Notes On Health Information Exchanges

Notes on Health Information Exchanges Taken from AHIMA Sessions: Privacy and the EHR, Tuesday session Legal Issues in Community Health, Tuesday session Health Information Exchanges and NHIM, Wednesday session Clinical Data Exchange, Wednesday session The first thing deserving mention is that Washington state had identified 300+ barriers to health information exchange. This number has been reduced significantly, but there are still items to be addressed. Of note, companies that employ people in multiple states, or have operations that are close to borders, will have complexity in developing/applying standards. The second most important point is that HIM professionals need to request to be included on the design teams, and this was repeated in at least 2 of the sessions. From one of my courses in the RHIT program, below is an excerpt from an article by Elizabeth S. Roop that was published in “For the Record” Vol. 19 No. 21 P. 18, entitled HIM Professionals: RHIO’s Missing Asset. The Need for HIM One challenge that HIM must overcome to insert itself into the RHIO/HIE process is a lack of awareness among organizers about the assets the profession brings to the table in terms of managing the data exchange process. “It goes back to the fact that a lot of RHIOs and other HIE projects are really driven by physicians. They are trying to do something to connect disparate organizations. If you look at who is writing the grants [to fund exchanges], it tends to be the provider, the practitioner who is driving it, and the first thing they think of is getting the IT infrastructure into place,” says Beth Haenke Just, MBA, RHIA, president and CEO of Just Associates. “That’s fine, but when those types of endeavors get started or initiated, there are core HIMrelated data exchange issues that have to be addressed early in the process. The HIM professional is the one to do that, but until they step up to the table to volunteer, they aren’t going to be able to.” HIM professionals are in the best position to address questions regarding privacy and confidentiality of information that will cross the exchange, as well as identify the most effective way to link medical records between disparate healthcare organizations. Determining the accuracy of the data to be exchanged and establishing processes and procedures to manage the release of information (ROI) between multiple facilities are other assets attributed to HIM professionals. Getting HIM involved early in the development lets RHIOs and HIEs answer critical questions about the accuracy, validity, and integrity of clinical data, as well as what data needs to be exchanged and in what time frame. It also helps guide technical decisions in areas such as field mapping. “Because we understand the content of the data, we can look at [fields to be mapped] and say when it doesn’t make sense. An IT person is going to say that the data went through because they didn’t get an error message,” says Just. “The successful linking of records is the second biggest challenge for RHIOs, next to sustainability. But it is not described as an HIM issue; it is described as a technical issue. “The reason it is an HIM issue is that you don’t know what you don’t know. If you are connecting records in a database from disparate organizations and you don’t have the critical eye that our profession brings to the data itself, you don’t know that you’re not linking 70% [of the data] that should be linked or that you’re overlaying records that should not be linked,” she adds. “IT folks tend to look at it [from the perspective] that they are getting information in and the records are linking. They aren’t looking at the qualitative aspects. That is what HIM brings to the table.” Mon also points to proper use of the master patient index (MPI) and resolving the patient identification challenges RHIOs and HIEs face when data flow from one institution to another as additional areas of strength HIM brings to the process.

C. Zinakova Notes 10/17/08 Page 1 of 6

HIM professionals can also leverage their expertise and understanding of clinical data to guide RHIOs and HIEs in establishing policies and procedures necessary to govern the exchange and use of the health information being shared. “It is not necessarily the volume of information that is being exchanged but handling the differences in various policies and procedures of the participating entities. There has to be a common agreement among the entities about the policies for privacy, security, and confidentiality. Different organizations might have different levels, so it is important to form a RHIO-level set of policies and procedures for doing the actual health information exchange,” says Mon. For example, policies governing whether shared data can be used for purposes other than patient treatment, payment, or operations, or if participating entities can create their own databases with shared information are “key sets of policies and procedures that have to be agreed upon by the health information exchange in the earliest stages,” says Mon.

They stressed the need for interdisiciplinary teams, especially including clinicians, as part of the decision process. Additionally, the teams will need to be educated on the issues as well. For the Boston project, a multi-stakeholder board was created and their support was needed to kick off the project. Consumer advocates (Healthcare for All) said they could endorse project if it contained some type of support. In Dr. Szabo’s session, entitled Legal Issues in Community Health Information Exchange Projects, (of which there are 3 in the Boston area), theirs began as a way of collaborating on prescription medicine. The State didn’t allow for the creation of a database to store Rx history, but the database contains health record information. They use MedsInfo MD to share hx to hospital ER’s. Data source is Rx claims data held by health plans and PBM’s (Pharmacy Benefit Mgrs). PocketScript contains the audit trails. The data sources set a lot of the conditions for access. Each has its own privacy issues: Health Plan Privacy Officers State Attorney General The Physician community was very unhappy. They had to create a formulary for sensitive drugs that could trace back to certain protected diseases, so the db would not be as complete as clinicians preferred. The physicians also wanted flags, but it was determined that flags could be indicative of the information the patient was excluding: e.g. This patient has prohibited information on behavioral health...” Might as well include the records if you’re going to have a flag. This also applied to excluded pharmacology on which inferences can be made based on the particular drug. They decided the ROI was too small because of the cost/benefit scale to be economical. The RIO is passing the hat for funding. One of the elements needed was a listing of physician emails for secure communication via VPN’s. Since most of our physicians don’t use the network email, this will be something to work on. The Massachusetts eHealth initiative was funded by Blue Cross of MA at $50m. They • Installed EMRs and HIE hubs in 3 communities • Training and support was included in the pilot period MAeHC developed “clinical summary” document for the code set

C. Zinakova Notes 10/17/08 Page 2 of 6

The two vendors used for the hub were: Wellogic and Data_____??. This was the eClinical Works was the vendor for the repository for the hub. Felt the public at large had difficulty with the concept because of their lack of trust in the security of technology. Community education is needed as well. With the proper community education at the physician’s office, they had 98% patient constent! Consent was one-time and ongoing until revoked. Providers had to agree that this EHR would be their only record of care. Their RHIO agreed to have consent on a practice-by-practice basis. Patient opts in after affirmative written consent before data can be moved to repository, but they can select which records (by practice) will be included. They can change this at any time. The benefits to the insurance carriers: • Administrative simplification • Better care • More efficient care Note: even though Blue Cross of MA funded this project, they agreed to have no access to the data in the repository. Community Exchange Privacy: • MPI and other tools used to secure the repository. • Physician agmts define appropriate use of data exchange • No “second consent” for puling summary from repository Remember, it is the ‘trusted insider’ who poses the largest threat in the misuse of privacy. Lessons Learned in Boston: • Getting data is like borrowing money – the source sets the rules. • HIPAA is a floor, not a ceiling. • Understand disclosure rules that apply to a data source and data type. • Trust is a bigger barrier than technology. • Consumer input is valuable, and consumer education is needed. • Automating an existing process is easier to “sell” than creating a new data flow where none existed before. • [email protected] 617.439.2642 eHealth Initiative 2008 Survey showed: • 69% of fully operable exchange efforts report reduction in healthcare costs • 52% report positive impacts such as o Reduction in Rx errors o Increased access to test results There are 3 models of HIE • Federated architecture – where the holders of the records retain control and supply the records as requested • Centralized – where there is a repository which maintains the records (incidentally, CMS prefers this method and favors certifying vendors to handle the technology end and maintain the repositories, and leaving the design and management of the system itself in the hands of the the RHIO stakeholders) • Some hybrid

C. Zinakova Notes 10/17/08 Page 3 of 6

The Colorado RHIO (CORHIO) has the federated approach. Participant facilities are Denver Health University and Childrens. A query polls the individual databases and returns whether it finds records for that particular patient. CORHIO used a record locater service and loaded demographic data for a period of 10 years. They used the last 4 of the SSN as an identifier because of multiple patients with the same DOB in their community. Record matching was significantly improved by adding this identifier element. Defaults were easy to identify, and could be manually adjusted. Naming conventions posed exchange issues. They attempted to optimize the record as well. Their record linkage was: 16% auto linked, nearly 20% more linked after manual review. The algorithms were tested and reviewed, and HIM was a heavy participant with the ‘scientists’ in refining the algorithm. CORHIO is a statewide system. It is Interoperable Standardized Shared investment It’s Board of Directors is represented by all stakeholder groups. The POC clinical data exchange (patient and/or provider): Clinical messaging (provider to provider) Population/public health (for provider, payer & public health) Administrative (provider and payer) UHIN – Utah Health Information Network, has been active for 14 years. Their eMPI was outsourced – they didn’t want to manage 10K records! Single sign-on is the same authorization process as ROI. Organizing their interchange matrix changed the process from A to B.

A.

B.

Privacy & Security Concerns: • Last 4 of SSN was made optional, because their ultimate goal was to get more providers using the system. • They had a Data Stewardship Agreement • They had a Data Use Agreement (took forever to flesh out and get unilateral agreement) • Opt-In/Opt-Out policy (this was done in 2 languages and written at the 8th grade level to ensure informed consent) o How the patient was informed varied between each organization o Each org. sends flag to RLS to indicated patient has opted out o Their system is all-inclusive – they did not use a practice-by-practice approach for patient consent and participation. The CORHIO had: Common vocabulary Aggregate records Decision support PT matching

C. Zinakova Notes 10/17/08 Page 4 of 6

They showed a demo of their system. It starts at login, then patient search. 3 searchable items are required to initiate a search. (Until less than 10 names come back on the search, the system will ask for additional information to narrow the search). Audit trail begins when a specific patient is selected. I can’t remember all the column headings on the first screen, but they included: description, date first diagnosed, ICD-9, Facility, Medicator, Radiology. EKG’s had options for EKG Reports and EKG Image. LOINC (Logical Observation Indicator Naming Codes) was used to compile their GUI. They took a statistical reading of the 100 most common tests for their specific participating physicians and facilities, and this was what they included in the options. Others were not included in the HIE. For lab tests, the reference range for the different facilties pops up when you hover over a test with your cursor. The screen is partitioned, so the less common tests are in the bottom, and the most frequently requests tests, CBC etc, are at the top. They said it is much easier to administer an opt-out than opt-in system. One of the first tasks was to standardize the Notice of Privacy Practices and the ROI forms between the participating institutions. They provided extensive identity validity training. They taught that you must have 5 data points that match before merging records. HISPC – Health Information Security and Privacy Collective They said that our state has a good system being tested in 3 cities in Washington. Jeff Hummel at Qualis Health is using the health banking model (which is a private HIE). CORHIO has role-based access control. Sun Microsystems was the access manager used, which was Liberty Alliance based in SAML language. Highlights from the Health Information Exchange and NHIN: A Technology Brief (handouts provided to you of the PowerPoint and the Brief. Many RIO’s have failed because lawyers have been involved and the process is as simple as ROI, which we (HIM) hae been doing for years. We know the legalities and we do it legally, so there is no needf for the duplicity and bottlenecks brought on by involving lawyers. There is no difference between HIE and the bank ATM process!!! Dr. Kolodner’s 2008 Report on the State of Health Information Technology Progress can be viewed in its entirety at http://www.hhs.gobhealthresources/HITStrategicPlanSummary.pdf. The most successful centralized model has standards/rules that have been established by the RIO. Steps that must take place to prepare your organization for participation in a HIE: 1. Update policies and procedures 2. Clean up your MPI 3. Plug leaks – centralize your ROI 4. Use one system 5. Use Electronic Review Record 6. Require internal electronic requests for audit and tracking a. Requestor names must be unique and used the same way each time. b. Internal requesters do not need authorization because it is the nature of their job to have access. c. Using Request IT module, Richmond, VA eliminated the need to manage faxes, spreadsheet requests, etc. All requests were submitted electronically. d. Legal may not accept electronic and may insist on original paper. 7. Require electronic requests from large external requestors a. Can be set up to request electronically if we set it up that way. 8. connect to the community, regional and national exchanges 9. Cost savings of electronic record requests averages $50-75K annually

C. Zinakova Notes 10/17/08 Page 5 of 6

When presenting to the “C Suite” (CIO, CEO, COO, et al.), directors need to think of the projects that improve patient care and the bottom line. They also must ask to be included at all meetings where HIE is being discussed. Remember, this is simply ROI and we are the subject matter experts in this.

C. Zinakova Notes 10/17/08 Page 6 of 6