Comments by Suffolk RHIO Posted on February 1, 2008

Each entry below gives the page and line numbers of the draft being commented on, the comment or criticism, and, where one is offered, the suggested alternative.
Page 6, lines 3-7
Comment: The definition of a RHIO as a "non-governmental, multi-stakeholder organization [participating organization/entity] that exists as a NYS not-for-profit corporation to advance interoperable health IT in the public's interest through a transparent governance structure with an overall mission to improve healthcare quality and safety and reduce costs" makes elements of this proposed guidance inconsistent.
Suggested alternative: Peer-to-peer exchange would not require a BAA but a contractual agreement/MOU to abide by the policies and procedures of the RHIO.
Page 7, line 20
Comment: Include HIPAA in this sentence.
Suggested alternative: "..., all of which remain a priority for New York State and are encompassed in the policy framework and to meet NYS, DOH and HIPAA ePHI requirements."
Page 9, line 14
Comment: On the statement that "Current laws governing HIE and the resulting business practices were developed in the context of a paper-based health care setting where decisions on what to communicate, how, and to whom are generally made on a one-to-one basis by clinicians": most major health organizations are electronic, not including private providers. HIPAA Security was set in place for electronic data.
Page 14, lines 22-27
Comment: The RHIO is composed of stakeholders acting as a "governing body". As stated on page 6, lines 15-17, a business agreement is needed between the stakeholders and the Health Information Service Provider (HISP), a vendor company which develops the health information exchange software and services and/or supports the implementation of such software and services. Additionally, there should be a contract or Memorandum of Understanding (MOU) in place between each of the stakeholders representing their respective organizations.
Suggested alternative: Have a BAA in place between the RHIO and the vendor for the application; then all the stakeholders/participants in the RHIO should have a contractual agreement or MOU which highlights the principles and practices, policies and procedures, and governance of the RHIO.
Page 14, lines 22-27
Comment: The affirmative consent process pertains to provider and payer participants of the RHIO. The consent requirement also pertains to the DOH. It is unclear whether the DOH will have to obtain an individual's affirmative consent that specifically references the RHIO prior to accessing his/her personal health information. With regard to the confidentiality of patient health information, the recommendation calls for the patient information to be uploaded and available without prior consent, so requiring affirmative consent to access the patient's information and not to disclose it seems contradictory. The recommendation states that providers and payers must obtain affirmative consent to access patient information. In addition, providers must have a relationship with the patient, and the information being accessed must pertain to that relationship. This implies that patients who consult with a new physician (non-emergency) still must bring all their previous health information along for the first visit, be
Suggested alternative: We are suggesting that if affirmative consent is required to access patient information for providers and payers, then, to maintain consistency in practice and enhance consumer confidence in the exchange, consent should be obtained by everyone accessing the data, including NYS DOH, unless the information is de-identified data.
Page 14, lines 22-27
Comment: The allowance of a single consent to exchange all health information, including sensitive health information (HIV, mental health and genetic – which is presently not guided by any specific NYS legislation), would assist in communication to patients and decrease implementation costs and confusion. There is no requirement to offer the ability to screen sensitive information. If a patient does not want specific information available through the RHIO and the provider is given the option of withholding that information from the exchange, this works contrary to the goals of establishing the exchange. Uploading data into the system without first conversing with the patient to determine what is or is not acceptable to the patient to place on the exchange may lead to missing documentation and incomplete medical records, and may limit the maximization of clinical communication and access.
Suggested alternative: It is our recommendation that the option of withholding information from the exchange should not be considered.
Pages 14-15, lines 30-37 and 1-5
Comment: The consent process will be dependent upon the structure of the RHIO, that of a BAA or a separate owner CDR. Consent will be required by the Peer-to-Peer or Custodial CDR model. The RHIO, regardless of structure, will not be a covered entity. Consent must be specific to disclosure to the RHIO even though it is based on the BA model. In current operations, we do not obtain patient consent when transmitting information to BAs. This recommendation is outside the scope of current practice and requirements under law. Of note is that the white paper specifically states on page 15 that "the state should avoid dictating the manner in which RHIOs fit within the HIPAA regulatory scheme and instead create a cohesive regulatory framework that applies directly to RHIOs."
Suggested alternative: Include language in the organization of privacy practices regarding the sharing of information electronically, and amend the general consent to use and disclose information form rather than implement an additional consent form.
Page 15, lines 12-15
Comment: The third model, the Owner CDR model, states that the RHIO holding ePHI is not a covered entity, is not a Business Associate of the RHIO participants, and is not required to comply with HIPAA. It is our opinion that this statement should be reevaluated. If a second party is taking ownership of the data for a first party who is a healthcare provider, and the data is ePHI, all parties would be subject to HIPAA. The second party, as custodian of such data, falls under the Business Associate clause and is responsible for the privacy and security of such information.
Page 15, lines 24-25
Comment: The statement that "…, the State should avoid dictating the manner in which RHIO's fit within the HIPAA regulatory scheme, and instead, create a cohesive State regulatory framework that applies directly to RHIO's." seems contradictory. It is inconsistent with the Business Associate position and the recommended consent process.
Page 15, lines 24-26
Comment: There is a dichotomy posed by the position taken that RHIOs are BAs of the participants. In the Privacy Rule, 45 CFR Part 164.504, a Business Associate performs services for or on behalf of a CE, and the BA agreement outlining the terms, conditions and responsibilities of the BA is under the purview of the CE. Yet, in the proposed model, there will be a contractual relationship between the RHIO and the State, and the State will establish terms and conditions for the operation/organization of the RHIO. Thus, there is a disconnect between the role and responsibilities of a BAA established under the Privacy Rule and what the State is proposing in terms of the State being the governing body of the RHIO. The term 'business associate' is specific to the Privacy Rule, and the ensuing requirements inherent to the business associate relationship are predicated upon this definition and terminology. The structure of the relationship and the terms/conditions governing the relationship espoused do not conform to the Privacy Rule. Perhaps the term 'business associate' is being used in a capacity outside the Privacy Rule and the issue is one of semantics.
Suggested alternative: Either there needs to be consistency with the Privacy Rule in terms of the requirements and relationship between the covered entity and the RHIO, or another term should be applied.
Page 15, lines 24-29
Comment: The document states that the State does not want to mandate how RHIOs and vendors structure their relationships with covered entities. Regardless of this statement, the State appears to be assuming that a RHIO will sign a BAA with any other covered entity. Would the HIPAA form signed by the patient have to reflect that the provider might provide the information to the RHIO? Would the HIPAA form used by each provider and the consent form signed by a patient have to have similar language as to permitted uses? How does the RHIO know that a provider has obtained a patient's consent? Does NYDoH anticipate that "course of treatment" will cover all the exchanges possible within a RHIO and all of its participants, and will participants have and/or be able to sign BAAs amongst themselves, since it is really they who are exchanging patient information, not the RHIO? What happens if a participant does not fall into a HIPAA category? Please provide clarification.
Page 17, lines 1-8
Comment: "Allow payer access to RHIO data."
Suggested alternative: Payer access to health information for health maintenance should be limited or not considered at this time.
Page 17, lines 1-8 and 21-30
Comment: The document talks about the purposes that payers and the government have for wanting access to patient information. From a consumer point of view, wouldn't NYDoH and the RHIOs want these uses very narrowly defined so that consumers know exactly what information can be accessed and what it will be used for? If either payers or the government is given carte blanche access, this may have a numbing effect on patient participation. Please provide clarification.
Page 18, line 13
Comment: Every entity must have the patient sign a statement. This creates logistical issues for administration, and confusion for patients who may have to sign the same form numerous times at various facilities.
Suggested alternative: An option of one consent being acceptable for the RHIO, or one consent per organization, should be considered.
Page 19, lines 21-26
Comment: HIPAA and NYS law apply; the RHIO can make it more restrictive.
Page 19, lines 28-38
Comment: The consent process would not apply to 'one to one' exchanges of information in which one provider is seeking specific information from another treating provider via the RHIO. It would appear to apply to the seeking of patient information general to the patient overall. This distinction may be confusing to specifically delineate in some circumstances, especially when there are multiple providers and multiple purposes. Further clarification is crucial to successful implementation. This construct will be difficult for providers to understand and implement accordingly.
Suggested alternative: An all-or-none approach may be more reasonable, in that access to patient information for treatment, payment or operations would not require consent other than a general consent for uses and disclosures, but other functions may require consent specific to accessing PHI from the RHIO.
Page 19, lines 40-45
Comment: In the "one-to-one" exchanges, they require the RHIO to be able to separate these exchanges out, "including policies and tools that enable these types of exchanges within the RHIO to be readily distinguishable", in order not to have to get affirmative consent. These requirements in and of themselves may prove too burdensome, or be too technically difficult or costly, to make the exception worthwhile. It is also unclear exactly what is permissible. Also, it seems odd that a physician would need consent to access a patient's information, but another referring physician could relay this information to the other physician. What information could the referring physician send: just what he/she has, or everything available in the RHIO? If the latter, this seems overly broad. If the former, how can you segregate this out? Please provide clarification.
Page 20, lines 33-41
Comment: The suggestion is to require consent for a payer or provider to access information, but not to disclose it. This is directly the opposite of HIPAA, where a patient allows access. Questions arise as to whether patients will be comfortable with a system which allows a provider to upload his/her health information, with the only safeguard being that he/she consented to the access, without needing to consent to the actual uploading. If you do not have a CDR, does this mean that you set up the peer-to-peer capability and wait for consent (see the query above as to how you determine whether you have consent and who is responsible for determining this)? In addition, it is unclear whether the RHIOs will have the technical capability (at a reasonable cost) to limit access to sensitive information to certain information, as suggested on page 20. Please provide clarification.
Page 20, lines 33-41
Comment: The State specifies that this consent must be on a provider-by-provider basis. Later on, they require RHIOs to notify patients that its participants may change and to provide them with access to an updated list of participants, but do not say how patients can add entities to their access list, short of going to that provider and signing a consent. Since access to information is the stated goal, this may be a cumbersome process. This will require a patient either to consent to a broad number of providers prospectively (and then worry about improper access and/or make requests to providers to verify that there has not been improper access) or to limit access, and defeat the purpose of the RHIO.
Page 20, lines 33-41
Comment: Consent must be obtained prior to access by a provider, not prior to uploading. Thus, a provider may not access a patient's information via the RHIO until he/she has a signed consent in hand to access the information. For a consulting provider brought in by another provider, this effectively means that the provider must have a signed consent from the patient to access their information before they may have even seen the patient.
Suggested alternative: Consent should be obtained prior to disclosure to the RHIO, as is consistent with current state law regarding disclosures, rather than prior to access. In this way, the fact that a patient's information has been uploaded signals their explicit consent to make the information available to those accessing the RHIO.
Page 22, lines 20-25
Comment: Under "Treatment," a permitted use includes "contacting healthcare providers and patients with information about treatment alternatives." How does this differ from "a communication about a product or service that encourages recipients to purchase or use the product or service", which is a marketing use on page 23? Please provide clarification.
Page 22, lines 36-37
Comment: Access will not be granted to providers who have no record of having treated the patient already at one point in time. How will this impact self-referred patients, consults, referrals, etc.? It seems that even if the provider obtained a consent, these providers will not be permitted access to the RHIO information until they have established a record of care. This is certainly contrary to our current practice, in that we disclose information based on the provider's assertion that they have or will have a treatment relationship, and this disclosure is subject to our organization obtaining the General Consent to Use and Disclose Information. Also, what does this mean for multiple-provider group practices?
Suggested alternative: Rely on sanctions and auditing to verify access on a 'need to know' basis rather than limiting access to those who have an established treatment relationship, as the latter would effectively impose barriers to providers who need information prior to appointments or consults.
Page 22, lines 36-39
Comment: The State requires that the entity requesting consent for either use "have had a relationship with the individual who is the subject and the information must pertain to such relationship." This seems to suggest that access is only prospective, not retroactive, and is limited to a specific relationship (a cardiologist can only access information related to that condition). If the use is limited to a specific relationship, will a RHIO have the technology available at a reasonable cost to be able to segregate information and limit access accordingly? Also, how will third parties like the government be able to establish this relationship so as to participate in quality improvement and disease management? Also, if a patient does consent to the use of his/her information for quality improvement and disease management, what happens if he/she changes his/her mind later? Will a participant's inability to obtain prospective information compromise the data? The same issue arises if participants can opt out of research projects. Please provide clarification.
Page 23, lines 19-22
Comment: Since the RHIO is the BA of the provider, wouldn't these restrictions be in the BAA, or does the State envision that the RHIO requires this of its participants (a reverse BAA between the RHIO and its participants)? Please provide clarification.
Page 23, lines 34-37
Comment: If providers can screen in this way, how will other participants know the record is incomplete? If someone withholds mental health information and is on a medication that a provider does not know about, could this not have a material adverse effect? Also, does this materially compromise the integrity of the system itself? Please provide clarification.
Page 24, lines 7-36
Comment: There will be two separate consent forms for RHIO access: one for TPO and a separate one for marketing, research, etc. These consents are not intended to replace the New York State HIPAA Compliant Authorization Form, which is required for non-TPO disclosures or disclosures not required by law. In addition, barring some future preemption of PHL Section 18, a general consent to Use and Disclose PHI for TPO would still be required for disclosures to non-RHIO sources. In effect, there could potentially be four separate forms the patient must complete and the provider must obtain. The document does state that it is possible that NYS DOH may permit the merger of some documents into one form, although whether they will permit this remains to be seen, as it has not been our experience to date.
Suggested alternative: We are recommending strong consensus and support within NYS DOH for permitting the merger of forms, most notably the merger of a general consent with the DOH "HIPAA Compliant Authorization …" form.
Page 24, lines 40-41
Comment: The time-limiting of the Consent for 'Level 2' access will have a negative effect on research. Currently, the Privacy Rule and State Law permit limiting the Consent to a date or an event. Typically, a research Consent is event-limited to 'conclusion of the research study'. Thus, for example, if a research study receives funding beyond the initial funding period, or the study itself is simply expanded to enhance cohort recruitment, the research subjects would need to be re-consented, which would be onerous in large studies with hundreds of subjects.
Suggested alternative: We recommend that the consent for Level 2 be valid until revocation by the patient. As such studies have already passed a rigorous level of review, and there are already processes in place to govern researcher actions and sanctions for violating human subject research protocols, thereby mitigating the chance of misuse of information, this additional requirement would not be needed. We also recommend segregating consent for marketing from consent for research.
Page 26, lines 18-20
Comment: Mandatory reporting to the patient of a known or suspected breach of privacy/confidentiality, regardless of the information involved, is not consistent with current State law. Currently, State Law under the Security Breach and Notification Act only applies to "personal information in combination with any one or more of the following data elements when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired: social security number, driver's license number or non-driver identification card; or account number, credit or debit number, in combination with any required security code, access or password which would permit access to an individual's financial account".
Suggested alternative: Mandatory reporting should conform to current state law. The RHIO may notify providers of possible breaches of information, and the provider, in the exercise of professional discretion, may decide whether to notify the patient depending on the data elements, risk, patient status, etc. This conforms to most organizations' policies across the country in terms of reporting breaches of electronic information. Organizations that maintain an EMR and have such reporting policies may otherwise be faced with two separate reporting policies for breaches of electronic information, depending on whether the electronic information was or was not in the RHIO.
Page 26, lines 18-23
Comment: NYS breach notification is required under very defined circumstances, and those circumstances should be recognized by this proposal. Additionally, audit trails should either be available to the patient through the RHIO patient access portal or, if that technology is not possible, an access audit trail should only be provided in response to an allegation of unauthorized or inappropriate access. This will certainly be an issue, because otherwise the employee's rights will be violated. Will the patient have the right to sue an individual based on an access audit that is provided to the patient and identifies someone whom the patient may not readily identify as someone granted consent to access, but who could be part of an organization to which affirmative consent was provided? Please provide clarification.
Page 26, lines 35-37
Comment: Who is responsible if a payer or provider breaches the terms of a patient's consent? Does the RHIO have to police this and, if so, how does NYDoH anticipate it will do so? Please provide clarification.
Page 29, lines 12-25
Comment: Permitting payers direct access to PHI maintained in the RHIO raises the issue of how to uphold a patient's request for restrictions on disclosures to insurers. In an "all or none" approach, this effectively means that to implement the restriction, there would also be a restriction on information for treatment. The net effect would be no uploading or access for any purpose. Although payers will be required to obtain consent for accessing the RHIO, there must be reasonable administrative and technical safeguards to limit the access to only the information the patient agrees to and to which the payer is entitled to access.
Suggested alternative: Payer activity should be monitored and audited so that the same degree of control can be exerted as is currently in place in a paper-based record world.