Interoperable Solutions for Health Information Exchange in Utah: A

Interoperable Solutions forHealth Information Exchange

in Utah:A Final Report.

March 2007

Utah’s Network forPublic Health Electronic Information-

Privacy and Security Project

Submitted by:Lois Haggard, PhD, Project DirectorUtah Department of HealthPO Box 14201Salt Lake City, UT 84111

Submitted to:Cynthia Irvin, PhD, State LiaisonPrivacy and Security Solutions forInteroperable Health ExchangeResearch Triangle InstitutePO Box 121943040 Cornwallis RdResearch Traingle Park, NC

Contract No. 290-05-0015

A Utah Department of Health report for theHealth Information Security and Privacy Collaboration (HISPC), March 2007.

The Utah Department of Health Utah Network for Electronic Public Health Information Privacy andSecurity (Unify-PS) Project expresses its gratitude for the assistance, time and effort of the individu-als and organizations that participated in the Project Work Groups and survey process. Participants’voluntary time and input has been critical to identifying and documenting the privacy and securityconcerns in health information exchange and accomplishing the project objectives.

This project is funded through a grant from the Research Triangle Institute.Contract no. 290-05-0015

Questions or comments regarding this report should be directed to:

Francesca Garcia Lanier, Project CoordinatorUtah Unify-PSUtah Department of Health348 East 4500 SouthSalt Lake City, UT 84107

Email: [email protected]: 801.892.6649

i

Table of ContentsExecutive Summary ........................................................................................................................11.0. Purpose and Scope.................................................................................................................3

1.1. Purpose of Report ..............................................................................................................31.2. Background .......................................................................................................................31.3. Utah Health Information Technology ...................................................................................31.4. Report Limitations ..............................................................................................................6

2.0. Assessment of Variation ..........................................................................................................72.1. Methodology ......................................................................................................................72.2. Summary of Relevant Findings ...........................................................................................72.3. Scenarios ..........................................................................................................................8

2.3.1. Treatment ...............................................................................................................82.3.2. Payment ............................................................................................................... 142.3.3. Regional Health Information Network (RHIO) .......................................................... 152.3.4. Research .............................................................................................................. 152.3.5. Law Enforcement .................................................................................................. 172.3.6. Prescription Drug Use/Benefit ............................................................................... 182.3.7. Healthcare Operations/Marketing .......................................................................... 202.3.8. Bioterrorism .......................................................................................................... 212.3.9. Employee Health................................................................................................... 232.3.10. Public Health ........................................................................................................ 242.3.11. State Government Oversight .................................................................................. 26

2.4 Summary of Critical Observations ..................................................................................... 273.0. Solutions ................................................................................................................................ 28

3.1. Summary of Assessment of Variation .............................................................................. 293.2. Effective Practices ........................................................................................................... 303.3. Variation Not Addressed by Solutions Work Group .......................................................... 31

4.0. Analysis of Solutions .............................................................................................................. 315.0. State Solutions ....................................................................................................................... 32

5.1. Solutions Work Group ..................................................................................................... 325.2. Identifying Solutions ......................................................................................................... 325.3. Inappropriate Scenarios or Exchanges ............................................................................. 345.4. Vetting, Evaluating and Prioritizing Solutions ................................................................... 355.5. Organizing and Presenting Solutions ............................................................................... 355.6. Determination of Feasibility .............................................................................................. 39

6.0. Analysis of Proposed Solutions ............................................................................................. 416.1. Solutions to Variations in Business Practices and Policies ............................................. 41

Technological ................................................................................................................... 41Administrative ................................................................................................................... 48Legislative ........................................................................................................................ 49Educational ...................................................................................................................... 50

6.2. State Privacy and Security Laws/Regulations .................................................................. 516.3. Contradictory Federal and State Laws/Regulations .......................................................... 516.4. Interstate e-Health Information Exchange ......................................................................... 51

7.0 National Level Recommendations ............................................................................................ 51Appendices

A. RTI Standard Scenarios ...................................................................................................... 53B. Participating Stakeholders .................................................................................................. 61C. Business Practice Data ..................................................................................................... 64D. Work Group Members ........................................................................................................ 94E. Business Practice Data Map by Scenario .......................................................................... 98F. Solution Work Group Decision Tree .................................................................................. 117G. Legal Reference Guide ..................................................................................................... 119

References .................................................................................................................................. 133

ii

Executive Summary

Beginning in July of 2006, the Utah Net-work for Electronic Public Health Informa-tion, Privacy and Security (UNIFY-PS)Project began collecting data from Utah’shealthcare community regarding health in-formation exchange business practices,policies, and state laws. This report is thethird in a series that documents the ef-forts of the project workgroups to identifyconstraints on appropriate exchanges ofhealth information, privacy and or secu-rity risks, and solutions that balance pri-vacy and security and facilitate appropri-ate exchanges of health information whileensuring patient rights.

Utah’s healthcare industry is in transitionfrom a paper to an electronic environmentand requires policies supportive of aphased migration. The findings refine andexpand on the two previous interim re-ports; Assessment of Variations and In-terim Solutions offered by the VariationsWorkgroup (VWG) and SolutionsWorkgroup (SWG). As such, the reportconsists of six major sections:

• Background and Purpose• Assessment of Variation• Summary of Key Findings

from Assessment of Variations• Review of State Solution Iden-

tification and Selection Pro-cess

• Analysis of State ProposedSolutions

• National-Level Recommenda-tions

The data for this report was collected froma volunteer nonrandom sample of Utahhealthcare stakeholders that were deter-mined to have knowledge or engage inbusiness practices relevant to each sce-nario. Care was taken to include diverserepresentatives from (urban and rural ar-eas, differing size, profit/nonprofit, inde-

pendent) Utah to provide a comprehensive re-port of interoperability privacy and security.

The VWG met to determine which of the 154business practices collected served as a bar-rier, without judgment, to HIE within the state.From these meetings three key findingsemerged:

1. Health care providers obtained pa-tient authorization to disclose healthinformation for all situations exceptemergency situations.

2. Variations existed regarding themethods used to transmit protectedhealth information with facsimiletransmission being the most com-mon. Variation further existed withregards to beliefs and understandingof transmission security.

3. Rules and statutes varied with re-gards to protected health information(PHI) and, as a result, entities imple-mented business practices accord-ing to a variety of legislative guide-lines. Those guidelines primarily in-cluded either HIPAA or CFR 42 Part2.

The Legal Work Group determined that a fewbusiness practices were driven by state stat-ute. Utah Privacy or Tort Law was cited moreoften as a constraint in that organizationalpractices were defensive measures put inplace to protect against tort litigation.

E-Health in Utah is quickly becoming ac-cepted as a means to improve healthcare,lower costs, and promote healthier commu-nities. It is clear that to continue to moveeHealth forward requires developinginfrastracture capacity to supportinteroperability. Utah’s history of public/pri-vate partnership demonstrates a commitmentto open market solutions. While the proposedsolutions represent only one network, a stra-

1

tegic planning effort must include all playersin the healthcare industry as well as vendorsand other entities that bring vital resourcesto the table. An open dialogue is needed togain common understanding if we are to suc-ceed in communicating with other agenciesand organizations while maintaining privacyand security.

The solutions presented in this document areintended to preserve essential privacy andsecurity protections, establishing a founda-tion for consumer trust with a patient’s bill ofrights and moving forward electronic connec-tivity to permit appropriate exchange of healthinformation.

2

1.0 PURPOSE and SCOPE

1.1 Purpose of ReportDifferent patient care needs andinterpretations of Health InsurancePortability and Accountability Act (HIPAA)have spawned variations in businesspractices and policies across healthcareorganizations that sometimes work toinhibit exchange of clinical information.The purpose of this report is to documentorganizational business policies,practices, and state laws that mayconstrain the private and secure electronicexchange of health information anddiscuss proposed strategies and tofacilitate appropriate health informationexchange between healthcare industrystakeholders.

1.2 BackgroundIn September 2005, the Agency forHealthcare Research and Quality (AHRQ)awarded an 18-month, $11.5 millioncontract to Research Triangle Institute(RTI), International in a national effort toaddress privacy and security policyquestions regarding Health InformationExchange (HIE) 1. The Privacy andSecurity Contract term was then extendedto 19 months, and the funding increasedto $17.23 million. This award is driven bynational efforts to achieve medicalinteroperability as well as explore thepossibility of a National Health InformationNetwork (NHIN). To coincide with theexploration of these technologicaladvances, President Bush released a2004 directive for interoperable electronichealth records by 2014 and subsequentlycreated the Office of the NationalCoordinator for Health InformationTechnology (ONC) 2. Under the contract,RTI, along with the National GovernorsAssociation (NGA) Center for BestPractices, implemented its HealthInformation Security and PrivacyCollaboration (HISPC), under which itsubcontracted with 33 States and PuertoRico to assist them with doing thefollowing:

· Identify variations in organization-

level business privacy and securitypolicies and practices that affectelectronic clinical HIE;

· For those practices that Statesconsidered desirable, documentingand incorporating them into proposedsolutions;

· For those with a negative impact,identify the source(s) of the policy orpractice and propose alternatives;

· Preserve privacy and securityprotections as much as possible in amanner consistent with interoperableelectronic HIE;

· Incorporate State and communityinterests, and promote stakeholderidentification of practical solutionsand implementation strategiesthrough an open and transparentconsensus-building process; and

· Leave behind in States andcommunities a knowledge base aboutprivacy and security issues inelectronic HIE that endures to informfuture HIE activities.

Throughout the summer and fall of 2006, theUtah Privacy and Security Project, UtahNetwork for Electronic Public HealthInformation Privacy and Security (UNIFY-PS),under the direction of the Utah Digital HealthServices Commission (UDHSC) 3, engagedstakeholders from healthcare, lawenforcement, public health, consumer andother realms in a discussion to examineprivacy and security issues related to HIE.

1.3 Utah Health Information TechnologyUtah’s healthcare system, along with that ofthe nation, is moving into the electronic age.The secure sharing of health informationelectronically is referred to as e-Health4, andit is making great strides in Utah to improvehow doctors, hospitals, health insurancecompanies and public health departments aremeeting the healthcare needs of all Utahans.The Utah Department of Health’s ExecutiveDirector, Dr. David Sundwall, has praised thetechnological advances in health informationinteroperability5 and has been appointed toserve on the newly created, and NGA-

3

sponsored, “State Alliance for e-Health.”6

UNIFY, a Utah Department of Health (UDOH)Center for Health Data project funded by theRobert Wood Johnson Foundation, isdeveloping a plan for new systems in theareas of making perinatal electronic medicalrecords (EMR’s) interoperable with the UtahBirth Certificate, the exchange of standardimmunization records between the Utah StateImmunization Information Systems (USIIS)and clinical EMR’s, and disease surveillanceusing electronic laboratory results data. Thetechnology for these avenues ofinteroperability was established by thepartnering of the University of Utah,Intermountain Health Care (IHC), and theUniversity of Pittsburgh following ademonstrated need for syndromicsurveillance during the 2002 Winter Olympicsin Salt Lake City.

In 2004, UDOH was awarded a multi-yearmultimillion dollar contract from AHRQ topartner with the Utah Health InformationNetwork (UHIN) and demonstrate a businesscase for clinical exchange in Utah. Thisfunding is enabling UHIN to leverage itssystems for the exchange of claims data tosupport the transmission of clinical, ratherthan administrative, data. Pilot projects arecurrently underway for the exchange ofdischarge summaries between hospitals andphysicians, patient history and physicalexams between physicians and hospitals,laboratory results between labs andphysicians, and medication histories amonghealth plans, physicians, pharmacies andhospitals.

Similarly, in 2006, the University of Utahestablished the Center for Excellence inPublic Health Informatics as supported by athree-year Center for Disease Control (CDC)grant submitted jointly by researchers at theUniversity of Utah Department of BiomedicalInformatics, IHC, and UDOH staff.Collaborative projects funded through thecenter include real-time clinical electronicnotifiable disease reporting, research on theprevention of deaths and adverse events dueto non-illicit drug use, and improved linkageof patient immunization records in thestatewide immunization registry.

The primary partner of the Utah Departmentof Health in this Privacy and Securityinitiative, HealthInsight, entered into athree-year contract with the Centers forMedicare & Medicaid Services (CMS) inmid-2005 to help physicians assess thebenefits and overcome barriers to adoptingand using Electronic Health Records(EHRs) and other health informationtechnology. As part of the Doctors OfficeQuality Information Technology (DOQ-IT)project, HealthInsight is working withphysicians to understand the potential ofhealth information technology such as e-prescribing, electronic management of labresults, electronic medical image storageand transmission, and deployment of fullelectronic health records for improving carein ambulatory settings where most patientcare is provided. HealthInsight willencourage adoption of HIT by helpingphysicians in Utah and Nevada learn aboutthe clinical advantages of using EHRs formanaging and improving care.

Other active Health Information Technology(HIT) efforts of the Utah Department ofHealth include the Utah Patient SafetyProgram, re-engineering of the MedicaidManagement Information System,Immunization Registration, and theChildren’s Health Advanced RecordsManagement (CHARM), child healthinformation integration program. Inaddition, the Utah Bureau of Epidemiologycurrently collaborates with UHIN to expandthe Remote Outbreak Detection System(RODS), which was implemented duringthe 2002 Salt Lake City Winter Olympicsto conduct syndromic surveillance in Utahemergency rooms and pharmacies.

Utah has a long history as a center for thedevelopment and use of informationtechnology to support health care delivery.3M Health Information Systems wasestablished in Salt Lake City in 1983 andtoday is a world leader in medical recordscoding and computerized patient records.Utah’s largest private health system isIntermountain Healthcare, a pioneer in theuse of computerized patient records inhospitals and the electronic medical record(EMR) in clinical practice. Intermountain

4

Healthcare has ranked as one of thenation’s 100 Most Wired health systemsfor five consecutive years, by AmericanHospital Association’s Hospitals & HealthNetworks magazine. Utah has also beena leader in biomedical informaticsresearch, since the founding of theDepartment of Medical Informatics in 1972at the University of Utah.

Utah also has a somewhat unique twelve-year history of our health care stakeholdercommunity coming together through UHINto agree on standards for the exchangeof electronic health care information. Priorto the nationwide adoption of the HIPAAelectronic data interchange standards,insurers, hospitals, physicians, stategovernment and other stakeholders cametogether and, in a process that took severalyears, developed a consensus onstandards for the exchange of theadministrative data necessary to processelectronic claims. The group of tradingpartners opted to stay within the AmericanNational Standards Institute (ANSI) X12framework and, as a result, influenced thenational standards that were ultimatelyadopted under HIPAA. The tradingpartners eventually became the nonprofitUHIN Board of Directors, which is nowcomprised of representatives of 17insurers, provider organizations and otherinterested parties, including stategovernment. In 2004 the UHIN Boardapproved the formation of a number of newtechnical and governance committees todevelop models for the exchange ofclinical information. As a result, scoresof individuals representing theirorganizations are currently engagedactively in developing a new communityconsensus on the foundations for asystem of clinical exchanges.

A measure of the maturity of HIT initiativesin Utah is that the state’s focus is nowarguably on sustainability. UHIN hasendured as a community resource for theexchange of administrative data in nosmall measure because of its self-sustaining business model. Tradingpartners pay either membership ortransaction fees to participate in the

network of exchanges. Over time, theincreased efficiencies of electronic commercehave resulted in savings to participants, aswell as reductions in the transaction feesnecessary to sustain the network. There is aconsensus in the stakeholder community thatclinical exchanges must be similarly self-sustaining through contributions of thoseengaged in the exchange of clinical healthinformation. A primary focus of stakeholderworkgroups is always developing the businesscase, along with the technical model, for newapplications of health information technology.A second indicator of the maturity of thecommunity’s approach to HIT is theacceptance of the importance of standards asthe basis for the exchange of electronic healthinformation. Currently, 34 community-basedhealth care data standards have been issuedin regulations by the Utah InsuranceDepartment, which is required by state law toadopt standards for health care claims andrelated issues. Each of these has beendeveloped through a voluntary deliberativeprocess that is sponsored by the UHIN Board,but is open to anyone who wishes toparticipate. Again, Utah standards are alldeveloped within the framework of nationalstandards to avoid creating an idiosyncraticregional market. The Utah healthcarestakeholder community has been activelyengaged for over a decade in sorting throughissues associated with HIT. It is a communityaccustomed to reliance on openly developedstandards as the basis for health informationexchange, leaving private technology vendorsthe task of aligning health care applicationswith the standards. Despite this level of HITsophistication in the Utah stakeholdercommunity, the rate of adoption of EMR inUtah has been very similar to the United Statesas a whole. Obviously, there continue to bebarriers to the use of current HIT in clinicalhealthcare; no doubt the same barriers,including privacy and security-related barriers,that health care providers experienceelsewhere. So, it is important that the Utahstakeholder community engages in thisdialogue over the privacy and securityinfrastructure that is necessary to facilitateprogress in the widespread adoption of EMRand other health information technology.

Patients in rural areas of the state also benefit5

from Telehealth (the use of electronicinformation and telecommunicationstechnologies to support long-distance clinicalhealth care and patient education)opportunities that electronic medical recordscan provide. Quality of patient care isexpected to increase when physicians havemore complete information on a patient andcan provide better continuity of care. Forexample, each day in Utah, doctors seenearly 2,000 patients in hospital emergencydepartments5. Emergency departmentdoctors need information on patientmedications, allergies and disease history.Getting the information from a patient’s doctorquickly and efficiently would literally save livesin many cases. The core technology toaccomplish health information exchange isthe EMR. UHIN, which routes electronicinsurance billing transactions for 95 percentof Utah health care providers, estimates that20 percent of Utah physician offices haveadopted EMR systems. In a recentexperiment conducted in Utah and Idaho1,doctors were given hand-held personal digitalassistants (PDAs) programmed with adecision-support tool. The doctors who usedthe PDAs were more likely to prescribeappropriate antibiotics and less likely to overprescribe them. Decision-support systemssuch as this can be built into an EMRsystem. Much of the eHealth activity in Utahinvolves leveraging existing technologies andinformation standards that have beendeveloped through community participationin UHIN. Specific projects are underway toprovide electronic sharing of laboratory resultsfrom the lab to the doctor, hospital dischargenotes from the hospital to the doctor, apatient’s medical and medication history fromone doctor to another, and e-prescribing. Sofar, none of Utah’s planned projects includesmaintaining a central database of patientinformation. In all the Utah eHealth projects,the initial goal is to transform the papertransactions that are already happening orshould be happening and make them moreefficient and secure. The first step issomewhat similar to the difference betweena fax and an email.

As Utah moves e-Health forward, it becomescritical to define with whom, and under whatconditions, HIE interoperability is achieved.

1.4 Report LimitationsServing as an impediment to the datacollection process was the perception, onthe part of the researchers involved, that avested stakeholder interests in HIEultimately may have resulted in aprecautionary approach to definingbusiness practices as barrier, neutral, andaid, as well as providing solutions andsuggesting implementation. It wasdetermined by the researchers that theoutcome of this project could possibly beviewed as an infringement on livelihood ora critique of business model.

Furthermore, it was noted that several ofthe scenarios were not applicable to theexchange of electronic PHI as it occurs inthe state of Utah and that during thecombined Work Group process additionalbarriers were identified and informationcollected. For example, scenarios six and18 were not seen as applicable, a payerwould not request access to medicalcharts (see scenario five - payment), anddisagreement was noted betweenemergency room physicians for handlingrequests for patient information (seescenario one - patient care A).

To further limit the research findings, theVWG asked stakeholders to considerelectronic exchange in what is primarily apaper-based environment. As it stands,HIE on an electronic basis is mostly doneby providers and payers utilizing UHIN toexchange administrative data in theprocessing of claims. Little, if any, clinicaldata is exchanged electronically in thestate of Utah.

6

2.0 ASSESSMENT OFVARIATION

Phase one of this project assessed thedegree to which variation existed amongstakeholder business practices regardingthe exchange of health information. Toaccomplish this, the 18 standardizedscenarios were delivered to 77stakeholders (See Appendix B) and fromthis 142 business practices were derived(N = 142; see appendix C). Thesebusiness practices were further divided intothree categories: Neutral (n = 42), Aid (n= 56), or Barrier (n = 44).

2.1 MethodologySponsored by HealthInsight 8, Utah, andchaired by John Nelson, MD7, theVariation Work Group (See Appendix D)conducted a broad canvas of Utah’shealthcare community and identifiedcurrent privacy and security businesspractices and policies regarding exchangeof personal health information. Membersof this group, along with additionalhealthcare community stakeholders,identified variations in business practicesand policies that presented barriers toelectronic exchange of protected healthinformation (PHI).

The ad-hoc VWG began to recruitstakeholders based on guidance outlinedin the original proposal by RTI Internationaland the NGA. Release of the 18 scenariosindicated that additional stakeholders wereneeded to collect all pertinent businesspractice data. The ad-hoc VWG thenrecruited additional stakeholders to matchthe stakeholder requirement of eachscenario. This allowed for more accurateportrayal of business practice. Multiplemethods to collect business practicesfrom across the state were used withefforts being made to create arepresentative sample of the state (e.g.,rural vs. urban, large vs. small). Over 100stakeholders were contacted bytelephone, with 77 participating in thecollection of business practices. Effortswere made to ensure respondent

confidentiality and anonymity, although theintimate nature of the state often revealedstakeholder identity to varying work groupmembers. Following telephone contact,participating stakeholders received an emailsurvey. The survey contained detailedinstructions, the applicable scenario, andspecific questions tailored to the stakeholders’setting. The questions were designed toinvestigate, in depth, the stakeholders’business practice. Email also provided anopportunity for individual stakeholders toattach applicable policies with their response.In many cases, the variation group membersand project team conducted a follow-up phoneinterview or continued with emailcorrespondence to clarify or confirm thebusiness practice(s) in question. In otherinstances, the project team visitedstakeholders and conducted face-to-facesemi-structured interviews.

2.2 Summary of Relevant Findings- Information use and disclosure for

treatment, payment, and healthcareoperations was understood and, whileallowable under HIPAA withoutauthorization, most providers stillrequested patient authorization aspart of the disclosure process.

- Information transmission or exchangesecurity protocols were in place, butvaried by provider and stakeholderentity. There was a generalacceptance of mail, but fax was theoverriding practice. Some largerentities had the capability ofautomated encryption for emailtransmittal yet not everyone had ameans of secure email capability ortrusted email transmission of PHI.

- Differential application of 42 CFR Part2 consent requirements and HIPAAprovisions for use and disclosure wasdifficult to untangle. When did 42CFR Part 2 apply and under whatconditions?

In a treatment setting most healthcareprofessionals understood the HIPAA treatment,

7

payment, and healthcare operations provisionthat provided for disclosure without patientauthorization. Yet even given that allowance,in a non-emergency situation, providers orfacilities more often than not requested thatpatient authorization be obtained as part ofthe disclosure process. The explanationsfor why this occurred included a requirementby the holder of the record, a defensive orprotective measure against malpractice orprivacy lawsuits, or a good consumer-conscious practice.

Transmission and exchange of informationtypically occurred by whatever means wasmost expedient given the situation.Healthcare providers across the state had ageneral familiarity with exchange partners’methods of communication and adapted towhat was necessary to continue the treatmentof the patient. In Utah, facsimile transmissionwas the most commonly used mode oftransmission. In most long-term carefacilities surveyed it was noted as being theonly means for exchange. Many hospitals,on the other hand, had more sophisticatedsystems with automatic encryption when thestring “PHI” was detected in the subject lineof an email.

2.3. ScenariosBusiness practice data was collected from77 Utah stakeholders (e.g., hospitals,physicians, pharmacies, laboratories, payers,law enforcement, EMS, state agencies,public health and consumers) using 18standardized scenarios. The scenarios detaila mix of health care information exchangesituations including:

patient care (one through four);payment (five);regional health information exchange-

RHIO (six);research data use (seven);access by law enforcement (eight);pharmacy benefits (nine and ten);healthcare operations and marketing

(11 and 12);bioterrorism (13);employee health information (14);public health (15, 16, and 17); andhealth oversight (18).

While all 18 scenarios were not applicableto the state of Utah, responses weremodified or elaborated on if a similar orslight variation of the scenario would bemore likely to take place. Any deviationfrom the original scenario was noted.

2.3.1. TreatmentScenario 1 Patient Care APatient X presents to emergency room ofGeneral Hospital in State A. She has beenin a serious car accident. The patient isan 89-year old widow who appears veryconfused. Law enforcement personnel inthe emergency room investigating theaccident indicate that the patient wasdriving. There are questions concerningher possible impairment due tomedications. Her adult daughter informedthe ER staff that her mother has recentlyundergone treatment at a hospital in aneighboring state and has a prescriptionfor an antipsychotic drug. The emergencyroom physician determines there is a needto obtain information about Patient X’s priordiagnosis and treatment during the previousinpatient stay.

Scenario 2 Patient Care BAn inpatient specialty substance abusetreatment facility intends to refer client Xto a primary care facility for a suspectedmedical problem. The two organizationsdo not have a previous relationship. Theclient has a long history of using variousdrugs and alcohol relevant for medicaldiagnosis. The requested substanceabuse information is being sent to theprimary care provider. The primary careprovider intends to refer the patient to aspecialist and send all of his/her informationincluding the substance abuse informationreceived from the substance abusetreatment facility to the specialist.

Scenario 3 Patient Care C5:30pm Dr. X, a psychiatrist, arrives at theskilled nursing facility to evaluate hispatient, recently discharged from thehospital psych unit to the nursing home.The hospital and skilled nursing facility areseparate entities and do not shareelectronic record systems. At the time of

8

the patient’s transfer, the dischargesummary and other pertinent records andforms were electronically transmitted tothe skilled nursing home.

Upon entering the facility Dr. X seeksassistance in locating his patient, gainingentrance to the locked psych unit andaccessing her electronic health record toreview her discharge summary, I&O, MARand progress notes. Dr. X was able toenter the unit by showing a pictureidentification badge, but was not able toaccess the EHR. As it is Dr. X’s first visit,he has no login or password to use theirsystem.

Dr. X completes his visit and prepares tocomplete his documentation for thenursing home. Unable to access theskilled nursing facility EHR, Dr. X dictateshis initial assessment via telephone to hisoutsourced, offshore transcription service.The assessment is transcribed and postedto a secure web portal.

The next morning, from his homecomputer, Dr. X checks his email andreceives notification that the assessmentis available. Dr. X logs into his office webportal, reviews the assessment, andapplies his electronic signature.

Later that day, Dr. X’s Office Managerdownloads this assessment from the webportal, saves the document in the patient’srecord in his office and forwards the nowencrypted document to the long-term carefacility via email.

The skilled nursing facility notifies Dr. X’soffice that they are unable to open theencrypted document because they do nothave the encryption key.

Scenario 4 Patient Care DPatient X is HIV positive and is having acomplete physical and an outpatientmammogram done in the Women’sImaging Center of General Hospital inState A. She had her last physical andmammogram in an outpatient clinic in aneighboring state. Her physician in State

A is requesting a copy of her complete recordsand the radiologist at General Hospital wouldlike to review the digital images of themammogram performed at the outpatientclinic in State B for comparison purposes. Shealso is having a test for the BrCa gene and isrequesting the genetic test results of herdeceased aunt who had a history of breastcancer.

2.3.1.a. StakeholdersHospitals. The majority of stakeholdersresponding to treatment scenarios one throughfour were hospital affiliated respondents (n =7) including a privacy and quality improvementofficer, an emergency room physician at atertiary hospital, as well as radiological staff,file clerks, and breast care coordinators atseveral tertiary hospitals. Hospitalrespondents were involved in answeringscenarios one and four. The single hospitalstakeholder for scenario three is the managerof the HIPAA privacy office for an integrateddelivery system.

Community Clinics. While the center managerand director of a community clinic alsoresponded to scenario four, the remainder ofcommunity clinics (n = 5) answered scenariotwo. The unique nature of Utah’s healthcaresystem showed an overlap in communityclinics and health centers that serve ashomeless shelters and provide care forsubstance abuse and mental health patients.These respondents included the director of aprivate, nonprofit program and the executivedirector at a state-licensed substance abusetreatment center. Also included in communityclinic and health center respondents were aphysician and medical director whose clinicis part of an integrated delivery system, aswell as an office manager at a residentialeating disorder facility.

Public Health Facilities. The public healthagency that responded to scenario tworeceives a combination of government, privatefoundation, and individual contributions.Respondents for the public health agencyincluded its director and a practicing physicianassistant.

9

Clinicians. The clinician represented thechairman of the department of psychiatry ata tertiary hospital who also maintains a privatepractice and serves as faculty at a medicaland public health school that undertakesresearch.

Long-Term Care Facilities. Respondents toscenario three included the chief executiveofficer at a not-for-profit senior care facilityand the financial service consultant forrehabilitation and extended nursing carefacility.

2.3.1.b. DomainsInformation Authorization and AccessControls. In treatment scenarios one throughfour, the privacy and security domain thatlisted the greatest number of businesspractices was in regards to informationauthorization and access controls (n = 15).It was found that, within this domain, variationexists with regards to the urgency of thescenario, the information being exchanged,and the individual identity of the stakeholdersinvolved.

Access to PHI was granted with the leastamount of difficulty to those working in anemergency medical environment. In thosesituations, security administration policiesand procedures existed that would allow anindividual to access electronic and paper PHIbased upon their role and responsibility. Asthe level of care and priority of treatmentbecame less critical, access andauthorization became more guarded betweenentities called upon to share PHI, specificallyin the instances regarding access tosubstance abuse information.

PHI containing a history of substance abusewas shared, following patient authorization,according to the specifics of 42 CFR Part 2,which details what information is to beexchanged, between what parties, and forwhat period of time. This “minimuminformation sent” was described by aphysician’s assistant as having “little utility”and therefore was disregarded in favor ofobtaining the patient’s history of substanceabuse directly from the patient. This notionof “little utility” was again voiced by a general

care practitioner who indicated that aspecialist would determine whatinformation was needed and initiate therequest for PHI with the substance abusepatient being physically in the specialist’soffice. Just as HIPAA contains a “minimumnecessary” disclosure mechanism and thePrivacy Rule allows for communication ona “need-to-know” basis, 42 CFR Part 2contains a consent-driven disclosuremechanism that requires thecommunication of information within theprogram (or to an entity with directadministrative control over the program) tobe limited to those persons who have aneed for the information in connection withtheir duties that arise out of the provisionof diagnosis, treatment or referral fortreatment of alcohol or drug abuse. (See42 CFR § 2.12).

In a long-term care facility, access toelectronic and paper PHI was dependenton the stakeholder involved. Physiciansand other health care providers withrequired credentials would be grantedtemporary access to their patient recordson a “need to know” basis. The majority ofrespondents to scenario three indicatedaccess to protected health information wasobtained electronically with a login andpassword. In a long-term care facility,access to electronic and paper PHI wasdependent on the stakeholder involved.Physicians and other health care providerswith required credentials would be grantedtemporary access to their patient recordson a “need to know” basis. The majority ofrespondents to scenario three indicatedaccess to protected health information wasobtained electronically with a login andpassword. There was variation notedamong long-term care facilities’ practicesfor granting physicians temporary accessto their facility and records system butfacilities have procedures in place shouldtemporary access be necessary undersuch situations. The sharing of patientinformation differed from entity to entitywith some requiring that a businessassociate agreement be in place andothers indicating such agreements are notnecessary between providers involved inthe treatment of a patient. This was

10

specifically the case when the access ofinformation was between the long-termcare facility and physician whencompared to an exchange betweenphysicians. While a business agreementwas identified as the correct practice whena physician served as a consultant to thelong-term care facility, a businessagreement was not required for aphysician involved in the treatment ofpatients at the long-term care facility.

The long-term care facility could grant ahealth care provider access to patientrecords when appropriate via an electronicsystem at the discretion of the long-termcare facility. Long-term care facilitiesoperating electronic medical recordsrequired technical safeguards includingunique user identification and proceduresfor accessing electronic PHI in anemergency. This were true even if accesswere temporary. (See 45 CFR §164.514:(d)(2)(i); § 164.312).

Information Transmission Security orExchange Protocols. Little variation intransmission and transmission securitywas evident among the majorstakeholders in the health carecommunity of Utah with the exceptionbeing security measures employed bysubstance abuse treatment facilities.Long-term care facilities predominantlyused electronic fax as their method ofchoice for health informationtransmissions as do hospitals, physicianoffices, and other major stakeholders.Less utilized means of transmissionincluded mail, courier, and patient pickup.The large hospitals and the integrateddelivery systems stated having the abilityto use encrypted email, but this methodwas not yet widely used and/or accepted.A stated reason for this was that manyfacilities have policies in place that prohibitemail use for transmitting patientinformation.

The sensitivity of the information beingtransmitted notably influenced the securitymeasures employed. Substance abuseproviders noted that they would verify theentity requesting substance abuse PHI,

ask the receiver to stand by the fax machine,stamp the fax cover sheet with “re-disclosureprohibited,” attach the full CFR 42 Part 2 re-disclosure prohibition with the fax, and requirea follow-up fax acknowledging receipt. Whendisclosing PHI to an individual, one treatmentfacility reported they required a signed receiptthat would be placed in the patient record.These more stringent measures stood incontrast to physicians who reported theyregularly disclosed patient information over thephone once they were confident they weretalking to an appropriate caregiver. Howconfidence was obtained was never fullyverbalized, rather it was suggested that theconversations that took place would be thosethat would only occur between physicians. Assuch, physicians were able to forward patientinformation without patient authorization orconsent (much to consumer surprise, who wasunder the impression that consent wasrequired). What CFR 42 Part 2 does not entailis the transmission of PHI. Only HIPAA givesgeneral guidelines that include: 1. Coveredentities use appropriate administrative,technical, and physical safeguards to protectthe privacy of PHI; and 2. Covered entities tohave policies and procedures in place that arereasonable and appropriate to comply with theSecurity Rule. (See 45 CFR §164.530 (c)(1);§ 164.306).

The electronic methods (CDs and the Internet)are used commonly with other radiology films(e.g., x-rays) in Utah, especially among largefacilities. Mammography films were a uniquecase in Utah as the technology for digitalmammograms has not been fully accepted andimplemented. Until recently, most physiciansdid not feel comfortable with the resolution ofelectronic mammography films and whilesome facilities now have the capability to makeCDs and use the Internet (by PACS, picturearchiving and communication system) totransfer mammography films, they reportedrarely utilizing these methods. It was foundmore common to transfer films by the patientor patient representative hand-carrying themor to send films by U.S. mail. At onemammography file room, the file clerk reportedthat they require a twenty-four hour notice onall film requests to allow for the processing ofthe patient film and record and that anyindividual attempting to obtain the film present

11

an approved form of identification.

User and Entity Authentication. Little variationwas reported regarding the treatmentscenarios when detailing business practicesthat would authenticate a person or entityseeking access to PHI. Hospitals,community clinics, and substance treatmentfacilities commonly accepted a fax requeston letterhead as a form of authentication andoften disclosed information over the phoneas providers are usually familiar with oneanother and referral is common. In onehospital emergency room, a physician notedthat when requests involved emergencysituations, he asked for a national physicianidentification number. In addition, theemergency room physician stated use of theInternet to verify the requesting facility. Thiswas determined to not be an extensivepractice however as that majority of providersquestioned stated that they accept requestsfor PHI as common occurrence. Onesubstance abuse treatment facility reportedusing a signed receipt from the requester ofall medical information at their facility,regardless of delivery method.

While Utah State Code does not requireauthentication, HIPAA specifies that coveredentities receiving a request for patient medicalrecords authenticate the identity of requesterprior to sending medical information. HIPAAdoes not specify what steps are required toverify. If reasonable steps are taken, thedisclosing covered entity is entitled to relyon the verification. See 45 CFR § 164.312(d)(e); § 164.514(h)].

Administrative or Physical SecuritySafeguards. Administrative or physicalsecurity practices to secure patient healthinformation varied widely given the entity andscenario. Training in data security was notedas a requirement for each staff member,including volunteers, at one respondinghospital. Conversely, community clinic/public health agency employees andvolunteers with direct access to patientcharts/records reportedly were required tosign confidentiality agreements prior toaccess while long-term care facilities andmost hospitals require a login and passwordfor all staff with access granted on a “need to

know” basis. No one reported the use ofsharable passwords.

The long-term care facility responding alsostated that they could grant a health careprovider access to patient records whenappropriate. The decision to granttemporary access to the patient record viathe electronic system was found to be atthe discretion of the long-term care facilityand any long-term care facilities operatingelectronic medical records requiredtechnical safeguards including unique useridentification and procedures for accessingelectronic PHI in an emergency. This wasfound to be true even if access weretemporary.

Hospital safeguards were generallyelectronic in nature and included passwordsand security access cards. Access to thefacility and to patient records was linkedto the identity of the individual staff memberthrough electronic identification. Recordssystems in community clinics, publichealth agencies, and long-term carefacilities tended to be paper-based andincluded locked and double locked doors.Substance abuse treatment facilitiesplaced a higher degree of sensitivity on thesubstance abuse PHI by placing it behinddouble locked doors.

Information Use and Disclosure Policy.Utah business practices involving healthcare entities sharing clinical healthinformation in a paper environment did notshow variation across the treatmentscenarios. Data gathered regardinginformation use and disclosure indicatedthat most covered entities preferred to getpatient authorization to disclose patienthealth information with the exception of anemergency situation. Business practicedata showed methods to account fordisclosures including, but not limited to,signed receipts and requests that wouldbe placed in the patients chart, informationexchange logs, and verification of recipient.

State Law Restrictions. Particular toscenario four, Utah Code Ann. §78-25-26stipulates who can be recognized as apersonal representative to authorize access

12

to the medical records and information ofa deceased relative. The release of thegenetic information of a deceased patientis not accessible through the signedauthorization of next of kin unless thatperson is the personal representativeunder Utah State Code. The release isallowable with the authorization of eithera personal representative or the executorof the deceased’s estate. There are noadditional state law restrictions with regardto information types and classes by whichelectronic personal health information canbe viewed and exchanged specific to thetreatment scenarios.

2.3.1.c. ObservationsScenario One. When an emergency roomphysician is involved in an emergencysituation and needs a patient’s medicalinformation, the physician reported effortsare made to access the patient’s medicalinformation without patient authorization.In emergency situations, hospitalsreportedly disclosed information withoutauthorization to a requesting coveredentity once that entity was verified. Thiswas not the case in the remaining threetreatment scenarios. While physiciansand hospitals noted authorization was notrequired, the overwhelming majorityreported they would seek patientauthorization prior to disclosure.

The release of patient information acrossstate lines was not found to be a factor inthe exchange of patient information. It isunclear what the requirements would befrom neighboring states to disclose patientinformation. Hospitals responding withinthe state of Utah reported that in anemergency, the information request wouldbe fulfilled following authentication of therequestor. If not an emergency situationthe practice is to receive patientauthorization to disclose.

Scenario Two. There were differencesbetween providers’ treatment of patientmedical information when substance usewas involved. There was variation reportedin the treatment facilities’, physicians’,and integrated delivery systems’

understanding of 42 CFR Part 2, its relationto HIPAA, and the application of each.Treatment Facilities noted stringentprecautionary measures to safeguard patientsubstance use information. While physicianscommented on limited or restricted access topatient medical files, treatment facilities notedthat patient files were kept in a locked cabinetbehind a double locked door.

There was a general understanding of 42 CFRPart 2 by the treatment facilities respondingto the scenario survey. However, thedifferences in the provisions under HIPAA and42 CFR Part 2 were such that there is a lackof clarity around which regulation applies andunder what conditions. The differences inlanguage and drivers for each regulation addedto the confusion and misapplication of theregulation.

Scenario Three. Long-term care facilities’ hadprocedures in place to grant physicianstemporary access to their facility and recordssystem should temporary access benecessary. The policies and practices differedfrom entity to entity with some requiring thata business associate agreement be in placeand others indicating such agreements are notnecessary between providers involved in thetreatment of a patient. Most informationtransmitted to and from long-term care facilitieswas done by fax.

Scenario Four. The majority of mammogramsin the state were reportedly done on film; thiswas the case in both rural and urban facilities.One integrated delivery system used digitalimages for mammography and a second hadplans to transfer to digital within the next twoyears. However, even at the integrated deliverysystem that used digital imagery, the imageswere printed in hard copy for the physiciansas most institutions and physicians were notcomfortable with digital film. Films weretransmitted or exchanged by mail, courier, orto the patient with signed patient release.There was no stated policy or practice forexchanging information across state lines orwhen dealing with an HIV positive patient asprecautionary measures would not differ giventhis condition. Requests from out of statefacilities required an authorized release thatis faxed or mailed. Utah Code 78-25-26

13

established regulations for release of medicalinformation for a deceased relative.

2.3.2. PaymentScenario 5 PaymentX Health Payer (third party, disabilityinsurance, employee assistance programs)provides health insurance coverage to manysubscribers in the region the healthcareprovider serves. As part of the insurancecoverage, it is necessary for the health plancase managers to approve/authorize allinpatient encounters. This requires accessto the patient health information (e.g.,emergency department records, clinic notes,etc.).

The health care provider has recentlyimplemented an electronic health record(EHR) system. All patient information is nowmaintained in the EHR and is accessible tousers who have been granted access throughan approval process. Access to the EHRhas been restricted to the healthcareprovider’s workforce members and medicalstaff members and their office staff.

X Health Payer is requesting access to theEHR for their accredited case managementstaff to approve/authorize inpatientencounters.

2.3.2.a. StakeholdersClinicians. A Health & Wellness Clinicresponding as the clinician for scenario fivespecialized in the treatment of nerve, muscleand skeletal/spinal conditions. The clinicconsisted of component parts (chiropracticcare, therapeutic massage and acupuncture)to offer a complete alternative health careapproach. The clinic served as a provider formost health insurance companies, as wellas provided diagnosis and treatment ofworkers’ compensation and auto injuries.

Payers. The three payers responding toscenario five were a regional healthcare ITspecialist for a not-for-profit company thatranks as the largest health insurer in itsgeographical area, a privacy officer for thestate retirement system, and a representativefrom state Medicaid. It was after the fact

that the SWG chair and director of Utah’sPublic Employees Health Plan determinedthat scenario five, as described, was notapplicable. The reasons for this aredescribed in 2.4.c. Critical Observations.

Consumer/Consumer Organizations. Theconsumer was a young mother who hadchanged jobs and had seen many differenthealth insurance situations.

2.3.2.b. DomainsInformation Authorization and AccessControls. Both payers and clinicians werein agreement on access to PHI in thepayer setting. The main concept cited byboth was that only the “minimumnecessary” under HIPAA was given to thepayer. How this happened varied basedon the provider’s technological capabilities.In the case of an EHR, special paymentreports were created which gave the payeronly the information it needed. In a paper-based records environment, the informationwas extracted from the paper chart by theprovider and then sent to the payer. In likemanner, the consumer who respondedexpressed concern that only theinformation that is needed should beshared.

Information Use and Disclosure. Variationwas noted in Utah concerning need forconsent to disclose information whendealing with payment issues. The providersgenerally obtained a consent orauthorization for payment purposes.Payers reported that they had access tohealth information under HIPAA “treatment,payment and healthcare operations” andthat consent was not needed. The payersreported the necessity to have agreementsin place in order to work with providers.The consumer believed that anauthorization is required for patientinformation to be disclosed.

2.3.2.c. ObservationsPayers worked with the understanding thatpatient authorization is not needed forpayment purposes. Payers also regularlyengaged in agreements with health careproviders to facilitate the payment process.

14

Health care providers showed variation inwhether they obtained authorization frompatients to allow access to patientinformation for payment purposes.Providers tended to err on the side ofcaution and more often obtained patientconsent. As providers had different levelsof EMR technology and comfort with thistechnology, the process by which payersaccessed patient and billing informationvaried. Both payers and providers reportedlittle variation in the description of whatconstitutes “minimum necessary”according to HIPAA.

It was further noted by the SWG chair anddirector of Utah’s Public EmployeesHealth Program, that he knew of noinstance whereby a payer would seekaccess electronically to a providers EHRdatabase. This rendered scenario fiveobsolete by Utah standards.

2.3.3. RHIOScenario 6 RHIOThe RHIO in your region wants to accesspatient identifiable data from allparticipating organizations (and theirpatients) to monitor the incidence andmanagement of diabetic patients. TheRHIO also intends to monitor participatingproviders to rank them for the provision ofpreventive services to their diabeticpatients.

2.3.3.a. StakeholdersConsumer/Consumer Organizations. TheRHIO responding to scenario six was anonprofit coalition of competing entitiesthat provided secure, electronicinformation exchange connecting everypayer and nearly every healthcare providerin the state of Utah. It operated as a“gateway” or “information highway”exchanging information between differententities. The RHIO did not view, store,edit, or evaluate the quality of data itreceived. Instead, the Utah RHIOfunctioned like a “post office” transferringinformation from the sender to theintended receiver.

2.3.3.b. DomainsThe Utah RHIO operates in a very differentparadigm than what is depicted in the scenario.No business practice data or domains arereported.

2.3.3.c. ObservationsThis RHIO scenario did not describe theservices performed by the Utah RHIO. TheUtah RHIO was a gateway or informationhighway where information was exchangedbetween different organizations. The UtahRHIO did not request or permanently storedata. The Utah RHIO functioned instead likethe post office in getting information routedfrom the sender to the intended receiver. TheUtah RHIO did not perform qualitymeasurements on its members’ data and hasa standards committee that would charter asubcommittee to develop a communitystandardized message should members wantto exchange/submit patient information fromone organization to another.

2.3.4. ResearchScenario 7 Research Data UseA research project on children younger thanage 13 is being conducted in a double blindstudy for a new drug for ADD/ADHD. Theresearch is being sponsored by a major drugmanufacturer conducting a double blind studyapproved by the medical center’s IRB wherethe research investigators are located. Thedata being collected is all electronic and allresponses from the subjects are completedelectronically on the same centralized andshared data base file.

The principle investigator was asked by oneof the investigators if they could use the rawdata to extend the tracking of the patients overan additional six months and/or use the rawdata collected for a white paper that is notpart of the research protocols final documentfor his post doctoral fellow program.

2.3.4.a. StakeholdersClinician. Of the two research investigatorsresponding to scenario seven, one was alicensed registered nurse designated

15

researcher-only with no obligation as facultyor affiliation with any company outside of theuniversity. A medical and public health schoolthat undertakes research employed thisindividual.

Physician Groups. The second researcherresponding to scenario seven was a licensedpediatrician with a university-affiliated practicethat also served as assistant professor ofpediatrics. A medical and public healthschool that undertakes research employedthis respondent as well.

Medical and Public Health Schools thatundertake Research. Responding for theInstitutional Review Board (IRB) was theDirector of the IRB at a medical and publichealth school that undertakes research andserved as the senior compliance consultantof an integrated delivery system. Bothrespondents had numerous years ofexperience serving on institutional reviewboards.

Consumer/Consumer Organizations. Thehealth care consumer responding to scenarioseven was the father of four children and spokedirectly as if his 13 year-old child was involvedin the study as presented by the scenario.

2.3.4.b. DomainsInformation Use and Disclosure. All businesspractices in scenario seven were related tothe privacy and security domain of informationuse and disclosure. The internal policies atthe medical and public health school and atthe integrated delivery system were bothreported as established in accordance to 45CFR HIPAA Privacy Rule.

The two researchers indicated that they (asprincipal investigator) would either pursue IRBapproval for the extended use of data and a“white paper” or require the post-doc hopingto use the data to pursue IRB approvalseparately. One researcher specified thatthis IRB amendment would be requiredregardless of who owned the data the (i.e.the research school or the pharmaceuticalcompany sponsoring the research study).

Variation was noted in the instance of seeking

parental approval for use of data beyondthat originally included in the protocolapproved by IRB. The chair of IRB at themedical and public health school thatundertakes research indicated that a re-consent via a parental permissiondocument and an updated assent forchildren aged seven to 17 would berequired. The senior complianceconsultant noted that the IRB wouldencourage the principal investigator tosubmit approval for a new project that wasdesignated “data-only” and could therebyapply for a waiver of authorization asallowed for by the Privacy Rule. They alsonoted that this scenario would likely nevergain approval by the IRB without the post-doctoral student initiating a new and revisedIRB study document.

While the licensed nurse indicated thattheir business practice would coincide withthe former practice of seeking a re-consentfrom the parent and re-assent from theminor, the pediatrician indicated that theirfirst step would be to return to the originalIRB document and determine if it stipulatedthe length of time for which data could becollected. They also indicated that theywould check the original consent form tosee if a clause was included that allowedfor the use of secondary analysis todetermine if it would be possible to checkwith IRB and ensure compliance ratherthan submit new paperwork.

2.3.4.c. ObservationsWith regards to the research data useprovided in the scenario, the decision toresubmit to the institutional review boardexhibited variation depending on responder.Even though it was implied that the drugcompany owned the data, the decision toresubmit was linked to authorship. If theprincipal investigator did not want to haveties to the secondary analysis he/shewould request the post-doc toindependently submit to IRB. Variation wasalso noted in the requirement of a parentalre-consent and study subjects re-assentfor the use of data beyond that originallyincluded in the protocol approved by IRB.One researcher indicated that approval was

16

required while a second indicated that theywould first search for prior authorization.More variation was demonstrated by theIRB suggestion that the project besubmitted data-only and thereby negatingthe need for a re-consent and re-assent.

2.3.5. Law EnforcementScenario 8 Access by Law EnforcementScenario An injured nineteen (19) year old collegestudent is brought to the ER following anautomobile accident. It is standard to runblood alcohol and drug screens. Thepolice officer investigating the accidentarrives in the ER claiming that the patientmay have caused the accident. Thepatient’s parents arrive shortly afterward.The police officer requests a copy of theblood alcohol test results and the parentswant to review the ER record and labresults to see if their child tested positivefor drugs. These requests to print directlyfrom the electronic health record are madeto the ER staff.

The patient is covered under their parent’shealth and auto insurance policy.

2.3.5.a. StakeholdersHospitals. Representing the hospitalstakeholder for scenario eight was anemergency room physician at a tertiaryhospital and the privacy officer of amedical center. The emergency roomphysician responding to scenarios oneand eight served as a member of the VWGand SWG and as such responded to thescenarios, not in advance, but whilediscussing barriers and variations tobusiness practices identified by theprivacy officer and law enforcementpersonnel. The emergency roomphysician had been given the scenariosprior to the variations work group meetingshowever.

Law Enforcement. One individualrepresenting the law enforcementstakeholder group was a detective that,similar to the emergency room physician,served on the VWG and SWG. In this

capacity, both detective and physician wereable to identify further variation and barriers tobusiness practices identified in scenarios one,eight, and 13. Another respondent to scenarioeight was Chief of Police for a town with apopulation of less than 15,000.

Consumer/Consumer Organizations. Theconsumers for scenario eight were representedby a local undergraduate student and hisfamily and, while consisting of opinion, allowedfor moments of hilarity while demonstratingthat an abundance of television was beingviewed in the household.

2.3.5.b. DomainsInformation Use and Disclosure. Most of thebusiness practices in scenario eight focusedon disclosing patient health information. Aclear chasm existed between law enforcementand the medical community that prohibited theexchange of information. Law enforcementreported that they have officers collect as muchinformation as possible prior to transportingan individual to a hospital. This was seen asa necessary operating procedure becauseonce the individual entered a medical facilitythe difficulties law enforcement experiencedin gathering information increasedsignificantly. In addition, from a lawenforcement perspective, most physicianswere reluctant to talk because they didn’t wantto be involved in any legal proceedings.

Most physicians reported they could notdisclose patient information without legaldocumentation to do so or without the patient’sauthorization.

2.3.5.c. ObservationsScenario eight highlighted the chasm thatexisted between law enforcement and hospitalpersonnel with regards to communication.Hospital physicians were identified by lawenforcement as not willing to discloseinformation without subpoena. This wasbelieved to stem from a desire to avoid legalentanglements. Similarly, hospital physicianswere very careful not to disclose informationto parents and instead opted to let the patientinform parents of their medical information and/or consumption of alcohol. We found no

17

agreement between law enforcement andhospitals regarding who draws for bloodalcohol levels or the subsequent measurethereof. The units of measure for a blooddraw in a hospital were different from thoseof a paramedic, which adds another layer ofcomplexity. Most law enforcement agencieswould maintain business agreements withparamedics to perform blood alcohol drawsat the scene of an accident and lawenforcement was adamant that officers gatheras much information as possible before thepatient arrived at the hospital. The reasonfor this was identified as being a result of little,if any, information being gathered after thepatient entered the hospital without initiatinglegal paperwork.

2.3.6 Prescription Drug Use/BenefitScenario 9 Pharmacy Benefit Scenario AThe Pharmacy Benefit Manager (PBM) hasa mail order pharmacy for a hospital which isself-insured and also has a closed formulary.The PBM receives a prescription from PatientX, an employee of the hospital, for theantipsychotic medication Geodon. ThePBM’s preferred alternatives forantipsychotics are Risperidone (Risperdal),Quetiapine (Seroquel), and Aripiprazole(Abilify). Since Geodon is not on the preferredalternatives list, the PBM sends a request tothe prescribing physician to complete a priorauthorization in order to fill and pay for theGeodon prescription. The PBM is in a differentstate than the provider’s Outpatient Clinic.

Scenario 10 Pharmacy Benefit Scenario BA Pharmacy Benefit Manager 1 (PBM1) hasan agreement with Company A to review thecompanies’ employees’ prescription drug useand the associated costs of the drugsprescribed. The objective would be to see ifthe PBM1 could save the company moneyon their prescription drug benefit. CompanyA is self-insured and as part of their currentbenefits package, they have the prescriptiondrug claims submitted through their currentPBM (PBM2). PBM1 has requested thatCompany A send their electronic claims tothem to complete the review.

2.3.6.a. Stakeholders

Pharmacies. Pharmacy stakeholders wererecruited with the aid of the director of thestate pharmacy association, who identifieda broad sampling of pharmacists. Threepharmacists responded – one from amanaged care environment, one from anurban independent, and one from an urbangrocery store chain. A rural pharmacistdeclined to participate, as he did not feelqualified. In addition to the pharmacyassociation contacts, an atypicalpharmacist was also recruited. Thispharmacist provides chemo, intravenous,in home and outpatient pharmacyservices.

Community Clinics and Health Centers. Anadvanced practice registered nurse (APRN)with a licensed mental health clinicresponded as a community clinicstakeholder for scenario nine. Theresponding practitioner owns the practice.

Consumer/Consumer Organizations.Three consumers participated in thepharmacy scenarios. They included anagent/broker for several self-insuredemployers, an employee of Workman’sCompensation Fund of Utah and a physicaltherapist that specializes in elderly homecare.

2.3.6.b. DomainsAdministrative or Physical SecuritySafeguards. The use of administrative orphysical security safeguards in scenarioten is exemplified by the initiation of abusiness associate agreement “outliningappropriate administrative and physicalsecurity practices” by the consumerorganization to provide the pharmacy withinformation. Similarly, the pharmacydemonstrated the use of administrative orphysical security safeguards by having“established business practices toreasonably ensure physical security,” inthis case, by only using data that has beende-identified.

Physician, pharmacy, and PBM use ordisclosed protected health information fortheir own treatment, payment, or health

18

care operations (“TPO”), because all arepresumably covered entities under HIPAA.[See 45 CFR § 164.506(c)(1)] In scenario9, the physician, pharmacy, and PBMmay each be viewed as a covered entityunder HIPAA because each is a healthcare provider. [See 45 CFR § 160.103(Covered entity)] The term “health careprovider,” in turn, includes any person whoprovides health care or medical or healthservices in the normal course of business.[See 45 CFR § 160.103 (Health careprovider)] Thus, as health care providersunder HIPAA, physician, PBM, andpharmacy can freely interact with patientfor “treatment, payment and healthcareoperations” purposes, including obtainingadditional information from a patient, orgiving additional information to a patient.In addition, as healthcare providers, PBM,pharmacy, and physician can disclosepatient information to each other and toother healthcare providers for treatmentpurposes. [See 45 CFR § 164.506(c)(2)]Thus, PBM, pharmacy, and physician caneach talk to patient and to each otherregarding filling the Geodon prescriptionwithout the need to obtain a patientauthorization.

The PBM1 in scenario 10 is not providinga treatment purpose, but is carrying out ahealth care operations purpose forCompany A. [See 45 CFR § 164.501(Health care operations)] Company A isnot permitted to disclose information toPBM1 for a health care operationspurpose because PBM1 is either not acovered entity under HIPAA and/orbecause PBM1 does not have anindependent relationship with the patient.[See 45 CFR § 164.506(c)(4)]

Given the circumstances illustrated inscenario 10, Company A needs either anauthorization from the patients or needsto enter in a business associateagreement with PBM1 if patient identifyinginformation is to be used. [See 45 § CFR164.502(a)] The requirements of thebusiness associate agreement are setforth in 45 CFR § 164.504(e)(2); thebusiness associate agreement wouldtypically be worded to permit PBM1 to

have access to relevant patient information onlyfor the purposes of carrying out the specificassignment given by Company A. Theminimum necessary rule would require thatonly de-identified/aggregated information beprovided if that is sufficient to carry out PBM1’sassignment. [See 45 CFR § 164.514(d)]

If only de-identified information is provided,HIPAA would not require a business associateagreement. Additional contracts may beentered into between the parties (for example,the services agreement describing theservices to be provided by PBM1 and thepayment by Company A; or a nondisclosureagreement). These additional contracts arenot required by HIPAA.

2.3.6.c. ObservationsIn scenario nine, variation was noted withregards to who contacts the patient to informthat the original prescription authorized is noton the formulary. In some cases the mail orderpharmacy would contact the patient and inother cases it was the physician. Variationwas also reported in the options offered to thepatient given this situation (e.g., pay out ofpocket for original medication or choose analternate medication). Consistency was notedwith regards to the agreement that a pharmacywould receive the “minimum necessary”information to fill their orders.

Variation existed in scenario ten with regardsto whether a business associate agreementwas required to share information betweenparties. The company seeking a costcomparison reported they would require abusiness associate agreement regardless ofwhether the data were de-identified. Thepharmacy benefits manager did not feel anagreement was necessary if the data were de-identified.

HIPAA does not have special rules if theprovider is in a different state than a PBM.Treatment, payment, and health careoperations are not limited by state boundariesand the minimum necessary rule appliesregardless of where the provider and PBM arelocated. State law or different state customsmay impact the interaction between a providerand PBMs in different states. Insurance

19

companies and other payers maycontractually impose pre-authorization,eligibility, or verification requirements onpatients or PBMs. Patients may havedifferent preferences about whether they liketo present with the written prescription or havethe physician’s office submit it directly to thepharmacy.

2.3.7. Healthcare Operations/MarketingScenario 11 Healthcare Operations andMarketing AABC Health Care is an integrated healthdelivery system comprised of ten criticalaccess hospitals and one large tertiaryhospital, DEF Medical Center, which hasserved as the system’s primary referralcenter. Recently, DEF Medical Center hasexpanded its rehab services and created astate-of-the-art, stand-alone rehab center.Six months into operation, ABC Health Caredoes not feel that the rehab center is beingfully utilized and is questioning the lack ofrehab referrals from the critical accesshospitals.

ABC Health Care has requested that itscritical access hospitals submit monthlyreports containing patient identifiable data tothe system six-sigma team to analyze patientencounters and trends for the following rehabdiagnoses/ procedures:

· Cerebrovascular Accident (CVA)· Hip Fracture· Total Joint Replacement

Additionally, ABC Health Care is requestingthat this same information, along withindividual patient demographic information, beprovided to the system MarketingDepartment. The Marketing Departmentplans to distribute to these individuals abrochure highlighting the new rehab centerand the enhanced services available.

Scenario 12 Healthcare Operations andMarketing BABC hospital has approximately 3,600 births/year. The hospital Marketing Department isrequesting identifiable data on all deliveries

including mother’s demographicinformation and birth outcome (to ensurethat contact is made only with thosedeliveries resulting in health live births).

The Marketing Department has explainedthat they will use the PHI for the followingpurposes:

· To provide information on thehospital’s new pediatric wing/services.

· To solicit registration for thehospital’s parenting classes.

· To request donations forconstruction of the proposedneonatal intensive care unit

· They will sell the data to a localdiaper company to use inmarketing diaper services directlyto parents.

2.3.7.a. StakeholdersHospitals. Answering as a hospitalstakeholder for scenario eleven was thenewly hired Director of Public Relations/Marketing for the Orthopedic branch of anintegrated delivery system, professor andChair of the Orthopedic branch justmentioned, a privacy officer at an integrateddelivery system, and two Directors ofNursing at separate medical centers.Representing the hospital stakeholder forscenario twelve was an employee of themarketing department at a tertiary hospital.One solicited respondent from a tertiaryhospital’s obstetrics department wasadvised not to participate by that hospital’sEthics and Compliance Officer.

Clinicians. A responding clinician toscenario twelve was a medical doctor whowas a practicing obstetrician until closingthis practice within the last year. Thisphysician was currently employed by aconsumer organization and also served onmany administrative panels locally andnationally.

Consumer/Consumer Organizations. Tworespondents answered as consumers toscenario twelve, they included an individualemployed as a marketer for apharmaceutical corporation and a patient

20

advisor for a cancer education network.

2.3.7.b. DomainsInformation Use and Disclosure. Thehospitals and physician group respondingto the scenario indicated that directmarketing for the use of increasing revenuewas not a current business practice;instead, these entities responded that theywould utilize marketing as a means ofimproving quality of care. Although theuse of PHI for marketing to increaserevenue was not an identified businesspractice, the ability to do so did exist andconsent from the patient would beobtained either through the admissionpaperwork or subsequently by themarketing department.

One respondent, an integrated deliverysystem, indicated that as a system withmultiple facilities, they were establishedas a single covered entity under HIPAA.As a result, sharing information amongtheir facilities did not require patientauthorization.

Similar responses were obtained fromhospitals responding to scenario twelvein that they shared information internallywith other departments and they hadregistration forms targeted to marketing.The specificity of the registration form didinclude language, however, that allowedfor patients to opt out of a mail list, implyingthat by not choosing to opt out they wereautomatically included. These hospitalsalso indicated that they did not sell patientinformation to outside vendors but insteadlet patients choose to register withvendors. This did not preempt vendorsfrom including information and/or samplekits upon patient discharge.

One hospital responded that it transmittedidentifiable data to a mail house toconduct patient-centered educationalmailings or follow-up mailings to thepatient after discharge.

A consumer responding to scenario twelveobjected to the use and disclosure ofinformation for marketing purposes. The

consumer viewed the practice as a negativepractice and didn’t feel it should exist.

The lack of variation that existed was duelargely to what the activity was and whetherthe hospital viewed it as a marketing activity.Most of the purposes depicted in thescenarios did not constitute marketingaccording to the definition of marketing. [See45 CFR § 164.501] Most facilities thatresponded to the Healthcare Marketing andOperations distinguished the purpose andintent for using patient information: 1. Toinform, which is not marketing, and 2. Topromote, which is marketing. The activitydepicted in scenario eleven did not constitutemarketing but two of the four businesspractices in scenario twelve, fund-raising andselling data, did require authorization. [See45 CFR § 164.514 (f)(1) and § 164.508 (a)(3)]

2.3.7.c. Critical ObservationsScenario eleven was identified as not beingapplicable to the state of Utah. No entitieswere found to market in a fashion similar tothat found in the scenario, in fact, theresponding entities rarely marketed directlyto individuals for identifiable health reasons.General brochures were a more common formof marketing in Utah as concerns wereexpressed about HIPAA and the use of PHI togenerate revenue. In cases where coveredentities did direct market, patient authorizationwas required (usually face-to-face).

One hospital system responding to scenariotwelve reported having a business associateagreement with a mail house that specifiedthe terms and limits of the contract for directmailing. The hospital provided identifiable PHIon a compact disc or electronic file to the mailhouse that was specified for “one time use”and then destroyed. We found no selling ofPHI to outside entities, although somehospitals did use the mail house as outlinedabove and others had an internal marketingdepartment that sent information out. If themarketing was done internally the data wasde-identified.

2.3.8. Bioterrorism

21

Scenario 13 Bioterrorism EventA provider sees a person who has anthrax,as determined through lab tests. The labsubmits a report on this case to the localpublic health department and notifies theirorganizational patient safety officer. Thepublic health department in the adjacentcounty has been contacted and has confirmedthat it is also seeing anthrax cases, andtherefore this could be a possible Bioterrorismevent. Further investigation confirms that thisis a Bioterrorism event, and the Statedeclares an emergency. This then shiftsresponsibility to a designated state authorityto oversee and coordinate a response, andinvolves alerting law enforcement, hospitals,hazmat teams, and other partners, as wellinforming the regional media to alert the publicto symptoms and seek treatment if feelaffected. The State also notifies the FederalGovernment of the event, and some federalagencies may have direct involvement in theevent. All parties may need to be notified ofspecific identifiable demographic and medicaldetails of each case as they arise to identifythe source of the anthrax, locate andprosecute the parties responsible fordistributing the anthrax, and protect the publicfrom further infection.

2.3.8.a. StakeholdersPhysician Groups. The physiciansresponding to scenario thirteen were a semi-retired obstetrician, a general practitioner whoserved as a consultant for the state’s qualityimprovement organization, and an emergencyroom physician at a tertiary hospital. Withthe exception of the emergency roomphysician, difficulty was noted with regardsto identification of symptoms to anthraxexposure. Both the obstetrician and generalpractitioner stated that the difficulties inidentifying anthrax exposure would result inloss of patient life and instead focus onsecondary treatment precautions for otherindividuals exposed.

Law Enforcement. One individualrepresenting the law enforcement stakeholdergroup was a detective that, similar to theemergency room physician, served on thevariations work group. In this capacity, bothdetective and physician were able to identify

further variation and barriers to businesspractices identified in scenarios one,thirteen, and 13. Another respondent toscenario eight was Chief of Police for atown with a population of less than 15,000.The FBI also responded.

State Government (Public HealthDepartments). Individuals from the StatePublic Health Department’s office ofepidemiology and the state’s bioterrorismunit responded to scenario thirteen.Respondents provided state governmentpolicy with regards to course of action inthe case of suspected anthrax exposure.

Consumer/Consumer Organizations. Noconsumer or consumer group respondedto Scenario 13

Other (Fire Department). One respondentwas a firefighter in a district that isstructured under the umbrella of PublicSafety. The department employed 39 full-time fire fighter/EMT/paramedics and onepart-time secretary and housed the Trainingand Operations Chief.

2.3.8.b. DomainsState Law Restrictions. All health careproviders were required to report certaindiseases to either the local or state publichealth department. HIPAA allows forreporting on PHI to public health in 45 CFR§164.512. In general, reporting of diseaseswas pursuant to The CommunicableDisease Act found in Utah Code § 26-6.The provisions of Utah Code § 26-23bspecifically applied to the reporting ofinformation that indicated a bioterror event.HIPAA allows for public health reportingwithout patient authorization. It alsoallowed for both voluntary and mandatorydisclosures to public health. [See 45 CFR§164.512]. HIPAA also allowed a coveredentity to disclose PHI without authorizationwhen necessary to avert a serious threatto health or safety, to disclose to federalofficials involved in national securityactivities, and to correctional or lawenforcement officials. (See 45 CFR §164.512).

22

The Utah Health Code had two provisionsdealing with disease reporting. The gen-eral reporting statute was Utah Code §26-6-6: Duty to report individual suspectedof having communicable disease; and §26-23b-103: Mandatory reporting require-ments - Contents of reports - Penalties.The Utah Department of Health rule thatimplemented these statutes is R386-702.Anthrax was listed among the reportablediseases.

Covered entities could share PHI with lawenforcement as provided for in 45 CFR §164.512(f) and (k). The HIPAA regulationsdid not apply to health information while itwas held by an entity that was not acovered entity. Public health agencieswere generally not governed by HIPAA inthe use and disclosure of healthinformation for their disease eradicationefforts. However, state law limits howpublic health agencies could usepersonally identifiable health information.State law controlling public healthagencies allowed them to shareinformation with law enforcement but waslimited to that necessary to protect theindividual identified in the information andthe peace officers and health carepersonnel involved. In this regard, it wasmore restrictive than the emergencydisclosure provision of 42 CFR §164.512(j).

2.3.8.c. ObservationsThere was consistent response fromstakeholders regarding process andprocedures for a suspected anthraxexposure. Physicians were well informedof their role in the required reportingprocess. The State Laboratory ResponseNetwork (LRN) was the hub departmentin our state, which sent critical informationregarding anthrax cases. Variationexisted in how information was released.The public health department was viewedas a one-way information street: theytook information but did not readily giveit. There were different levels of lawenforcement involvement but themechanisms of notification and theguidelines for sharing information were

unclear.

2.3.9. Employee HealthScenario 14 Employee HealthAn employee (of any company) presents inthe local emergency department for treatmentof a chronic condition that has exacerbatedwhich is not work-related. The employee’scondition necessitates a four-day leave fromwork for illness. The employer requires a “re-turn to work” document for any illness requir-ing more than 2 days leave. The hospitalEmergency Department has an EHR and theirpractice is to cut and paste patient informa-tion directly from the EHR and transmit theinformation via email to the Human Resourcesdepartment of the patient’s employer.

2.3.9.a. StakeholdersHospitals. Responding to scenario 14 andrepresenting the hospital stakeholder groupwas the privacy officer for an integrated deliverysystem. In addition, the HIPAA Director for alarge research hospital also responded to thisscenario. Finally, an emergency roomphysician at a large tertiary hospitalresponded.

Consumer/Consumer Organizations. Adirector of development at a local companythat is self-insured responded on behalf of theconsumers for this scenario. The companywas one of the largest privately heldcompanies in the state.

Other (Human Resources Department). Thehuman resource department was from a small-to-mid sized company with 75 employees.The director of the human resourcesdepartment responded to the scenario.

2.3.9.b. DomainsThere were no reports of variation in the wayhospitals handle “return to work” documents.We found no hospitals in the state that werewilling to send a return to work document viaemail. Most have the patient deliver thedocument to their employer with somehospitals mailing or faxing the form.Consensus was found in this procedure. Theonly variation noted was in the capability of

23

facilities to email health information. Somehospitals reported an ability to process,encrypt and send PHI yet had not integratedthis operating procedure or business practice.Other hospitals did not have technology tobe able to send health information by emailat all.

2.3.9.c. ObservationsHospitals responding to the scenario 14reported that it was not common practice totransmit information via email. In particular,it was stated that a hospital would never ‘cutand paste’ information from the patient EHRsystem into a return to work form or use aprinted page of a patient EHR for return towork purposes. Responding hospitals did notfeel that this was in any way appropriateregarding this situation. The minimumnecessary standard under HIPAA was, for themost part, a critical consideration given that“return to work” information requirements weregeneral in nature.

2.3.10 Public HealthScenario 15 Public Health AA patient with active TB, still under treatment,has decided to move to a desert communitythat focuses on spiritual healing, withoutinforming his physician. The TB is classifiedMDR (multi-drug resistant). The patientpurchases a bus ticket - the bus ride will takea total of nine hours with two rest stopsacross several states. State A is made awareof the patient’s intent two hours after the buswith the patient leaves. State A now needs tocontact the bus company and other stateswith the relevant information.

Scenario 16 Public Health BA newborn’s screening test comes up positivefor a state-mandated screening test and thestate lab test results are made available tothe child’s physicians and specialty carecenters specializing in the disorder via anInteractive Voice Response system. The statelab also enters the information in its registry,and tracks the child over time through thechild’s physicians. The state public healthdepartment provides services for this disorderand notifies the physician that the child iseligible for those programs.

Scenario 17 Public Health CA homeless man arrives at a county shelterand is found to be a drug addict and inneed of medical care. The person doeshave a primary provider, and is sent therefor the medical care, and is referred to ahospital-affiliated drug treatment clinic forhis addition under a county program. Theaddiction center must report treatmentinformation back to the county for programreimbursement, and back to the shelter toverify that the person is in treatment.Someone claiming to be a relative of thehomeless man requests information fromthe homeless shelter on all the healthservices the man has received. The staffat the homeless shelter is working toconnect the homeless man with hisrelative.

2.3.10.a. StakeholdersClinicians. The clinician responding toscenario 17 was a licensed physician’sassistant at a clinic that received fundingfrom a combination of government, privatefoundation, and individual contributions.The clinic employed 29 full or part-time staffand administered primary health careservices to homeless individuals andfamilies in the Salt Lake City area.

Physician Groups. One physician thatresponded to scenario 17 was a familypractitioner employed by a health centerthat was part of a larger integrated deliverysystem. The physician responding toscenarios 16 and 18 was a board certifiedgeneral pediatrician employed by clinicthat staffs 53 providers, approximately 250employees and 18 different specialties. AnIT Director employed by the largest groupof independent physicians in the state ofUtah, practicing in 15 specialties andcurrently having nine locations in UtahCounty, eight clinics in rural communities,and 500 employees responded to scenario15.

Community Clinics and Health Centers.The respondent for scenario 17 was theexecutive director of a clinic that receivedfunding from a combination of government,private foundation, and individual

24

contributions.

Laboratories. One of the respondents forscenario 16, representing a university-owned laboratory, was a physician servingas the medical director. The otherrespondent, representing the state-ownedlaboratory and further employed by agenetic collaborative center, providedcurrent and ongoing education regardingnewborn screening to practitioners andconsumers and maintained quality indelivery of newborn screening services.

State Government (Public HealthDepartments). The manager of a dataintegration program that specialized inlinking child health information fromseveral programs which included: VitalRecords (Birth and Death Certificates),USIIS (Utah Statewide ImmunizationInformation System), Newborn HearingScreening and Baby Watch/EarlyIntervention represented the stategovernment public health department.

Law Enforcement. A detective and Chiefof Police from a town with a population ofless than 15,000 responded to scenarioeight, thirteen and fifteen.

Consumer/Consumer Organizations.Consumer responses to scenario 15 and17 were from an employee of the publichealth department and employees of astate-licensed substance abuse treatmentcenter who had access to a consumerpopulation deemed likely to be able toanswer to the scenario with someauthority.

2.3.10.b. DomainsState Law Restrictions. In the case ofscenario 15, Utah required that all healthcare providers reported certain diseasesto either the local or state public healthdepartment. HIPAA also allowed forreporting of PHI to public health withoutpatient authorization. [See 45 CFR §164.512] In general, reporting of diseaseswas pursuant to The CommunicableDisease Act found in Utah Code § 26-6that also allowed for Utah public health

agencies to disclose disease information topublic health agencies in other states and tothe Centers for Disease Control andPrevention. Utah Code § 26-6-27 permittedpublic health agencies to disclose personallyidentifiable communicable disease informationto other public health agencies to preventdisease spread, however, Utah had no statuteor rule that specifically required a commoncarrier, such as a bus company, to provide amanifest of the passengers to allow for rapididentification of individuals who may have beenexposed to a communicable disease.

While HIPAA did not govern the disclosure ofpersonally identifiable health information bypublic health agencies in the conduct of theirefforts to interrupt the transmission of disease,A health care provider would likely be requiredto provide to local and state health departmentsrelevant medical records regarding an individualwho is subject to isolation or quarantine underthe provisions of Utah Code Title 26, Chapter6b. HIPAA allowed full disclosure of all recordsthat state law requires to be disclosed. [SeeUtah Code § 26-6b-3.4 and Medical records— Privacy protections; 45 CFR § 164.512]

The protected health information held by thestate lab in scenario 16 was not subject toHIPAA, but rather controlled by the ClinicalLaboratory Improvement Amendments (42CFR § 493), which required that the data wentto the correct person. The state lab was partof the State Health Department, thus therewas no barrier to transmitting the data to publichealth for follow-up. The newborn screeningprogram was explicitly authorized under thepublic health statute UCA § 26-10-6 that didnot allow for direct communication with thepatient. The rules and statute directed thatresults be sent to the “medical home” or thepractitioner caring for the child. Therequirements for communicating the resultsto the provider were set forth in R398-1. Therewas no registry of Newborn Screening Data.

The Government Records Access andManagement Act (GRAMA) did not governwho may access personally identifiable healthinformation held by a public health agency aspart of its public health efforts. Theclassification scheme under GRAMAspecifically provided that records classified

25

under a different statute or by federal law wereto be governed by that law. The method thatthe public may use to obtain access to publichealth records would still be governed byGRAMA. Protected health information heldby a Utah governmental entity that was acovered entity subject to HIPAA was notgoverned by GRAMA.

2.3.10.c. ObservationsAs noted in previous scenarios, generalprecautions for transmitting patient healthinformation were in practice. The public healthdepartment in scenario 15 did not disclosethe medical condition (in this casetuberculosis) to law enforcement. As a result,law enforcement expressed dissatisfactionand concern as this policy seemingly putofficers at risk. The public health perspectivewas that law enforcement should continuallypractice universal precautionary measuresand, as such, risk is minimized.

Utah did not notify specialty care centers (asdescribed in scenario sixteen) unless therewere critical results as agreed upon with thespecialist. Utah also did not have or use anInteractive Voice Response System or aregistry for identified and confirmed cases ofabnormal screening. Individually identifiedcases of phenylketonuria (PKU) andgalactosemia were tracked through aMetabolic Clinic. Medical homes are notifiedof eligibility for this clinic upon diagnosis andthe physician contacted the family of the child.

The state of Utah did not have county sheltersas described in scenario seventeen. Further,it did not have a hospital-affiliated drugtreatment clinic to serve the homeless. Utah’shomeless were treated in social-based, notmedical-based, facilities.

2.3.11 State Government OversightScenario 18 Health Oversight ScenarioThe Governor’s office has expressed concernabout compliance with immunization and leadscreening requirements among low-incomechildren who do not receive consistent healthcare. The state agencies responsible forpublic health, child welfare and protectiveservices, Medicaid services, and education

are asked to share identifiable patient levelhealth care data on an ongoing basis todetermine if the children are getting thehealthcare they need. This is not part of alegislative mandate. The Governor in thisstate and those in the surrounding stateshave discussed sharing this information todetermine if patients migrate betweenstates for these services. Because of thecomplexity of the task, the Governor hasasked each agency to provide these datato faculty at the state university medicalcampus who will design a system forintegrating and analyzing the data. Thereis not an existing contract with the stateuniversity for services of this nature.

2.3.11.a. StakeholdersState Government (Public HealthDepartments). For the State GovernmentOversight Scenario, representing the stategovernment public health department, wasthe manager of a data integration programthat specialized in linking child healthinformation from several programs whichcurrently include: Vital Records (Birth andDeath Certificates), USIIS (Utah StatewideImmunization Information System),Newborn Hearing Screening and BabyWatch/Early Intervention. Also respondingfor the state public health department withregards to scenario 18 were state programdata stewards.

Medical and Public Health Schools thatundertake Research. Representing amedical and public health school thatundertook research was a licensedpediatrician with a university-affiliatedpractice that also served as assistantprofessor of pediatrics.

2.3.11.b. DomainsFor Medicaid, a release of data to theuniversity was part of HIPAA “TPO” ifMedicaid required analysis of lead orimmunizations. Authorization for therelease was not required. (See 45 CFR §164.506 (c)(1)). In this case, it wasnecessary for Medicaid to have a businessassociate agreement with the university.[See 45 CFR § 160.103(B)(ii); § 164.504]

26

The university was not allowed to re-disclose the information obtained throughthe business associate agreement (thiscould have been averted if re-disclosurewas part of the contract). If the release ofthe data was not part of TPO, it wouldhave required a HIPAA-compliantauthorization signed by the participantsor with proper IRB research approval.(See 45 CFR § 164.502; §164.512 (i)).

The data held by public health was notsubject to HIPAA but was subject to theconfidentiality requirements of U.C.A. §26-1-17.5 that stated, “A record classifiedas confidential under this title shall remainconfidential and be released according tothe provisions of this title.” The lead datawas collected pursuant to R386-703 (1)(h)and was confidential pursuant to R 386-703-6(1). As such, it could not be releasedwithout a “written consent of the individual.”(See U.C.A. § 26-6-27 (2)(a)).

Immunization data submission wasvoluntary and not comprehensive. Theregistry was governed by state rule. (See.R386-800-3). The participants in thescenario as “publicly funded programs”accessed the information through theirown registration on the database.However, the right to use the data waslimited. (See R386-900-06). Based onthe wording of the scenario it was foundto qualify as being “to confirm compliancewith mandatory immunizationrequirements.”

2.3.11.c. ObservationsThe Department of Health maintained theUtah State Immunization InformationSystems (USIIS) that held records ofchildren’s immunizations. Approximately130 of 350 provider offices had enrolledwith user confidentiality to have accessto USIIS. All office staff of participatingproviders was granted access to USIISthrough an enrollment process. Accesswas renewed annually. Any office staffmember that was terminated or releasedfrom employment was removed fromhaving access. Only authorized health

care users had access to USIIS, this includedresearchers that had a legitimate researchpurpose and had IRB approval for a “look uponly” basis. Utah also added lead poisoningto the injury surveillance and reporting systemin 1990 per Utah Code R386 - 703 (InjuryReporting Rule).

Though Utah had the capacity to map andtrack this kind of information, this scenarioraised the critical issue of data governanceand sharing. As agencies and organizationsworked together to effectively address issuessimilar to those portrayed in scenario 18,sharing information among agencies requiredmore than a request from the governor. Multipleregulations and statutes, which govern howagencies and organization used and disclosedinformation, increased the difficulty ofcommunicating. Common understanding,language, and guidelines were necessary toovercome the regulatory barriers that governedthe ability to share and exchange information.

2.4 Summary of Critical Observations

Interoperability in healthcare systems has thepotential to provide many benefits, even ifdefining interoperability can be a challenge.On more than one occasion our workinggroups posed the question of a definition forinteroperability. As a general notion, wedefined interoperability as “the ability ofinformation systems to work together withinand across boundaries to effectively exchangeand use information.” Promoting the use ofinteroperability was seen as a means ofimproving outcomes and reducing costs byimproving efficiency. In addition,interoperability made possible a concertedeffort to combat bioterrorism, the spread ofdisease, and other homeland securityconcerns.

The question to pose is “What access isneeded for our stakeholders to operate in aninteroperable healthcare environment?” Duringthe course of our data collection, we foundthat Utah’s healthcare system operated in botha paper and an electronic environment. Asthe state moves electronic informationtechnology and e-Health forward, acomprehensive analysis is needed tounderstand the different requirements

27

regulating access to health information.Clear goals are needed to define Utah’s e-Health system and the secure sharing ofhealth information must be among the toppriorities. Further dialogue is necessaryamong all participants involved in designingthis interoperable system. This includeshealth insurers, physicians, hospitals, statehealth departments, local healthdepartments, pharmacies, private industry,and others.

In considering interoperable health informationexchange, it is also important to understandthe stakeholder roles and how their applicablegovernance (or lack thereof) ‘fit’ into aninteroperable system. Maximizing thebenefits of interoperability and maintaining theindividuals right to privacy and security requirea clear working definition with achievablegoals. Involved stakeholder entities mustbecome part of the discussion as we moveforward in the development of an interoperablehealthcare system for Utah.

The reported absence of understanding withregards to regulatory requirements thatgovern individual agencies and partners(private or public) exchanging healthinformation inhibit the exchange process.Furthermore, differing terminologies,standards, and concepts heightened barriersto interoperability, which in turn negativelyimpact secure information exchange in atimely manner. The confusion that existedwithin the stakeholder community withregards to sensitive health informationexchange can also lead to the under-utilization of information and heighten fear oflegal recourse.

While some stakeholders in the medicalcommunity work with a general understandingof HIPAA, the difficulty to exchange andtransfer of information outside of HIPAAlegislation increases significantly. In sum,when the environment is such that theexchange is outside of HIPAA alone, theexchange is as anything but seamless andbarrier-free. Often the health informationexchange process is a formal andcumbersome affair.

3.0 SOLUTIONS

The importance of interoperability in a 21st

century global environment cannot beminimized. To avert public threats,bioterrorism, and to conduct public healthsurveillance requires that public health andlaw enforcement have and provide accessto health information. Traditional publichealth surveillance and investigations werefound to involve time-consuming manualreporting of cases to public health agenciesand phone calls to healthcare providers formore detailed patient information. Thevalue of exchanging existing health dataelectronically, and in a standardizedformat, provides a unique opportunity toleverage existing health data to bettersupport public health functions of diseasedetection, monitoring, and real-timesituational awareness.

The importance of privacy and security withregards to the health care consumer wasat no time understated during the discus-sions of interoperability. Regardless ofwhich workgroup was convened, the topicof consumer protection was voiced repeat-edly. Ultimately, the SWG members de-termined that, prior to any discussion ofimplementation, a patient’s ‘Bill of Rights’should be established to ensure theconsumer’s ability to maintain a sense ofownership over their health information andestablish a foundation to build consumertrust and confidence in e-Health. The coreelements recommended in a consumer ‘Billof Rights’ include the following:

Health care consumers shouldhave the right to:

– Determine who is able to viewtheir shared information;

– Revoke the right if theychoose to do so;

– Request an audit of who hasbeen viewing their information;and

– Be notified of any event thatbreaks these rights, such asbreaking the glass, in emer-gency situations.

28

3.1 Summary of Key Findings from theAssessment of Variation

The privacy and security concernsidentified in the Assessment of Variationreport were a mix of technological,organizational, educational, and legalissues. This was likely due to the natureof the scenarios used to collect thebusiness practice data. Although thesefour categories were delineated to furtheroffer solutions, the categories came underthe auspices of three general findings: anauthorization to disclose, the transmissionand transmission security of protectedhealth information, and the applicabilityof relevant rules and statutes. Furthercritical observations were documented byscenario, by the VWG (see Appendix E).

Prioritizing findings were difficult in onlytwo areas, that of authorization andtransmission/transmission security. Theapplicability of relevant rules and statutes,while not to be disregarded, wassignificant on a lesser scale due to thevast amount of unwritten law in the stateof Utah that guides business practicewhen compared to that which is impliedunder HIPAA and CFR 42 Part 2.Providers seek authorization from thepatient to disclose and transmit patienthealth information, typically via facsimile,to other providers involved in the patient’streatment. Facsimile security protocolswere found to vary in significantly. PHIwas reportedly discussed over the phonebetween providers without patientauthorization to a source that had no otherformal verification than a oral confirmationfrom the voice on the phone. As a result,the items below are ranked in no particularorder with the exception of rules andstatutes.

Authorization to disclose. Disclosingpatient information without authorizationwas found to be allowable under HIPAAfor “treatment, payment and healthcareoperations.” However, most providerschose to get patient authorization prior todisclosing health information. This did notappear to be an education issue, asproviders generally understood this HIPAAprovision and what constituted an allowable

disclosure. For many health care providers,the garnering of patient consent/authorizationwas an effort to ensure the patient’s right toprivacy, minimize the provider’s risk of liability,or a practical procedure to aid the flow ofinformation. In some cases, facilities refusedto release the patient information withoutpatient authorization, even though it wasallowed under HIPAA.

Transmission and transmission security ofProtected Health Information (PHI). There wassubstantial variation in the means oftransmission and security employed. On onehand, some physicians (in a physician officesetting) reported regularly disclosing healthinformation over the phone to other health careprofessionals once they had established acommon level of understanding and trust withthe requestor. On the other extreme,substance abuse providers had developedcomplex procedures for transmission thatinclude: verification, physical safeguards,warnings on paperwork about 42 CFR Part 2,and required acknowledgment receipts.

Long-term care facilities reported use ofelectronic facsimile (fax) as their method ofchoice for health information transmissions.Moreover, hospitals, physician offices, andother major stakeholders used fax regularlybut also reported using mail, courier, andpatient pickup. Selected large hospitals andintegrated delivery systems had the ability touse encrypted email but this method was notyet widely used and accepted. Some facilitiesreported having policies in place that prohibitedemail use at all for transmission of patientinformation. In all but a few instances, faxcontinued to be the predominant method oftransferring health information.

Electronic methods (CDs and the Internet)reportedly were employed with radiology films(e.g. x-rays), especially among large facilities.Mammography films were an exception.Some selected large facilities reported havingthe capability to make CD’s and use theInternet (by Picture Archiving andCommunication System - PACS) to transfermammography films, but rarely used thesemethods. Instead, films were typicallytransferred by in-person pickup with approvedphoto identification or sent by U.S. mail.

29

Applicability of relevant rules and statutes.Difficulty in exchanging health informationincreased when different rules and statutesapply to entities involved in the exchange ofhealth information. Law enforcement was nota covered entity under HIPAA nor was PublicHealth or the State Public Health Laboratories.Although substance treatment facilities werecovered entities, they also complied with 42CFR Part 2, a federal regulation thatheightened protection for treatment records.Primary care providers reported that theydisregarded treatment facilities’ recordsbecause the associated difficulties inaccessing them. HIPAA and 42 CFR Part 2did not align in a manner that was conduciveto health information exchange.

E-Health in Utah is quickly becomingaccepted as a means to improve healthcare,lower costs, and promote healthiercommunities. It is clear that to continue tomove eHealth forward towards aninteroperable system that can communicatewith other agencies and organizations whilemaintaining privacy and security, an opendialogue is needed to gain commonunderstanding.

3.2. Effective PracticesAs the VWG was instructed to classifybusiness practices as barrier, aid, or neutral“without judgment,” most business practiceswere classified as a barrier. The identificationof “effective” business practices did not occuruntil the SWG had convened and utilized adecision-making process to achieveconsensus.

E-Health in Utah is quickly becoming ac-cepted as a means to improve healthcare,lower costs, and promote healthier commu-nities. It is clear that to continue to moveeHealth forward towards an interoperablesystem that can communicate with otheragencies and organizations while maintain-ing privacy and security, an open dialogue isneeded to gain common understanding.

The SWG reassessed each business prac-tice to determine whether the barrier the prac-tice presented was appropriate and neces-sary to maintain privacy and security and to

identify solutions to any challenge for mov-ing to an electronic environment. Fortypercent (n = 58) of the reviewed businesspractices were reclassified by the SWGas an aid, outnumbering those businesspractices that were classified as eitherbarrier (n = 44) or neutral (n = 42). A deci-sion tree process was used to assesseach practice on degree to which privacyand security was maintained and capac-ity for an electronic exchange.

Business practices that sought patient au-thorization or consent to use or disclosehealth information were most commonlyidentified as an aid, regardless of whetherthe use/disclosure was allowable withoutpatient authorization under HIPAA’s treat-ment, payment or healthcare operationsprovision. The concern for privacy andsecurity was mirrored by the SWG con-versation that sought to reconsider CFR42 Part 2, in light of the changingenvironment.and not as a result of the law’sstringent approach to the disclosure ofsubstance abuse information because allpersonal health information is worthy ofhigh standards for security, protection andequal treatment. However, it was writtenprior to the use of electronic media forhealth information access, viewing and stor-age.

The SWG recognized the concern thatcertain types of information (such as thatrelated to sexually transmitted diseases,mental health treatment, chronic disease,genetic testing results and substanceabuse treatment) have a risk for misusethat could cause significant harm to thepatient. However, such misuse is mostlikely to occur when the information is usedand/or disclosed for purposes other thantreatment. The SWG maintained that thebenefit to patients outweighs the risk ofharm when all relevant health information,regardless of type, is made easily avail-able for treatment purposes.

It should also be noted that the SWG de-fined business practices detailing two en-tities entering into a business associatesagreement, in all situations where datawere shared, as an aid because it theo-

30

retically covers the entities not once, buttwice. In addition, this practice, althoughnot necessary under HIPAA, provides pro-tection to both the entity and the con-sumer further illustrated the lengths towhich providers, payers, etc. will go toprevent the misuse of health data as wellas add legal protections.

Information can and should carry inher-ent protections but the benefit of acces-sible personal health information for qual-ity care is to the patient. Utah laws existto provide protections for other sensitivehealth information. Those laws do notplace restrictions on using the informa-tion for legitimate treatment purposes.Examples of Utah laws that specificallyaddress disclosure of sensitive health in-formation include the Mental Health Pro-fessional Practice Act (UC 58-60-114) andGenetic Testing Privacy Act (UC 26-45).

Overall, the SWG determined that theneed to maintain health care consumerprivacy and security outweighed any ben-efits of interoperability or the free exchangeof information. This was further found tobe an overriding determinant rather thanjust occurring in relatively few scenarios.It was also determined that, due to theexpertise and authority of SWG members,the business practice data were often dis-agreed with and negated as being hypo-thetical or as occurring outside the realmof the ‘real world.’ For example, the stake-holder responding to scenario five detaileda business practice that enabled a payerto have electronic access to a cliniciansEHR system. This practice, as deter-mined by the SWG chair, would not takeplace, as payers would limit themselvesto a minimum amount of information. Thispractice would protect both the payer andpractitioner from inadvertent use of con-sumer PHI.

3.3. Identification of Variations NotBeing Addressed by the SWGAll business practices identified by theVWG were addressed by the SWG andgrouped according to practice being abarrier, neutral, or an aid. If the practice

was found to be effective, if it did not violatethe consumer’s rights regarding privacy andsecurity, and if it was electronic or could notbe made electronic, the SWG did notdeliberate further. As a result, no variationsidentified by the VWG went unreported.

4.0 ANALYSIS OFSOLUTIONS

Following the VWG analysis of the 18scenarios and the accompanying identificationof 144 business practices, the LWG (seeAppendix D) convened, per RTI instruction, todetermine which business practices identifiedby stakeholders had state legal drivers.Sponsored by the Utah Attorney General’sOffice, and chaired by Lyle Odendahl, JD 9,the LWG found that no statutory conflictsexisted, however, Utah privacy and commontort law does drive organizational and businesspractice that prohibit HIE according to HIPAA.Furthermore, variation existed as to knowledgeregarding the exchange or disclosure ofprotected health information (PHI) betweencovered and non-covered entities. To illustrate,it was found that law enforcement would oftenrequest PHI, and feel they had a right toreceive said PHI, due to the fact that they werenot a covered entity (i.e. health plan, medicalclearinghouse, health care provider, andprescription drug card sponsor) while coveredentities were not allowed to disclose PHI asHIPAA prevented them from doing so. [See45 CFR 160.103 for the few statutoryexemptions]

It was further decided that the solutionscategories fall into one or more of fourdomains: technical, administrative,educational, and legislative. As such, it wasimportant to reconsider the business practicesidentified as barriers as falling into one or moreof these four domains as well.

5.0 STATE SOLUTIONIDENTIFICATION ANDSELECTION PROCESS

5.1. The State Solutions Workgroup

31

Sponsored by UHIN and chaired by LinnBaker (Executive Director of PublicEmployees Health Plan and member of theUHIN Executive Committee), the SolutionsWorkgroup (see Appendix D) examined thosebusiness practices identified by the VWG anddefined, via decision tree (see Appendix F),which business practices served as barriersto the electronic exchange of PHI. The SWGfurther objectively identified which businesspractices were an aid or neutral to theelectronic exchange of PHI and if thebusiness practices protected the health careconsumer’s privacy and security. If thebusiness practice was determined to be abarrier, or if the health care consumer’s privacyand security was not deemed protected, theSWG sought to determine a solution.

5.2 Identifying SolutionsTo further identify and propose solutions, theSWG further delineated the three key findingsof the VWG (authorization to disclose,transmission and transmission security ofPHI, and applicability of relevant rules andstatutes) into four solution categories assuch:

Technological:· Transmission of PHI. The method

of choice for transmission of PHI inthe state of Utah was the facsimilealthough several stakeholder entitiesalso reported that the use ofgovernment mail and/or courier wasan option. It was also reported thatPHI would be released to the healthcare consumer, or a representativeof the health care consumer, withproper identification. This was mostcommon with regards to radiologicalimages.

· Transmission Security of PHI. Theconsensus among stakeholders wasthat the transmission of PHI viaemail, encrypted or otherwise, wasnot good practice due to privacy andsecurity concerns. Securityprecautions taken when faxing PHIalso varied from the practice(s) ofcalling an entity prior to and followingthe transmission of PHI as well as

maintaining a signed log. Overall,privacy and security concernswere of major importance tostakeholders and the practice offaxing PHI was identified as beingthe most desirable under currentconditions.

· Authentication/Verification. Itwas common practice (in aphysician office or hospital setting)to regularly disclose healthinformation over the phone to otherhealth care professionals as longas there was a common level ofunderstanding and/or trust. Whilea credentials database existedwithin the realm of UHIN, and theDivision of Occupational andProfessional Licensingmaintained some licensinginformation, they were by nomeans considered all-inclusive.

· Locating PHI. Little variation wasfound among stakeholders withregards to locating PHI fortreatment, payment, or healthcareoperations. Most stakeholdersresponding sought to locate thewhereabouts of PHI directly fromthe healthcare consumer, orconsumer representative, whenpossible. It was noted that inemergency situations this wasdifficult, if not impossible, when thehealth care consumer wasincoherent or incapacitated.

· Accessing PHI. Interoperabilityand access to PHI amongstakeholders was often mademore difficult when thestakeholders involved weredeemed competitors. In instanceswhere a stakeholder knew thelocation of PHI, access was notlikely to be granted and instead arequest would be issued. Thisserved as an example of an entityreceiving PHI as a result of a ‘push’from another entity rather than a‘pull.’

32

Administrative:· Authorization to Disclose.

Disclosing patient informationwithout patient authorization wasallowable for “treatment, paymentand healthcare operations” underHIPAA; however most providerschose to get patient authorizationprior to disclosing healthinformation. This was furtherfound to be desirable practice andnot likely to change as themajority of individuals felt theadded precaution was also addedprotection against legal recourseand, as a result, served asadministrative policy.Authorization was furtherconfounded when informationreached the state level, as theDepartment of Health is not boundby regulation to disclose PHI.This was found to be a matter ofcontention between providers andlaw enforcement with regards tosafety of first responders.

· Transmission of PHI. Variationwas not found in the transmissionpolicies and practices amongstakeholder entities as fax wasmost common and administrativepolicy forbid email transmission.

· Transmission Security of PHI.The majority of stakeholdersreported transmitting PHI by usinga cover sheet that displayed theiridentifying letterhead. Themajority of substance abuseclinics responding indicated thatthey would also notify thereceiving entity, by telephone,that a fax was being transmittedand then would follow-up with aphone call to confirm.

· Allowing Access to PHI. Accessto PHI was often granted basedon the nature of the PHI involvedand the purpose of the request.It was found to be commonpractice among stakeholders toestablish a business agreement

prior to allowing access to PHI unlessa conflict of interest was identified(e.g. competing entities), in whichcase PHI would be disclosed ratherthan allowed by access. It was alsofound that an electronic exchange ofPHI was most often done by ‘push’rather than ‘pull’ when followingadministrative protocol. Furtherbarriers to the exchange of informationwere determined to be between non-competing entities within theDepartment of Health. Althoughadministrative policy did allow forlimited sharing, a culture existed thatlimited sharing as a result of perceived‘ownership’ of PHI.

Legislative:· Applicability of Relevant Rules and

Statutes. Difficulty in exchanginghealth information increased whendifferent rules and statutes applied toentities involved in the exchange ofhealth information. Law enforcementis not a covered entity under HIPAA,nor is Public Health or State PublicHealth Laboratories. Althoughsubstance abuse treatment facilitiesare covered entities, they alsocomplied with 42 CFR Part 2, a federalregulation that heightened protectionfor treatment records.

Educational:· Privacy and Security of PHI. Health

care consumers in the state of Utahwere found to be uninformed as to theirrights regarding the usages ofpersonal or protected healthinformation. Many consumersreceived their information from non-news television programs or non-scholarly media outlets and, as aresult, held beliefs that there personalhealth information was either moreprotected or, conversely, lessprotected than it actually was.

· Benefits to HIE. Consumersinterviewed had very little knowledgeregarding the benefits tointeroperability.

33

· Providing education regarding risksand realities of communicablediseases. A chasm was identifiedbetween law enforcement first-responder personnel and medicalpersonnel with regards to thedangers (both perceived andwarranted) of communicable diseasefor first responders.

5.3 Inappropriate Scenarios orExchangesIt was further decided that seven of thescenarios, some previously identified by theVWG, were irrelevant to the state of Utah withregards to information exchange: ScenarioFive – Payment, Scenario Six – RHIO,Scenario Eleven – Healthcare Operations andMarketing A, Scenario Twelve – HealthcareOperations and Marketing B, ScenarioFourteen – Employee Health, ScenarioSeventeen – Public Health C, and ScenarioEighteen – Health Oversight. Although thesescenarios were not found to be applicable toHIE as it occurs in Utah, stakeholders feltthat theoretical exchanges were worthmentioning if they were found to be apossibility.

Scenario Five – Payment. This scenario wasidentified as being unlikely in the state of Utahas stakeholders were not aware of any HealthPayer that would request access to a healthprovider’s EHR to approve/authorize inpatientencounters. That being said, both payersand clinicians were in agreement with themain concept that only the “minimumnecessary” under HIPAA would be given tothe payer.

Scenario Six – RHIO. Monitoring of patientor physician data would not happen in Utahas UHIN is a gateway or information highwaywhere information is exchanged betweendifferent organizations and, as such, it didnot request or permanently store data. UHINinstead functioned like the post office ingetting information routed from the sender tothe intended receiver and did not performquality measurements on its members’ data.Should members want to exchange/submitpatient information from one organization toanother, UHIN’s standards committee could

charter a subcommittee to develop acommunity-standardized message.

Scenario Eleven – Healthcare Operationsand Marketing A. Scenario 11 was identifiedas not being applicable to the state of Utah.No entities were found to market in afashion similar to that found in the scenario,in fact, the responding entities rarelymarket directly to individuals for identifiablehealth reasons. General brochures are amore common form of marketing in Utahas concerns were expressed about HIPAAand the use of PHI to generate revenue. Incases where covered entities direct market,patient authorization would be required(usually face-to-face).

Scenario Twelve. Healthcare Operationsand Marketing B: Further discrepancy wasnoted with regards to scenario 12 as onehospital system responding reported thata business associate agreement with amail house existed that specified the termsand limits of the contract for direct mailing.The hospital provided identifiable PHI on acompact disc or electronic file to the mailhouse that is specified for “one time use”and then destroyed. We found no sellingof PHI to outside entities, although somehospitals use the mail house as outlinedabove and others have an internal marketingdepartment that sends information out. Ifthe marketing is done internally the dataare de-identified.

Scenario Fourteen – Employee Health.Hospitals responding to scenario 14reported that it is not common practice totransmit information via email. In particular,it would never be the situation that ahospital would cut and paste informationfrom the patient EHR system into a returnto work form or use a printed page of apatient EHR for return to work purposes.Responding hospitals did not feel this wasappropriate in this particular situation. Theminimum necessary standard underHIPAA was, for most, a criticalconsideration given that “return to work”information requirements are general innature. The only variation noted was inthe capability of facilities to email healthinformation. Some hospitals have good

34

processes for encrypting and sendingprotected health information yet have notintegrated this in their processes. Otherhospitals do not have technology to beable to send health information by emailat all.

Scenario Seventeen – Public Health C.The state of Utah does not have countyshelters as described in scenarioseventeen nor does it have hospital-affiliated drug treatment clinics that servethe homeless. Its homeless are treatedin social-based, not medical based,facilities. It is also rare that a homelessperson would have a primary careprovider.

Scenario Eighteen – Health Oversight.The Health Oversight scenario details agovernor’s request to establish a databasefor childhood immunizations and bloodlead to determine if individuals seektreatment by ‘migrating’ between states.Though Utah has the capacity to map andcurrently tracks this kind of information,this scenario raises the critical issue ofdata governance and sharing. As agenciesand organizations work together toeffectively address issues similar to thoseportrayed in scenario 18, sharinginformation among agencies may requiremore than a request from the governor(such as an executive order). Multipleregulations and statutes, which governhow agencies and organization use anddisclose information, increase the difficultyof communicating. Common,understanding, language, and guidelinesare necessary to overcome the regulatorybarriers that govern their ability to shareand exchange information.

The elimination of these seven scenariosfor consideration left the remaining elevento be categorized into the four solutionscategories (technical, administrative,legislative, and educational).5.4 Vetting, Evaluating and PrioritizingSolutionsAs the chair of the SWG was Director ofUtah’s Public Employee Health Programand a member of UHIN’s ExecutiveCommittee, one of the SWG members

was the Assistant to the Executive Director ofUHIN, and yet another was in the process ofsecuring funding for an independent bankingmodel, it was determined (although unspoken)that a technical solution category would beprioritized. UHIN’s history in the state of Utahhas been well documented and SWG membersdetermined that there was no need tocontemplate a technical solution that did notdirectly involve UHIN. As a result, theremaining solutions categories were often (ifinadvertently) incorporated into UHIN’sstructure. For example, some AdministrativeSolutions (transmission of PHI, transmissionsecurity of PHI, and allowing access to PHI)were determined applicable to UHIN’sproposed structure as the transmission,security, and access could be accommodatedfor. The remaining two categories (Legislativeand Education) were determined to be,respectively, national and grass roots issuesas Legislative Solutions involved the revisionof HIPAA and the Education Solutions wereprimarily intra-agency.

5.5 Organizing and Presenting SolutionsFollowing SWG review of each businesspractice and the subsequent classification asbarrier, neutral and aid, it was further foundthat scenario business practices fell intomultiple solutions categories and, as such,the SWG re-categorized scenario businesspractices according to applicable solutioncategories:

Technological:· Scenario One Patient Care A:

Transmission of PHI In emergencysituations, hospitals and physiciansdisclosed information via facsimiletransmission or by telephone if therequesting entity identifiedthemselves as a physician or anindividual acting on behalf of aphysician. In such instances it wasfound to be common businesspractice to follow up a telephonerequest with a fax stating the requestin order to document the informationexchange in the patient chart. In mostnon-emergent situations the entityreceiving a request for PHI requested

35

that a consent form, with thepatient’s signature or a patientrepresentative signature, be sent priorto PHI disclosure.

Authentication/Verification While alevel of trust did exist between careproviders when exchanging PHI, onestakeholder conveyed that thepractice of authenticating andverifying a requesting entity was donevia the Internet. Another stakeholderresponded that this was not the normas an exchange of PHI wascommonplace and, at best, a verbalrequest was followed up with a faxrequest that was be placed in thepatient’s chart. While a credentialsdatabase exists, and The Division ofOccupational and ProfessionalLicensing maintains some licensinginformation, they are by no meansconsidered all-inclusive.

Locating PHI In an emergencysituation, a physician made everyeffort to locate a patient’s medicalinformation with a patient’sassistance and authorization (orfamily member’s assistance andauthorization) if the patient wascoherent or if a family member waspresent. In more complicatedsituations, this information gatheringrequired locating PHI from internaland/or external sources. Internally,this entailed searching the hospitaldata banks to determine if the patienthad previously been seen there.Externally, this information gatheringwas often not possible if the patient’smedical history was verballyunattainable from the patient or apatient representative. Regardless,locating PHI was seen as beingimperative to gain a full history of thepatient and treat as appropriate whiledecreasing the chance for medicalerror.

Accessing PHI Electronic externalaccess to PHI was not an option inUtah as no agreements for accessinto individually held EMR databases

were in place between providers.It was further noted that there wasan identified conflict between onetertiary hospital’s inpatient EMRsystem and that same hospital’soutpatient EMR system. Tofurther elaborate, a physicianperforming inpatient surgery andthen seeing the same patient fora follow-up exam in an outpatientsetting, electronic access of theinpatient PHI would not be possibleand a record request would beneeded.

The release of patient informationacross state lines was not foundto be a factor with regards to theexchange of patient information.It is unclear what the requirementswould be from neighboring statesto disclose patient information.Hospitals responding within thestate of Utah report that in anemergency, the informationrequest would be fulfilled followingauthentication of the requestor viafax of requesting entity’sletterhead. If not an emergencysituation the practice is to havepatient authorization to disclose.

· Scenario Two Patient Care B:Transmission Security of PHIWhile the added precautions andprotections afforded to substanceabuse information will be coveredin-depth in the legislative keyfindings, it stands to say that, asa result of CFR 42 Part 2,substance abuse information istreated with more stringentprivacy and security precautionsthan other PHI. An interestingnote however was that thetransmission of substance abuseinformation is done via fax, similarto any and all other categories ofPHI, regardless of addedlegislation. An extra precautionthat select, but not all,stakeholders take whentransmitting substance abuseinformation was that a phone call

36

is made to notify that theinformation is being sent and thenagain to confirm that theinformation was received by theappropriate party.

Authentication/Verification Whilesubstance abuse information isprotected under CFR 42 Part 2,no added precaution ofauthentication or verificationoccured other than would takeplace with other forms of PHI.Stakeholders were found to agreethat the health care communityin Utah (with regards tosubstance abuse information) issmall enough that most allinvolved experience some degreeof familiarity that renders anyauthentication or verificationobsolete.

· Scenario Three Patient Care C:Transmission of PHI Mostinformation transmitted to andfrom long-term care facilities wasreported to occur by by fax withno additional security being inplace.

Allowing Access to PHI Therewas variation among long-termcare facilities’ practices forgranting physicians temporaryaccess to their facility andrecords system but facilities haveprocedures in place shouldtemporary access be necessaryunder such situations. Thesharing of patient informationdiffered from entity to entity withsome requiring that a businessassociate agreement be in placeand others indicating suchagreements are not necessarybetween providers involved in thetreatment of a patient.

· Scenario Four Patient Care D:Transmission of PHI The majorityof mammograms done in Utahwere reportedly film; this was thecase in both rural and urbanfacilities. One integrated delivery

system currently reported the use ofdigital images for mammography anda second plans to transfer to digitalwithin the next two years. However,even at the integrated delivery systemthat uses digital, the images areprinted in hard copy for the physiciansas most institutions and physiciansare not comfortable with digital. Thesefilms were transmitted or exchangedby mail, courier, or the patient withsigned patient release. Thistransmission were contrary to recenttechnological advances that wouldallow, with proper bandwidth, thetransmission of digital images forphysician diagnosis. Moreover, withthe Picture Archival CommunicationSystem (PACS) becoming moreprevalent with regards to digitalimages of mammograms, it wasobserved that the variation intransmission protocol was more theresult of physician comfort level withreading digital images, as it was aninability to transmit.

· Scenario Sixteen Public Health B:Transmission of PHI Utah does nothave an Interactive Voice ResponseSystem or a registry for identified andconfirmed cases of abnormalscreening. Individually identified casesof phenylketonuria (PKU) andgalactosemia patients can be trackedthrough a Metabolic Clinic however.The lack of an Interactive VoiceResponse System indicates that aneed for electronic interoperabilityexists as a paper system is currentlyin place.

Administrative:· Scenario Three Patient Care C:

Transmission of PHI Most informationtransmitted to and from long-term carefacilities was reportedly done by faxas an administrative rule of thumb.

Transmission Security of PHI It wasfurther noted that the majority of long-term care facilities have establishedthe fax as a transmission protocol for

37

security reasons as email is not atrusted means of transmission.

Allowing Access to PHI The sharingof patient information differed fromentity to entity with some requiringthat a business associate agreementbe in place and others indicatingsuch agreements are not necessarybetween providers involved in thetreatment of a patient. Long-termcare facilities required a login andpassword for all staff with accessgranted on a “need to know” basis.They do not have sharablepasswords. The long-term carefacility can grant a health careprovider access to patient recordswhen appropriate. The decision togrant temporary access to thepatient record via the electronicsystem was at the discretion of thelong-term care facility. Long-termcare facilities operating electronicmedical records required technicalsafeguards including unique useridentification and procedures foraccessing electronic PHI in anemergency. This would be true evenif access were temporary.

· Scenario Thirteen Bioterrorism:Authorization to Disclose StateHealth Code regulates public healthagencies use and disclosure ofpersonally identifiable healthinformation. Public health agenciespermits sharing of information withlaw enforcement but is limited to thatnecessary to protect the individual.Information sharing for safety andprotection purposes is not mutuallydefined, however, systems andprocedures are established. Thedegree of sharing is at the discretionof public health officials.

· Scenario Fifteen Public Health A:Allowing Access to PHI Althoughintra-agency access was reported asallowable within the stateDepartment of Health, little exchangewas found to exist in actuality.Conversation and a need for a

solution to this identified practiceoccurred within the SWG as amember was the data steward fortuberculosis data. It was furtheridentified that a request for fundingfrom the state was in place thatwould allow for an updatedintegrated system allowing forgreat control and access topertinent public health informationthat could be utilized to identifypublic health threats.

Legislative:· Scenario Two Patient Care B:

Applicability of Relevant Rules andStatutes PHI containing a historyof substance abuse is shared,following patient authorizationaccording to the specifics of 42CFR, Part 2, which details whatinformation is to be exchanged,between what parties, and forwhat period of time. This“minimum information sent” wasdescribed by a physician’sassistant as having “little utility”and therefore was disregarded infavor of obtaining the patient’shistory of substance abuse fromthe patient. This notion of “littleutility” was again voiced by ageneral care practitioner whoindicated that a specialist woulddetermine what information wasneeded and initiate the request forPHI with the substance abusepatient in the specialist’s office.The type and amount ofinformation disclosed by thesubstance abuse treatment facilityis limited to that which isnecessary and for which thepatient has given consent. 42 CFRPart 2 contains a consent-drivendisclosure mechanism. HIPAAcontains a minimum necessary-driven disclosure mechanism. ThePrivacy Rule allows forcommunications within programson a “need to know” basis. 42 CFRPart 2 requires that thecommunication of information

38

within the program (or to an entitywith direct administrative controlover the program) be limited tothose persons who have a needfor the information in connectionwith their duties that arise out ofthe provision of diagnosis,treatment or referral for treatmentof alcohol or drug abuse (see 42CFR § 2.12). The type andamount of information disclosedby a Substance Abuse TreatmentFacility is limited to that which isnecessary and for which thepatient has given consent. 42CFR Part 2 does not discusstransmission of PHI.

Educational:· Scenario Eight Law Enforcement:

Privacy and Security of PHI Lawsand regulations that governhealthcare entities and lawenforcement are different as is theintent from which those laws arebased. Healthcare entities, withregard to exchange of patientinformation, focus on theprotection of that patient’s privacy.Law enforcement, though notdisregarding the individual’s rightto privacy, must focus on theprotection of the broadercommunity. The VWG diddetermine that, while a differencedid exist regarding theunderstanding of what it meantto be a ‘covered entity, ’ theconsumers responding lack atrue understanding of what rights(or lack thereof) existed withregards to PHI.

To clarify, while law enforcementdemonstrated a tendency tobelieve that, since they were nota ‘covered entity,’ they had a rightto PHI, providers would notdisclose said PHI, as they werea ‘covered entity.’ The consumer,on the other hand, felt as thoughthey controlled who had accessto their PHI and were ignorant

with regards to provisions allowing forthe exchange of PHI for ‘treatment,payment, and healthcare operations.’

· Scenario Fifteen Public Health A:Providing education regarding risksand realities of communicablediseases As noted in previousscenarios, general precautions fortransmitting patient health informationare in place. The public healthdepartment in Scenario 15 is cautiousto not disclose a medical condition(in this case tuberculosis) to lawenforcement. As a result, the lawenforcement expresseddissatisfaction and concern as thispolicy can put officers at adisadvantage. The public healthperspective is to advise lawenforcement to take precautionarymeasures regardless. However, it iscommon practice for law enforcementto take into account relevantinformation and enact precautionarymeasures accordingly. Lawenforcement stakeholders also did notexpress relief when told there was“greater risk of being in a car accidentthan contracting TB while transportinga patient with the windows rolleddown.”

5.6 Determination of FeasibilityGiven the nature of the solution categories andthe expertise of the SWG members, feasibilitywas extensively discussed. A licensedphysician with a graduate degree in medicalinformatics served as a champion for theindependent banking model, the director of amajor payer and member of UHIN’s executivecommittee served as the champion for UHIN’scentral role in the technical solutions, andUHIN’s assistant executive director servedon the SWG led the solutions discussion offeasibility to examine possible flaws andobstacles. It was in this manner that allsolutions forwarded to the ImplementationPlanning Work Group (IPWG) were evaluated.Feasibility of technical solutions are dependenton UHIN’s Executive Boards willingness toadopt and incorporate strategically into UHIN’slong-term workplan.

39

Site UTN Network Members

1 University of Utah, SLC2 Allen Memorial Hospital, Moab3 Beaver Valley Hospital, Beaver4 Central Utah Health Department, Richfield5 Central Valley Medical Center, Nephi6 Montezuma Creek Community Health Center, M.C.7 Monument Valley Health Center, M.V.8 TriCounty Health Department, Vernal9 Uintah Basin Medical Center, Roosevelt10 Gunnison Valley Hospital, Gunnison11 San Juan Hospital, Monticello12 Bear River Health Department, Logan13 Weber-Morgan Health Department, Ogden14 Davis County Health Department, Farmington15 Summit County Health Department, Coalville16 Tooele County Health Department, Tooele17 Salt Lake City-County Health Department, Murray

18 Wasatch County Health Department, HeberCity

19 Utah County Health Department, Provo20 Southeastern Utah Health Department, Price21 Southwest Utah Health Department, St.

George22 Castleview Hospital, Price (no

videoconferencing)23 UDOH - Cannon Building, SLC24 Elaine Skalabrin, M.D. Residence (Telestroke

Emergency), Sandy25 Mountain West Medical Center, Tooele26 Utah Hospital & Health System Association,

SLC27 UNHS Blanding Family Practice, Blanding28 Basin Clinic, Vernal

Figure 1. Utah Telehealth Network Sites.

40

6.0 Analysis of ProposedSolutions

Following a review and reconsideration ofthe VWG findings, those businesspractices identified as barriers to thesecure exchange of PHI were furtherdelegated by the SWG to an applicablesolution category. Current and plannedelectronic projects were incorporated intosolution results where possible and wheredeemed appropriate by the SWG. Theidentified solutions represent the SWGeffort to address identified challenges tothe electronic exchange of healthinformation while maintaining the securityand privacy of that information. They werenot intended as a definitive statement butrather to provide a framework for furtherdialogue regarding appropriate informationexchange in a secure and privateenvironment. Scenarios in whichsolutions categories were heavily identifiedare placed behind the identified barrier inparentheses.

6.1 Solutions to Variations inOrganization Business Practices andPoliciesTechnological:

Identified Barrier. An inability to transmitPHI via secure methods whether by portalor other technology to all areas of thestate.

[Transmission of PHI: Scenario OnePatient Care A, Scenario ThreePatient Care C, Scenario Four PatientCare D, Scenario Sixteen Publichealth B].

Proposed Solution: To continue toestablish an electronic ‘pipeline’ that willinclude rural as well as urban areas.Connectivity would not be established byUHIN, but via Utah Telehealth Network.Paid membership to UHIN will then allowfor transfer of administrative data withproviders and payers from all areas of thestate. The secure transfer of clinical datawould result pending the success of pilottrials currently underway at UHIN.

General context: Rural health care facilitieshave relationships with distant healthcareproviders and payers with which they need toexchange clinical and administrative data.Many rural areas of the state were found tohave limited infrastructure to support high-speed networks. The Utah Telehealth Networkhas worked closely with telecommunicationscompanies, the University of Utah, UtahHealthnet, and the state of Utah to bringservices to rural health care facilities with thedevelopment of the physical infrastructure toallow for connectivity. UHIN’s Web portaltechnology connects participating membersto allow for the exchange of administrativeinformation. In 2004 UHIN became an Agencyfor Healthcare Research and Quality (AHRQ)State and Regional Demonstration grantrecipient. UHIN has expanded its focus toinclude the exchange of clinical healthcaredata and is developing clinically focusedhealthcare transaction standards. Discussionalso took place with regards to the expansionof communication towers that would allow forwireless communication in a securedenvironment.

Extent to which solution is in use: The UtahTelehealth Network links patients to health careproviders across the state, country and worldby using the most current telecommunicationstechnology. Telehealth provides rural patientsand providers with access to services that wereusually available only in more populated urbanareas. The Utah Telehealth Network usesinteractive video to deliver patient care, providecontinuing education to health professionals,facilitate administrative meetings, enabledigital images such as CAT scans and X-raysto be transmitted for second opinions, andallowed for emergency stroke patients toreceive state-of-the-art stroke care during thecritical three-hour window of treatment despitebeing hundreds of miles away from the nearestneurologist (see Figure 1). Also UHIN isinvolved in pilot exchanges of clinical data.Identified Barrier. Inability to properly ensuretransmission security of PHI via facsimile and/or paper transmission and a lack of trustregarding the privacy and security of electronicexchange.

[Transmission Security: Scenario TwoPatient Care B].

41

Proposed Solution: To utilize UHIN for secureclinical exchange as a plausible solution.This is due to the fact that the exchange ofadministrative claim data was already inplace. Accompanying the proposed solutionis expanding interoperability state-wide, thisproposed solution could readily beimplemented with the assurance to providersthat clinical data would operate under thesame auspices currently in place and thetransmission of data via portal could providemore security than that which takes placewith a fax transmission.

General context: Although a SWG memberattempted to initiate discussion regardingfacsimile protocol that could be immediatelyincorporated, the majority of SWG memberschose instead to focus on the future practiceof interoperability and transmission bymethods other than fax. The major consumer

concern regarding interoperability was theconcern of transmission security.

Extent to which solution is in use: The UHINSecurity Education Tool (USET) was cre-ated to assist small healthcare providersin their efforts to understand and developreasonable and appropriate security poli-cies for exchanging administrative claimdata in accordance with HIPAA guidelines.Although using USET does not guaranteeany surety of HIPAA security compliance,it does provide a template for establishingprotocol regarding secure electronic ex-change. UHIN also utilized public key in-frastructure (PKI) at the organizational levelthat enabled computer users to be authen-ticated to each other, and to further usethe information in identity certificates toencrypt and decrypt messages travellingto and from. Due to the fact that adminis-trative claim data is currently being ex-

Figure 2. Short-term concept model for state connectivity.

42

changed in a secure electronic environ-ment, UHIN was determined to be a rea-sonable vehicle for the secure transmis-sion of electronic claim data for partici-pating members pending successful trialexchange.

Identified Barrier. Authentication/verification of provider utilizing electronicportals for the exchange of PHI.

[Authentication/Verification: ScenarioOne Patient Care A, Scenario TwoPatient Care B].

Proposed Solution: Establish a systemor standard protocol for authentication andverification of provider authority to accessPHI. A system similar to this was foundto be operated by UHIN to establish an‘end user’ or ‘super user’ that takesresponsibility for the security of individualsor entities transmitting and/or receivingPHI electronically. The ‘super user’ isestablished through an authenticationprocess by UHIN following a site visit.Once the ‘super user’ is established, thatentity would grant authorization to allowaccess to the UHIN portal. This wouldalleviate UHIN from any authentication/verification of users and placesresponsibility on the ‘super user’ tomaintain a credible system wherebyinappropriate access is prevented.

General context: Authentication wasdetermined essential to prevent theinadvertent or inappropriate release ofinformation. It was further found that allinformation should be accessible only ona need-to-know basis. Ensuring thatinformation was only released after theidentity of the requestor was confirmedwas found to be critical. Identified securitypolicies typically relied on a request faxedon letterhead.

Extent to which solution is in use: UHINpolicy was to visit each participatingmember to authenticate the memberlocation and designate a site-specific rolemanager. The role manager was thenresponsible for verifying physicians andproviders at their location.

Identified Barrier. Locating PHI electronicallyand in ‘real time.’

[Locating PHI: Scenario One Patient CareA].

Proposed Solution: Establish a structure toassist in locating the patient-specific healthinformation contents. This can include a recordlocator, patient record bank, or other type ofcentral patient repository. Furthermore,establish a Utah payer-based memberidentifier that is unique and recognizableacross all participating payers. This voluntarysystem would start within the payercommunity with healthcare entities ultimatelyhaving the option to adopt this unique memberidentifier. It was also suggested that thecommon identifier would remain the samewhen an individual changed plans. Thissolution is further identified as not affectingthe uninsured and it was hoped that Medicarecooperates in accepting the common identifierformat.

General Context: Advances in IT have madepossible the ability to bridge disparateapplications and languages. As informationneeds change and grow in scope andcomplexity the enormous value IT brings is inits ability to link and merge health information.The unique patient identifier has not beendefined in Utah due in part to privacy concernsand because there is as of yet no lawprotecting the individuals privacy beyond thatof HIPAA. Further, the need to coordinatemultiple agencies (HHS, Medicare, CDC) andsystems is necessary to move forward with asingle identifier at the federal level. (SeeFigure 2).

Extent to which solution is in use: Policiesare in place for limited sharing only. However,no common identifier exists. It was found that,due to UHIN’s unique nature, this proposedsolution differed from many other statesparticipating in this study. The notion of acommon identifier or Master Patient Index(MPI) has been contested at the national levelfor fear of privacy and security breaches. Theproposed solution by UHIN is more similar toan Enterprise Master Patient Index (EMPI) dueto the fact that the number would remain withinthe realm of UHIN and the state of Utah. Thissolution was further championed by the SWG

43

Figure 3. Long-term concept model for state-wide connectivity.

44

chair as a result of UHIN’s executivecommittee being largely payer-based andwilling to work in concert with one another.UHIN is piloting clinical data exchangeand developing methods to “push”information out electronically but there iscurrently no mechanism to “pull”information in a timely manner. Onepossible solution to this was identified asbeing private industry developingconsumer-driven health data banks.Although it was stated by a UHINrepresentative that UHIN did not wish toserve as a record locator or informationrepository, it was found conceivable thatin a proposed long-term solution UHINcould allow for the transmission of PHIfrom an identified entity to a requestingentity. (See Figure 3).

Identified Barrier. Accessing PHI.[Scenario One Patient Care A]

Proposed Solution: As most providerentities in the state of Utah are deemedcompetitors, a reluctance exists to allowfor a ‘crosswalk’ enabling access to ahealthcare system’s data repository. Thesolution offers a long-term resolutionwhere by UHIN would serve as the trustedentity responsible for locating andtransmitting PHI between entities. [SeeFigure 3]

General context: Not applicable.

Extent to which solution is in use: Notapplicable.

Short-term Model

The following model was proposed as ashort-term state-wide solution to addressthe technical challenges to the secure andprivate electronic exchange of health in-formation. The goal: to move Utah towardsa single healthcare identifier for all Utahcitizens. Step one involves Utah payersvoluntarily adopting a single numberingsystem known in this document as the“common identifier.” The common identi-fier is a member identification number

using a numbering standard set by the UHINcommunity standard-setting process. UHINwould host the numbering system databaseand would designate blocks of numbers toeach payer voluntarily participating in the pro-cess. Assigning a common identifier to allparticipating payer members will be challeng-ing. One consideration is identifying peoplewith multiple coverage’s under different insur-ance companies to avoid giving them two num-bers. A query system may be needed to iden-tify those person that already have an assignednumber. A longer term option may be to cre-ate a master patient index functionality. Forthe short term, the community wants to ex-plore other options first.

All messages carried by UHIN are appropri-ately encrypted when in transit. UHIN is cer-tified through the Electronic Healthcare Net-work Accreditation Commission (EHNAC) andemploys reasonable and appropriate securityand privacy practices.

Payers may choose to crosswalk their owninternal member identification number(s) to thenew common identifier or replace their propri-etary member identification number with thenew common identifier number.

Figure 2 shows the possible process for a re-quest from provider ‘A’ for medical informationon patient ‘X’ sent to a participating payer viaUHIN using the common member identifier “M”.This process assumes that payers haveadapted their claims information databases tobe able to respond to queries for informationabout a specific member. In the short-termmodel, providers would have already receivedthe common identifier “M” for all members ofparticipating payers and would have recordedthat information in their practice managementsystems (the “M” identifier would also be usedfor billing purposes).

The UHIN community would come together tocreate standard messages for both the requestfor the information (from the provider) and theresponse (from the payer).

The provider making the information requestwould send the standard request message tothe payer via UHIN. The payer would thenlocate the information on that member and

45

Figure 5. Conceptual design of NEDSS Base System.

Figure 4. Emergency response reporting system, NEMSIS/POLARIS.

46

respond with the standard response mes-sage containing whatever information theyhad available on that member.

This short term solution assumes thatsome of the other listed challenges havebeen addressed: that all health care enti-ties are connected to this pipeline and thatphysicians and providers have been au-thenticated through the UHIN member au-thentication process. The short-term so-lution will be evaluated for the value itbrings to the community so that it can bedetermined if it is an economically sus-tainable option.

Long-Term Model

Public and private entities around the stateare moving toward electronic health infor-mation exchange and together are work-ing to improve sharing medical data toenhance quality care. Security and pri-vacy are of critical importance for all stake-holders and consideration must be givento the location, accessibility and owner-ship of medical records. Most providersand public health programs maintain theirown patient records and are often hesi-tant to release them outside of their do-main. A data-sharing orientation must befostered to achieve a connected commu-nity where health information is ex-changed in a secure and private environ-ment.

The high priority for privacy and securityled SWG toward models that employ de-centralized data-sharing arrangements orfederated models of data location. In a de-centralized or federated model, the datareside in the provider system and are ac-cessed directly from the provider’s or in-dividual program (public health) database.

In the long-term solution, an assumptionhas been made that many Utah providerswould have voluntarily adopted the com-mon member identification number pro-mulgated by the payers in the short-termsolution. The value for providers is that itwould assist them in de-duplicating theirown records as well as make it easier to

exchange information with other entities withsome surety that the information being ex-changed was truly about the correct person.In this way, it is hoped that the ‘member’ iden-tifier would move to become more of a ‘pa-tient’ identifier. We would have to determinehow to assign uninsured persons an identi-fier. It is likely that this will require the adop-tion of a full-blown master person index func-tionality by UHIN but that decision would bemade when the need warranted.

Data can be accessed in several ways. [SeeFigure 3] Using the UHIN network among pro-viders, each provider could contact other pro-viders to request the appropriate records us-ing the common identifier, and then receivethose records from the source location. TheUHIN network would maintain a database ofpatient common identifiers (“M”) for every pa-tient in Utah who has a medical record held inone of the databases connected to UHIN. UHINwould monitor the claim traffic already goingthrough the network to create a record of wherepatients have been seen by health care pro-viders. This functionality would have to be con-structed to be compliant with both CFR 42and with patient’s consent to participate in thesystem.

When a patient record request comes toUHIN’s server, UHIN will use the common iden-tifier to point to information sources about thepatient. UHIN will send the request to the in-formation source(s), retrieve any informationfrom the source and return the information tothe requesting member. If a patient is notfound, UHIN will inform the requesting entityof this. The ability to authenticate providerswill be a strong asset in maintaining networksecurity. Additionally, individual providers, ifthey know the information source (such aswhen a PCP has referred a patient to a spe-cialist) could request the needed informationfrom the information source by sending a re-quest message directly to that source viaUHIN without going through the UHIN searchprocess.

In addition, it is envisioned that using payersas a source of information about patients (asdescribed in the Short Term solution) wouldcontinue as an option.

47

The UHIN RHIO is a critical partner in thedevelopment of the infrastructure. Statewideconnectivity is dependent on public/privatepartnership.

The long-term model is envisioned as a state-wide health information infrastructure thatenables healthcare professionals to accessa patient’s medical records from any provideror payer database connected to the networkover a secure Internet connection. The pub-lic private effort transitions from the short-termand proposes to connect healthcare provid-ers and public health across Utah. The long-term solution will be evaluated for the value itbrings to the community so that it can bedetermined if it is an economically sustain-able option.

Administrative

Identified Barrier. Facsimile transmission ofPHI. (Transmission of PHI) (Scenario ThreePatient Care C)

Proposed Solution: For stakeholders to adoptan interoperable means of PHI that does notrely on facsimile transmission as standardbusiness practice and/or administrativeprocedure, technological advancements andsolutions must first be in place.

General Context: Facsimile transmission wasfound to be the most common means of PHItransference (specifically in the case ofnursing homes) although U.S. mail andcourier methods were identified in somecases. The reason for this administrativepolicy was seen to be mistrust in alternatemeans, specifically doubts regarding thesecure transmission of PHI via email.Extent to which solution is in use: Membersof UHIN utilize a secure method of electronicexchange with regards to administrative data.This is accomplished through an agreementamong stakeholders with regards to policyregarding security and standards.

Identified Barrier. Transmission Security ofPHI. [Scenario Three Patient Care C].

Proposed Solution: The use of current UHINtechnology that could be further advanced to

accommodate for the transaction of clinicaldata. The demonstrated security couldimpact an entities decision to rely on PHItransmission in a secure manner that didnot include fax.

General Context: The majority ofstakeholders report transmitting PHI usinga cover sheet that displays their identifyingletterhead. The majority of substanceabuse clinics responding indicate that theywould also notify the receiving entity, bytelephone, a fax was being transmitted andthen would follow-up with a phone call toconfirm. Although stakeholders believe thatthe current method is the most securemeans available, it was confirmed by theSWG that the fabrication of hospitalletterhead is indeed plausible and few, ifany, would go to great lengths to confirmor verify the existence of requesting entityas the medical community relies heavilyon an unspoken amount of trust.

Extent to which solution is in use: UHINmembers are currently practicing thesecure Internet transfer of administrativedata.

Identified Barrier. Transmission security ofPHI. [Scenario Three Patient Care C].

Proposed Solution: While the SWG did viewthat reluctance to allow access to PHIwithout a business agreement as a barrierto the interoperable exchange ofinformation, the also view it as an effectivepractice to protect the privacy and thesecurity of the healthcare consumer. As aresult, it is determined that businesspractices and policies require a businessagreement should remain in place evenwhen such a transaction was allowed forunder HIPAA treatment, payment, andhealthcare operations.

General context: The majority ofstakeholders report transmitting PHI usinga cover sheet that displays their identifyingletterhead. The majority of substanceabuse clinics responding indicate that theywould also notify the receiving entity, bytelephone, a fax was being transmitted andthen would follow-up with a phone call to

48

49

confirm. Although stakeholders believethat the current method was the mostsecure means available, it was confirmedby the SWG that the fabrication of hospitalletterhead was indeed plausible and few,if any, would go to great lengths to confirmor verify the existence of requesting entityas the medical community relies heavilyon an unspoken amount of trust.

Extent to which solution is in use: UHINmembers are currently practicing thesecure Internet transfer of administrativedata.

Identified Barrier. Confusion regardingappropriate information sharing with firstresponders. (Authorization to Disclose)(Scenario Thirteen Bioterrorism)

Proposed Solution: Establish generalprotocols for first responders and whatinformation can be shared when givenresponding situations.

General Context: Improvements incommunication and network developmentis an ongoing process. Public health,EMS, and law enforcement can continueto build relationships to work together todevelop processes to meet theinformation needs.

Extent to which solution is in use:First responders maintain a cohesivepositive relationship in Utah. Emergencymedical services are housed within theState Department of Health and police,fire and EMT are equipped with theNational EMS information System(NEMSIS) that allows for local and nationalreporting of emergency data (See Figure5). NEMSIS along with the Pre-HospitalOn-line Active Reporting System(POLARIS) serve as Utah’s first responderdata system (See Figure 4).

Identified Barrier. Reluctance to allowintra-agency access to PHI. [Allowing Access to PHI - ScenarioFifteen Public Health A]

Proposed Solution: Integrate state public

health data systems to 1) facilitate themonitoring of the health of communities, 2)assist in ongoing analysis of trends anddetection of emerging threats, and 3) provideinformation for setting public health policy.Work together to breakdown cultural barriersand facilitate the sharing of data acrossprograms by establishing practicaladministrative procedures for informationsharing between state programs (see Figure5).

General Context: The data systems thatsupport the state health department lack aholistic perspective of the client. Data systemsare singular information silos supported bycategorical funding streams and, as a result,data cannot be easily exchanged, linked, ormerged by personnel from different programs.Program managers also conveyed that theysaw their program data as a resource and thatthey were responsible for maintaining a highlevel of control for the long-term benefit of theirclients and the program itself. Programmanagers also express multiple concernsabout data sharing that include misleading ormisinterpretation of data, trust, andorganizational transparency

Extent to which solution is in use: Policiesare in place for limited sharing only. A systemsimilar to Figure 4 was in the planning stagespending government funding approval.Separate data sets would remain independentwhile a central reporting database wouldcommunicate with all data sets and flaginstances where health information overlaps.This eliminates the need for multiple systemsthat have little or no communication capabilityand improve the delivery of services to programrecipients.Legislative:

Identified Barrier. PHI governed by HIPAA andCFR 42 Part 2.

[Scenario Two Patient Care B].Proposed Solution: Recommend federallegislation that maintains all PHI be protectedequally.

General Context. There is concern that certaintypes of information such as that related tosexually transmitted diseases, mental healthtreatment, genetic testing results and

50

substance abuse treatment have a risk formisuse that could cause significant harm tothe patient. However, such misuse is mostlikely to occur when the information is usedand/or disclosed for purposes other thantreatment. There is a significant benefit topatients when all relevant health information,regardless of type, is made easily availablefor treatment purposes. Ensuring the adoptionof industry-wide standards for healthinformation exchange that maintain privacyand security can mitigate the risk of harm.Laws can exist to provide protections forsensitive personal health information, withoutplacing restrictions on the use of informationfor legitimate treatment purposes. See MentalHealth Professional Practice Act (UC 58-60-114) and Genetic Testing Privacy Act (UC 26-45).

Extent to which solution is in use: Notapplicable.

Educational

Identified Barrier. Lack of consumerunderstanding with regards to PHI privacy andsecurity laws.

[Privacy and Security of PHI: ScenarioEight Law Enforcement].

Proposed Solution: Increase consumerawareness regarding their rights andresponsibilities.

General Context: The majority of consumersremain uninformed as to what their rights wereregarding the privacy and security of PHI.Many consumers and consumer groups failto understand the concept of treatment,payment, or healthcare operations as allowedfor under HIPAA and believe that their PHIwas not release or viewe without theirconsent.

Extent to which solution is in use: Althoughweb pages exist that explain HIPAA and theprivacy and security rule, individuals are rarelyconcerned with viewing them until they feelthat their rights have been infringed upon.Consumers are well aware that they sign aprivacy and security document while seeingtheir provider but seldom ask questions or

bother to read the documents they sign.

Identified Barrier. Lack of education and/or understanding of risks and realities ofcommunicable diseases. [Providingeducation regarding risks and realities ofcommunicable diseases - Scenario FifteenPublic Health A]

Proposed Solution: Conduct joint trainingevents for law enforcement and publichealth at annual conferences and seminarssponsored by local and state public healthdepartments.

General Context: A chasm exists betweenlaw enforcement first-responder personneland medical personnel with regards to thedangers (both perceived and warranted) ofcommunicable disease for first responders.There is a need to enhance communicationand education between law enforcementand public health regarding communicabledisease transmission and associated risksfor transporting infected persons.

Extent to which solution is in use: Althoughmany first responders receive trainingregarding the risk of working with infectedpersons and need to take generalprecautionary measures, training is anongoing process. Officer cadets receiveinstruction as part of the certification;however, refresher courses are necessaryto keep frontline responders well informedof the true risks and recommendedprecautions to keep themselves and otherssafe.

Identified Barrier. Lack of consumerunderstanding regarding the benefits tointeroperable capability for healthinformation exchange. [General :Allrelavent scenarios]

Proposed Solution: Increase consumerawareness of the benefits to accessiblehealth information.

General Context: Consumer informationcomes from various media outlets includingpopular television shows. News mediahighlights the terrifying tales of securitybreaches. Little information is shared with

51

the consumer regarding the benefits ofhaving available and accessible onespersonal health information.

Extent to which solution is in use: Publiceducation efforts are underway. The UtahDepartment of Health maintains a publicWeb site geared to the consumer anddesigned to inform consumers of theirrights and ways in which their healthinformation can be used to improveconsumer healthcare quality. In addition,many stakeholders have similar effortsunderway. However, little emphasis isplaced on the value or benefit to accessiblepersonal health information.

6.2 Solutions to State Privacy andSecurity Laws/RegulationsLegal Workgroup proceedings determinedthat, with the exception of genetic testing,no business practices were driven by statelegal drivers. Rather, tort or common lawinfluenced the individual stakeholderbusiness practices as advised by mostlegal counsel to provide extra protectionabove and beyond what was allowed forby HIPAA.

The Health Insurance Portability andAccountability Act of 1996 (HIPAA) is afederal statute governing various aspectsof health information. In adopting HIPAA,Congress expressly intended to preemptcontrary state law, unless state law ismore stringent or a specific exceptionapplies. [See42 U.S.C. § 1320d-7]

Collaborative workgroups comprised ofprivate and public representatives havecome together to develop reference guidesto assist public and private healthcareprofessionals and law enforcement tonavigate situations where the right toaccess health information was inquestion. The workgroup applied standardpreemption analysis to selected statelaws that relate to the use or disclosureof health information. The analysis brieflydescribes the law or rule analyzed,indicates whether or not the Utah law orrule is consistent with HIPAA, cites the

specific section[s] of Title 45 of the Code ofFederal Regulations, and provides a briefsynopsis of the preemption analysis and insome instances additional code citations.

Access to private health information using aproper authorization is the easiest and fastestway to obtain documents. The workgroupdeveloped a standard authorization form andoutline of relevant laws to assist lawenforcement officials to expeditiously accessprivate health care information from health careentities in Utah.

6.3 Conflicting Federal and State Laws/RegulationsContradictory legislation between the state andfederal government did not exist with regardsto the state of Utah.

6.4 Interstate e-Health InformationExchangesThe subject of Interstate e-Health Exchangeswas not addressed by the SWG as most SWGmembers were present at the regional meetingand found similar business practices takingplace. It was further determined thatinteroperability was to be more of a long-termsolution between established RHIOs.

7.0 National-levelRecommendations

Issues arose during the discussion of ScenarioTwo Patient Care B with regards to CFR 42Part 2 and HIPAA. It was determined by theSWG that CFR 42 Part 2 was established priorto an era of electronic records and the need forinteroperability and, while valiant in its effortsto add protection to substance abuse data, theregulation is percieved to be dated. It wasfurther agreed upon that there was noconsensus regarding what class of informationrequires “extra” protection.

SWG members agreed that all PHI should beafforded a high standard of protection, privacy,and security regardless of its class.

Appendix A.RTI Standard Scenarios

53

Patient Care Scenario A(The emergent transfer of health information between two healthcare providers when the status of the patient isunsure.)

Stakeholder entities:· Hospital emergency room (requesting health information)

Patient X presents to emergency room of General Hospital in State A. She has been in a seriouscar accident. The patient is an 89 year old widow who appears very confused. Law enforcementpersonnel in the emergency room investigating the accident indicate that the patient was driving.There are questions concerning her possible impairment due to medications. Her adult daughterinformed the ER staff that her mother has recently undergone treatment at a hospital in a neighbor-ing state and has a prescription for an antipsychotic drug. The emergency room physician deter-mines there is a need to obtain information about Patient X’s prior diagnosis and treatment duringthe previous inpatient stay.

Patient Care Scenario B(The non-emergent transfer of records from a specialty substance treatment provider to a primary care facilityfor a referral.)

Stakeholder entities:· Specialty substance abuse treatment facility (sending sensitive clinical records)· Doctor’s office or public health agency (receiving clinical records from the substance abuse

facility)· Client/patient

An inpatient specialty substance abuse treatment facility intends to refer client X to a primary care facilityfor a suspected medical problem. The two organizations do not have a previous relationship. The clienthas a long history of using various drugs and alcohol relevant for medical diagnosis. The requestedsubstance abuse information is being sent to the primary care provider. The primary care provider intendsto refer the patient to a specialist and send all of his/her information including the substance abuseinformation received from the substance abuse treatment facility to the specialist.

Patient Care Scenario C

Stakeholders entities:· Skilled Nursing Facility· Physician· Hospital

5:30pm Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate his patient, recently dis-charged from the hospital psych unit to the nursing home. The hospital and skilled nursing facility areseparate entities and do not share electronic record systems. At the time of the patient’s transfer, thedischarge summary and other pertinent records and forms were electronically transmitted to the skillednursing home.

Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the lockedpsych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and

Appendix A. RTI Standard Scenarios

54

progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not ableto access the EHR. As it is Dr. X’s first visit, he has no login or password to use their system.

Dr. X completes his visit and prepares to complete his documentation for the nursing home. Unable toaccess the skilled nursing facility EHR, Dr. X dictates his initial assessment via telephone to his outsourced,offshore transcription service. The assessment is transcribed and posted to a secure web portal.

The next morning, from his home computer, Dr. X checks his email and receives notification that theassessment is available. Dr. X logs into his office web portal, reviews the assessment, and applies hiselectronic signature.

Later that day, Dr. X’s Office Manager downloads this assessment from the web portal, saves the docu-ment in the patient’s record in his office and forwards the now encrypted document to the long-term carefacility via email.

The skilled nursing facility notifies Dr. X’s office that they are unable to open the encrypted documentbecause they do not have the encryption key.

Patient Care - Scenario D(The non-emergent transfer of health information.)

Stakeholder entities:· Hospital mammography department (requesting health information)· Outpatient Clinic (receiving request)

Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in theWomen’s Imaging Center of General Hospital in State A. She had her last physical and mammogram in anoutpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her completerecords and the radiologist at General Hospital would like to review the digital images of the mammogramperformed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCagene and is requesting the genetic test results of her deceased aunt who had a history of breast cancer.

Payment Scenario(Note: This scenario is applicable to all healthcare providers.)

Stakeholder entities:· Healthcare Provider (Hospital or Clinic)· Health Plan (Payer)· Patients

X Health Payer (third party, disability insurance, employee assistance programs) provides health insur-ance coverage to many subscribers in the region the healthcare provider serves. As part of the insurancecoverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters.This requires access to the patient health information (e.g., emergency department records, clinic notes,etc.).

The health care provider has recently implemented an electronic health record (EHR) system. All patientinformation is now maintained in the EHR and is accessible to users who have been granted access

55

through an approval process. Access to the EHR has been restricted to the healthcare provider’s workforcemembers and medical staff members and their office staff.

X Health Payer is requesting access to the EHR for their accredited case management staff to approve/authorize inpatient encounters.

RHIO Scenario(Note: Each stakeholder should participate in this scenario keeping in mind the type of data their organizationanticipates exchanging with a RHIO.)

Stakeholders entities:· Multiple provider organizations· Multiple RHIO’s

The RHIO in your region wants to access patient identifiable data from all participating organizations (andtheir patients) to monitor the incidence and management of diabetic patients. The RHIO also intends tomonitor participating providers to rank them for the provision of preventive services to their diabetic patients.

Research Data Use Scenario

Stakeholder entities:· Health care consumer· Research investigator· Health care provider· Institution Review Board

A research project on children younger than age 13 is being conducted in a double blind study for a newdrug for ADD/ADHD. The research is being sponsored by a major drug manufacturer conducting a doubleblind study approved by the medical center’s IRB where the research investigators are located. The databeing collected is all electronic and all responses from the subjects are completed electronically on thesame centralized and shared data base file.

The principle investigator was asked by one of the investigators if they could use the raw data to extend thetracking of the patients over an additional six months and/or use the raw data collected for a white paperthat is not part of the research protocols final document for his post doctoral fellow program.

Scenario for access by law enforcement

Stakeholder entities:· Healthcare provider (providing health information)· Law enforcement· Patient· Patient’s family

An injured nineteen (19) year old college student is brought to the ER following an automobile accident. Itis standard to run blood alcohol and drug screens. The police officer investigating the accident arrives in

56

the ER claiming that the patient may have caused the accident. The patient’s parents arrive shortlyafterward. The police officer requests a copy of the blood alcohol test results and the parents want toreview the ER record and lab results to see if their child tested positive for drugs. These requests to printdirectly from the electronic health record are made to the ER staff.

The patient is covered under their parent’s health and auto insurance policy.

Pharmacy Benefit Scenario A

Stakeholder entities:· Pharmacy Benefit Manager (requesting information)· Outpatient Clinic (receiving request)· Patient X

The Pharmacy Benefit Manager (PBM) has a mail order pharmacy for a hospital which is self-insured andalso has a closed formulary. The PBM receives a prescription from Patient X, an employee of the hospital,for the antipsychotic medication Geodon. The PBM’s preferred alternatives for antipsychotics are Risperidone(Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alterna-tives list, the PBM sends a request to the prescribing physician to complete a prior authorization in orderto fill and pay for the Geodon prescription. The PBM is in a different state than the provider’s OutpatientClinic.

Pharmacy Benefit Scenario B

Stakeholder entities:· Pharmacy Benefit Manager (requesting information)· Company A· Employees

A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the companies’employees’ prescription drug use and the associated costs of the drugs prescribed. The objective would beto see if the PBM1 could save the company money on their prescription drug benefit. Company A is selfinsured and as part of their current benefits package, they have the prescription drug claims submittedthrough their current PBM (PBM2). PBM1 has requested that Company A send their electronic claims tothem to complete the review.

Healthcare Operations and Marketing – Scenario A[Note: This scenario could be modified to apply to any healthcare provider (physician group, home health careagency, etc.) wishing to market services to a targeted subset of patients.]

Stakeholder entities:· Integrated delivery system (requesting study)· Critical access hospital (being asked to provide health information)· Tertiary hospital (being asked to provide health information)

ABC Health Care is an integrated health delivery system comprised of ten critical access hospitals and

57

one large tertiary hospital, DEF Medical Center, which has served as the system’s primary referral center.Recently, DEF Medical Center has expanded its rehab services and created a state-of-the-art, stand-alonerehab center. Six months into operation, ABC Health Care does not feel that the rehab center is being fullyutilized and is questioning the lack of rehab referrals from the critical access hospitals.

ABC Health Care has requested that its critical access hospitals submit monthly reports containing pa-tient identifiable data to the system six-sigma team to analyze patient encounters and trends for thefollowing rehab diagnoses/ procedures:

- Cerebrovascular Accident (CVA)- Hip Fracture- Total Joint Replacement

Additionally, ABC Health Care is requesting that this same information, along with individual patient demo-graphic information, be provided to the system Marketing Department. The Marketing Department plans todistribute to these individuals a brochure highlighting the new rehab center and the enhanced servicesavailable.

Healthcare Operations and Marketing - Scenario B

Stakeholder entities:· Healthcare provider (Hospital obstetrics department)· Hospital marketing department· Patients

ABC hospital has approximately 3,600 births/year. The hospital Marketing Department is requestingidentifiable data on all deliveries including mother’s demographic information and birth outcome (to ensurethat contact is made only with those deliveries resulting in health live births).

The Marketing Department has explained that they will use the PHI for the following purposes:

1. To provide information on the hospital’s new pediatric wing/services.2. To solicit registration for the hospital’s parenting classes.3. To request donations for construction of the proposed neonatal intensive care unit

They will sell the data to a local diaper company to use in marketing diaper services directly to parents.

Bioterrorism event

Stakeholder entities:· Healthcare provider· Public health department· Law enforcement· Government agencies· Patients

A provider sees a person who has anthrax, as determined through lab tests. The lab submits a report on

58

this case to the local public health department and notifies their organizational patient safety officer. Thepublic health department in the adjacent county has been contacted and has confirmed that it is alsoseeing anthrax cases, and therefore this could be a possible bioterrorism event. Further investigationconfirms that this is a bioterrorism event, and the State declares an emergency. This then shifts respon-sibility to a designated state authority to oversee and coordinate a response, and involves alerting lawenforcement, hospitals, hazmat teams, and other partners, as well informing the regional media to alert thepublic to symptoms and seek treatment if feel affected. The State also notifies the Federal Government ofthe event, and some federal agencies may have direct involvement in the event. All parties may need to benotified of specific identifiable demographic and medical details of each case as they arise to identify thesource of the anthrax, locate and prosecute the parties responsible for distributing the anthrax, and protectthe public from further infection

Employee Health Information Scenario

Stakeholder entities:· Hospital emergency room (releasing health information)· Employer human resources department (requesting health information)· Employee

An employee (of any company) presents in the local emergency department for treatment of a chroniccondition that has exacerbated which is not work-related. The employee’s condition necessitates a four-day leave from work for illness. The employer requires a “return to work” document for any illness requiringmore than 2 days leave. The hospital Emergency Department has an EHR and their practice is to cut andpaste patient information directly from the EHR and transmit the information via email to the HumanResources department of the patient’s employer.

Public Health - Scenario A(Active carrier, communicable disease notification.)

Stakeholder entities:· Healthcare provider (primary care physician)· Public health department· Law enforcement· Patient

A patient with active TB, still under treatment, has decided to move to a desert community that focuses onspiritual healing, without informing his physician. The TB is classified MDR (multi-drug resistant). Thepatient purchases a bus ticket - the bus ride will take a total of nine hours with two rest stops acrossseveral states. State A is made aware of the patient’s intent two hours after the bus with the patient leaves.State A now needs to contact the bus company and other states with the relevant information.

Public Health – Scenario B(Newborn screening)

Stakeholder entities:· Healthcare provider (physician)

59

· State laboratory· State public health department

A newborn’s screening test comes up positive for a state-mandated screening test and the state lab testresults are made available to the child’s physicians and specialty care centers specializing in the disordervia an Interactive Voice Response system. The state lab also enters the information in its registry, andtracks the child over time through the child’s physicians. The state public health department providesservices for this disorder and notifies the physician that the child is eligible for those programs.

Public Health Scenario C(Homeless shelters)

Stakeholder entities:· Health care consumer· Primary provider· Drug treatment center· Homeless shelter· Patient relative

A homeless man arrives at a county shelter and is found to be a drug addict and in need of medical care.The person does have a primary provider, and is sent there for the medical care, and is referred to ahospital-affiliated drug treatment clinic for his addition under a county program. The addiction center mustreport treatment information back to the county for program reimbursement, and back to the shelter toverify that the person is in treatment. Someone claiming to be a relation of the homeless man requestsinformation from the homeless shelter on all the health services the man has received. The staff at thehomeless shelter is working to connect the homeless man with his relative.

Health Oversight: Legal compliance/government accountability

Stakeholder entities:· State university faculty (requesting health information)· State public health agencies (asked to provide health information)

The Governor’s office has expressed concern about compliance with immunization and lead screeningrequirements among low income children who do not receive consistent health care. The state agenciesresponsible for public health, child welfare and protective services, Medicaid services, and education areasked to share identifiable patient level health care data on an ongoing basis to determine if the childrenare getting the healthcare they need. This is not part of a legislative mandate. The Governor in this stateand those in the surrounding states have discussed sharing this information to determine if patients mi-grate between states for these services. Because of the complexity of the task, the Governor has askedeach agency to provide these data to faculty at the state university medical campus who will design asystem for integrating and analyzing the data. There is not existing contract with the state university forservices of this nature.

60

Appendix B.Participating Stakeholders

61

STAKEHOLDERGROUPS

Clinicians

Appendix B. Stakeholders Responding to Scenarios

Pharmacies

Physician groups

Consumer/ConsumerOrganization

Laboratories

Hospitals

State government(Medicaid, publichealth) depart-

Community clinicsand health centers

Public Healthagencies

Payers

Number and Description of Participants

5 – a psychiatrist, a chiropractic clinician, a licensed RN research investigator, a practicing obstetricianwho serves on administrative panels locally and nationally, and a licensed PA.

7 – A licensed pediatrician researcher, an obstetrician, a general practitioner, an ER physician, a familypractitioner, a pediatrician, and an IT director .

16 – A single working mom, a representative from the state RHIO, a father of 4 children, a local undergradu-ate student and parents, an agent/broker for several self-insured employers, an employee of workman’scompensation fund of Utah, a physical therapist that specializes in elderly home care, a marketing em-ployee for a pharmaceutical corporation, a patient advisor for a cancer education network, a departmentof health employee, a director of development at a local self insured company, an executive director of aclinic, an employee of the department of health, and an employee of a SA treatment center.

16 – A privacy and quality improvement officer, an ER physician at a tertiary hospital, radiological staff, fileclerks, breast care coordinators at several tertiary hospitals, a manager of a HIPAA office at an IDS, an ERphysician, a privacy officer at a hospital, a director of public relations/marketing for an orthopedic branchof an IDS, a professor and chair, a privacy officer at an IDS, two directors of nursing at separate medicalcenters, and an employee of the marketing department at a tertiary hospital.

3 – A regional healthcare IT specialist for a not-for-profit company, a privacy officer for the stateretirement system, a representative from state Medicaid.

2 - A director and a practicing physician’s assistant at a public health agency.

5 - Director of a private, nonprofit program, an executive director at a state-licensed SA treatment center,a physician, a medical director whose clinic is part of an integrated deliver system, an office manager ata residential eating disorder facility.

2 – A medical director for a university owned laboratory, a respondent from the state laboratory.

4 – One urban independent, one managed care, and one urban grocery store pharmacist, and anatypical pharmacist (chemo, in home, iv).

3 - The chief executive officer at a not-for-profit senior care facility, the financial service consultant forrehabilitation and extended nursing care facility, the director of nursing at a long term care facility.

6 – A representative from the office of epidemiology, a representative from the state Bioterrorism office,and the manager of data integration, an immunization program manager.

3 – An officer and chief of police in a mid-sized town, a representative from the FBI.

3 – Director of IRB at local university, a senior compliance consultant of an IDS, and a pediatrician andassistant professor of pediatrics.

Long term carefacilities andnursing homes

Law Enforcement

Medical and Publichealth researchschools

2 – A fire fighter who responds in a Bioterrorism event and an HR director from a small to mid sizedcompany.

Other

62

63

Stakeholder Group (X) (X) (X) (X) (X) (N) (X) (X)

Clinicians X X X X X

Physicians andPhysicians Groups X X X X 14 X X

Federal Health Facilities X

Emergency Medicine X X X X 2 X X

Hospitals / Health Systems X X X X X 16 X

Community Clinics andHealth Centers X X X X 3

Mental Health andBehavioral Health X X X X 3

Long Term Care Facilitiesand Nursing Homes X 3

Homecare and Hospice X X 3

Laboratories 2

Pharmacies / PharmacyBenefit Managers X X 4

Safety Net Providers

Professional Associations Xand Societies X

Quality Improvement Organizations X X 1

Medical and PublicHealth Schools / Research X 3

Public Health Agencies /Departments X X X X 4 X X

Medicaid / Other State Government 1 County Government X X

Regional HealthInformation Organizations X X X 1 X X

Payers X X 3 X

Individual Consumers X 13

Consumer Organizations and Advocates 1

Employers 1

Law Enforcementand Correctional Facilities X X 7

Legal Counsel / Attorneys X X X X 4 X X

Health InformationManagement organizations X X X X

Privacy and Security experts / Compliance officers X X 3

Health IT consultants X 1 Electronic Health Records experts X X X

Technology Organizations / Vendors

Other (specify): _________________________ Other (specify): _________________________ Other (specify): _________________________ Other (specify): _________________________ Other (specify): _________________________ Other (specify): _________________________

HISPC WORK GROUPS OUTREACH TO STAKEHOLDERS

SteeringCommittee

VariationsWorkGroup

Legal WorkGroup

SolutionsWorkGroup

Implementa-tionPlanningWorkGroup

Stakeholdersprovidinginput tovariationsassessment

Stakeholdersprovidinginput tosolutionsdevelopmentand evalua-tion

Stakehold-ersprovidinginput toimplemen-tationplanning

RTI Form:Participating Stakeholders

Appendix C.Utah Business Practice Data

64

Appendix C. Utah Business Practice Data

Patient Care - Scenario A

UT_01_01BP_patient_statusER physician examines patient and obtains patient history. The ER Physician would alsoobtain information from officer on the scene.

Domain Information authorization and access controlsStakeholder HospitalsLegal Driver Emergency Medical Treatment and Active Labor Act requires that.

UT_01_02BP_information_to_treatER physician and nurse gather information directly from patient, if alert and oriented, or fromfamily (adult daughter) if patient is not alert. The ER staff would also check for previous visitsin our facility. This is done electronically or in rural settings by chart pull. ER physicianrequests medical information from neighboring state if needed.

Domain Information authorization and access controlsStakeholder Hospitals

UT_01_03BP_requesting_patient_informationER physician calls hospital in neighboring state to request a copy of the needed informationduring the day; would contact the medical records. After hours would contact ED or housesupervisor. Mental health information would be requested on the phone call if the informationwere needed to treat the patient condition. Follow-up is done by fax.

Domain Information transmission security or exchange protocolsStakeholder HospitalsLegal Driver § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

(c) Implementation specifications: Treatment, payment, or health care operations. (2) Acovered entity may disclose protected health information for treatment activities of a healthcare provider.

§ 164.312 Technical safeguards. (d) Standard: Person or entity authentication. Implementprocedures to verify that a person or entity seeking access to electronic protected healthinformation is the one claimed.

§ 164.514 Other requirements relating to uses and disclosures of protected healthinformation.(h)(1) Standard: Verification requirements. Prior to any disclosure permitted bythis subpart, a covered entity must:(i) Except with respect to disclosures under §164.510,verify the identity of a person requesting protected health information and the authority of anysuch person to have access to protected health information under this subpart, if the identityor any such authority of such person is not known to the covered entity; and (ii) Obtain anydocumentation, statements, or representations, whether oral or written, from the personrequesting the protected health information when such documentation, statement, or repre-sentation is a condition of the disclosure under this subpart.(2) Implementation specifications:Verification.

UT_01_04BP_hospital_authenticationAs an emergency room physician receiving a request from a physician in a neighboring state.I would get the following information - the hospital data (name of facility, fax number, physicianname) over the phone. I would then verify the existence of the facility and physician on theInternet or our hospital database.

65

Domain User and entity authenticationStakeholder HospitalsLegal Driver § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations. (c)

Implementation specifications: Treatment, payment, or health care operations. (2) A coveredentity may disclose protected health information for treatment activities of a health care provider.

§ 164.514 Other requirements relating to uses and disclosures of protected healthinformation.(h)(1) Standard: Verification requirements. Prior to any disclosure permitted by thissubpart, a covered entity must: (i) Except with respect to disclosures under §164.510, verify theidentity of a person requesting protected health information and the authority of any suchperson to have access to protected health information under this subpart, if the identity or anysuch authority of such person is not known to the covered entity; and (ii) Obtain any documen-tation, statements, or representations, whether oral or written, from the person requesting theprotected health information when such documentation, statement, or representation is acondition of the disclosure under this subpart. (2) Implementation specifications: Verification.

§ 164.312 Technical safeguards. (d) Standard: Person or entity authentication. Implementprocedures to verify that a person or entity seeking access to electronic protected healthinformation is the one claimed. (e)(1) Standard: Transmission security. Implement technicalsecurity measures to guard against unauthorized access to electronic protected health informa-tion that is being transmitted over an electronic communications network.

UT_01_05BP_transmit_medical_informationThe emergency department would fax requested medical information to the requesting emer-gency room physician. If not an emergent situation, we would obtain a signed release by fax,either from patient if able, or next of kin. We would keep copy of releases, if applicable, and anyfaxes in medical record.

Domain Information transmission security or exchange protocolsStakeholder HospitalsLegal Driver § 164.312 Technical safeguards.(d) Standard: Person or entity authentication. Implement

procedures to verify that a person or entity seeking access to electronic protected healthinformation is the one claimed.(e)(1) Standard: Transmission security. Implement technicalsecurity measures to guard against unauthorized access to electronic protected health informa-tion that is being transmitted over an electronic communications network.

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations. (c)Implementation specifications: Treatment, payment, or health care operations. (2) A coveredentity may disclose protected health information for treatment activities of a health care provider.

§ 164.514 Other requirements relating to uses and disclosures of protected healthinformation.(h)(1) Standard: Verification requirements. Prior to any disclosure permitted by thissubpart, a covered entity must:(i) Except with respect to disclosures under §164.510, verify theidentity of a person requesting protected health information and the authority of any suchperson to have access to protected health information under this subpart, if the identity or anysuch authority of such person is not known to the covered entity; and (ii) Obtain any documen-tation, statements, or representations, whether oral or written, from the person requesting theprotected health information when such documentation, statement, or representation is acondition of the disclosure under this subpart.(2) Implementation specifications: Verification.

UT_01_06BP_receiving_request_for_patient_informationAs an emergency room physician receiving a request for patient information I have the request-ing physician provide patient’s name, date of birth & date of service on their letterhead sent tous by fax. I ask for their telephone number, and then call them back to verify their location.

66

Domain User and entity authenticationStakeholder HospitalsLegal Driver § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations. (c)

Implementation specifications: Treatment, payment, or health care operations.(2) A coveredentity may disclose protected health information for treatment activities of a health care provider.

§ 164.514 Other requirements relating to uses and disclosures of protected health information.(h)(1) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, acovered entity must:(i) Except with respect to disclosures under §164.510, verify the identity ofa person requesting protected health information and the authority of any such person to haveaccess to protected health information under this subpart, if the identity or any such authority ofsuch person is not known to the covered entity; and (ii) Obtain any documentation, statements,or representations, whether oral or written, from the person requesting the protected healthinformation when such documentation, statement, or representation is a condition of thedisclosure under this subpart.(2) Implementation specifications: Verification.

§ 164.312 Technical safeguards.(d) Standard: Person or entity authentication. Implementprocedures to verify that a person or entity seeking access to electronic protected healthinformation is the one claimed.(e)(1) Standard: Transmission security. Implement technicalsecurity measures to guard against unauthorized access to electronic protected health informa-tion that is being transmitted over an electronic communications network.

Patient Care - Scenario B

UT_02_01-1BP_patient_authorization_to_release_PCP_to_SPECWe have “release of information” forms readily available. The form must be specific to theinformation being exchanged and the agencies exchanging the information. The primary careprovider has a conversation with the client explaining what the form means and then requests asignature.

Domain Information authorization and access controlsStakeholder Public health agenciesLegal Driver 42 CFR §2.32 Prohibition on redisclosure.Notice to accompany disclosure. Each disclosure

made with the patient’s written consent must be accompanied by the following written state-ment: This information has been disclosed to you from records protected by Federal confidenti-ality rules (42 CFR part 2). The Federal rules prohibit you from making any further disclosure ofthis information unless further disclosure is expressly permitted by the written consent of theperson to whom it pertains or as otherwise permitted by 42 CFR part 2. A general authorizationfor the release of medical or other information is NOT sufficient for this purpose. The Federalrules restrict any use of the information to criminally investigate or prosecute any alcohol ordrug abuse patient.

UT_02_01-2BP_patient_authorization_to_release_PCP_to_SPECI refer patients to the specialist and the specialist determines what information is needed frommy patient record. The specialist initiates the authorization on their end by getting the patient’ssignature authorizing me to release their patient information.

Domain Information authorization and access controlsStakeholder Community clinics and health centersLegal Driver 42 CFR Part 2 §2.12 a federally assisted substance abuse treatment program is restricted from

disclosing information that would identify a patient in a substance abuse treatment programwithout the patient consent. Consent must be obtained even to forward records to anothertreating provider that is outside the substance facility. 42 CFR §2.12. No consent is required ifthe disclosure is made to treating personnel in a medical emergency situation because of acrime on the premises, audit, program evaluation, or pursuant to court order §2.51, 2.52, 2.61.Providers are prohibited from re-disclosing information from a substance abuse treatmentprogram. § 2.3 Thus patient consent is required by 42 CFR Part 2 to release information from

67

the substance abuse treatment program to the primary care provider, and consent would berequired again to sent the information on to the specialist.

UT_02_01BP_patient_authorizationWhen a substance abuse facility refers a patient to a primary care provider, a clinician, casemanager, or counselor asks the patient to sign a 42-C.F.R. compliant release of informationwhich specifies the type of information to be shared, the name of the primary care provider,length of time the release is valid, etc. On our releases it is stipulated that confidential informa-tion not be passed on to parties outside of the scope of the release.

Domain Information authorization and access controlsStakeholder Community clinics and health centersLegal Driver 42 CFR Part 2 §2.12 a federally assisted substance abuse treatment program is restricted from

disclosing information that would identify a patient in a substance abuse treatment programwithout the patient consent. Consent must be obtained even to forward records to anothertreating provider that is outside the substance facility. 42 CFR § 2.12. No consent is required ifthe disclosure is made to treating personnel in a medical emergency situation because of acrime on the premises, audit, program evaluation, or pursuant to court order §2.51, 2.52, 2.61.Providers are prohibited from re-disclosing information from a substance abuse treatmentprogram. § 2.3 Thus patient consent is required by 42 CFR Part 2 to release information fromthe substance abuse treatment program to the primary care provider, and consent would berequired again to sent the information on to the specialist.

UT_02_02BP_determing_information_to_be_sentOnce the substance abuse facility has the patient sign an authorization, not all informationneeds to go. We will only send the minimum necessary that should be sent (treatment plan,medication review). Moreover, we will only send SA information if it has to do with the suspectedmedical problem.

Domain Information authorization and access controlsStakeholder Community clinics and health centers

UT_02_03BP_facility_authenticatingAfter receiving a request for information from a primary care provider we, a substance abuseclinic, would call the provider, especially if they were not known to us. In some cases, we askthem to mail or fax a written request on letterhead.

Domain User and entity authenticationStakeholder Community clinics and health centersLegal Driver § 164.312 Technical safeguards.(d) Standard: Person or entity authentication. Implement

procedures to verify that a person or entity seeking access to electronic protected healthinformation is the one claimed.(e)(1) Standard: Transmission security. Implement technicalsecurity measures to guard against unauthorized access to electronic protected health informa-tion that is being transmitted over an electronic communications network.

UT_02_04BP_transmission_non-electronic_SA_to_PCPOnce the release form is signed at the treatment center, the case manager/counselor wouldcopy the necessary records and forward them generally by mail, courier, or have a member fromthe primary care providers office pick them up. They will be in a sealed envelope, and theperson who receives the records will need to sign a receipt.

Domain Information transmission security or exchange protocolsStakeholder Community clinics and health centersLegal Driver § 164.530 Administrative requirements.(c)(1) Standard: Safeguards. A covered entity must have

in place appropriate administrative, technical, and physical safeguards to protect the privacy ofprotected health information.

UT_02_05-1BP_transmission_PCP_to_SPECAs primary care provider I get the information to the specialist so treatment can continue.

68

Generally, I call the specialist to discuss patient history and then fax the medical record to theiroffice. Sometimes it would be mailed.

Domain Information transmission security or exchange protocolsStakeholder Public health agenciesLegal Driver 42 CFR §2.32 Prohibition on redisclosure.Notice to accompany disclosure. Each disclosure

made with the patient’s written consent must be accompanied by the following written state-ment: This information has been disclosed to you from records protected by Federal confidenti-ality rules (42 CFR part 2). The Federal rules prohibit you from making any further disclosure ofthis information unless further disclosure is expressly permitted by the written consent of theperson to whom it pertains or as otherwise permitted by 42 CFR part 2. A general authorizationfor the release of medical or other information is NOT sufficient for this purpose. The Federalrules restrict any use of the information to criminally investigate or prosecute any alcohol ordrug abuse patient.

UT_02_05BP_transmission_electronic_SA_to_PCPWe would obtain a signed “consent to release” information form from patient before sending anyinformation to the specialist. The substance abuse counselor calls the primary care office toverify the number and alert their staff that we will be sending a release form to them. We askthat authorized receiver be near the fax when the data is sent. We receive a faxed response toverify that the information was received. We use a fax cover sheet stamped ”re-disclosedprohibited”. The cover sheet is also printed with the full CFR 42 Part II disclosure prohibition. Atpresent we only transmit by fax, as it is our understanding that email is not acceptable exter-nally.

Domain Information transmission security or exchange protocolsStakeholder Public health agenciesLegal Driver § 164.530 Administrative requirements.(c)(1) Standard: Safeguards. A covered entity must have


42 CFR §2.32 Prohibition on redisclosure. Notice to accompany disclosure. Each disclosuremade with the patient’s written consent must be accompanied by the following written state-ment: This information has been disclosed to you from records protected by Federal confidenti-ality rules (42 CFR part 2). The Federal rules prohibit you from making any further disclosure ofthis information unless further disclosure is expressly permitted by the written consent of theperson to whom it pertains or as otherwise permitted by 42 CFR part 2. A general authorizationfor the release of medical or other information is NOT sufficient for this purpose. The Federalrules restrict any use of the information to criminally investigate or prosecute any alcohol ordrug abuse patient.

UT_02_06BP_verifying_receipt_of_recordWhen our treatment facility sends medical information we get a signed receipt from the re-quester on any and all records received. If they go by mail, by courier, hand delivered or pickedup, they need to be signed for. Receipt is kept in the patient chart.

Domain User and entity authenticationStakeholder Community clinics and health centers

UT_02_07BP_logging_disclosuresAfter the substance abuse facility sends patient information to the primary care physician thecounselor logs the information on a form in the client’s file at the substance abuse facility, evenin the case where the patient has authorized the release.

Domain Information use and disclosure policyStakeholder Community clinics and health centers

UT_02_08BP_recording_access_to_SA_PHIThe treatment facility keeps the original authorization form in patients charts. Any person

69

copying these records must put their name and date that the copies were made on the authori-zation form. We also record the date mailed to primary care provider, or sent/picked up date.Once receipt of delivery is received by us, then we put it with the authorization, and they arekept together at all times.


UT_02_09-1BP_storage_of_SA_PHI_restricted_accessWhen we do receive patient information from a treatment facility it is kept in the patient’s chartwith access to the chart restricted to those employees and volunteers who have been givendirect access. All volunteers and paid employees sign a confidentiality form. Our clinic consid-ers SA information to be highly confidential.

Domain Administrative or physical security safeguardsStakeholder Public health agenciesLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health

information.(d)(1) Standard: Minimum necessary requirements. In order to comply with§164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2)through (d)(5) of this section with respect to a request for, or the use and disclosure of, pro-tected health information.(2) Implementation specifications: Minimum necessary uses ofprotected health information.(i) A covered entity must identify:(A) Those persons or classes ofpersons, as appropriate, in its workforce who need access to protected health information tocarry out their duties; and(B) For each such person or class of persons, the category orcategories of protected health information to which access is needed and any conditionsappropriate to such access.

UT_02_09BP_storage_of_SA_PHIOur substance abuse facility keeps PHI in individual client records, which are double locked (ina locked cabinet behind locked door). Other information, such as immunization records,medication logs, etc., are stored in medical file in the nurse’s office.

Domain Administrative or physical security safeguardsStakeholder Community clinics and health centersLegal Driver 42 CFR §2.16 Security for written records.(a) Written records which are subject to these

regulations must be maintained in a secure room, locked file cabinet, safe or other similarcontainer when not in use; and(b) Each program shall adopt in writing procedures whichregulate and control access to and use of written records which are subject to these regula-tions.

UT_02_10BP_patient_consent_to_treat_PCPAs the primary care physician receiving the referral from the substance abuse treatment facilityI would obtain a “consent to treat” form from the substance abuse client before seeing thepatient.

Domain Information authorization and access controlsStakeholder Public health agencies

UT_02_CS1The primary care provider, nurse assistants, etc., will have access, which is acceptable givenappropriate client consent. The primary care provider should not re-release this informationwithout consent from the client.

Domain Information authorization and access controlsStakeholder Consumers or consumer organizations

UT_02_CS2Most clients feel this is acceptable and necessary. For those trying to stay clean, they wanttheir provider to be sensitive regarding what sorts of medication he/she prescribes so theirsobriety is not compromised.

70

Domain Information use and disclosure policyStakeholder Consumers or consumer organizations

Patient Care - Scenario C

UT_03_01-1BP_business_agreements_LTCOur long term care facility has business associate agreements. However, a medical providerdoes not need to have such an agreement as long as he/she is involved in the provision oftreatment or the plan of care.

Domain Information authorization and access controlsStakeholder Long term care facilities and nursing homes

UT_03_01BP_business_agreements_physicianOur physician office has business associate agreements in place that provide for the sharing ofdata among treatment providers involved in the direct care of patients.

Domain Information authorization and access controlsStakeholder Clinicians

UT_03_02BP_security_training_LTCAll staff (and volunteers) in our psych unit receive training in data security and are required tosign a privacy agreement. Access to electronic records would be a problem, we do not sharepasswords or have available sharable passwords.

Domain Administrative or physical security safeguardsStakeholder CliniciansLegal Driver § 164.310 Physical safeguards. A covered entity must, in accordance with §164.306: (a)(1)

Standard: Facility access controls. Implement policies and procedures to limit physical accessto its electronic information systems and the facility or facilities in which they are housed, whileensuring that properly authorized access is allowed.

UT_03_03BP_access_mental_health-infoIn our long term care facility we would give a treatment provider access to their patient’s record.Our facility grants access based on a need to know. Direct care employees on specific unitsare allowed access to that units patient information. Employees on other units would not haveaccess to the psych unit. In the case of the psych unit, their staff would have a specific loginand password to access that unit’s information.

Domain Administrative or physical security safeguardsStakeholder Long term care facilities and nursing homesLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health

information.(d)(1) Standard: Minimum necessary requirements. In order to comply with§164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2)through (d)(5) of this section with respect to a request for, or the use and disclosure of, pro-tected health information.(2) Implementation specifications: Minimum necessary uses ofprotected health information.(i) A covered entity must identify:(A) Those persons or classes ofpersons, as appropriate, in its workforce who need access to protected health information tocarry out their duties; and(B) For each such person or class of persons, the category orcategories of protected health information to which access is needed and any conditionsappropriate to such access.

UT_03_04-1BP_temporary_electronic_access_to_LTC_recordsWhen a new admission is made to the long term care facility the patient’s doctor would begiven a log-in and password to the electronic medical records program through the IT dept. Acopy of this information is placed in the patient’s chart in case the doctor was to forget or losethat information.


71

Legal Driver § 164.310 Physical safeguards. A covered entity must, in accordance with §164.306:(a)(1)Standard: Facility access controls. Implement policies and procedures to limit physical accessto its electronic information systems and the facility or facilities in which they are housed, whileensuring that properly authorized access is allowed.

§ 164.530 Administrative requirements.(c)(1) Standard: Safeguards. A covered entity must havein place appropriate administrative, technical, and physical safeguards to protect the privacy ofprotected health information.

UT_03_04BP_temporary_access_to_LTC_recordsA physician, psychiatric nurse, nurse practitioner etc. is required to be credentialed andprivileged prior to the time that our long term care facility can accept orders. This includesallowing access to their patient’s mental health record. If a patient or their surrogate, requests anon-credentialed physician or specialist we require documentation of license, education, andother basic information that can be utilized to obtain verification of the person’s credentials. Weusually obtain verification within 24 hrs. after receiving information.


UT_03_05BP_receive_fax_transmission_patient_infoOur long term care facility asks outside entities to notify the intended recipient prior to faxingprotected health information (PHI), in order to assure that the appropriate person removes itfrom the fax machine without disclosure to other people. Unfortunately, few of the outsideentities are consistent about the advance call. There is little use of electronic transmission ofpatient information with the exception of fax.

Domain Information transmission security or exchange protocolsStakeholder Long term care facilities and nursing homesLegal Driver § 164.530 Administrative requirements.(c)(1) Standard: Safeguards. A covered entity must have


§ 164.312 Technical safeguards.(d) Standard: Person or entity authentication. Implementprocedures to verify that a person or entity seeking access to electronic protected healthinformation is the one claimed.(e)(1) Standard: Transmission security. Implement technicalsecurity measures to guard against unauthorized access to electronic protected health informa-tion that is being transmitted over an electronic communications network.

UT_03_06BP_transmission_mental_health_data_electronicIn our psych unit we would fax the patient record and would not send it by encrypted email. Therecord would be faxed so that there would be a paper copy in the patient chart. The emaildocument would be encrypted and the facility would need the key. Most likely the facility wouldnot have the key and to alleviate any issues, we would simply fall back on faxing the docu-ments.

Domain Information transmission security or exchange protocolsStakeholder CliniciansLegal Driver § 164.530 Administrative requirements.(c)(1) Standard: Safeguards. A covered entity must have


UT_03_07BP_storage_of_mental_health_phiAll hard copy patient charts are under lock and key when not in direct use by staff in our longterm care facility.

Domain Administrative or physical security safeguardsStakeholder Long term care facilities and nursing homesLegal Driver § 164.530 Administrative requirements.(c)(1) Standard: Safeguards. A covered entity must have

72


Patient Care - Scenario D

UT_04_01BP_authorization_to_release_informationAt our hospital the physician or nurse at our mammography clinic would request an appropriaterelease from the patient to allow for the request of her mammography films from another entity.


UT_04_02BP_authenticate_entitiesOur mammography clinic verifies any entities that request information or an entity from which apatient hand delivers films. We do this by calling the accreditation office - we also call theinstitution if there is a question. Most requests for patient information are physician to physicianby phone when requesting records or patient information.

Domain User and entity authenticationStakeholder Community clinics and health centersLegal Driver § 164.312 Technical safeguards (d) Standard: Person or entity authentication. Implement

procedures to verify that a person or entity seeking access to electronic protected healthinformation is the one claimed (e)(1) Standard: Transmission security. Implement technicalsecurity measures to guard against unauthorized access to electronic protected health informa-tion that is being transmitted over an electronic communications network.

UT_04_03BP_need_to_knowAs a physician in a hospital mammography department I would not need HIV information toperform a screening mammogram on this patient. HIV should only be released to those healthcare providers that “need to know”. Our hospital follows HIP AA policy.

Domain Information authorization and access controlsStakeholder HospitalsLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health information

(3) Implementation specification: Minimum necessary disclosures of protected health informa-tion (i) For any type of disclosure that it makes on a routine and recurring basis, a coveredentity must implement policies and procedures (which may be standard protocols) that limit theprotected health information disclosed to the amount reasonably necessary to achieve thepurpose of the disclosure.

UT_04_04BP_release_of_deceased_medical_informationAs the physician, the release of genetic information of a deceased patient requires a signedstatement from the deceased relatives next of kin or executor of the decease d’s estate autho-rizing the release of that information. Next of kin is the closest living relative.

Domain State law restrictionsStakeholder HospitalsLegal Driver Utah code 78-25-26 Access to medical records of deceased patient. For purposes of Section

78-25-25, and 45 C.F.R., Parts 160 and 164, Standards for Privacy of Individually IdentifiableHealth Information, a health care provider with medical records of a deceased person mayrecognize the deceased person’s surviving spouse or an adult child as a personal representa-tive.

UT_04_05BP_transmit_mammogram_digitalIn our Integrated Delivery Systems’ radiology departments, the radiology tech copies theimages to a cd for the patient to take with them or the images are made available to thephysician via the internet using the picture archive communication system (PACS). While wehave this capability, it is rarely used as the preferred media is film and we print hard copy filmfor physicians and institutions. We rarely receive digital cd mammogram files from patients.

73

Domain Information transmission security or exchange protocolsStakeholder HospitalsLegal Driver § 164.312 Technical safeguards.(e)(1) Standard: Transmission security. Implement technical

security measures to guard against unauthorized access to electronic protected health informa-tion that is being transmitted over an electronic communications network.

UT_04_06BP_transmit_mammogram_filmIn our radiology department most mammograms are films. We require patient consent torelease and a 24 hour notice to provide patient films for pick-up by the patient or a personalrepresentative with a photo ID and patient authorization. The films are usually sent and receivedby mail or courier.

Domain Information transmission security or exchange protocolsStakeholder HospitalsLegal Driver § 164.508 Uses and disclosures for which an authorization is required (6) Documentation.(vi)

Signature of the individual and date. If the authorization is signed by a personal representative ofthe individual, a description of such representative’s authority to act for the individual must alsobe provided.

§ 164.530 Administrative requirements (c)(1) Standard: Safeguards. A covered entity must havein place appropriate administrative, technical, and physical safeguards to protect the privacy ofprotected health information.

Payment Scenario

UT_05_01-1BP_authorization_to_release_patient_informationIf a payer needs access to EMR to authorize in-patient encounters, we, the payer, would notnecessarily need patient authorization under the assumption that the provider has had thepatient sign a release of information form allowing the provider to send information to the payer.

Domain Information use and disclosure policyStakeholder Payers

UT_05_01BP_authorization_to_release_patient_informationIn our clinic we make sure that all patients, before treatment, have submitted a release (authori-zation form) for access to occur.

Domain Information use and disclosure policyStakeholder Clinicians

UT_05_02BP_Access_control_to_patient_infoWe, a patient clinic, would not grant direct access to a patient’s health information record. If apayer wanted more information for billing purposes, they would have to tell us what informationthey required, the office manager would then code the patient’s information from the record intoa standard format for billing. Patient information is restricted to clinic staff only. The requiredinformation is then submitted to the payer through our RHIO.

Domain Information authorization and access controlsStakeholder Clinicians

UT_05_03BP_sharing_patient_data_agreementAs a payer if we need access to a provider’s Electronic Health Record (EHR) but the EHR hasbeen restricted to the provider’s work force members, office staff only, we would provide sub-stantive evidence of administrative savings and a decrease in lapsed time for payment asincentive for the provider to want to provide access. Then partner with the hospital to establishthe most appropriate way of managing security and privacy.

Domain Administrative or physical security safeguardsStakeholder Payers

74

UT_05_04-1BP_minimum_necessary_required_for_transmissionBecause clinics are covered entities, we, a payer, require record requests to contain at leastthe following information to be within HIPAA guidelines. clients name, ssn, DOB; specific healthinfo; purpose of request; patient signature/date; expiration date; specific identification HCU(health care user number) is requested to disclose; specific identification of recipient of info;specific statement of patient’s rights; a covered entity may not condition failure to sign; poten-tial for re-disclosure w/o privacy protections.

Domain Information authorization and access controlsStakeholder Payers

UT_05_04BP_minimum_necessary_required_for transmissionAs a payer, we have established minimum data needs based on category of service. With thelarger providers we may agree on specific reports, such as discharge summaries, to serve asthe minimum data needed for many of the inpatient claims.

Domain Information authorization and access controlsStakeholder Payers

UT_05_05BP_transmission_of_dataThe mechanism for us, the payer, for receiving the information from the provider is generally notspecified in the patient release. Assuming that we have access to the EMR (electronic medicalrecord) and this access is role based and either limited to specific necessary areas of the EMRor allowed logged specific views depending on the need, that is, specific reports or views couldbe developed within the EMR designed for payers.

Domain Information transmission security or exchange protocolsStakeholder Payers

UT_05_CS3If a clinic has an electronic health record database, then they would be able to put parametersin the system to be able to tell who, when, where, and why did a clinic staff member enter apatient record. Internal audit should be made to make sure clinic staff members are beingethical in every aspect of patient record confidentiality.

Domain Information audits and record and monitor activityStakeholder Consumers or consumer organizations

UT_05_CS4Access should only be allowed for direct care clinic personnel. They would need to have aspecific reason for entering/viewing the records of a patient. Access should only be allowed forbilling related to that specific incident.


UT_05_CS5Any personal health information including name, ssn, etc., would not be sent to any person, orentity, without my clear consent on who it is being sent to, and the allowable information beingsent.


UT_05_CS6If I, a consumer, wanted my information released to a payer, I would sign an authorization format my health care provider’s office.


RHIO Scenario

75

UT_06_01BP_Exchange_phi_between_providersThe RHIO exchanges patient information between two Utah RHIO members. Exchanges ofpatient information for quality measurement purposes between members can be facilitated bythe Utah RHIO, but the RHIO does not monitor, store, or analyze any of this data.

Domain Information transmission security or exchange protocolsStakeholder Professional associations and societies

UT_06_02BP_PHI_RHIO_new_exchange_coordinationThe RHIO is a member based organization. If a business need is identified regarding organiza-tions that would like to exchange/submit patient information from one organization to another, arequest is made to the Utah RHIO Standards Committee for chartering a subcommittee todevelop a community standardized message.


Research Data Use Scenario

UT_07_01-1BP_IRB_approval_post-docAs principal investigator I would have post-doc file his/her own IRB


UT_07_01-2BP_IRB_approval_by_IRBAs the IRB, we require the study to resubmit when there are procedural changes. This includesre-consent via a parental permission document and children aged 7 to 17 would receive anupdated assent document. We would then review the contents of all proposed consents/authorizations for research to determine if they are compliant with both human subjects re-search regulations and the privacy rule.

Domain Information use and disclosure policyStakeholder Medical and public health schools that undertake researchLegal Driver § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is

not required (2) Documentation of waiver approval. For a use or disclosure to be permitted basedon documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section,the documentation must include all of the following:(ii) Waiver criteria. A statement that the IRBor privacy board has determined that the alteration or waiver, in whole or in part, of authorizationsatisfies the criteria.

§ 164.502 Uses and disclosures of protected health information: general rules.(a) Standard. Acovered entity may not use or disclose protected health information, except as permitted orrequired by this subpart or by subpart C of part 160 of this subchapter.

§ 164.508 Uses and disclosures for which an authorization is required. (c) Implementationspecifications: Core elements and requirements.(1) Core elements.

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object isnot required.(i) Standard: Uses and disclosures for research purposes.(1) Permitted uses anddisclosures. A covered entity may use or disclose protected health information for research,regardless of the source of funding of the research, provided that:(i) Board approval of a waiver ofauthorization. The covered entity obtains documentation that an alteration to or waiver, in wholeor in part, of the individual authorization required by §164.508 for use or disclosure of protectedhealth information has been approved by either:A) An Institutional Review Board (IRB), orB) Aprivacy board Have met specified conditions.

UT_07_01BP_IRB_approval_PI

76

As the Principal Investigator, I would amend the study to include the new use of the raw dataand an additional six months tracking for the white paper and submit the amendment to IRB forexpedited process. This occurs whether or not the drug company is maintaining the centralizeddatabase.

Domain Information use and disclosure policyStakeholder CliniciansLegal Driver § 164.502 Uses and disclosures of protected health information: general rules.(a) Standard. A

covered entity may not use or disclose protected health information, except as permitted orrequired by this subpart or by subpart C of part 160 of this subchapter.

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object isnot required.(i) Standard: Uses and disclosures for research purposes.(1) Permitted uses anddisclosures. A covered entity may use or disclose protected health information for research,regardless of the source of funding of the research, provided that: (i) Board approval of a waiverof authorization. The covered entity obtains documentation that an alteration to or waiver, inwhole or in part, of the individual authorization required by §164.508 for use or disclosure ofprotected health information has been approved by either: (A) An Institutional Review Board(IRB), or (B) A privacy board Have met specified conditions.

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object isnot required (2) Documentation of waiver approval. For a use or disclosure to be permittedbased on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of thissection, the documentation must include all of the following: (ii) Waiver criteria. A statement thatthe IRB or privacy board has determined that the alteration or waiver, in whole or in part, ofauthorization satisfies the following criteria:

§ 164.508 Uses and disclosures for which an authorization is required. (c) Implementationspecifications: Core elements and requirements.(1) Core elements.

UT_07_02BP_parental_consent_bypass_PIAs principal investigator, I would see if original consent form specified how long data would becollected. It might be that extending data collection for six months would simply mean checkingwith IRB to ensure compliance. For the use of data for a purpose it was not originally intendedfor, I would again check original consent form to see if it included a clause that allowed for theuse of secondary analysis.

Domain Information use and disclosure policyStakeholder CliniciansLegal Driver § 164.502 Uses and disclosures of protected health information: general rules.(a) Standard. A

covered entity may not use or disclose protected health information, except as permitted orrequired by this subpart or by subpart C of part 160 of this subchapter.

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object isnot required.(i) Standard: Uses and disclosures for research purposes.(1) Permitted uses anddisclosures. A covered entity may use or disclose protected health information for research,regardless of the source of funding of the research, provided that:(i) Board approval of a waiver ofauthorization. The covered entity obtains documentation that an alteration to or waiver, in wholeor in part, of the individual authorization required by §164.508 for use or disclosure of protectedhealth information has been approved by either:A) An Institutional Review Board (IRB), or B) Aprivacy board Have met specified conditions.

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object isnot required.(2) Documentation of waiver approval. For a use or disclosure to be permittedbased on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of thissection, the documentation must include all of the following:(ii) Waiver criteria. A statement thatthe IRB or privacy board has determined that the alteration or waiver, in whole or in part, of

77

authorization satisfies the criteria.

§ 164.508 Uses and disclosures for which an authorization is required. (c) Implementationspecifications: Core elements and requirements.(1) Core elements. A valid authorization underthis section must contain at least the elements.

UT_07_03BP_obtain_parental_re-consent_PIAs principal investigator I (or my post-doc researcher) would ask participants at one of theirpersonal contact visits to sign a new consent form. If no face-to-face contact with the studyparticipants occurs then a letter with an explanation, a phone number to call in case of ques-tions, and a SASE to return the signed consent witnessed by a friend or family member wouldbe forwarded. Subjects under 13 would require both parental consent and subject assent. Theelectronic file should include a verification that there is assigned IRB approval consent andauthorization of file and what version it is and when it was signed. The re-consent would beposted to the database so it could be reviewed.

Domain Information use and disclosure policyStakeholder CliniciansLegal Driver § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is

not required.(2) Documentation of waiver approval. For a use or disclosure to be permittedbased on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of thissection, the documentation must include all of the following:(ii) Waiver criteria. A statement thatthe IRB or privacy board has determined that the alteration or waiver, in whole or in part, ofauthorization satisfies the criteria.

UT_07_04BP_parental_consent_IRB_bypassThe IRB would encourage the principal investigator to submit the new project as a data-onlyproject using existing research data. The investigator could then apply for a waiver of authoriza-tion as permitted in the privacy rule 45 CFR 164.512(I).

Domain Information use and disclosure policyStakeholder Medical and public health schools that undertake researchLegal Driver § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is

not required.(i) Standard: Uses and disclosures for research purposes.(1) Permitted uses anddisclosures. A covered entity may use or disclose protected health information for research,regardless of the source of funding of the research, provided that:(i) Board approval of a waiver ofauthorization. The covered entity obtains documentation that an alteration to or waiver, in wholeor in part, of the individual authorization required by §164.508 for use or disclosure of protectedhealth information has been approved by either:A) An Institutional Review Board (IRB), orB) Aprivacy board Have met specified conditions.

UT_07_CS7If I agreed to have my child participate in a research study and the principle investigator wasasked by one of the investigators if they could use the raw data to extend the tracking of mychild for an additional 6 months and use that data for a white paper that was not part of theoriginal research protocol, as a consumer (parent of 13 year old child), my concern would bethat the findings (specifically my child’s) from the study be used in a way that I was aware ofupfront. I would not want my child’s information used for other ”white papers” or additionalresearch that I did not consent to upfront. Consent for all uses of the data should be obtainedup front. If additional uses are identified after the fact, I would expect the investigator to obtainconsent from myself to use my child’s information.


Scenario for access by law enforcement

UT_08_01BP_blood_alcohol_sample_law_enforcement

78

For law enforcement, if we suspect alcohol is involved we ask permission to obtain an alcohollevel. Failure to comply can result in the loss of driving privilege. In cases where there is a riskof fatality we do not ask permission as we have a contract with county paramedics to do thedraw at the accident site before transport to the hospital. Once the patient enters the hospital itbecomes increasingly difficult to get information without a court order or subpoena.

Domain State law restrictionsStakeholder Other Specified Law Enforcement

UT_08_02BP_patient_statusAs an ER physician my first concern would be to treat the patient.


UT_08_03BP_release_of_medical_information_hospital_to_lawOur hospital does not have a contract with law enforcement for blood draws but we do them ifrequested for our own health treatment purposes only. The results cannot be released withoutpatient’s authorization or a valid legal document. The hospital blood results are usually indifferent unit measures than the unit measures that law enforcement uses.

Domain Information use and disclosure policyStakeholder Hospitals

UT_08_04BP_release_of_medical_information_hospital_to_insuranceOur hospital cannot release medical information without the patient’s authorization. However, ifthe insurance company is part of TPO (treatment, payment, and operations), and when theyrequest medical records, we can release them. There is one caveat, if they contain any sensi-tive material (i.e. drug or alcohol related information) the patient must be contacted and permis-sion given before the medical records can be released.

Domain Information use and disclosure policyStakeholder HospitalsLegal Driver § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is

not required. A covered entity (such as the Hospital) is required to disclose the results of theblood test to the law enforcement official only if the law enforcement official provides a courtorder, a subpoena or summons ordered by a judge, an administrative subpoena or summons,authorized investigative demand, or similar process authorized under state law.

UT_08_05BP_release_of_medical_information_hospital_to_parentOur hospital cannot release medical information to parents without the patient’s authorization.However, if the insurance is on the parents policy, parents can ask for billing information(treatment, payment, and operations), and we can release them.

Domain Information use and disclosure policyStakeholder HospitalsLegal Driver 45 CFR 164.506 allows for the disclosure for “TPO”;

42 CFR Part does not apply - misunderstanding of 42 CFR Part 2. It does not apply becausethe patient is not in a substance abuse treatment program.

UT_08_06-1BP_obtaining_medical_information_from_hospitalFor law enforcement to get a copy of an individual’s medical information that was involved in anaccident investigation, we would have to subpoena the records. We first would try to get theperson’s consent at the accident scene and get as much information as possible from theindividual at the scene. The subpoena process involves serving the subpoena, often waiting twoweeks for a reply. Then we either get a call to let us know the record is ready for pick up or thatit was mailed. The investigator will, in most cases, go to the hospital to get the report.

Domain Information use and disclosure policyStakeholder Other Specified Law Enforcement

79

UT_08_06BP_obtaining_medical_information_from_hospitalAs law enforcement, we can talk to anyone without authorization, but we have a very difficulttime getting information from primary care doctors as they don’t want to have to spend timetestifying in court. In some situations the ER doc will talk “off the record” in a general senseabout the accident and injuries sustained by the individual to compare consistency of injury withfacts gathered to date. The ER docs will also give officers updates on the general status of theindividual but in a very broad sense, (e.g. doing better or not going to make it). The specificdetail or information that would be officially documented for the investigation would be obtainedthrough a subpoena. We try to get relevant information collected before the individual gets to thehospital.


UT_08_CS10From patient perspective: No one can have my information unless I give them access to it.Sometimes we sign so many things I think I’ve given away my first three children and they arenot even born yet. From parent’s perspective: I would talk with the doctor and ask what thestandard protocol is and then the police officers. I believe that the police can ask for the infor-mation and we can refuse. They would have to get a court order to get it, but then they couldplace him, the driver, under arrest. I would be inclined to let him face the consequences of hisaction though.


UT_08_CS8I think the EMTs do it automatically as part of the blood work if it’s for an accident and the copsshow up. So I’d have to say they must have some kind of arrangement. But I know you canalso say no to the police, I saw it on TV. You have to know that they can arrest you, but stillyou can always say no. But since I wasn’t drinking I wouldn’t care if they had the results,unless the lab got it wrong, I saw that on TV too.

Domain State law restrictionsStakeholder Consumers or consumer organizations

UT_08_CS9As a parent, for the doctor to ask the patient if it’s OK to talk in front of his parents is weird.Unless he’s not conscious or can’t communicate, then I guess he’d just talk to us becausewe’d be the next of kin or responsible party - the checkbook.


Pharmacy Benefit - Scenario A

UT_09_01BP_authorization_to_disclose_patient_info_for_prescription_fillAs the health care provider, sharing information with the pharmacy may not be an issue be-cause I only need to give them a new prescription for the new medication if the patient decidednot to pay out of pocket. I don’t need to give them diagnostic information necessarily or anypersonal info they do not already have. In my consent paperwork, that all clients fill out, Ieducate them about other agencies, including their insurance agency, that may need informa-tion about diagnosis and treatment plan information. I explain to them that all insurance agen-cies as part of the terms of coverage have a clause giving them access to that information if theclient uses their insurance to pay for their visit and or medication.

Domain Information use and disclosure policyStakeholder CliniciansLegal Driver Physician, pharmacy, and PBM may each use or disclose protected health information for their

80

own treatment, payment, or health care operations (“TPO”), because all are presumably coveredentities under HIPAA. 45 CFR 164.506(c)(1). Physician, pharmacy, and PBM may each beviewed as a covered entity under HIPAA because each is a health care provider.

UT_09_02BP_PHI_sent_from_PCP_to_pharmacyAs a nurse practitioner, it is my understanding that the pharmacy only requires the medication,patient name and date of birth. They require my state license number and sometimes a DEAnumber. The insurance company may require a diagnostic code to cover medication. If theyrequest more information I discuss it with the client first and get their approval before disclosingfurther information.

Domain Information use and disclosure policyStakeholder CliniciansLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health information.

The “minimum necessary” rule in 45 CFR 164.514(d) applies to the interactions betweenphysician, pharmacy, and/or PBM. If one of the parties requests from the other information notrelevant to treatment, patient, or health care operations, this would generally be prohibited byHIPAA both because the minimum necessary rule would have been violated and because theinteraction would no longer fit within the definition of treatment, payment, or health care opera-tions. The different parties involved must limit the types of persons who receive the patientinformation as well as the types of patient information received.

UT_09_03BP_PHI_sent_from_pharmacy_to_PCPAs a pharmacist the only information about the particular prescription is shared with theprescribing physician. Minimal information is disclosed in the process (name, date of birth,medication, insurance information).

Domain Information use and disclosure policyStakeholder PharmaciesLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health information.


UT_09_04BP_Pharmacy_communication_with_patient_and_physicianAs a pharmacy we would inform the patient that the medication is not on their formulary and noton the preferred alternative list, so we would ask them if they would like to pursue the priorauthorization. If so, we would fax the prescribing physician only the information necessary toobtain the prior authorization.

Domain Patient and provider identificationStakeholder PharmaciesLegal Driver 45 CFR 164.506(c)(1) Physician, pharmacy, and PBM may each use or disclose protected

health information for their own treatment, payment, or health care operations (“TPO”), becauseall are presumably covered entities under HIPAA. 45 CFR 164.506(c)(1). As health care provid-ers and covered entities under HIPAA, physician, PBM, and pharmacy can freely interact withpatient for TPO purposes, including obtaining additional information from patient, or givingadditional information to patient. In addition, as covered entities, PBM, pharmacy, and physiciancan disclose patient information to each other and to other entities for treatment purposes. 45CFR 164.506(c)(2). Thus, PBM, pharmacy, and physician can each talk to patient and to eachother regarding filling the Geodon prescription without the need to obtain a patient authorization.

§ 164.514 Other requirements relating to uses and disclosures of protected health information.The “minimum necessary” rule in 45 CFR 164.514(d) applies to the interactions between

81

physician, pharmacy, and/or PBM.

UT_09_05BP_acknowledgment_receipt_HIPAA_policyWith our pharmacy, the patient receives a copy of the HIPAA rules and regulation along with ourpharmacy’s privacy practices and signs an acknowledgment of receipt.

Domain Information use and disclosure policyStakeholder Pharmacies

UT_09_06BP_PCP_communication_with_patientI, the primary care provider, would verify with the patient that they submitted the prescription andtalk with them about confidentiality. I would also explain that they can get the Geodon but willhave to pay out of pocket or that they could use one of the alternatives. I would explain thesimilarities and differences between the choices and recommend the best alternative.


UT_09_CS11Those individuals that have a need to know to get their job done or to provide care and servicesto patients. There is a risk in allowing everyone access to all information. Safeguards need tobe in place to protect patients as well as those workers involved in providing services.

Domain Information authorization and access controlsStakeholder Consumers or consumer organization

UT_09_CS12The doctor should and the pharmacy should have access to patient information to fill theprescription. It is a current fill and it is generated by the patient. The medication not being onthe formulary should not require a new signature for authorization. It’s the same prescriptiontrying to be filled.


UT_09_CS13I would expect that agreements regarding appropriate levels and type of information as well aswho has access and for what purpose and length of time would exist. I would also expect thatno information could be used for sale or use without the permission of the individual.


UT_09_CS14Information should go to the person that it is intended for only. There should be a mechanism inplace that can provide reasonable assurances that will occur. Sometimes it’s the case that filesare misplaced or a fax is mis dialed. There are several precautions that can be in place tomitigate these occurrences. (encryption, verification of sender/receiver, password protection)

Domain Administrative or physical security safeguardsStakeholder Consumers or consumer organizations

UT_09_CS26I would first check with my insurance to make sure that it was an appropriate benefit under myplan. Then I would call the doctor that wrote the prescription and have the office manager callthe pharmacy to verify that it had been filled. I would follow up with a call to the pharmacy andcheck on the prescription myself.


Pharmacy Benefit - Scenario B

82

UT_10_01-1BP_business_agreements_share_patient_data_pharmacyAs a pharmacist, formal business associate agreements to share data are not needed to reviewdata for proposal purposes as protected health information is not shared. Only data that is de-identified is shared and only that which is the minimum necessary for the review.

Domain Administrative or physical security safeguardsStakeholder PharmaciesLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health information.

The minimum necessary rule would require that only de identified/aggregated information beprovided if that is sufficient to carry out PBM1’s assignment. 45 CFR 164.514(d) .If only deidentified information is provided, HIPAA would not require a business associate agreement.

UT_10_01BP_business_agreements_share_patient_data_companyOur company has formal contracts in place with the pharmacy benefit managers that specifi-cally state the terms and conditions under which data is exchanged and shared. These termsshould include a disclosure by permission agreement only authorized between our companyand the current pharmacy benefit manager (pbm); If our company wants to compare costs withanother pharmacy benefit provider we can enter into an agreement with them to provide thatinformation - a nondisclosure agreement between our company and the pbm that is doing acomparison assessment. Also, we would require a business associate agreement with theHIPAA privacy requirements between the company and the all pbm’s involved.

Domain Administrative or physical security safeguardsStakeholder Consumers or consumer organizationsLegal Driver Company A needs to enter in a business associate agreement with PBM1 if patient identifying

information is to be used. The requirements of the business associate agreement are set forthin 45 CFR 164.504(e)(2); the business associate agreement would typically be worded to permitPBM1 to have access to relevant patient information only for the purposes of carrying out thespecific assignment given by Company A.

UT_10_02-1BP_limits_on_info_shared__pharmacyAs the current PBM sending data to another PBM, even though the data would be de-identified,we would still provide the minimum amount necessary for an appropriate review. If the reviewwould entail trending utilization on an individual employee basis, the data could be linkedgenerically, such as Employee A, Employee B, etc.

Domain Information use and disclosure policyStakeholder PharmaciesLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health information.

The minimum necessary rule would require that only de identified/aggregated information beprovided if that is sufficient to carry out PBM1’s assignment. 45 CFR 164.514(d).

UT_10_02BP_limits_on_info_shared__companyFrom the company’s perspective, any information shared should not initially include identifiablepatient information. It should be quantifiable group (aggregate) information because that is allthe pbm needs to correctly calculate their comparable cost structure.


Healthcare Operations and Marketing - Scenario A

UT_11_01BP_non-direct_marketingOur integrated health care system has no process at this time for obtaining authorization fromour customers because we do not market directly to them. If faced with a situation regardinglack of referrals to a new rehab center, brochures may be distributed based on non-conditionrelated criteria.

Domain Information use and disclosure policy

83

Stakeholder Hospitals

UT_11_02BP_internal_information_sharing_integrated_health_deliveryWe are a large integrated health delivery system with multiple facilities set up as a singlecovered entity under HIPAA for all provider type activities. As such, sharing information amongour facilities and corporate offices for business activities does not require patient authorization.


UT_11_03BP_authorization_for_marketing_informationWhen the marketing department of our integrated delivery system plans to distribute a brochureto the individuals we would run a report of the required diagnoses by diagnosis-related group(DRG) to create a list of those patient names and demographic information needed for contact.If our admission paperwork did not specifically ask for consent for demographic information tobe used by our corporation, then we would require our marketing department to obtain thatconsent from the patients prior to transfer of data.


UT_11_04BP_patient_information_for_marketingAs a small hospital we would not release medical information for the specific purposes ofincreasing revenue from that patient. This would be in violation of my understanding of the intentof the HIPAA statute. On the other hand, if the marketing was done to improve quality of care,perhaps by assessing patient satisfaction with care, or to identify concerns with the entireprocess of care, that would seem appropriate.

Domain Information use and disclosure policyStakeholder Physician groups

UT_11_05BP_third_party_release_for_marketingIf our critical access hospitals were asked to release information for third party marketing wewould: (1) obtain written patient consent that discloses the intended use of the data; (2) refrainfrom releasing information for purposes that are not disclosed to the patient at the time patientconsent was obtained; (3) establish the provider’s ownership rights in the data; (4) define andlimit the purpose for which the third party is being given access to the data; (5) limit the scopeby which the third party may use, disclose, or distribute the data, or prohibit third party disclo-sure and/or distribution altogether; (6) restrict access to patient-identifying information, wherethere is a need for third-party access to patient identifiers; and (7) require indemnification bythird parties for harm the provider suffers as a result of a breach of confidentiality.


Healthcare Operations and Marketing - Scenario B

UT_12_01-1BP_patient_information_useMarketing directors at our hospital know the general parameters by which patient informationcan be used for marketing. When at any time there are questions, a marketing director canseek guidance from the CEO. If the activity is at all questionable, the marketing is forgone.


UT_12_01BP_patient_information_useOur hospital shares patient information internally with other departments. We provide informa-tion to patients on new services or classes and instruction. Our hospital registration form haslanguage that allows patients to choose to opt out of a mail list that provides information sent totheir homes for specified services. We do not sell patient information to outside vendors.

84

However outside vendors can include information/samples in kits that go home with patients.Patients can choose to register should they decide, with the vendors mailing list in a proactivemanner.


UT_12_02BP_patient_information_for_internal_marketingThe marketing department internally uses de-identifiable patient information internally typicallyfor planning or reporting purposes. This is done through an internal hospital department called“Decision and support services.” This department has access to all patient data for the purposeof reporting trend aggregate patient data.

Domain Information use and disclosure policyStakeholder HospitalsLegal Driver § 164.514 Other requirements relating to uses and disclosures of protected health information.


UT_12_03BP_patient_information_use_external_mail_houseOur hospital marketing department transmits identifiable data directly to a mail house toconduct patient-centered educational or follow up mailings to our patients.


UT_12_04BP_business_agreement_third_party_marketingOur hospital marketing department has a business associates agreement with the mail houseto ensure confidentiality

Domain Administrative or physical security safeguardsStakeholder Hospitals

UT_12_05BP_transmit_patient_info_to_mail_listThe hospital marketing department mail list is typically sent via a CD or electronic file over e-mail with instructions for one time usage and destruction of the file after use (this is a commonpractice for mail houses and they readily comply).

Domain Information transmission security or exchange protocolsStakeholder Hospitals

UT_12_CS15I have a very negative opinion of this - Don’t think this should happen.


UT_12_CS16As a patient entering a hospital to give birth I wouldn’t want to be asked about giving permis-sion/authorization when being admitted. There is too much going on to focus on what is beingasked of the patient. It should be at discharge.


UT_12_CS17As a consumer I am concerned about the security of my information. No identifiable patient

85

information should be transferred anywhere. Only general aggregate data and statistics.Domain Administrative or physical security safeguardsStakeholder Consumers or consumer organizations

Bioterrorism event

UT_13_01BP_collect_information_bioterror_investigationAs the local public health department officer, I would collect information from the patient’sphysician including a patient history. I would also collect patient information from the lab.

Domain State law restrictionsStakeholder Public health agenciesLegal Driver 26-23b-103. Mandatory reporting requirements — Contents of reports — Penalties. (1) (a) A

health care provider shall report to the department any case of any person who the providerknows has a confirmed case of, or who the provider believes in his professional judgment issufficiently likely to harbor any illness or health condition that may be caused by: (i)bioterrorism.

UT_13_02BP_notify_possible_exposure_to_stateAs the state health agency, reports of anthrax exposure are submitted to the state by the localhealth department’s organizational patient safety officer. It is unlikely that the local public healthdept in adjacent county would be notified of the initial report. We, the state health agency,would notify CDC and FBI in real-time.

Domain State law restrictionsStakeholder Public health agencies

UT_13_03BP_coordination_bioterror_investigation_federalOur federal law enforcement is involved once the doctor suspects anthrax and submits the testto the lab. From here, the notification takes on a life of its own. The lab, if specimen is positive,notifies the Laboratory Response Network (LRN) - the LRN confirms the sample is positive andit goes to the CDC. The doc is notified as is the state health department. At the same time, thenotification of a positive test is sent to the Strategic Information Operation Center (SIOC). Thisis a major hub of notification- all agencies are notified from here of the result. When an eventoccurs we are notified by local agencies and sometimes by the state. Usually the state is on-site when we arrive. It’s unclear to us who contacts the state but they are always there when anevent similar to this occurs. Our role beyond investigative is to aid with the coordination offederal resources should more be necessary.


UT_13_04BP_coordination_local_bioterror_investigationIn the event of a bioterror investigation as local law enforcement we receive a general alert butnothing with detailed or specific information unless the threat was in the direct local area. Wewould identify or locate individuals and we would receive specific identifiable information on theperson(s) involved along with direct instructions on how to proceed. Our instructions are goingto come from the federal enforcement level and state health officials. For events that are not inour locality we would help to contain or secure an area.


UT_13_05BP_transmit_informationAs local law enforcement officers we often deal with threat investigations and need to notifyother agencies or organizations. Officers pick up the phone and call other organizations and willfollow up with an email transmission of an “Urgent Report” that is sent electronically via emailreleasing only necessary information that will not compromise the investigation.

Domain Information transmission security or exchange protocols

86

Stakeholder Other Specified Law Enforcement

UT_13_06-1BP_public_release_of_informationAs the state health agency we would not disclose the name of the patient or any other pro-tected health information in the case of a suspected bioterror threat. Cases are handled on anindividual basis - If anthrax is confirmed more information would likely be shared but the patientname is not disclosed.


UT_13_06BP_public_release_of_informationFederal law enforcement release of information to the public during a coordinated investigativeeffort would be the responsibility of a joint unified command - this is made up of a representativefrom each head agency involved in the investigation.


UT_13_CS18I would gather information from the INTERNET, listen to the news, call my local doctor. Some-times it feels as though we are living in a vacuum and there is a lack of information - this leadsto disinformation - INTERNET blogs, chat rooms, talk radio - mostly people opinion spun withsome fact. Really a real time national enquirer

Domain Information use and disclosure policyStakeholder Consumers or consumer organization

UT_13_CS19Officials can release only that which is confirmed and it takes time to do that. Otherwise ifinformation was released without caution it would be mass panic.


Employment Information Scenario

UT_14_01BP_generic_or_detailed_return_to_work_formAt our hospital, if the employee requests a generic release from our emergency room, there isusually no need for an authorization. If more detail is required by the requester, the providerdiscusses what MUST be included and documents patient authorization to release the informa-tion. In both cases the provider would talk with the patient and adhere to minimum standardunder HIPAA, with regards to releasing information.


UT_14_02BP_patient_authorization_to_mail_or_fax_infoAt our hospital if the employer will not accept hand carried documentation from the patient, weobtain a signed authorization from the patient and mail or fax the return to work form, verifyingthe employers contact information before sending the letter.


UT_14_03BP_Clarification_or_return_to_work_procedureIf a front line employee in our hospital were faced with this situation and was not familiar withour practices he/she would contact a supervisor or the compliance hotline for assistance. Thepractice of cutting and pasting information directly from an Electronic Health Record (EHR)would not occur at our ED.

Domain Administrative or physical security safeguards

87

Stakeholder Hospitals

UT_14_04BP_Information_included_in_generic_return_to_workOur hospital return to work letter contains the patient’s name, the physician’s name, the lengthof time under the physician’s care for the given illness, and any activity restrictions.


UT_14_05-1BP_transmission_of_return_to_work_by_email_not_allowedIn our hospital most “return to work” documents are either prepared and handed to the patientwhen they are present, or are mailed as needed. We do not share PHI with employers over theInternet.


UT_14_05BP_transmission_of_return_to_work_by_encrypted_email_with_partnersOur hospital does currently permit sending encrypted e-mail messages with PHI to regularbusiness partners, however, e-mail should not be used, regardless of whether it is encrypted, forcommunicating with patients or others.


UT_14_06BP_HR_Company_process_return_to_workIn our company the general process for return to work is: He/she would be given a form from themedical provider stating that the person was now under medical care and it would state thelength of time the person would need to be gone. It would most likely have only limited informa-tion as to the cause of the medical situation. It would be signed and dated by the appropriateperson/institution so the employee could give it to their employer as justification for theirabsence from work. When an employee is off work for four days and is ready to return, werequire them to bring (on first day) a Return to Work Release.

Domain Information use and disclosure policyStakeholder Professional associations and societies

UT_14_07-1BP_Company_transmission_return_to_work_practiceIn our company the work release form must be given to the employee, signed and dated by herprovider, so she can bring it with her or she will not be allowed to return to work.


UT_14_07BP_Company_transmission_return_to_work_practiceIf our HR department were receiving a form by fax or email, the provider of the info would beresponsible to determine the name/position of the person authorized to receive the info. Then ifthey were faxing it I would tell them to call me at the time they planned to fax, and I wouldstand at the fax to receive it. If it is email, I would give them my direct email and then it is stilltheir responsibility to determine the security protocols at their end, for safe data transmittal. Thesafest way is mail.


UT_14_08BP_HR_dept_receipt_of_unrequested_infoOur HR department would put the un requested information in an envelope and give it to theemployee with an explanation that it had come to us un-requested and therefore I would turn itover to the employee. I would remind them that we still require the basic information for theirreturn to work and they would be expected to provide that.

Domain Information transmission security or exchange protocols

88

Stakeholder Professional associations and societies

UT_14_CS20Review the portion of the Electronic Health Record (EHR). If there were items that I was uncom-fortable sharing I would ask the doctor for a release “return to work” instead.


UT_14_CS21With Electronic Health Record (EHR) record no copy is obtained by consumer/patient, unlessspecifically requesting a copy. The patient is left out of this process.


UT_14_CS22Individuals receiving ELECTRONIC HEALTH RECORD (EHR) may or may not have access tothat type or level of personal information. If I chose the ER, I would have to request that informa-tion and provide an email address for my HR rep.


Public Health - Scenario A

UT_15_01BP_clinician_notify_public_healthAs a physician, I would report the case of confirmed active TB to the Public Health Department.Our Notice of Privacy Practice indicates we reserve the right to use any and all patient informa-tion to identify the patient with the Public Health Department in such situations. The Director ofNursing would be the responsible person initiating the contact. A fax with any informationnecessary would be distributed given this is acceptable.


UT_15_02BP_departing_state_notify_arriving_stateAs the Public Health Department in the state patient was departing from, we would first contactthe other state to meet the bus so all travelers could be treated. Typically, if there is a publichealth threat, we phone confirming that a fax is coming and then we fax confidential information.


UT_15_03BP_departing_state_notify_bus_companyAs the Public Health Department in the state the patient was departing from, we would try to getthe manifest from the bus company so we could contact travelers that may have departed thebus prior to final destination (we may need to divulge the TB info but not the individual’s name). Ifany passengers exited the bus in our state we could transport them to a secure TB unit andwould proceed to secure court orders for treatment.


UT_15_04BP_arriving_state_notify_law_enforcementAs the Public Health Department in the state where patient was traveling to, we would provide atemporary order. This would require law enforcement involvement. We would share the orderwith law enforcement but no other information would be shared.


89

UT_15_05BP_law_enforcement_notifiedAs law enforcement, the Public Health Department notifies us that an individual is a threat tothe public. For Law Enforcement to get involved we would need official paperwork in the form ofa subpoena (warrant, declared state of emergency, imminent public threat) in order to act.Public Health would need to initiate the order and then we would supply the muscle. Withoutthe paperwork, Law Enforcement has no legal jurisdiction. In reality our communication chan-nels are not well established at the local level for this type of effort. We receive no additionalinformation beyond what is provided in the order regarding health dangers to officers on thescene.


UT_15_CS23It is expected that the primary care physician inform patients that fall under the condition/disease notification requirements, what information is to be shared, by whom, and under whatconditions. If I had not been informed I would be infuriated to find out that my health informationhad been shared with an untold number of individuals and agencies. Even if informed, instruc-tions would need to be very specific and easy as opposed to just call the Health Department.This would probably lead to endless frustration and wading through front line staff trying tolocate the right person or program.


UT_15_CS24I would submit hard copies of health information in person. I wouldn’t trust email or fax to beconfidential. Plus based on this experience, I’d ask what their agency’s policy is regardingrecords handling, retention, confidentiality, and destruction.

Domain Information transmission security or exchange protocolsStakeholder Consumers or consumer organizations

Public Health - Scenario B

UT_16_01BP_testing_by_reference_labAs a reference lab manager, we receive test orders and specimens from the State HealthLaboratory over a laboratory information system interface. Some limited demographic informa-tion is associated with the order. Test results are returned over the same interface. We do notdirectly notify the physician or patient regarding results and we do not receive orders directlyfrom physicians.

Domain Information transmission security or exchange protocolsStakeholder Laboratories

UT_16_02BP_abnormal_result_processAs the newborn screening unit at the state lab, we would notify the state follow up program ofthe abnormality. We would proceed with a second test to confirm the abnormality.

Domain State law restrictionsStakeholder State government

UT_16_03BP_transmission_lab resultsAll abnormal results obtained from us (newborn screening unit - state lab) are called to theMedical Home. Verbal information is given including symptoms. A letter detailing the abnormal-ity, needed follow up, and including symptoms is faxed or mailed to the Medical Home. Themailer (results) include a detailed description of the results and symptoms.


90

UT_16_04BP_state_public_health_access_to_patient_informationAs the state public health department, we have legal access to all of the identifying informationfor state mandated programs.


UT_16_05BP_State_public_health_notify_parentsAs the health department, our appropriate state program would notify the patient’s parents thatthey are eligible for services and leave a contact number for them with a copy also going to themedical home/ physician in case we have an old address for the patient.

Domain Information use and disclosure policyStakeholder State government

UT_16_06BP_physician_office_health_dept_communicationIn our physician office, information about patients is received by my nurse from the healthdepartment. She then informs me. If I need to let the health department know information Iinform my nurse and she calls the health department. (i.e. positive flu test).


UT_16_07BP_physician_contact_parents_with_resultsAs the physician, I would inform the patient’s parents that their child has this disease. I wouldalso let them know that the state lab would be tracking the health of their child and that therewould be services available through the state.

Domain State law restrictionsStakeholder Physician groups

Public Health Scenario C

UT_17_01-1BP_health_information_sharing_between_facilitiesAs the physician from a clinic that serves homeless persons information can be shared freelyamong all caregivers unless a counselor is discussing some private/legal abuse issues.


UT_17_01BP_health_information_sharing_between_facilitiesAs a not for profit treatment facility who treat homeless, we share with some frequency apredetermined set of patient data with other agencies. The agencies often don’t want more,because it has limited utility. Our data is a hared with the county programs as defined bycontract. When we are functioning as a shelter situation the data sharing is limited in that wewill only respond to requesting agencies that the client has entered into treatment.


UT_17_02BP_homeless_shelter_receiving_request_for_PHI_from_publicAs homeless shelter staff, under the original signed consent form, the case manager wouldnotify the authorized drug treatment staff that a relative is attempting to locate the client. Thetreatment staff could then pass this information on to the client who could then, at their owndiscretion, contact the inquiring relative. This would assume a broad interpretation of CFR 42Part II, because technically the federal regulation governing substance abuse treatmentinformation restricts the disclosure to information specified in the original release.

Domain Information use and disclosure policy

91

Stakeholder Community clinics and health centers

UT_17_03-1BP_release_of_PHI_to_possible_relativeAs a drug treatment center, we would neither “confirm nor deny” the participation of any clientresiding at the treatment.


UT_17_03BP_release_of_PHI_to_possible_relativeAs a primary care provider I would not release any medical or other information to any personclaiming to be a relative without that patient’s knowledge and a release of records/informationsigned by that patient. The release of information would have to be specific pertaining to theinformation being exchanged.


UT_17_CS25I understand and appreciate the reluctance on part of the homeless shelter to release informa-tion regarding my relative, especially since I did not have proper identification. I would hope,however, that instead of being turned away I would be provided with the proper steps to take inorder to contact my relative and see if they are indeed okay.


State Government Oversight

UT_18_01BP_pediatrician_lead_screenAs a pediatrician I screen for risk of lead poisoning at the 1 year well-baby check appointment.I probably should be checking at the two-year check as well. However I have not yet seen apositive lead lab result. It doesn’t seem to be an issue here.

Domain State law restrictionsStakeholder Clinicians

UT_18_02BP_lab_submit_positive_lead_result_to_stateAs the lab that is contracted to conduct the blood lead lab tests for the state, we notifyelectronically the appropriate program manager at the state health department on a weeklybasis. If there are elevated levels we notify immediately. The secure file transfer is accessibleby password. Our lab places an excel spreadsheet on our secure site and the state programmanager can download the file to their system electronically. Utah does not require a universalblood lead testing for children.

Domain State law restrictionsStakeholder Laboratories

UT_18_03BP_establishing_data_sharing_agreement_Public_Health_to_UniversityAs a data steward responsible for immunization data in the Department of Health, before wewould share any data, we would establish data sharing agreements with the university andthen have these agreements reviewed by our legal department prior to obtaining signatures.


UT_18_04BP_university_researcher_access_to_dataAs a data steward responsible for immunization data in the Department of Health, if a re-searcher from the university had a legitimate need to access data in the state immunizationdatabase, they would go through the enrollment process and fill out all the required paperwork

92

(confidentiality forms, user security agreement, etc.). Then, after training, they would begranted access but restricted to “look up only” so no alterations to information could be done.


93

Appendix D.Work Group Members

94

Steering CommitteeChairJoseph G. Cramer, MDCottonwood PediatricsMurray, UT

Rulon BarlowOrem, UT 84058

Scott Barlow, CEOCentral Utah ClinicProvo, UT

Terry HolmesTelNetZ, Inc.Draper, UT

Michael JensenBlanding, UT

Bradley LeBaronCEO/AdministratorUintah Basin Medical CenterRoosevelt, UT

Deb LaMarcheUtah Telehealth NetworkSalt Lake City, UT

R. Chet LoftisSalt Lake City, Utah

Dennis Moser, FACHEUtah Center for Rural HealthCedar City, UT

Mark A. Munger, PharmDUniversity of UtahSalt Lake City, UT

Barry Nangle, PhDDirector, Center for Health DataUtah Department of HealthSalt Lake City, UT

Rod RossEquitable Life & Casualty Insurance3 Triad CenterSalt Lake City, UT

John Nelson, MDMedical DirectorHealthInsightSalt Lake City, UT

Linn J. Baker, DirectorUtah’s Public Employees Health ProgramSalt Lake City, UT

Lyle Odendahl, JDAssistant Attorney GeneralSalt Lake City, UT

Thomas Jackson, VP OperationsHealthInsightSalt Lake City, UT

Lois Haggard, PhDDirector, Office of Public Health AssessmentUtah Department of HealthSalt Lake City, UT

Variations Work GroupChair:John Nelson, MDMedical DirectorHealthInsightSalt Lake City, UT

Kim Batemen, MDCentral Utah PractitionerSalt Lake City, UT

Kevin M.Coonan, MDAdjunct Assistant ProfessorDivision of Emergency MedicineNLM Fellow, Department of Medical InformaticsUniversity of Utah School of MedicineSalt Lake City, UT

Katie GorrisPrivacy Office, Intermountain HealthcareSalt Lake City, UT

Reid L.BarkerExecutive DirectorUtah Pharmaceutical AssociationOrem, UT

Sara V. Sinclair RNChief Executive OfficerSunshine Terrace Foundation, INCLogan, UT

Jan Root, PhDAssistant Executive DirectorUtah Health Information NetworkMurray, UT

Detective Von SteenblikCenterville Police DepartmentCenterville, Utah

Appendix D. Project Work Group Members

95


Dr. Robert P. HuefnerProfessor of Political ScienceUniversity of UtahSalt lake City, UT

Linda Johnson RNProject CoordinatorHealthInsightSalt Lake City, UT


Allan D Ainsworth, PhDExecutive Director, Fourth Street ClinicSalt Lake City, UT

Legal Work GroupChair:Lyle Odendahl, JDAssistant Attorney GeneralSalt Lake City, UT

Liz Winter, JDDeputy General CounselorUniversity of UtahSalt Lake City, UT

Rex Olsen, JDAssistant Attorney GeneralUtah Department of HealthSalt Lake City, UT

Morris Linton, JDSenior CounselIntermountain HealthcareLegal DepartmentSalt Lake City, UT

R.Chet Loftis, JDKirton & McConkieSalt Lake City, UT

Solutions Work GroupChair:Linn J. BakerDirectorUtah’s Public Employees Health ProgramSalt Lake City, UT

David CallVice PresidentDeseret Mutual Benefit AdministratorSalt Lake City, UT

Kevin M.Coonan, MDAdjunct Assistant ProfessorDivision of Emergency MedicineNLM Fellow, Department of Medical InformaticsUniversity of Utah School of MedicineSalt Lake City, UT

Grant HowarthPresident/CEOCommunity Nursing ServicesMidvale, UT


Christie CheslerTB Control/ Refugee Health Program ManagerUtah Department of HealthSalt Lake City, Utah

Dan AndersonLegal CounselPEHPSalt Lake City, UT

Dr. Larry V. Staker MDMedical DirectorDeseret Mutual Benefits AssociationSalt Lake City, UT

Bob Rolfs, MDState EpidemiologistUtah Department of HealthSalt Lake City, UT

Iona ThraenPatient Safety DirectorUtah Department of HealthSalt Lake City, UT

Detective Von SteenblikCenterville Police DepartmentCenterville, Utah

Dave Valenti, MDAmerican College of Emergency Physicians (ACEP)Salt Lake City, UT

Implementation Planning Work GroupChair:Barry Nangle, PhDDirector, Center for Health DataUtah Department of HealthSalt Lake City, UT

96

Val Batemen, MBA, MHAExecutive Vice PresidentUtah Medical AssociationSalt Lake City UT

Richard Melton, PhDDeputy DirectorUtah Department of HealthSalt Lake City, UT


Lyle Odendahl, JDAssistant Attorney GeneralSalt Lake City, UT

Mark Brinton, JDUtah Medical AssociationSalt Lake City UT

Kevin M.Coonan, MDSalt Lake City, UT

Katie GorrisPrivacy Office, Intermountain HealthcareSalt Lake City, UT



97

Appendix E.Scenario Maps

98

Hospital Emergency Room Hospital

State Line

UT_01_01BP_patient_statusUT_01_02BP_information_to_treatUT_01_03BP_requesting_patient_information

UT_01_04BP_hospital_authenticationUT_01_05BP_transmit_medical_informationUT_01_06BP_receiving_request_for_patient_information

Observations: When an emergency room physicians is dealing with an emergency situation and needspatient’s medical information the physician will make efforts to access the patient’s medical informationwithout patient authorization. In an emergency situation hospitals will disclose information without authoriza-tion to a requesting covered entity once that entity is verified. The release of patient information across statelines was a factor in the exchange of patient information.

Appendix E. Business Practice Map by Scenario

Patient Care A

99


Patient Care B

Substance AbuseTreatment Facility

Primary CarePhysician

Specialist Physician

Patient

UT_02_01BP_patient_authorizationUT_02_01-1BP_patient_authorization_to_release_PCP_to_SPECUT_02_01-2BP_patient_authorization_to_release_PCP_to_SPECUT_02_02BP_determing_information_to_be_sentUT_02_03BP_facility_authenticatingUT_02_04BP_transmission_non-electronic_SA to PCPUT_02_05BP_transmission_electronic_SA to PCPUT_02_05-1BP_transmission_PCP to SPECUT_02_06BP_verifying_receipt_of_record

UT_02_07BP_logging_disclosuresUT_02_08BP_recording_access_to_SA_PHIUT_02_09BP_storage_of_SA_PHIUT_02_09-1BP_storage_of_SA_PHI_restricted_accessUT_02_10BP_patient_consent_to_treat_PCP

Observations: There are differences between how a provider uses and discloses patient medical informationwhen substance use is involved. There is variation among treatment facilities, physicians’, and integrateddelivery systems understanding of C.F.R 42 Part 2, it’s relation to HIPAA, and the application of each. Treat-ment facilities note stringent precautionary measures to safeguard patient substance use information. Whilephysicians comment on limited or restricted access to patient medical files and often choose not to requestthose records because of the perceived difficulties in access and use. Treatment facilities note that patientsubstance files are specially protected and kept in a locked cabinet behind a double locked door.

100


Patient Care C

Physician X

Physician OfficeLong-term Care Facility

Out of CountryTranscription Service

Hospital

Patient

UT_03_01BP_business_agreements_physicianUT_03_01-1BP_business_agreements_LTCUT_03_02BP_security_training_LTCUT_03_03BP_access_mental_health-infoUT_03_04BP_temporary_access_to_LTC_recordsUT_03_04-1BP_temporary_electronic_access_to_LTC_records

UT_03_05BP_receive_fax_transmission_patient_infoUT_03_06BP_transmission_mental_health_data_electronicUT_03_07BP_storage_of_mental_health_phi

Observations: There is variation among long-term care facilities practices for granting physicians temporaryaccess to their facility and records system but facilities have procedures in place should temporary accessbe necessary under such situations. The sharing of patient information differs from provider to provider withsome requiring that a business associate agreement be in place and others indicating such agreements arenot necessary between providers involved in the treatment of a patient. Most information transmitted to andfrom long-term care facilities is done by fax.

101


Patient Care D

State AGeneral Hospital

Mammography Department

State Line

Neighboring State “B” Hospital

Outpatient Clinic

Deceased Aunt’s BraCa testresults

UT_04_01BP_authorization_to_re-lease_information

UT_04_02BP_authenticate_entitiesUT_04_03BP_need_to_knowUT_04_05BP_transmit_mammogram_digitalUT_04_06BP_transmit_mammogram_film

UT_04_04BP_release of deceased_medical_information

Observations: The majority of mammograms done in our state are on film; this is the case in both rural andurban facilities. One Integrated Delivery System (IDS) currently uses digital images for mammography and asecond has plans to transfer to digital within the next two years. However, even at the IDS that uses digital,the images are printed in hard copy for the physicians as most institutions and physicians are not comfortablewith digital. Films are transmitted or exchanged by mail, courier, or the patient with signed patient release.There is no implication for exchanging information across state lines or when dealing with an HIV positivepatient as precautionary measures would not differ given this condition. Requests from out of state facilitiesrequire authorized release that is faxed or mailed. Utah Code 78-25-26 establishes regulations for release ofmedical information for a deceased relative.

102

Appendix D. Business Practice Map by Scenario

Payment

Health Plan (Payer)

Health Plan Case Managers

Health Care Provider with EHR

Patient

UT_05_01BP_authorization_to_release_patient_informationUT_05_03BP_sharing_patient_data_agreementUT_05_04BP_minimum_necessary_required_fortransmissionUT_05_04-1BP_minimum_necessary_re-quired_for_transmissionUT_05_05BP_transmission_of_data

UT_05_01-1BP_authorization_to_re-lease_patient_informationUT_05_02BP_Access_control_to_patient_info

Observations: Payers work with the understanding that authorization is not needed for payment purposes.Nevertheless, payers will engage in business agreements with health care providers to facilitate the paymentprocess. Health care providers show variation in whether or not they obtain authorization from patients to allowaccess to patient information for payment purposes. Providers tend to error on the side of caution and moreoften will obtain patient consent. As providers have different levels of EMR technology and comfort with thistechnology the process by which payers accesses patient and billing information varies. Both payers andproviders report little variation in the description of what constitutes “minimum necessary” according to HIPAA.

103


Regional Health Information Organization (RHIO)

RHIO

ProviderOrganization




UT_06_01BP_Exchange_phi_between_providersUT_06_02BP_PHI_RHIO_new_exchange_coordination

Observations: The RHIO scenario does not describe the services performed by the Utah RHIO. The UtahRHIO is a gateway or information highway where information is exchanged between different organizations.The Utah RHIO does not request or permanently store data. The Utah RHIO functions like the post office ingetting information routed from the sender to the intended receiver. The Utah RHIO does not perform qualitymeasurements on its member’s data. The Utah RHIO has a standards committee for chartering a subcom-mittee to develop a community standardized message should members want to exchange/submit patientinformation from one organization to another.

104


Research Data Use

IRB

PrincipalInvestigator

Re-AuthorizationParental Permission

Document

IRB

Post-doc requests raw data for whitepaper

Data-only Waiver:Privacy Rule 45

C.F.R. 164.512(i)

Update Assentdocument

(ages 7 -17)

UT_07_01-1BP_IRB_approval_post-doc

UT_07_03BP_obtain_parental_re-consent_PI

UT_07_01BP_IRB_approval_PIUT_07_01-2BP_IRB_approval_by_IRB

UT_07_01-2BP_IRB_approval_by_IRB

UT_07_02BP_parental_consent_bypass_PI

Observations: The decision to resubmit to IRB is found to be at the discretion of the principal investigator,variation exists in this decision. Even though it is implied that the drug company owns the data the decisionto resubmit is linked to authorship. If the principal investigator does not want to have ties to the secondaryanalysis he/she will request the post-doc to independently submit to IRB. Variation is noted in the require-ment of parental approval for the use of data beyond that originally included in the protocol approved by IRB.Some believe the approval is required and others believe it can be waived.

105


Access by Law Enforcement

Hospital

ER staff

PatientParent’s Insurance

Law Enforcement Officers

Patient’s Parents

Observations: A chasm exists between law enforcement and hospital with regards to communication.Hospital physicians are not willing to disclose information without subpoena to avoid legal entanglements.Hospital physicians are also very careful not to disclose information to parents and instead will opt to let thepatient inform parents regarding their medical information. No agreements between law enforcement andhospitals for blood alcohol levels. Most law enforcement agencies have business agreements with para-medics for blood alcohol draws. Law enforcement officers are careful to gather as much information aspossible before the patient gets to the hospital. Because little if any information can be gathered after thepatient enters the hospital without initiating legal paperwork.

UT_08_04BP_release_of_medical_information_hospital_to_insurance

UT_08_01BP_blood_alcohol_sample_law_enforcement

UT_08_06BP_obtaining_medical_information_from_hospital

UT_08_06-1BP_obtaining_medical_information_from_hospital

UT_08_02BP_patient_statusUT_08_03BP_release_of_medical_information_hospital_to_lawUT_08_05BP_release_of_medical_information_hospital_to_parent

106


Pharmacy Benefit Manager A

Pharmacy Benefits Manager (PBM with mail orderpharmacy- closed formulary

Patient

Out-of -State clinic

Prescribing Physician

UT_09_01BP_authorization_to_disclose_patient_info_for_prescription_fillUT_09_02BP_PHI_sent_from_PCP_to_pharmacyUT_09_03BP_PHI_sent_from pharmacy_to_PCPUT_09_04BP_Pharmacy_communication_with_patient_and_physicianUT_09_05BP_acknowledgement_receipt_hipaa_policyUT_09_06BP_PCP_communication_with_patient

Observations: There is variation in who contacts the patient to inform that the original prescription authorizedis not on the formulary. In some cases the mail order pharmacy will contact the patient and in other cases itis the physician. Variation was reported in the options offered to the patient given this situation (e.g. pay out ofpocket for original medication or choose an alternate medication). Consistent agreement that pharmacyreceives “minimum necessary” to fill their orders.

107


Pharmacy Benefit Manager B

Pharmacy Benefit Manager 1(wants the acquire the contract- reviews drug usage and cost

to provide estimate)

Pharmacy Benefit Manager 2(has the contract)

EmployeesCompany A

Currently contracted withPBM2 - looking for better

benefit/cost

UT_10_01-1BP_business_agreements_share_patient_data_pharmacyUT_10_02-1BP_limits on_info_shared__pharmacy

UT_10_01BP_business_agreements_share_patient_data_companyUT_10_02BP_limits on_info_shared__company

Observations: Variation exists in whether or not a business agreement is required to share informationbetween the parties. The company reported they would require a business associates agreement regard-less of whether the data was de-identified. The pharmacy benefits manager did not feel an agreement wasnecessary if the data was a de-identified.

108


Healthcare Marketing and Operations A

Integrated Delivery System

CAH CAH

CAH CAH

CAH CAH

CAH CAH

CAH

CAH

10 Critical Access Hospitals

Tertiary Hospital

Observations: This scenario is not very applicable in Utah. Not many entities, if any, were found to marketin this fashion. These entities rarely direct market to individuals. General brochures are a more commonform of marketing in Utah as concerns were expressed about HIPAA and the use of PHI to generate revenue.In the case that covered entities would direct market, patient authorization would be required.

UT_11_04BP_patient information_for_marketingUT_11_05BP_third_party_release_for_marketing

UT_11_01BP_non-direct_marketingUT_11_02BP_internal_information_sharing_integrated_health_deliveryUT_11_03BP_authoruzation_for_marketing_information

109


Healthcare Marketing and Operations B

Mail House

Diaper Company

Hospital

Obstetrics Department Marketing Department

- Patient information - Inform public of pediatricwing/services

- Register for parentingclasses

- Solicit donations forneonatal intensive careunit

UT_12_05BP_transmit_patient_info_to_mail_list

Sell data to com-pany to directmarket to newparents

UT_12_01BP_patient_information_useUT_12_01-1BP_patient_information_useUT_12_02BP_patient_information_for_internal_marketingUT_12_03BP_patient _information_use_external_mail_houseUT_12_04BP_business_agreement_third_party_marketing

Observations: One hospital system reported having a business agreement with a mail house that specifiesthe terms and limits of the contract for direct mailing. The hospital provides PHI on CD or electronic file to themail house that is for one time use and then destroyed. We found no selling of PHI to outside entities.Different hospitals use PHI in different ways for marketing purposes. Some use the mail house as outlinedabove and others have an internal marketing department that sends information out. If the marketing is doneinternally the data is de-identified.

110


Bioterrorism

Federal Government

StateEmergency ResponseHazmat,Law Enforcement,EMS,Media, others

State LaboratoryResponse Network -

Local Public Health Department Public Health in adjacent county

Patient (suspectedanthrax exposure)

Provider/Physician

Laboratory

UT_13_02BP_notify_possible_exposure_to_state

UT_13_03BP_coordination_bioterror_in-vestigation_federalUT_13_04BP_coordination_local_bio-terror_investigationUT_13_05BP_transmit_informationUT_13_06BP_public_re-lease_of_informationUT_13_01BP_collect_information_bio-

terror_investigationUT_13_06-1BP_public_re-lease_of_information

Observations: In this state (red), there is real-time notification through the LRN. The LRN (State LaboratoryResponse Network) is the hub (unit) in such situation which sends critical information given a indicatedanthrax case. Variation exists in how information is released and how it is collected. The public healthdepartment is pecieved as a one-way information path, that will take information but not give it. Law enforce-ment is clear about their role and that of public health officials: if the result is positive something happens -public health would act immediately.

111


Employee Healthcare

Hospital - ER physician with EMR

Work Release Document-transmit via email toemployee HR dept.

Company A - HR Dept.

Employee of Company A visits ER-requests ER send Work Release

Document to employer

UT_14_01BP_generic or de-

tailed_return_to_work_formUT_14_02BP_patient_authori-

zation_to_mail_or_fax_infoUT_14_03BP_Clarification_or_re-

turn_to_work_procedureUT_14_04BP_Information_in-

cluded_in_generic_return_to_workUT_14_05BP_transmission_of_return_to_-

work_by_encrypt-ed_email_with_partnersUT_14_05-1BP_transmission_of_re-

turn_to_work_by_email_not_alllowedUT_14_05-2BP_transmission_of_re-

turn_to_work_by_email_possible_encryption

UT_14_06BP_HR_Company_process_return_to_workUT_14_07BP_Company_transmission_return_to_work_practiceUT_14_07-1BP_Company_transmission_return_to_work_practiceUT_14_08BP_HR_dept_recipt_of_unrequested_info

Observations– We found that no hospital transmits info via email from their EMR systems for return towork purposes, nor did any feel this was appropriate. Minimum necessary under HIPAA is critical in thisscenario.

112


Public Health A

State A - Departure State(State Health Department)

State B - Arrival State(State Health Department)

Bus Company

Physician Law EnforcementLaw Enforcement

UT_15_02BP_departing state_notify_arriving_stateUT_15_03BP_departing_state_notify_bus_company

UT_15_01BP_clinician_no-tify_public_health

UT_15_04BP_arriving_state_notify_law_en-forcementUT_15_05BP_law_enforcement_notified

Observations: Poor communication channels between local law enforcement and public health. Informationflows in one direction. Law enforcement enters situations without all information necessary to appropriatelyprotect their officers. The state has resources like a secure TB unit in case of this type of emergency. Thestate has a policy to balance individual liberty interest with the need to protect the public health throughquarantine in the event of a mass exposure to a harmful biologic agent (Policy Utah Code 26-6b).

113


Public Health B

State Laboratory(Newborn Screening -

positive results)

Tests conductedby Reference

Lab

State Public HealthDepartment

Physician

Patient

UT_16_04BP_state_public_health_access_to_patient_informationUT_16_05BP_State_public_health_notify_parents

UT_16_06BP_physician office_health_dept_communicationUT_16_07PB_physician_contact_parents_with_results

UT_16_01BP_testing_by_reference_labUT_16_02BP_abnormal_result_processUT_16_03BP_transmission_lab results

Observations: 1) Utah does not notify the specialty care centers unless there is critical (as agreed uponwhen establishing the follow up protocol for each disorder with the specialists) results. We do not have or usean Interactive Voice Response System. We do not have a registry for our identified and confirmed cases.Identified PKU and galactosemia (gg and Dg) patients can be tracked through the Metabolic Clinic. UDOH isinvolved in a project within the Region looking at developing a registry system, data collection elements, andformat at this time. UDOH does provide some services through the Metabolic Clinic for PKU and galac-tosemia (gg or Dg) only. Medical homes and families are notified of eligibility for this clinic upon diagnosis. 2)The state contacts the parents in addition to the physician. 3) State testing is sent out to a regional lab fornewborn screening testing.

114


Public Health C

Possible Relative

County ShelterPatient Primary Care Provider

Drug Treatment Clinic

Patient

County (reimbursement)

UT_17_01-1BP_health_information_sharing_between_facilitiesUT_17_03BP_release_of_PHI_to_poss-ible_relative

UT_17_03-1BP_release_of_PHI_to_possible_relative

UT_17_01BP_health_information_sharing _between_facilitiesUT_17_02BP_homeless_shelter_receiving_request_for_PHI_from_public

Observations: 1) As the primary care provider I feel this situation is not applicable. We do not have countyshelters and we have no hospital-affiliated drug treatment clinics that serve the homeless. Our homeless aretreated in social-based, not medical-based, facilities. 2) It is very rare that a homeless person would have aprimary care provider. 3) The front end of this scenario did not apply to our state very well

115


Government Oversight

Governor

State Department of Health

Public Health

Medicaid Services

Child Welfare and ProtectiveServices

Education

USIIS

UBLR

Pediatrician

Laboratory

UT_18_02BP_lab_submit_positive_lead_result_to_state

State University Faculty

UT_18_03BP_establishing_data_shar-ing_agreement_Public_Health_to_Uni-versity

UT_18_04BP_university_researcher_ac-cess_to_data

UT_18_01BP_pediatrician_lead_screen

Observations: The Department of Health maintains the Utah State Immunization Information Systems (USIIS)that holds records of children’s immunizations. Approximately 130 of 350 provider offices have enrolled withuser confidentiality to have access to USIIS. All office staff of participating providers are granted access toUSIIS. Access is renewed annually and any office staff that terminate employment or that are released areremoved from having access. Only authorized health care users have access to USIIS. Utah also added leadpoisoning to the injury surveillance and reporting system in 1990 per Utah Code R386 - 703 (Injury ReportingRule).

The state maps and tracks this information and it can easily be share with public officials. USIIS is widelyused.

116

Appendix F.SWG Decision Tree

117

Appendix F. Solutions Work Group Decision Tree

Does this present a barrierto exchange?

Is appropriate privacy andsecurity maintained?

Is it an appropriatebarrier?

Does this promote (Aid)the exchange process?

No

Yes No Yes No

Is theexchangeelectronic?

SolutionNeeded

Is theexchangeelectronic?

Neutral

Yes No

Should theexchange beelectronic?

AppropriateBarrier toElectronicExchange

Yes No

Yes No

SolutionNeeded

AppropriateBarrier to non-

ElectronicExchange

Aid toelectronicexchange

Should theexchange beelectronic?

Yes No

SolutionNeeded

Aid to non-ElectronicExchange

Yes No

Assess exchange

○

○

○

○ ○ ○ ○ ○ ○ ○

○

○

○

○

○

○

○

○

○

○

○

○ ○ ○ ○ ○ ○ ○ ○ ○

< ><

Purpose: Identify and evaluate solutions that:- Eliminate barriers to the appropriate electronic exchange of health information,- Provide health care organizations flexibility in implementing mechanisms for the appropriate

electronic exchange of health information; and- Maintain and provide appropriate privacy and security protections for individuals’ health information.

· Barrier: Identified obstacles to the exchange of health information.

· Appropriate Barrier: Obstacles to the exchange of health information that are appropriate andmaintain security and privacy.

· Aid: A business practices that promote the exchange of health information and maintainsappropriate security and privacy.

· Neutral: Business practice has no impact on the exchange of health information.

Yes

SolutionNeeded

118

Appendix G.Legal Reference Guide- Utah State Office of the At-

torney General11

119

Appendix G. Legal Reference GuideUtah Statute HIPAA Cite

UCA 26-1-17.5(1)Release of confidential records governed by this title

164.502 - Uses and DisclosuresSummary/Preemption Analysisii: Consistent / Analysis of this section is dependent on review of othersection of this title. As is discussed in later sections of this analysis, it appears that UDOH covered entitiescan comply with both HIPAA and Title 26.

UCA 26-1-17.5(2) Sharing immunization records with schools

164.512(b)(i) - Public Health ExceptionSummary/Preemption Analysis: Consistent / HIPAA permits disclosure of PHI/IIHI by a covered entity forpublic health activities. Most sharing of immunization records will not be covered by HIPAA as this functionin UDOH is performed by a non-covered entity.

UCA 26-1-30Powers and duties of department 164.512(a) and (b)Summary/Preemption Analysis: Consistent / Conduct of public health activities is supported by theHIPAA privacy rule.

UCA 26-2-3 to –28, except for –23 belowVital Records 164.512(a) and (b); 160.203(c)Summary/Preemption Analysis: Consistent / Collection of vital records is a core public health functionrequired by law and consistent with HIPAA’s requirements.

UCA 26-2-23Records required to be kept by health care institutions – Information filed with local registrar and department

160.203(c), 164.512(a)Summary/Preemption Analysis: Consistent / Hospitals are clearly covered entities under HIPAA. Thisstatute requires hospitals to collect and report vital records. HIPAA authorizes release of PHI without patientconsent for this type of public health activity. Covered entities can comply with this state law and HIPAA.

UCA 26-3-2Voluntary collection of health data 164.512(b)Summary/Preemption Analysis: Consistent / Section 512(b) of HIPAA authorizes covered entities torelease data to public health authorities where the authority is authorized to receive the data. This voluntaryreporting section authorizes the Department to receive a data report. It will protect covered entities thatchoose to voluntarily report.

UCA 26-3-4Quality and publication of statistics as practicable 160.203Summary/Preemption Analysis: Consistent / But for the qualification in this statute that publishingstatistics only occur when it is practicable, HIPAA requirements may have been in conflict. If a UDOHcovered entity determines that a statistical report has identifiable data, then the report would not be practi-cable.

120

i All references are found in 45 CFR. For example a listing of 160.203 refers to 45 CFR 160.203ii Consistent indicates that the state statute does not appear to directly conflict with HIPAA. Inconsistent indicates that the state

statute and the HIPAA rule appear to be in direct conflict. Consistent in part indicates that the state statute and the HIPAA rule apearto be consisent in part and inconsistent in part. Further analysis required indicates that a conclusion as to whether the state statuteand HIPAA are consistent could not be reached and that further information and analysis is required. Beyond scope indicates thatthe state statute does not appear to intersect with HIPAA. For example, the statute may relate only to a non-covered entity (e.g.,Department of Insurance).

i


UCA 26-3-6Department may participate with other agencies to develop uniform standards for management of healthinformation. 164.502Summary/Preemption Analysis: Consistent / One of the primary goals of HIPAA was the standardizationof health transactions between covered entities.

UCA 26-3-7(1)Disclosure of health data – Consent required 164.502, 164.508, 164.502(g)Summary/Preemption Analysis: Consistent in part / All of the 26-3-7 areas start with the premise that theDepartment may not release identifiable data unless allowed by one of the exceptions in this section. HIPAA requires that either the subject of the PHI or an appropriate representative consent to disclosurebefore releasing data, except for the 512 exceptions, such as public health. To the extent that thesesections can be interpreted as consistent with HIPAA requirements, they will not be preempted.

(a) the individual – this is consistent with HIPAA and will permit using a HIPAA compliant consent form.(b) the next-of-kin if the individual is deceased – HIPAA defers to state law on who is authorized to act

on behalf of a deceased person. Under most circumstances next-of-kin are not authorized, absentcourt appointment to act on behalf of a deceased person. This section is not consistent with HIPAAand should not be followed by UDOH covered entities.

(c) the parent or legal guardian if the individual is a minor or mentally incompetent – HIPAA defers tostate law in this circumstance also. Unlike this statute, HIPAA distinguishes between emancipatedand un-emancipated minors and makes it clear that a parent cannot authorize disclosure of a minorchild’s records if the child is authorized to make a treatment decision without the parents consent. In this latter circumstance, this section is not consistent with HIPAA and should not be followed byUDOH covered entities.

(d) a person holding a power of attorney covering such matters on behalf of the individual – So long asthe “covering such matters” language in this statute is interpreted to mean that the person has beengranted authority to make health care decisions, then this section is consistent with HIPAA.

UCA 26-3-7(2)Disclosure to another Government Entity. 164.512Summary/Preemption Analysis: Consistent in part / This section is very much like a business associateagreement under HIPAA. The data must be used for the purpose for which it was collected. The govern-ment entity must agree not to further release the data and to safeguard the data. If the disclosure furthers atreatment, payment or operations activity of a covered entity, then the release would be allowed as abusiness associate relationship between the covered entity and the other government entity. If not, and therelease is not permitted by one of the 512 exceptions, then for that circumstance this section would beinconsistent with HIPAA and should not be followed by a UDOH covered entity.

UCA 26-3-7(3)Disclosure for Research or Statistical Purposes 164.512(i)Summary/Preemption Analysis: Consistent / So long as UDOH rules continue to require an InstitutionalReview Board approval prior to allowing release of identifiable data for research, this section is consistentwith HIPAA.

UCA 26-3-7(4)Disclosure for Audit, Evaluation or Investigation of the Department 164.506(a), 164.512(a),(d)Summary/Preemption Analysis: Consistent in part / Any release pursuant to this section that falls withinthe scope of treatment, payment or operations of the covered entity, may be accomplished pursuant to abusiness associate agreement and stay in compliance with HIPAA. Disclosures that are for health oversight

121


activities authorized by law are also permitted by HIPAA. Other releases in this area would not be consis-tent with HIPAA and should not be permitted by UDOH covered entities.

UCA 26-3-7(5)Disclosure for Disease Surveillance 164.512(a),(b)Summary/Preemption Analysis: Consistent / The releases discussed in this area are all within existingstate law for disease surveillance or other authorized public health activities.UCA 26-3-7(6)Disclosure to Health Care Provider to Protect Patient or Others Closely Associated with the Patient

164.506(a)Summary/Preemption Analysis: Consistent in part / UDOH covered entities may disclose PHI about apatient for the patient’s own treatment under HIPAA. The language of this section authorizes a release, sothe public health exception would validate any release within the scope of that exception. To the extent thatany other contemplated release to protect others was required by law, HIPAA would also be consistent. Other releases would be inconsistent and should not be allowed by UDOH covered entities.

UCA 26-3-7(7)Disclosures for Payment 164.506(a)Summary/Preemption Analysis: Consistent / HIPAA allows releases for payment activities of coveredentities.

UCA 26-3-7(8)Disclosure to the Subject of the Identifiable Health Data

164.502Summary/Preemption Analysis: Consistent / People generally have the right to access their own healthdata upon appropriate verification of identity under HIPAA.

UCA 26-3-8Discretion of department to make disclosures under 26-3-7

164.502Summary/Preemption Analysis: Consistent in part/ UDOH covered entities retain discretion on whether topermit a release of data in many circumstances. However, in the case of the right of the individual to accesshealth data, UDOH covered entities would not have discretion and in this case this statute is inconsistentwith HIPAA.

UCA 26-3-10Department measures to protect security of health data

164.530(c)Summary/Preemption Analysis: Consistent / The requirements of this section to safeguard identifiablehealth data mirror HIPAA requirements.

UCA 26-4-11, -14, -17, -23, -26, -27:Medical Examiner Receipt and Release of Records 160.203(c), 164.512(a),(g),Summary/Preemption Analysis: Consistent / The Medical Examiner is not a covered entity. Release andretention of records by the Medical Examiner is therefore not covered by HIPAA. The sections dealing withmandatory reporting to the Medical Examiner by covered entities is permissible under the 512 exceptions.

UCA 26-6-6:Communicable Disease Reporting 164.5129(A)Summary/Preemption Analysis: Consistent / Mandatory state reporting requirements, including communi-

122


cable diseases, is permitted under HIPAA.

UCA 26-6-18VENEREAL DISEASE - CONSENT OF MINOR TO TREATMENT

164.502(g)(3).Summary/Preemption Analysis: Consistent / HIPAA defers to state law regarding a minor’s power understate law to make the medical decision. The CE may not notify parent without minor’s consent.

UCA 26-6-27(1)Information received by the Department regarding communicable or reportable disease confidential

160.203(c), 164.512Summary/Preemption Analysis: Consistent / Communicable disease information is received and man-aged by entities within the UDOH that are not covered by HIPAA. If any local health department entityreceiving data is part of a covered entity, the provisions in this section are not contrary to HIPAA and providein some instances more protection of this data.

UCA 26-6-27(2)Release of Communicable Disease Information 160.203(c), 164.512Summary/Preemption Analysis: Consistent / Unlike UCA 26-3-7 which covers all data voluntarily suppliedto the Department, this section is limited to communicable or reportable disease information. Most entitiesin state and local government dealing with this information will not be covered entities. However, even if theywere covered entities, the broad public health and abuse reporting exceptions in HIPAA would permit thissharing of data.

UCA 26-6-29:Violation for release of communicable or reportable disease information

160.203(c)Summary/Preemption Analysis: Consistent / HIPAA permits state laws that are more protective to remainenforceable. Any covered entity can comply with both this section and HIPAA.

UCA 26-6-30Exclusions from confidential requirements 164.512Summary/Preemption Analysis: Consistent / This section merely says that the provisions of this chapterdo not apply in certain circumstances. For covered entities, HIPAA would still apply in all circumstances,so there is no problem complying with this section.

UCA 26-6a-5Reporting of possible communicable disease exposures to EMS personnel, reporting test results to patients

164.512(a),(b)(iv)Summary/Preemption Analysis: Consistent in part / This mandatory public health reporting in this sectionis permissible under HIPAA. 26-6a-5(1)(d) mandates that a facility receiving a patient tested for AIDS or HIVinfection withhold that information from a patient and allow Department personnel to provide those testresults. The situations where HIPAA permits withholding information from a patient are quite limited andwould not permit this blanket withholding of information. For covered entities, this section is preempted.

UCA 26-6a-7Penalty for violation of confidential requirements‘ 160.203Summary/Preemption Analysis: Consistent / States are free to be more protective of data.

UCA 26-6a-8

123


Patient notification and counseling 160.203Consistent - Mandated counseling in this section does not violate any HIPAA provision.

UCA 26-6b-5 and -6Quarantine, isolation and voluntary treatment 164.512Consistent - Covered entities may comply with releasing information necessary to support public healthinterventions in this area due to the section 512 HIPAA exceptions.

UCA 26-8a-203Emergency Medical Services Data collection 164.512Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA.

UCA 26-8a-253Statewide trauma registry and quality assurance program 164.512Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA.

UCA 26-18-103Drug Utilization Review Board – Responsibilities 164.506(a); 164.512(d)Summary/Preemption Analysis: Consistent / The activities of the Drug Utilization Review Board arepermitted as either a health oversight activity or as part of the treatment, payment or operations of govern-ment funded medical programs. Access to PHI by the board to conduct activities required by Utah law ispermitted by HIPAA.

UCA 26-18-104Confidentiality of records held by the DUR 164.508Summary/Preemption Analysis: Consistent / The confidentiality requirements of this section are inharmony with HIPAA requirements.

UCA 26-19-18Release of medical billing information regarding Medicaid recipient’s restricted

164.502Summary/Preemption Analysis: Inconsistent / This section seeks to restrict patient access to their ownmedical records to support third party liability collections undertaken on behalf of government fundedmedical programs. HIPAA does not permit this restriction and covered entities in Utah should not follow thissection.

UCA 26-21-9Application for license – Information required – Public records

160.202 (definition of “contrary”), 160.203, 164.512(a)Summary/Preemption Analysis: Consistent / Licensing activities in the UDOH are not conducted bycovered entities. The reporting required by this section is permitted by HIPAA under the 512(a) exception.

UCA 26-21-20Mandate for Hospitals to Provide Itemized List of Charges

164.502Summary/Preemption Analysis: Consistent in part / Two areas of this law are not consistent with HIPAA. The overall requirement to provide an itemized list of charges at the hospital’s expense is permissible,except in the case of an “agent”. This term is not defined and could be inconsistent with HIPAA’s require-ment of limiting access to the patient or someone authorized to make health care decisions on behalf of the

124


patient. Section (5), like 26-19-18 limits access by Medicaid recipients to their own medical records. Thisrestriction is inconsistent with HIPAA and should not be followed by covered entities.

UCA 26-23a-2Injury reporting requirements 164.512(a)Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA.

UCA 26-23b-103Detection of Public Health Emergencies - Mandatory reporting requirements

164.512(a)Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA.

UCA 26-23b-104Public Health Emergencies: Authorization to report 160.203(c), 164.512(b)Summary/Preemption Analysis: Consistent / This section authorizes reporting of medical observations bycertain providers that suspect an epidemic disease or bio-terrorism event may be involved. The public healthexception in 164.512(b) expressly recognizes authorized, but not required, reporting as valid under HIPAA. This section becomes mandatory in the event a public health emergency is declared.

UCA 26-23b-108Investigation of suspected bioterrorism and communicable diseases-requirement to destroy records

160.203(c), 164.512(a), 164.512(j)Summary/Preemption Analysis: Consistent in part / For all UDOH activities this section is valid, sincenone of the entities involved in this activity are covered by HIPAA. If a local health department engaged inthis activity is part of a covered entity, then the covered entity may need to retain the records consistent withthe entities policy for retention of records regarding treatment of a patient.

UCA 26-25-1 to -5Health Oversight Reporting 160.203(c), 164.512(d)Summary/Preemption Analysis: Consistent in part / Health oversight activities authorized by law mayreceive data from covered entities without the patient’s permission under 164.512(d). Subsection (3) makesit clear that the purpose of the releases authorized by this state law is improvement of health care. Mostentities receiving data under this would not be covered entities. If a covered entity receives data under thissection, and includes that data in the facility’s designated record set, access to identifiable data would begoverned by HIPAA requirements and the provisions of this section that would deny access under circum-stances where HIPAA permits access would be preempted

UCA 26-33a-104, -106, -108, -109, -111Health Data Committee - purpose, powers and duties of the committee

164.512(a)Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA.

UCA 26-45-103, -104Genetic Privacy Act -Restrictions on employers and insurers 160.203Summary/Preemption Analysis: Consistent / State laws that afford additional protection to a patient’sexpectation of health information privacy are permitted under HIPAA so long as a patient’s access is notunduly restricted. This law provides greater protection for a patient’s PHI, in that it prohibits disclosures of

125


the genetic test results to employers or health plans (except in very restricted circumstances), as well asimposes minimum necessary restrictions on PHI release to health plans for payment purposes. This lawdoes not allow the CE to honor an authorization signed by the patient to release genetic tests results to theemployer or health plan. This does not cause a preemption issue because the privacy regulations do notcompel the CE to honor an authorization by the patient.

UCA 26A-1-114: Powers and duties of local health departments 164.512Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA. In addition public health activities are seen as a national priority and HIPAA is intendedto not interfere with traditional public health activities.

UCA 30-2-9Family Expenses 164.522(a)Summary/Preemption Analysis: Consistent / CE may disclose information to patient’s spouse if spouseis involved in paying medical bills. HIPAA does not prohibit a disclosure to a spouse if the CE needs todisclose it for its own payment activities, unless the patient has requested a restriction to the disclosure,and the CE agreed. 67 Fed. Reg. 53182,53203

UCA 31A-31-101 to -108Insurance Fraud Act - Reports to Government Agencies and Insurers

164.512(d), 164.506(c)Summary/Preemption Analysis: Consistent / This act authorizes health care providers to share informa-tion about insurance fraud with various government agencies, including the Department of Insurance and theAttorney General’s Office. The Health Oversight reporting provisions of HIPAA at 164.512(d) permit this. Reports to insurers are also permitted by HIPAA as operations when both parties have a relationship withthe patient.

UCA 53-3-303(14)(c)Reporting impaired driver 164.512Summary/Preemption Analysis: Consistent in part / A health care professional is granted immunity for agood faith report on an impaired driver. Nothing in this section requires reporting. If the report is authorizedby one of the section 512 exceptions, such as to avoid an imminent danger and the report is made tosomeone that can intervene, then this section is not impacted. In all other circumstances, the CE shouldobtain patient consent before making the report.

UCA 58-13-5(3)(h)Mandatory Report to Division of Occupational and Professional Licensing of health care provider abusingalcohol or drugs 165.512Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA. Covered entities should be aware that HIPAA does not preempt the stricter standardsimposed by 42 CFR Part 2 (Confidentiality of Alcohol and Drug Abuse Patient Records) for any providerparticipating in a treatment program covered by that section. Analysis of whether 42 CFR Part 2 preemptsthis section of state law is beyond the scope of this analysis.

UCA 62A-3-206Long-term Care Ombudsman 164.512(d) 160.203(b)Summary/Preemption Analysis: Consistent / This Utah law is not contrary to HIPAA; a covered entitymay comply with both. According to the DHHS Administration on Aging (see AOA-IM-03-01) the LTCOP is a“health oversight agency” and the Privacy Rule does not preclude release of residents’ clinical records to theLTCOP with or without authorization of the resident or residents’ legal representative. The UCA provision

126


regarding written permission is more protective of an individual’s privacy than HIPAA.

UCA 62A-3-207LTCOP files are confidential, disclosure at ombudsman’s discretion.

160.102Summary/Preemption Analysis: Consistent / The LTCOP is not a covered entity, therefore HIPAA doesnot preempt its use/disclosure of health information. GRAMA applies.

UCA 62A-3-303Adult Protective Services access to facilities and records 164.512(c), 160.203(c)Summary/Preemption Analysis: Consistent / HIPAA defers to state law regarding reporting abuse orneglect, and a covered entity may comply with both. A covered entity may disclose PHI about a suspectedvictim of abuse or neglect to a protective services agency to the extent the disclosure is required by law, andthe disclosure complies with and is limited to the requirements of such law. The covered entity is required toinform the individual that the report is being made unless the covered entity believes informing the individualwill place the individual at risk of serious harm, or unless they’d be informing the individual’s personalrepresentative, they believe the PR is responsible for the neglect or abuse, and informing the PR would notbe in the individual’s best interest.

UCA 62A-3-304Caretaker, facility or institution may not use its confidentiality standards as a basis for failure to report toAPS 164.512(c), 160.203(c)Summary/Preemption Analysis: Consistent / HIPAA defers to state law regarding reporting abuse orneglect, and a covered entity may comply with both. A covered entity may disclose PHI about a suspectedvictim of abuse or neglect to a protective services agency to the extent the disclosure is required by,complies with and is limited to the requirements of law.

UCA 62A-3-305requires persons to notify Adult Protective Services intake or the nearest law enforcement agency of abuse /neglect. 164.512(a)(1) 164.512(c) 160.203(c)Summary/Preemption Analysis: Consistent / HIPAA defers to state law regarding reporting abuse orneglect, and a covered entity may comply with both. A covered entity may disclose PHI about a suspectedvictim of abuse or neglect to a protective services agency to the extent the disclosure is required by law, andthe disclosure complies with and is limited to the requirements of such law. The covered entity is required toinform the individual that the report is being made unless the covered entity believes informing the individualwill place the individual at risk of serious harm, or unless they’d be informing the individual’s personalrepresentative, they believe the PR is responsible for the neglect or abuse, and informing the PR would notbe in the individual’s best interest.

UCA 62A-3-311.1The Division of Aging and Adult Services maintains a data base for reports of vulnerable adult abuse / neglectfor specified purposes 160.102Summary/Preemption Analysis: Consistent / The Division of Aging and Adult Services is not a coveredentity, therefore HIPAA does not preempt its use/disclosure of health information. GRAMA applies.

UCA 62A-3-312The DAAS data base and case files are classified as protected under GRAMA; disclosures are limited tospecified individuals. 160.102Summary/Preemption Analysis: Consistent / The Division of Aging and Adult Services is not a coveredentity, therefore HIPAA does not preempt its use/disclosure of health information. GRAMA applies.

127


UCA 62A-4a-116The Division of Child and Family Services maintains protected records in a Management Information Sys-tem; disclosures are limited to specified individuals. 160.102Summary/Preemption Analysis: Consistent / The Division of Child and Family Services is not a coveredentity, therefore HIPAA does not preempt its use/disclosure of health information. GRAMA applies.

62A-4a-116.1 and 116.2DCFS maintains protected records in a Licensing Information System; disclosures are limited to specifiedindividuals. 160.102Summary/Preemption Analysis: Consistent / The Division of Child and Family Services and the Office ofLicensing are not covered entities, therefore HIPAA does not preempt their use/disclosure of health informa-tion. GRAMA applies.

UCA 62A-4a-116.5DCFS sends a notice to a person with respect to whom it makes a finding of abuse/neglect/dependency,and the person has the right to request a copy of the report.

160.102Summary/Preemption Analysis: Consistent / The Division of Child and Family Services is not a coveredentity, therefore HIPAA does not preempt its use/disclosure of health information. GRAMA applies.

62A-4a-202.3When DCFS takes a child into protective custody, the investigation includes a review of any reports of pastabuse/neglect involving the child, siblings, and other children in the household, interviews of health careproviders, and a medical examination of the child. 164.512(b) 160.203(c)Summary/Preemption Analysis: Consistent / UCA §62A-4a-202.3 is not preempted by HIPAA. A coveredentity may disclose PHI to appropriate governmental authority authorized by law to receive reports of childabuse or neglect. HIPAA permits a covered entity to comply with both UCA and HIPAA.

62A-4a-205An interdisciplinary team, including a mental health representative, creates a treatment plan that provides forthe health, safety and welfare of a child in temporary DCFS custody, including the health and mental healthcare to be provided to the child. The plan is provided to the GAL, natural and foster parents.

160.102Summary/Preemption Analysis: Consistent / DCFS is not a covered entity, therefore HIPAA does notpreempt its use/disclosure of health information. GRAMA applies. The mental health representative may ormay not be part of a covered entity. Even if covered, the mental health representative may help create atreatment plan without wrongfully using or disclosing PHI.

62A-4a-403Requires persons to notify DCFS or the nearest law enforcement agency of abuse / neglect.

164.512(a)(1) 164.512(b) 160.203(c)Summary/Preemption Analysis: Consistent / 62A-4a-403 is not preempted by HIPAA. A covered entitymay disclose PHI to appropriate governmental authority authorized by law to receive reports of child abuseor neglect. HIPAA permits a covered entity to comply with both UCA and HIPAA.

62A-4a-404Requires persons to notify DCFS at the time of birth when the child has fetal alcohol syndrome or fetal drugdependency 164.512(a)(1),(b) 160.203(c)Summary/Preemption Analysis: Consistent / A covered entity may disclose PHI to appropriate govern-

128


mental authority authorized by law to receive reports of child abuse or neglect, and disclosures required bylaw that comply with and are limited to the requirements of such law. HIPAA permits a covered entity tocomply with both UCA and HIPAA.

62A-4a-405Requires persons who believe a child died from abuse/neglect to notify law enforcement. The medicalexaminer shall disclose his report to specified persons. 164.512(a)(1),(b) 160.203(c)Summary/Preemption Analysis: Consistent / A covered entity may disclose PHI to appropriate govern-mental authority authorized by law to receive reports of child abuse or neglect, and disclosures required bylaw that comply with and are limited to the requirements of such law. HIPAA permits a covered entity tocomply with both UCA and HIPAA.

62A-4a-406Permits photos to be taken of child’s injuries and authorizes all medical records pertinent to an investigationto be disclosed to DCFS & law enforcement. 164.512(b) 160.203(c)Summary/Preemption Analysis: Consistent / A covered entity may disclose PHI to appropriate govern-mental authority authorized by law to receive reports of child abuse or neglect. HIPAA permits a coveredentity to comply with both UCA and HIPAA.

62A-4a-407Permits a physician examining a child, who believes the child’s life/safety is in danger, to take the child intoprotective custody and notify DCFS. 164.512(b); 160.203(c)Summary/Preemption Analysis: Consistent / A covered entity may disclose PHI to appropriate govern-mental authority authorized by law to receive reports of child abuse or neglect. HIPAA permits a coveredentity to comply with both UCA and HIPAA.

UCA 62A-4a-409DCFS pre-removal investigation shall use an interdisciplinary team whenever possible, including health andmental health representatives, to assist with diagnostic, treatment, and coordination services.

160.102 164.512(a)(1)Summary/Preemption Analysis: Consistent / DCFS is not a covered entity, therefore HIPAA does notpreempt its use/disclosure of health information. GRAMA applies. Health or mental health representativesmay use or disclose PHI to assist with diagnostic, treatment, and coordination services, as required by 62A-4a-409.

UCA 62A-4a-801 to -802Safe Relinquishment of a Newborn Child 164.504,164.512Summary/Preemption Analysis: Consistent / Hospitals are authorized to receive a newborn child from aparent or the parent’s designee. Hospitals are required to render appropriate care and transfer the child tothe Division of Child and Family Services. Hospitals will receive medical information either from the parent orin the course of treating the child. If the hospital gathers information that suggests abuse or neglect, lawrequires reporting this information to DCFS. The same applies to reports to Vital Records.

UCA 62A-7-121Youth offender records are the property of the Division of Youth Corrections and shall be returned to it whenthe youth offender is terminated from the program. 164.512, 164.524Summary/Preemption Analysis: Consistent in part / This law will require covered entities under contractwith the Division of Youth Corrections to release all records to the Division as required by law. This statute,if applied by the DYC to require covered entities to turn over original treatment records and not to retain anycopies, would deny patient access to records as required by 164.524. It would also inhibit the ability of a

129


covered entity to assist in the treatment of a patients who either returns for additional treatment or seeks tohave records sent to a new provider that needs information about past treatment activity. It would furtherleave the covered entity unable to defend itself against claims of malpractice. In this situation. HIPAA wouldpreempt this section of state law.

UCA 63-2-107Governmental Records Act does not apply to government entities covered by HIPAA.

Parts 160 and 164Summary/Preemption Analysis: Consistent / The workgroup identified GRAMA as having preemptionproblems in the fall of 2002. This section of law was adopted during the 2003 Legislative session. Govern-ment covered entities follow HIPAA.

UCA 63-25a-416 to -418Crime Victim’s Reparation- Applicant waiver of privilege and requirement to supply medical or psychologicalreports 164.524Summary/Preemption Analysis: Beyond Scope / The Crime Victims’ Reparations Board is not a coveredentity under HIPAA. If an applicant fails to submit to tests or to supply necessary information, the onlyremedy is to deny the claim. This section implicates no covered entity’s duties under HIPAA. UCA 64-13-27(1)Department of Corrections centralized record of offenders 160.103Summary/Preemption Analysis: Beyond Scope / This centralized record will contain health records aboutindividuals. The Department of Corrections is not a covered entity, thus this section is beyond the scope ofHIPAA.

UCA 64-13-27(2)Department of Corrections Records are the property of the Department.

164.512, 164.524Summary/Preemption Analysis: Consistent in part / This law will require covered entities under contractwith the Department of Corrections to release all records to the Department as required by law. Thisstatute, if applied by the DOC to require covered entities to turn over original treatment records and not toretain any copies, would deny patient access to records as required by 164.524. It would also inhibit theability of a covered entity to assist in the treatment of a patients who either returns for additional treatmentor seeks to have records sent to a new provider that needs information about past treatment activity. Itwould further leave the covered entity unable to defend itself against claims of malpractice. In this situation.HIPAA would preempt this section of state law.

UCA 64-13-36Department of Corrections Testing of prisoners for AIDS and HIV Infection

160.103Summary/Preemption Analysis: Beyond Scope / This centralized record will contain health records aboutindividuals. The Department of Corrections is not a covered entity, thus this section is beyond the scope ofHIPAA.

UCA 67-4a-301Report of Abandoned Property to Deputy State Treasurer 164.512(a)Summary/Preemption Analysis: Consistent / Covered entities may hold abandoned property subject tothis act and be required to report PHI in response to the requirements of this law. State laws that mandatereporting by covered entities are permitted by HIPAA.

UCA 67-4a-701130


Treasurer May Examine Records to Verify Compliance 164.512Summary/Preemption Analysis: Consistent / HIPAA also permits the examination of records pursuant tosection 512(a) to the extent required by law.

UCA 76-5-504Notification of HIV and AIDS status of offender to victim 164.512Summary/Preemption Analysis: Consistent / State laws that mandate reporting by covered entities arepermitted by HIPAA. To the extent that local health departments conduct this activity through a coveredentity, release of information to a victim would be permitted without the patient’s consent.

UCA 76-7-304(2)Informing parent or spouse prior to abortion 164.502(g)(3)Summary/Preemption Analysis: Further Analysis Required / A doctor performing an abortion to a minormust notify the parent, if possible. Under UCA 78-14-5(4)(f) any female has power to consent where preg-nancy or childbirth is involved. Further analysis of the interaction of this state law and HIPAA is required.

UCA 76-7-325Informing Parent or Spouse Prior to Providing Contraceptives.

164.502(g)(3)Summary/Preemption Analysis: Further Analysis Required / Any person providing contraceptives to aminor must notify the parent, if possible. Under UCA 78-14-5(4)(f) any female has power to consent wherepregnancy or childbirth is involved. Further analysis of the interaction of this state law and HIPAA is re-quired..

UCA 78-14-5(4)(f)CONSENT INVOLVING PREGNANCY OR CHILDBIRTH 164.502(g)(3)Summary/Preemption Analysis: Further Analysis Required / HIPAA defers to state law regarding aparent’s access to the records of an unemancipated minor. Further analysis is needed to determine whethera CE may notify the parent without the minor’s consent.

UCA 78-25-25Patient Access to Medical Records 164.524Summary/Preemption Analysis: Consistent / The workgroup identified this section as having preemptionproblems in the fall of 2002. The old section of this law was repealed and the current language substitutedduring the 2003 Legislative session. All health care providers, regardless of whether they are covered byHIPAA must grant access to patients and their personal representatives, absent a judicial or other restrictionauthorized by law. Providers may charge a reasonable copying fee.

Administrative RulesSummary / Preemption Analysis

R612-2-3Worker’s Compensation Rules- Health Care Providers- filing initial examination of industrial patient’s injury,follow up disclosures of SOAP or progress notes, return to work forms

164.512(6)(l)Summary/Preemption Analysis: Consistent / Privacy regulation allows for disclosures for workers’compensation or other similar programs, established by law

R612-2-22

131


Access to medical records, charging for copies and obtaining copies of medical records in industrial cases 160.203

Summary/Preemption Analysis: Beyond Scope / The Industrial Commission is not a covered entity, thusthis section is beyond the scope of HIPAA. Amendments adopted in July 2003, grant very broad accesspursuant to this rule. The agency and the Administrative Rules Review Committee are examining changesto this section. Some have suggested that the fee schedule set by this rule could be a benchmark forcovered entities on what is a reasonable charge. The Workgroup took no position on this suggestion.

132

1 Privacy and Security Solutions for Interoperable Health Information Exchange National Conference (n.d.)Retrieved February 15, 2007 from http://healthit.ahrq.gov/portal/server.pt?open=514&objID=5562&mode=2&holderDisplayURL=http://prodportallb.ahrq.gov:7087/publishedcontent/publish/communities/a_e/ahrq_funded_projects/rti_public_page/main.htmlFoundation ofResearch and Education of American Health Information Management Association. Development of StateLevel Health Information Exchange Initiatives: Final Report. September 1, 2000

2 Foundation of Research and Education of American Health Information Management Association. Devel-opment of State Level Health Information Exchange Initiatives: Final Report. September 1, 2006

3 The Utah Digital Health Service Commission is an eleven member public-private commission appointedby the governor. See Utah code 26-9f-104.

4 Broderick, M., Smaltz, D. H. (2003, May). HIMSS SIG White Paper. Retrieved February 18, 2007www.himss.org/content/files/ehealth_whitepaper.pdf

5 UDOH Receives Grant to Improve the Exchange of Electronic Health Information (2006, 5) RetrievedFebruary 15, 2007 from http://health.utah.gov/uthealthnews/20060524-HealthInfoGrant.htm

6 Utah Department of Health Executive Director to Serve on State Alliance for e-Healthy (2007, 1) http://health.utah.gov/uthealthnews/2007/20070111-eHealth.htm

7 HealthInsight is participating in several other health information technology projects and was a founder of,and serves on, the Board of the Utah Health Information Network (UHIN). UHIN was the recipient of one offive grants provided by AHRQ in 2004 to begin establishing regional health information networks. Theprincipal investigator on that grant was Scott Williams, MD (replaced as PI by UHIN assistant to theexecutive director Jan Root) who also served as the VP, Medical Affairs for HealthInsight (now Dr. KimBateman). HealthInsight is also responsible for the evaluation of that grant and is leading a subgroup toinvolve practicing physicians while having hosted a stakeholder conference to discuss the effect of HIT onquality and cost. HealthInsight has been partnering with the University of Utah for several years on aproject to create Web and PDA-based decision support software for use by rural physicians. The CDCand AHRQ have provided funding for this project. The technology has been adopted by physicians in Utah,Idaho and Nevada and has successfully decreased the use of unnecessary antibiotics in those commu-nities where it has been tested. Under funding from AHRQ, HealthInsight has also been working with theUniversity of Utah primary care clinics to increase the use of certain preventive tests through the use ofdecision support tools designed specifically for their current EMR. The pilot has been successful and theUniversity and HealthInsight are seeking additional funding to expand the program to independent clinicsin Utah.

8 John Nelson, MD served as the 159th President of the American Medical Association (AMA) from June2004 to June 2005. A recognized and influential leader in Utah’s public health activities, Dr. Nelson is aformer deputy directory of Utah’s Department of Health and has served on the governor’s task forces onchild abuse and neglect and teenage pregnancy prevention. A board-certified ob-gyn, Dr. Nelson has aprivate ob-gyn practice in Salt Lake City. He is a diplomat of the American Board of Obstetrics andGynecology and a fellow of the American College of Obstetricians and Gynecologists.

9 Lyle Odendahl, JD has represented UDOH at administrative hearings and served as administrative lawjudge. He has advised UDOH programs on requirements for compliance with the HIPAA Privacy andSecurity rules; has experience working with health industry groups to build coalitions and to negotiatedraft legislation and served as legal advisor to the Health Policy Commission to develop and draft healthcare reform legislation. In addition he was a gubernatorial appointment to the Information Practices ActTask Force that developed the Utah Government Records Access Management Act(GRAMA) and lectured on records privacy issues before the National Association of Government Archivesand Records Administrators.

10 Nangle, B. & Talboys, S. (September 2002). Identifying Sharable Data in the Utah Department of Health.Obtained 12/12/2006 from http://charm.health.utah.gov/publications.html.

11 HIPAA Preemption Anaylsis. Utah State Office of the Attorney General. November 17, 2003.

REFERENCES

133

Interoperable Solutions for Health Information Exchange in Utah: A

Documents

Transcript of Interoperable Solutions for Health Information Exchange in Utah: A