Executive Summary

Introduction

Established in June 2006 by RTI International through a contract with the U.S. Department of Health & Human Services (HHS), the Health Information Security and Privacy Collaboration (HISPC) originally comprised 34 states and territories. As phase 3 of the HISPC began in April 2008, HISPC expanded to comprise 42 states and territories and aims to address the privacy and security challenges presented by electronic health information exchange through multistate collaboration.

Each HISPC participant continues to have the support of its state or territorial governor and maintains a steering committee and contact with a range of local stakeholders to ensure that developed solutions accurately reflect local preferences.

Background

In the first phase of the project, the 34 teams followed a defined process:

1. Assess variations in organization-level business policies and state laws that affect health information exchange,
2. Identify and propose practical solutions while preserving the privacy and security requirements in applicable federal and state laws, and
3. Develop detailed plans to implement solutions.

In the second phase of the project, the 34 teams selected a foundational component of their larger implementation plan to be completed in a 6-month timeframe. During this time, additional participation was sought for the HISPC's third phase, and new states and territories joined the original HISPC teams to review high-priority areas where multistate collaboration could foster the development of common, replicable solutions.

The third phase, which began in 2008, comprised seven multistate collaborative privacy and security projects focusing on analyzing consent data elements in state law; studying intrastate and interstate consent policies; developing tools to help harmonize state privacy laws; developing tools and strategies to educate and engage consumers; developing a toolkit to educate providers; recommending basic security policy requirements; and developing interorganizational agreements.

Each project is designed to develop common, replicable multistate solutions that have the potential to reduce variation in and harmonize privacy and security practices, policies, and laws. A cross-collaborative steering committee has been established for Phase 3 to facilitate knowledge transfer among collaboratives and identify points of intersection.

Participating states and territories are summarized in the table below, and a description of each project follows.

	Participating States and Territories
Collaborative	Number	Abbreviations
Consent 1 – Data Elements	11	IN, ME, MA, MN, NH, NY, OK, RI, UT, VT, WI
Consent 2 – Policy Options	4	CA, IL, NC, OH
Harmonizing Privacy Law	7	FL, KY, KS, MI, MO, NM, TX
Consumer Education and Engagement	8	CO, GA, KS, MA, NY, OR, WA, WV
Provider Education	8	FL, KY, LA, MI, MO, MS, TN, WY
Adoption of Standard Policies	10	AZ, CO, CT, MD, NE, OH, OK, UT, VA, WA
Inter-Organizational Agreements	7	AK, GU, IA, NJ, NC, PR, SD

Consent 1 - Data Elements

The primary goals of the Consent 1 - Data Elements collaborative are to

• establish a model for identifying and resolving patient consent and information disclosure requirements across states; and
• develop a foundational reference guide that describes and compares the requirements mandated by state law and any known regional or local consent policies and practices in each participating state.

The collaborative will focus on mandated (state law and regulation) requirements pertaining to consent and disclosure of health information needed in 3 high-priority treatment and/or public health scenarios. By clarifying and documenting consent requirements, the team will work to enable increased interstate electronic health information exchange.

Consent 2 - Policy Options

The primary goals of the Consent 2 - Policy Options collaborative are to

• identify the different consent approaches within and between states; and
• propose policy approaches for consent that facilitate interstate electronic health information exchange.

The collaborative will research the technological, public policy, and legal aspects of intrastate and interstate consent issues, produce tools for other states to use as they develop strategies for adopting consent policies, and provide policy recommendations for nationwide consideration.

Harmonizing Privacy Law

The primary goal of the Harmonizing Privacy Law collaborative is to

• advance the ability of states and territories to analyze and reform, if appropriate, their existing laws related to health information exchange.

The collaborative will develop a common subject-matter taxonomy (a classification of laws based on subject matter categories) to analyze existing laws and identify key areas that require revision of existing law or the adoption of new law. The common taxonomy will provide a framework for comparison, analysis, and, where appropriate, reformation of state laws related to health information exchange.

Consumer Education and Engagement

The primary goal of the Consumer Education and Engagement collaborative is to

• develop a series of coordinated, state-specific projects that focus on targeted population groups to describe the risks and benefits of health information exchange, educate consumers about privacy and security regarding health information exchange, and developmessaging to address consumer privacy and security concerns.

Collaborative products will address the different needs of urban and rural populations, varying literacy levels, and people with special health concerns. These products will also provide a range of materials for states and territories to adapt to meet their own needs.

Provider Education

The primary goals of the Provider Education collaborative are to

• create a toolkit to introduce electronic health information exchange to providers; and
• increase their awareness of the privacy and security benefits and challenges of electronic health information exchange.

The collaborative plans to work with professional medical associations, societies, and educational organizations that represent or serve providers; develop materials, tools, and techniques to better engage providers; raise their interest in electronic health information exchange; and address their privacy and security concerns.

Adoption of Standard Policies

The primary goals of the Adoption of Standard Policies collaborative are to

• develop a set of basic policy requirements for authentication and audit; and
• define an implementation strategy to help states and territories adopt agreed-upon policies.

Through its work, the collaborative will develop processes to help establish trust and bridge the policy differences between health information exchange models.

Interorganizational Agreements

The primary goals of the Interorganizational Agreements collaborative are to

• develop a standardized core set of privacy and security components to include in interorganizational agreements.
• execute said agreements and exchange data through cross-state pilots, wherever possible.

The collaborative plans to identify, and resolve by agreement between states and other entities, those privacy and security practices, procedures, and laws that pose challenges to the interstate exchange of health information.