NCHIMA 66 th Annual Meeting Managing the Access and Release of - PDF document

4/25/2016 NCHIMA 66 th Annual Meeting Managing the Access and Release of Health Information As Health Information Exchange Initiatives Evolve: A Qualitative Study Susan H. Richardson, DHA, MHSA, RHIA, CPHQ, CHTS‐CP May 5, 2016 HIEs in the United States 1

4/25/2016 Release of Information Introduction • The Health Information Exchange (HIE) initiative began as early as 1998 as part of the push to develop a national health information technology (IT) infrastructure to improve the quality of patient care (Bernstein, Dutton, Evans, & Fiori, 2006). • Former President George W. Bush established the Office of the National Coordinator for Health Information Technology (ONC) in 2001 to oversee the development of interoperable electronic health records (EHR) to help achieve the goal for every American to have an EHR by 2014 (Johns, 2011). • Two federal agencies that have funded HIE projects are the Agency of Health Research and Quality (AHRQ) and the Health Resources and Services Administration (HRSA) (Bernstein et al., 2006) • The National Alliance for Health Information Technology became involved in the process of naming, defining and standardizing HIE organizations in 2006 (AHIMA, 2010). Background of the Problem • Health Information Management (HIM) professionals are responsible for the management of the patient’s health information within healthcare organizations. This includes ensuring that the access to the information and the release of the information are managed appropriately (Johns, 2011). • HIM professionals are ultimately responsible for ensuring the regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) are adhered to through the development of policies and procedures. • The management of health information in an environment that already allows unlimited access by patients, providers, and payers is a concern. • The HIE initiative compounds the concern because health information will become more accessible as the push for a national health information infrastructure continues, providing access of health information across different networks. 2

4/25/2016 Literature Review • The HIE initiative is not a new concept but its evolution has been stymied by the inability to access data across a continuum. Recent technology and the impetus to improve patient outcomes are forces behind the push to move forward with the HIE initiative (Morrissey, 2011). • Legislative efforts continue to increase the need for health information exchanges, which has escalated concerns that the current regulations, such as HIPAA will not be enough to protect PHI. “This heightened legislative and regulatory attention reflects what is happening in American healthcare today: more and new kinds of organizations are involved in the care process‐‐‐ and these organizations have access to patients’ health information” (Dennis, 2010, p.1). • According to Westerlind (2014), the top most challenging issue facing organizations is the unauthorized access of patient information, as noted in a KLAS study on privacy and security. Unauthorized Access 3

4/25/2016 Problem Statement • As HIE’s evolve, the patient’s privacy and confidentiality will be at risk. An increased likelihood of unauthorized access to and availability of protected health information (PHI) to those without a need to know (AHIMA, 2010) will exist. • The specific problem is that the HIM professionals’ ability to manage the access and release of PHI within the healthcare environment will be affected. The responsibility to diligently monitor and control the flow of information accessed and released within the system will become more difficult (Emery & McDavid, 2011). • There is a lack of information about how to ensure that federal and state PHI requirements are adhered to, how to separate out protected health information (Eramo, 2011) as patient portals are created through the HIEs (Wiedemann, 2011), as well as how to secure health information that is for purposes other than for treatment, payment, and operations (Wiedemann, 2011). Problem Statement continued • Literature specifically addressing how HIM professionals will manage the increased access to PHI by other entities is lacking. The literature review is limited about how secure health information is within the electronic environment and confirms that concerns exist about the management of patient confidentiality. • There is an absence of established policies and procedures to manage the access and release of health information, which is another concern. Purpose of the Study • The purpose of this qualitative research study was to develop a best practice for HIM professionals to manage strategically the access and release of health information as the availability of PHI increases with the ongoing evolution of HIEs. • HIM professionals’ expectations of how the access and release of information should be managed within a HIE environment was requested. • The study provides HIM professionals with the guidelines to address the privacy and security concerns and challenges for managing the access and release of PHI in a HIE environment. 4

4/25/2016 Significance of the Study • Anderson (2011) stated that results of a National eHealth Collaborative survey, which consisted of healthcare providers, governments, and HIE operators identified security and privacy issues as the major concern of HIE initiatives. • ONC stipulated that HIEs should provide individual access, allow corrections, be open and transparent, and allow consumers to decide how their PHI will be used, disseminated, and exchanged (AHIMA, 2011). The ONC also require HIEs to allow the collection and use of PHI, limit disclosures to the extent necessary to perform a specific purpose and implement appropriate safeguards. • The Center for Democracy and Technology (2012) emphasized that “accountability for compliance with Federal and state health privacy and security protections should be strengthened” (para 6). Significance to HIM Professionals • Current HIM skills for managing health information have been with paper records and within single health care entities. • Managing electronic health information across health care systems is a challenge. • According to AHIMA (2011), HIM professionals need to be vigilant and stay current with the health care regulations, policies, and information standards. • The significance of this study was to provide a best practice so HIM professionals could effectively address and manage the challenges HIEs present in the protection of PHI. Scope of the Study • The population for the study included HIM professionals within the state of North Carolina. • Participation was limited to the first twenty responders. The study consisted of twelve participants. • The participants were not pre‐selected. • Participants were selected based on the following criteria: – Responsible for the management of health information, – Employed within a healthcare organization, and – A Member of the North Carolina Health Information Management Association and/or North Carolina Health Information and Communications Alliance. 5

4/25/2016 Scope of the Study continued.. The participants met the following assumptions: – The participant had sufficient knowledge of the HIE initiative and understood its potential in the availability and accessing of health information, – The participant was aware of the privacy and security rules and regulations that affect release of information, and – The participant in the study had implemented or had participated in the planning stages of implementing an EHR within the organization. Research Question Which processes best ensure the security and privacy of health information within the HIE environment? Conceptual Framework • The conceptual framework was based upon complexity theory, which is founded upon the belief that systems are complex (Fryer, 2012). • Cause and effect does not always apply and all phenomena cannot be predicted and controlled (Fryer, 2012); however systems will ultimately adapt to the changing environment. • Wilson (2009) stated that the complexity theory “refers to patterns and relationships among the parts, and also the unpredictability” (p. 19)). • The complexity theory appropriately addresses the changing environment that HIM professionals are confronting as internal and external forces affect the management of health information. 6

4/25/2016 Fryer’s Complex Adaptive Systems Theory Research Method and Design • The research method for this study was qualitative incorporating the Delphi technique. • The qualitative research method was preferred because this approach allowed the generation of theories as opposed to the quantitative approach which is designed to test hypotheses (Christensen, Johnson, & Turner, 2011). • The Delphi technique fitted the design of this study by providing a structural analytic process for reflections and comprehension (Moustakas, 1994) because this technique incorporates an iterative process collecting and building upon the responses to the previous round of questions (Skulmoski, Hartman, & Krahn, 2007). Methodology Used: Delphi Technique 7