Report on TMA Health Information Exchange Policy

Background on Health Information Exchange
Health information exchange or HIE initiatives means a collaboration among health care entities whose mission is facilitating health data exchange on a large scale. HIE has received significant national attention recently, starting with the 2004 directive from President Bush for interoperable electronic health records (EHRs) by 2014. This was followed by establishment of the Office of the National Coordinator for Health Information Technology (ONC) and its subsequent work toward facilitating a nationwide health information network. Other activity has included the Report from the Commission on Systemic Interoperability and federally and locally funded efforts to advance HIE throughout the country. During the past few years, more than 200 local HIE efforts have been initiated, though very few are fully functional. More recently, state-level initiatives have been formed through executive order, state legislation, state agency efforts, and grassroots efforts. The executive order by President Bush in April 2004 established, within the Department for Health and Human Services, a focal point to guide the transformation of the present paper-based health care system to one of interconnected health information technology. This Office of the National Coordinator for Health Information Technology (ONC) has spearheaded national efforts with a framework consisting of four principle initiatives:

• Inform clinicians;
• Interconnect clinicians;
• Personalize care;
• Improve population health.

Inform clinicians focuses on incentivizing adoption of electronic health records. To this end, the federal government is using its purchasing power to provide financial incentives for EHR adoption. One of many initiatives is leveraging purchasing power through the Federal Employees Health Benefits Program to engage health insurers in the push for clinician adoption of health IT. Through the Centers for Medicare & Medicaid Services, the government has contracted with state quality improvement organizations to provide education and information assistance to physicians who treat Medicare beneficiaries.

The federal government is leveraging technology resources and knowledge within its own operations to identify standards and processes that facilitate interoperability. Health and Human Services, the Agency for Health Research and Quality, and others are awarding grants to facilitate development of data and data architecture standards. One of these grants has been awarded to the Certification Commission on Health Information Technology (CCHIT) to develop and implement standards and testing protocols to certify compliance with these standards for electronic health records in ambulatory care. To date, CCHIT has certified 37 commercial EHR products.

The second principle - interconnect clinicians - involves the fostering of regional collaborations, developing a national health information network, and coordinating federal health information systems. It is this second principle for which the policy statements are offered.

Efforts to develop regional organizations for exchange of clinical data are accelerating. In Texas, the most significant effort is the North Texas RHIO project which includes the Tarrant and Dallas County Medical Societies and the DFW Hospital Council. There also are RHIO activities in Tyler, San Antonio, Austin, Goliad, and Houston.

Pursuit of HIE initiatives have occurred at the state level with active involvement of the executive and legislative branches of state government. Governor Perry has issued an executive order for a Texas Health Care System Integrity Partnership, a decision-making body for development of a Texas Health Care System Integrity Authority (THCSIA). The proposed THCSIA will be a public-private organization with three goals:

1. Deliver safer, higher quality care in a more cost-effective way by empowering consumers with information about the price and quality of healthcare available to them;
2. Develop standardized electronic health information infrastructure; and
3. Foster a robust small-employer health insurance market.

Payers are very interested in this initiative and many seek opportunities to access clinical records to facilitate their ability to reduce costs.

HIE-Related TMA Policy
The recognition of this growth in HIE interest has hastened the need for TMA to have policy related to the functioning of these organizations. Current TMA policy states:

265.012     Health Information Technology .  The Texas Medical Association (1) supports legislation and other appropriate initiatives that provide positive incentives for physicians to acquire health information technology (HIT), (2) pursues legislative and regulatory changes through its activities in the federation to obtain an exception to law that permits hospitals and other entities to provide financial assistance to physicians purchasing HIT, and (3) support initiatives to ensure compatibility among all HIT systems (Amended Res. 402-A-05).

105.019     Principles for Protection of Medical Record Privacy . In developing privacy legislation, Texas Medical Association adheres to the following principles for protection of medical record privacy:

(1) Medical information privacy protections should follow the information. Any requirements for the handling, including transmission, of medical information should apply to any entity in possession of or with access to such information regardless of the form in which the information exists or is transmitted (paper, electronic, etc.) Any penalties for the misuse of such information also shall apply to any entity violating privacy laws or regulations.

(2) Employers should not have access to individually identifiable medical information regarding employees. While it is reasonable for employers to receive aggregate information regarding their employee health care utilization and expenditures, they should not have access to individually identifiable information regarding the health care conditions or treatments of their employees, except for legitimate employee health and safety purposes with appropriate privacy safeguards.

(3) Medical information should not be used for nonmedical purposes without the informed and noncoerced consent of the individual involved. The increasing horizontal and vertical integration of the financial services sector of the economy may provide nonmedical entities with access to individual's medical records. These organizations, such as financial institutions and credit reporting entities, should not use individuals' medical records without their informed written consent. Treatment through or membership in a particular health plan should not be contingent upon release of such information against a patient's will.

(4) Medical information should be carefully defined and should include prescription drug information. Records made through the purchase of prescription medications can reveal the medical condition of an individual. For this reason legislation should clarify that prescription drug records are considered protected medical information.

(5) Consideration should be given to special protections for "sensitive health information." Certain conditions, such as HIV, sexually transmitted diseases, psychiatric conditions, and domestic violence, are particularly sensitive and may require special protections. Such protections may include complete prohibition of disclosure outside certain circumstances or additional consent for disclosure.

(6) Consent for the use or release of medical information should meet specific standards. Individuals, and in some cases treating health care professionals, should be required to provide informed consent regarding the use or transfer of medical information. Standards should be established to ensure such consent is understandable and clearly communicated. Individuals should be required to give consent in order to purchase insurance coverage or receive medical treatment or payment for that treatment.

(7) Research activities should be protected, but not at the expense of individual privacy. Information should be required to be deidentified in an acceptable manner to support legitimate clinical research without unnecessary risk to the patient's privacy.

(8) Penalties should be severe and readily enforceable. Databases are extremely valuable in today's marketplace. Given the potential financial gains from selling medical information, penalties must be severe to deter these lucrative activities. There should be clear enforcement directives and the ability of an individual to seek redress in the courts should enforcement measures prove inadequate.

(9) Patients should have the right to their medical records. Patients should have the right to inspect and obtain copies of their medical records except for that information which, in the opinion of the health care professional, would cause harm to the patient or to others (TF Rep. 1-A01).

Overarching Principles for HIE Operation
The following recommendations are consistent with current TMA policy:

1. Patient safety, privacy, and quality of care are the guiding principles of all HIE efforts; cost reduction and efficiency are expected byproducts.

2. Texas Medical Association is a professional organization for physicians and as such recognizes that some parts of patients' medical records represent intellectual property of the physician. HIE efforts should recognize that the physician's work product has value for which he or she has intrinsic ownership, and therefore may control its use. Patient records are the documentation of interactions between physicians and patients. Patient privacy protections that traditionally exist in the patient-physician relationship continue to apply where health information technology is utilized. Physicians must uphold their responsibility to protect and secure all information related to the sacred patient-to-physician relationship.

Rationale : A medical record is a tool of the physician which aids his or her treatment of a patient. Thus, it is the physician's work product and owned by the physician. However, the information belongs to both the physician and the patient. TMA policy supports patient access to copies of the record. "(9) Patients should have the right to their medical records. Patients should have the right to inspect and obtain copies of their medical records except for that information which, in the opinion of the health care professional, would cause harm to the patient or to others (TF Rep. 1-A01)." Note that patients do not have the right to possess their original record. This is consistent with current Texas and federal law. On behalf of its physician members, TMA should be able to develop a list of the things that should and should not be included in health information exchanges.

3. Patients have the right to withhold information. A notice to users that the record is incomplete may be provided when information is withheld from transmissions.

Rationale : As HIT efforts move forward on both the governmental and private fronts, TMA policy requires that if the information is utilized for purposes other than treatment, the patient controls the use of their record. From existing TMA policy: "Medical information should not be used for non-medical purposes without the informed and non-coerced consent of the individual involved. The increasing horizontal and vertical integration of the financial services sector of the economy may provide non-medical entities with access to individual's medical records. These organizations, such as financial institutions and credit reporting entities, should not use individuals' medical records without their informed written consent. Treatment through or membership in a particular health plan should not be contingent upon release of such information against a patient's will."

4. Patient privacy and confidentiality shall be maintained in all HIE efforts by using secure systems and transmission methods.

5. Patients must have complete control over all uses of individually identified medical data. Except for emergencies, their medical data must not be disclosed or disseminated to others without patient consent.

Rationale : There should be no ambiguity in the purpose of a Health Information Exchange. It should be developed and operated in a manner that is focused on patient safety and quality of care. While there are expectations of cost savings, the cost savings should flow from the reductions in duplicated or unnecessary services, reductions in adverse outcomes, and overall improvement in health.

The public as a whole is deeply concerned about the protection of medical records and privacy issues. They are concerned that information will change hands in ways that violate their desire for privacy. It is largely recognized that consumers, if not strongly assured that their clinical information will be protected, will prohibit progress toward the better use of information technology. Physicians have long been trusted with personal health records and should maintain the responsibility of ensuring patient privacy. Accordingly, it is critical that the HIE and all who exchange information with it are focused on security of data transmission and storage. Additionally, patients today have the right to grant or withhold permission to forward their medical records to others. In the paper-based world, it is common to obtain releases from patients to transfer records or to exchange information about the patient among physicians and other clinicians or ancillary systems involved in patient care. In the electronic world, where enormous amounts of data could be transferred with a keystroke (whether they are relevant or not to the matter at hand), the systems need to respect the rights of patients to control who sees their information - and physicians should facilitate that interaction. At the same time, a physician receiving an electronic record has the right to know whether the record transferred is incomplete, to ensure patient safety and engage the patients fully in decisions about their care.

Finally, clinical data that is unrelated to payment, treatment, or operations of a medical practice may be transferred only if all patient identifying information is removed or if the patient grants permission for release of this information. This requirement is consistent with current statute and will be essential to gain the trust of patients to allow data to be shared.

Interoperability Standards

6. Open standards for the interoperable electronic transmission of clinical data should be mutually acceptable to the medical community and compatible with national and regional standards.

Rationale : The goal of an interconnected future will not be achieved without the ability of computers to receive and act on information received from many other computers. The development of standards that lead to such interoperability is a fundamental requirement for the technology-assisted future. The use of such standards must be ubiquitous, however, for the goal to be attained. To maximize the emergence of interoperable systems, the architecture and data elements that are required to enable them must be widely available, at minimal or no cost, and acceptable to stakeholder communities.

Foundational Principles for HIE Participation

7. Participation in the HIE should be the default. Participants should be able to withdraw upon reasonable notice.

8. Any costs of supporting systems providing health information technology incentives to physicians should be borne by all stakeholders, clearly defined, fair, simple to understand, accountable, and should support the financial viability of the considered practice.

9. To assure HIE activity remains focused on the patient interest, HIE governance must be representative of and responsive to the needs and concerns of stakeholders, with particular attention to the concerns of physicians and patients.

Rationale : The HIE must have the trust of the patient or its ability to achieve its purposes will be significantly impaired. By extension, the physician also has to be comfortable that the HIE operates in a way that protects patient information. If no one can be forced to participate in the HIE effort, the entity will have to be trusted in order to gain participation. Similarly, the HIE entity will need to have the right to exclude participants who are not prepared or willing to incorporate basic privacy and security provisions within their operations. To achieve this trust, the governance of the HIE must represent all of the stakeholders with trusted authority. While most HIEs will include clinicians, payers, purchasers, and patient representatives, clinician participation should be a requirement.

10. In order to protect the interest of patients, an HIE must define how and whether it will share information for public health research and surveillance and evaluation of health care quality. When it chooses to allow these uses, it must require that patient information be de-identified unless informed consent has been obtained and can be documented.

11. The HIE must be designed and function to enable and enhance coordinated collaboration for improving health and patient safety. Consideration should be given to special populations who are otherwise incapable of representing themselves (children, disabled, uninsured, homeless, aged, etc.).

12. The patient's Social Security number will not be used as the de facto unique patient identifier.

13. Patient data must be transmitted over a secure network, with provisions for authentication and encryption in accordance with eRisk, HIPAA, and other appropriate guidelines. Standard e-mail services do not meet these guidelines. HIE participants need to be aware of potential security risks, including unauthorized physical access and security of computer hardware, and guard against them with technologies such as automatic logout and password protection.

Rationale : Protecting the privacy and security of sensitive patient information is fundamental to the mission of the HIE.

14. HIE operations will not modify original patient data in any way.

15. The HIE must have a means to audit, track, and use reasonable efforts to assure the integrity of all entities or individuals engaged in receiving and converting transaction data.

16. Dissemination of information identifiable with a specific patient is permissible only when the patient provides express permission to do so. Dissemination of information written by a physician is permissible only when that physician provides express permission to do so.

17. The HIE should maintain and enforce strict conflict of interest policies that require members to disclose all possible conflicts of interest, to recuse themselves from deliberations on matters in which they have a conflict of interest and to abstain from voting on such matters. The HIE must further maintain financial transparency in its operations, acknowledging all material sources and uses of funds.

Rationale : The HIE must assure its information can be relied upon. Its processes assure that information exchanged is from secure, known sources and that any information released is done so properly with an audit trail to assure this is so. To maintain the public trust - and the trust of physicians - the HIE must be free of conflict of interests and its financial operations must be transparent.

18. State support for HIE is important. However, state government's primary role should be to foster coordination of HIE efforts, including providing access to funding or other financial incentives that promote the adoption of health information technologies.

Rationale : State government is a stakeholder in health care in important ways: as payer, employer, provider, public health, policymaker, regulator, and licensing entity for physicians and health care providers. A state can leverage its marketing power as a large payer to foster a uniform approach to negotiating with national organizations in conjunction with or on behalf of communities within the state. States' responsibility for health care goes beyond financing individual care. States have an imperative to ensure availability and quality of health care for a number of different groups (e.g., Medicaid recipients, persons with disabilities, the elderly, children, the underserved, public health). As is the case with public infrastructure, law enforcement, education, and a broad range of other social goods, states invest in the long-term health of all their citizens. Governments typically support infrastructures and fund research and development as public goods. States are arguably in a unique position to improve health care as their citizens migrate among delivery sites and payment structures. States regulate the health care sector in a number of ways: broad policy setting, licensure, implementation and enforcement of regulations, and incentives tied to financing. These roles offer opportunities for promoting public objectives related to HIE statewide and for removing barriers to HIE. The state's public health function and its relationship to county and local health departments put it in a unique position to spur appropriate HIE among physicians, providers, and public health departments for the biosurveillance and detection of bioterrorism, disease outbreaks, and pandemics so that early response can be initiated. Public health departments often already are collecting data (such as immunizations), so they could be valuable sources of data for HIE purposes. Last, but not least, states are in an exclusive position in the intergovernmental system between the federal government and local communities. They have a special role in representing their residents in interactions across their communities, with their neighboring states, and with the federal government.

19. TMA physicians should support partnerships with nongovernmental entities developing HIE solutions with minimal mandates, but only where it leads to physicians' stewardship of the data they produce, and patients' control over data that may identify them.

Rationale : Outside of state government's interactions with HIE initiatives, there will be market-based activities. TMA should support efforts that ultimately lead to ownership of data by patients and physicians. This requirement can be superseded where permission to disclose information is granted by the patient.

Recommendation : Adopt the proposed policy statements to address key principles in the association's health information exchange efforts.

TMA House of Delegates: TexMed 2007