MBSA

1
MBSA Health Law Section MN E-Health
Initiative andThe MN Health Records Act

• James I. Golden, PhDDirector, Division of Health
  PolicyMinnesota Department of Health
• September 21, 2007

2
Objectives

• What is the e-Health Initiative
• What are the Key Components of Privacy
• What is the MN Privacy and Security Project
• Discussion of Changes to the MN Health Records
  Act (M.S. 144.291-.298)
• Whats Next

3
MN e-Health Initiative

• Established in 2004 as a privatepublic
  collaboration to accelerate the use of health
  information technology in Minnesota
• 26 members representing key stakeholders
  including health care providers, payers, public
  health professionals, and consumers
• Responsible for making recommendations to
  implement a statewide interoperable health
  information infrastructure - including patient
  privacy requirements

4
E-Health Initiative Vision

• To accelerate the use of health information
  technology to
• improve healthcare quality
• increase patient safety
• reduce healthcare costs
• enable individuals and communities to make the
  best possible health decisions

5
Initial Challenges

• Most significant challenges in developing
  recommendations for a statewide interoperable
  health information infrastructure
• Financing
• Governance
• Standards for Data Exchange
• Privacy and Security Issues

6
2005 e-Health Activities

• Integrate MN efforts with national activities
• Framework for Strategic Action from the Office
  of the National Coordinator for Health
  Information Technology
• Develop a MN e-Health framework of four broad and
  ambitious goals
• Goal 1 Inform clinical practice - focus on
  Electronic Health Records
• Goal 2 Interconnect clinicians - focus on health
  information exchange
• Goal 3 Personalize care focus on Personal
  Health Records
• Goal 4 Improve population/public health focus
  on disease surveillance and response systems

7
2006 e-Health Activities

• Shift from Strategic Planning to Implementation
  Planning with a national focus on
• Standards of Interoperability
• Architecture Models for connecting
• Data standards
• Privacy and Security Standards
• Barriers to data exchange
• Patient participation and control

8
MN Privacy and Security Project (MPSP)

• A systematic and comprehensive review of current
  laws and practices that impede the efficient,
  electronic exchange of health data that analyzed
  privacy and security issues to
• Identify the most significant barriers impeding
  the electronic exchange of health information
• Document how concerns impede the exchange of
  health information
• Describe the causes and rationale for the
  barriers
• Develop solutions and implementation plans to
  eliminate or reduce the barriers, while
  maintaining or strengthening patient privacy
  protections

9
What Is Privacy?

• The Privacy Commissioner of Canada described
  Privacy as"...the right to control access to
  one's person and information about one's self.
  The right to privacy means that individuals get
  to decide what and how much information to give
  up, to whom it is given, and for what uses."

10
Informed Consent

• For patients and their health information the
  primary mechanism for exercising privacy is
  Informed Consent
• Traditional components of informed consent
• The patient needs to be provided with relevant
  information to make an evaluation of the benefits
  and risks of consenting to the use or disclosure
  health information
• Information needs to be presented to the patient
  in a clear and understandable fashion that is
  comprehensible
• The patients choice to consent to the use or
  disclosure of health information needs to be a
  voluntary decision and
• The patients consent or authorization needs to
  be documented.

11
Issues in the Consent Process

• Opt-in versus opt-out
• When and how consent is obtained
• Ability to limit the consent
• Specificity of the consent
• Duration of consent
• Ability and mechanisms to revoke/modify a consent
• Educational materials supplied with the consent
  request Benefits and risks
• Documentation of the consent

12
Why Does Privacy Matter?

• Quality of Care
• Without trust that the personal, sensitive
  information shared with doctors will be handled
  with degree of confidentiality, patients will not
  fully participate in their own health care.
• California Health Care Foundation (1999) found
• One in every five people believes their health
  information has been used or disclosed
  inappropriately.
• One in six people engages in some form of
  "privacy-protective" behavior when they seek,
  receive, or pay for health care in this country.

13
MN Privacy and Security Project (MPSP)

• A systematic and comprehensive review of privacy
  laws and practices to
• Identify the most significant barriers to
  information exchange
• Document how barriers impede exchange
• Describe the causes/rationale for the barriers
• Develop solutions and implementation plans to
  eliminate or reduce the barriers, while
  maintaining or strengthening patient privacy
  protections

14
MPSP Findings

• Overarching privacy and security issues
• The implementation of Minnesotas patient consent
  requirements within a health information exchange
  
• Operational difficulties in first providing, and
  then limiting and monitoring external
  organizations electronic access to patient data
• Liability concerns with the inappropriate
  disclosure of patients health information

15
Patient Consent Barriers

• Minnesotas patient consent requirements were
  identified as a major privacy and security
  impediment to the electronic exchange of health
  information, because
• Health care providers cannot agree on when and
  how patient consent is required to exchange
  patients health information.
• Minnesotas patient consent requirements were
  designed for paper-based exchanges of information
  and are not conducive to a real-time, automated
  electronic exchange of information.

16
Patient Consent Requirements

• HIPAA allows the disclosure of patient
  information for treatment, payment, and
  operations without consent
• Minnesota law requires patient consent for the
  disclosure of patient information

17
Minnesotas Patient Consent Requirements

• Patient consent required for nearly all
  disclosures of health records including
  treatment
• Patients need to give written consent
• Consent generally expires within one year
• Limited exceptions to consent
• Medical emergency
• Within related health care entities
• Consents that do not expire
• Disclosures to providers being consulted
• Disclosures to payers for payment

18
Minnesota Patient Consent Liability

• Minnesota law places all liability for
  inappropriate disclosures on the disclosing
  providers
• A violation of patient consent requirements may
  be grounds for disciplinary action against a
  provider by the appropriate licensing board or
  agency
• A person who negligently or intentionally
  releases a health record is liable to the
  patient for compensatory damages caused by an
  unauthorized release, plus costs and reasonable
  attorney's fees

19
MinnesotaPatient Consent Barriers

• Undefined terms and ambiguous concepts in
  Minnesota Statutes, 144.335.
• Difficulties in determining the appropriate
  application of Minnesotas patient consent
  requirements to new concepts in the electronic
  exchange of health information that do not have
  an analogous concept in a paper-based exchange.
• The need to update Minnesotas patient consent
  requirements to allow mechanisms that facilitate
  the electronic exchange of patients information
  while respecting the patients ability and wishes
  for controlling their information.

20
Addressing Patient Consent Barriers

• A workgroup of industry representatives and
  privacy advocates did not reach consensus on a
  set of best solutions, but
• Identified options
• Documented advantages and disadvantages for each
  option
• Connected related options
• MDH developed criteria for evaluating options
• maintain or strengthen patients privacy or
  control over their health records
• improve patient care
• facilitate electronic, real time, automated
  exchange
• not place an undue administrative burden on the
  health care industry
• increase the clarity and uniform understanding of
  the statutory language and consent requirements

21
2007 Revisions to MN Health Records Act

• Major Revisions in Health Human Services
  Omnibus bill
• Improve readability through recodification
• Definitions for new and existing terms
• Health record
• Medical emergency
• Related health care entity
• Health Information Exchange
• Record locator service
• Identifying data

22
Record Locator Service (RLS)

• An electronic index of patient identifying
  information that directs providers in a health
  information exchange to the location of patient
  health records held by providers and group
  purchasers.
• Providers may construct a record locator service
  without patient consent
• Providers must obtain patient consent to access
  patients information in a record locator
  service.

23
Record Locator Service Protections

• Not a government database
• Allows multiple groups of providers to create a
  RLS
• Only providers may access information in a RLS
• Providers must provide patients the ability to
  completely opt-out of the RLS in the consent
  process
• An RLS must maintain an audit log of who accessed
  information
• A RLS is liable for inappropriate disclosures of
  information
• MDH cannot access/receive information from a RLS

24
Representation of Consent

• A provider, or a person who receives health
  records from a provider, may not release a
  patient's health records to a person
  without(1) a signed and dated consent from the
  patient or the patient's legally authorized
  representative authorizing the release(2)
  specific authorization in law or(3) a
  representation from a provider that holds a
  signed and dated consent from the patient
  authorizing the release.

25
Representation of Consent Protections

• Only a health care provider may request a
  patients health record using a representation of
  having obtained patient consent.
• Requesting provider must obtain a signed and
  dated consent from the patient
• The provider releasing health records to another
  provider using a representation of having
  obtained patient consent must document
• identity of the requesting provider
• identity of the patient
• records requested
• date of the request

26
Whats Next

• Development of a Standard Patient Consent for the
  Disclosure of Health Records
• M.S. 144.292, Subd.8 Note This language may
  needed to be modified
• Not required to be used
• Must be accepted by health care providers
• Due January 1, 2008
• Foundation for Interstate, Standard Patient
  Consent for Disclosure

27
Thank You! - Questions

• Minnesota Department of Health
• Jim Golden, PhD
• Director, Division of Health Policy
• 651.201.4819
• james.golden_at_health.state.mn.us