NCHIMA 66 th Annual Meeting Managing the Access and Release of - - PowerPoint PPT Presentation


NCHIMA 66 th Annual Meeting Managing the Access and Release of Health Information As Health Information Exchange Initiatives Evolve: A Qualitative Study Susan H. Richardson, DHA, MHSA, RHIA, CPHQ, CHTSCP May 5, 2016 HIEs in the United


SLIDE 1

NCHIMA 66th Annual Meeting

SLIDE 2

Managing the Access and Release of Health Information As Health Information Exchange Initiatives Evolve: A Qualitative Study Susan H. Richardson, DHA, MHSA, RHIA, CPHQ, CHTS‐CP May 5, 2016

SLIDE 3

HIEs in the United States

SLIDE 4

Release of Information

SLIDE 5

Introduction

  • The Health Information Exchange (HIE) initiative began as early as 1998 as part of the push to develop a national health information technology (IT) infrastructure to improve the quality of patient care (Bernstein, Dutton, Evans, & Fiori, 2006).
  • Former President George W. Bush established the Office of the National Coordinator for Health Information Technology (ONC) in 2001 to oversee the development of interoperable electronic health records (EHR) to help achieve the goal for every American to have an EHR by 2014 (Johns, 2011).
  • Two federal agencies that have funded HIE projects are the Agency of Health Research and Quality (AHRQ) and the Health Resources and Services Administration (HRSA) (Bernstein et al., 2006).
  • The National Alliance for Health Information Technology became involved in the process of naming, defining and standardizing HIE organizations in 2006 (AHIMA, 2010).
SLIDE 6

Background of the Problem

  • Health Information Management (HIM) professionals are responsible for the management of the patient’s health information within healthcare organizations. This includes ensuring that the access to the information and the release of the information are managed appropriately (Johns, 2011).
  • HIM professionals are ultimately responsible for ensuring that regulations such as the Health Insurance Portability and Accountability Act (HIPAA) are adhered to through the development of policies and procedures.
  • The management of health information in an environment that already allows unlimited access by patients, providers, and payers is a concern.
  • The HIE initiative compounds the concern because health information will become more accessible as the push for a national health information infrastructure continues, providing access to health information across different networks.

SLIDE 7
SLIDE 8

Literature Review

  • The HIE initiative is not a new concept, but its evolution has been stymied by the inability to access data across a continuum. Recent technology and the impetus to improve patient outcomes are forces behind the push to move forward with the HIE initiative (Morrissey, 2011).
  • Legislative efforts continue to increase the need for health information exchanges, which has escalated concerns that the current regulations, such as HIPAA, will not be enough to protect PHI. “This heightened legislative and regulatory attention reflects what is happening in American healthcare today: more and new kinds of organizations are involved in the care process‐‐‐ and these organizations have access to patients’ health information” (Dennis, 2010, p.1).
  • According to Westerlind (2014), the most challenging issue facing organizations is the unauthorized access of patient information, as noted in a KLAS study on privacy and security.

SLIDE 9

Unauthorized Access

SLIDE 10

Problem Statement

  • As HIEs evolve, the patient’s privacy and confidentiality will be at risk. An increased likelihood of unauthorized access to and availability of protected health information (PHI) to those without a need to know (AHIMA, 2010) will exist.
  • The specific problem is that the HIM professionals’ ability to manage the access and release of PHI within the healthcare environment will be affected. The responsibility to diligently monitor and control the flow of information accessed and released within the system will become more difficult (Emery & McDavid, 2011).
  • There is a lack of information about how to ensure that federal and state PHI requirements are adhered to, how to separate out protected health information (Eramo, 2011) as patient portals are created through the HIEs (Wiedemann, 2011), as well as how to secure health information that is for purposes other than for treatment, payment, and operations (Wiedemann, 2011).

SLIDE 11

Problem Statement continued

  • Literature specifically addressing how HIM professionals will manage the increased access to PHI by other entities is lacking. The literature review is limited about how secure health information is within the electronic environment and confirms that concerns exist about the management of patient confidentiality.
  • There is an absence of established policies and procedures to manage the access and release of health information, which is another concern.

SLIDE 12

Purpose of the Study

  • The purpose of this qualitative research study was to develop a best practice for HIM professionals to manage strategically the access and release of health information as the availability of PHI increases with the ongoing evolution of HIEs.
  • HIM professionals’ expectations of how the access and release of information should be managed within a HIE environment were requested.
  • The study provides HIM professionals with the guidelines to address the privacy and security concerns and challenges for managing the access and release of PHI in a HIE environment.

SLIDE 13

Significance of the Study

  • Anderson (2011) stated that results of a National eHealth Collaborative survey, which consisted of healthcare providers, governments, and HIE operators, identified security and privacy issues as the major concern of HIE initiatives.
  • ONC stipulated that HIEs should provide individual access, allow corrections, be open and transparent, and allow consumers to decide how their PHI will be used, disseminated, and exchanged (AHIMA, 2011). The ONC also requires HIEs to allow the collection and use of PHI, limit disclosures to the extent necessary to perform a specific purpose, and implement appropriate safeguards.
  • The Center for Democracy and Technology (2012) emphasized that “accountability for compliance with Federal and state health privacy and security protections should be strengthened” (para. 6).

SLIDE 14

Significance to HIM Professionals

  • Current HIM skills for managing health information have been with paper records and within single health care entities.
  • Managing electronic health information across health care systems is a challenge.
  • According to AHIMA (2011), HIM professionals need to be vigilant and stay current with the health care regulations, policies, and information standards.
  • The significance of this study was to provide a best practice so HIM professionals could effectively address and manage the challenges HIEs present in the protection of PHI.

SLIDE 15

Scope of the Study

  • The population for the study included HIM professionals within the state of North Carolina.
  • Participation was limited to the first twenty responders. The study consisted of twelve participants.
  • The participants were not pre‐selected.
  • Participants were selected based on the following criteria:
    – Responsible for the management of health information,
    – Employed within a healthcare organization, and
    – A member of the North Carolina Health Information Management Association and/or North Carolina Health Information and Communications Alliance.

SLIDE 16

Scope of the Study continued..

The participants met the following assumptions:

    – The participant had sufficient knowledge of the HIE initiative and understood its potential in the availability and accessing of health information,
    – The participant was aware of the privacy and security rules and regulations that affect release of information, and
    – The participant in the study had implemented or had participated in the planning stages of implementing an EHR within the organization.

SLIDE 17

Research Question

Which processes best ensure the security and privacy of health information within the HIE environment?

SLIDE 18

Conceptual Framework

  • The conceptual framework was based upon complexity theory, which is founded upon the belief that systems are complex (Fryer, 2012).
  • Cause and effect does not always apply and all phenomena cannot be predicted and controlled (Fryer, 2012); however, systems will ultimately adapt to the changing environment.
  • Wilson (2009) stated that the complexity theory “refers to patterns and relationships among the parts, and also the unpredictability” (p. 19).
  • The complexity theory appropriately addresses the changing environment that HIM professionals are confronting as internal and external forces affect the management of health information.

SLIDE 19

Fryer’s Complex Adaptive Systems Theory

SLIDE 20

Research Method and Design

  • The research method for this study was qualitative incorporating the Delphi technique.
  • The qualitative research method was preferred because this approach allowed the generation of theories as opposed to the quantitative approach which is designed to test hypotheses (Christensen, Johnson, & Turner, 2011).
  • The Delphi technique fitted the design of this study by providing a structural analytic process for reflections and comprehension (Moustakas, 1994) because this technique incorporates an iterative process collecting and building upon the responses to the previous round of questions (Skulmoski, Hartman, & Krahn, 2007).

SLIDE 21

Methodology Used: Delphi Technique

SLIDE 22
SLIDE 23

Data Results and Analysis

  • The outcome of the first round resulted in five themes providing solid examples of what the participants believed should be included when developing a best practice:
    – Development of a HIE Security and Privacy Initiative
    – Management of Access Controls
    – Develop Protocols/Policies and Procedures
    – Tracking and Monitoring
    – Education and Training

SLIDE 24

Data Results and Analysis Continued…

  • The results from the first round, with the common themes, were returned to the participants for a second round of responses. Participants were asked to review the information and recommend which response should be retained, as well as justify the reason. The participants’ responses were noted and all items within each theme were retained for the third round.
  • The third round provided the participants another opportunity to narrow down the recommendations by ranking responses according to the most important to the least important. Four or more responses with recommendations ranking as the most important for each element within the theme were retained for inclusion in the fourth round. The results in this round noted the elimination of five elements in the number of recommendations overall.
  • The fourth round consisted of the summary of the third round recommendations retained and participants were asked to review and make comments. All participants agreed to the proposed final recommendations.

SLIDE 25

Data Results and Analysis Continued…..

The fifth round served as the final validation of the process. All twelve participants agreed with the following recommendations for the development of the best practice:

SLIDE 26
SLIDE 27
SLIDE 28
SLIDE 29

Conclusions

  • According to Sarrico and Hauenstein (2011), hospitals are in a no‐win situation concerning the electronic transmission of health information. The HIE initiative is to provide access to PHI to improve patient care, but healthcare organizations, specifically HIM professionals, are committed to ensuring the security and privacy of PHI.
  • The results of this study are testament that HIM professionals have the knowledge needed to ensure that the access and release of information is managed appropriately based on the needs of the patient, providers, and other members of the workforce (AHIMA, 2011).
  • The results of the study provided guidelines that HIM professionals can use to address the future PHI concerns and challenges presented as HIE evolves. The participants’ responses also demonstrated the complexities and variety of approaches for managing the access and release of health information.

SLIDE 30

Conclusions continued….

  • The information obtained addressed the perspective of practicing health information professionals on the necessary elements needed to ensure the ability to monitor, secure, and control online access to health information by external agencies and other organizations (Emery & McDavid, 2011), as well as proactively managing through education and training.
  • The study addressed the opinions and recommendations of a representative sample of health information professionals and the Delphi technique provided for impartial and objective recommendations without any influencing factors such as social norms, customs, professional standing or organizational culture.
  • The study provided HIM professionals the opportunity to provide feedback about their concerns and recommendations that were not found specifically addressed in the studies noted within the literature review.

SLIDE 31

Our Job: Protecting the Patient’s Health Information

SLIDE 32

Recommendations

  • Review organizational policies
  • Review state and government regulations
  • Review, with the CIO, the information systems’ strengths and weaknesses
  • Review all new and old technology that contains information.

SLIDE 33

Recommendations

SLIDE 34

References

  • AHIMA. (2010, September). Understanding the HIE landscape. Journal of AHIMA, 81(9). 60‐65.
  • AHIMA. (2011, May). HIE management and operational considerations. Journal of AHIMA, 82(5). 56‐60.
  • AHIMA. (2012, February). Management practices for the release of information. Journal of AHIMA, 83(2).
  • Anderson, H. (2011, February 25). Survey: Privacy a top HIE concern. InfoRisk Today. http://www.inforisktoday.com/survey-privacy-top-hie-concern-a-3383.
  • Bing.com (Images)
  • Bernstein, W., Dutton, M., Evans, L. & Fiori, A. (2006). Health information exchange projects: What hospitals and health systems need to know. American Hospital Association. Chicago, IL. Retrieved from http://www.aha.org/content/00-10/AHARHIOfinal.pdf.
  • Center for Democracy & Technology. (2012, June 13). Health information exchange brief examines privacy and security concerns. Published on Center for Democracy & Technology (https://www.cdt.org). Retrieved from https://www.cdt.org/pr_statement/health-information-exchange-brief-examines-privacy-and-securityconcerns.
  • Christensen, L.B., Johnson, R.B., & Turner, L. (2011). Research Methods, Designs, and Analysis (11th ed.) Boston, MA: Allyn & Bacon.
  • Dennis, J.C. (2010). Privacy: The impact of ARRA, HITECH, and other policy initiatives. Chicago, IL: AHIMA.
  • Emery, S. & McDavid, J. (2011, March). Electronic copy versus electronic access. Journal of AHIMA, 82(3). 40‐41.
  • Eramo, L. A. (2011, March). Patient portals and meaningful use: Using portals to meet the patient access objectives. Journal of AHIMA, 3(82). 42‐43.

SLIDE 35

References

  • Fryer, P. (2012). What are complex adaptive systems? Trojanmice. Retrieved from http://www.trojanmice.com/articles/complexadaptivesystems.htm.
  • Govtech.com. State Plan Models. Retrieved from http://www.govtech.com/health/4-Approaches-to-Health-Information-Exchanges.html
  • HealthIT.gov. HIEs in the US. Retrieved from https://www.healthit.gov/policy-researchers-implementers/state-hie-implementation-status
  • Identity Theft Resource Center. (2016, January 25). Retrieved from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
  • Johns, M.L. (2011). Health information management technology: An applied approach. Chicago, IL: American Health Information Management.
  • Morrissey, J. (2011, February). HIE. H&HN. Retrieved from http://www.hhnmag.com/hhnmag_app/jsp/articledisplay.jsp?dcrpath=HHNMAG/Article/data/02FEB2011/02HHN_Coverstory&domain=HHNMAG.
  • Sarrico, C. & Hauenstein, J. (2011, February). Can EHRs and HIEs get along with HIPAA security requirements? Healthcare Financial Management, 65(2). Retrieved from MasterFILE Premier.
  • Skulmoski, G.J., Hartman, F.T., & Krahn, J. (2007). The Delphi method for graduate research. Journal of Information Technology Education. 6:1‐21. Retrieved from Education Research Complete database files.
  • Westerlind, E. (2014, May). Security and privacy perception 2014: High stakes, big challenges. KLAS. 1‐106. Retrieved from www.KLASresearch.com.
  • Wiedemann, L.A. (2011, March). Managing external reviewer requests in the EHR: Considerations, requirements, and associated expenses. Journal of AHIMA, 3(82). 40‐41.
  • Wilson, M. (2009). Complexity theory. Whitireia Nursing Journal, 16. 18‐24. Retrieved from ProQuest database files.

SLIDE 36