems” as low Class 1 medical devices, requiring post-market surveillance.

Oh, really? I checked with the FDA.

To answer your question, FDA’s role for EHR is not finalized. Role of FDA and other federal agencies with regards to safety of EHRs is being discussed and led by Office of the National Coordinator ( ONC)

Should you have further questions, please feel free to contact us. Thank you.

VJ Huang
Consumer Safety Officer
International Relations and External Affairs Staff
Division of Small Manufacturers, International and Consumer Assistance, OCER
Center for Devices and Radiological Health
U.S. Food and Drug Administration (FDA)

The operative CFR Final Rule pertaining to "Medical Device Data Systems" at this point is 21 CFR 880 (see page 8647, 2/15/11):
EHR and PHR systems are not included in this rulemaking, and RIS are already regulated and would not be affected by this final rule.

OK. Whatever. See also "Integration of HIT & Medical Devices."


Health Information Exchange moves closer to reality in Nevada
John Seelmeyer, 7/25/2011

Supporters of a system that will allow hospitals, physicians and others in Nevada to share patient information in real time across digital networks are confident they’ve found the right technology to get the job done.

Now they need to get often-competitive, often strongly opinionated hospital executives, physicians and others in the health care industry to break down the walls that have kept them from sharing information in the past.

HealthInsight Nevada, a Las Vegas-based nonprofit that spearheads efforts to improve the quality of health care delivery in Nevada, this month launched its community-based health information exchange in the state...

1 comment: