Definition of “Health and Social Services Information” is as follows:“Health and Social Services Information” shall mean any and all information received, stored, processed, generated, used, transferred, disclosed, made accessible, or shared pursuant to this Agreement, including but not limited to: (a) Data Elements as set forth in the applicable Policy and Procedure; (b) information related to the provision of health care services, including but not limited to PHI; and (c) information related to the provision of social services. Health and Social Services Information may include PHI, PII, de-identified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), anonymized data, pseudonymized data, metadata, digital identities, and schema.

Once the USCDI+ (“USCDI Plus”) effort bears fruit, it is anticipated to define data classes and elements specific to Public Health (and CMS) beyond those data already included and defined in the core USCDI.

Practices is defined as any act or omission.

Completely agree with Matthew Eisenberg's point

Also endorse Matt’s suggestion to identify and close gaps in the federal rules, and be prepared to modify our state guidance if/when the federal rules expand to cover gaps we have addressed.

I see Helen's point - we have a data sharing requirement - which the federal info blocking rules had to establish - so focusing on what is permissible in terms of withholding or creating obstacles to info blocking - may get us further down the road. Question then is whether we just refer to the federal Info blocking safe harbors or create our own here.

@ Deven I would say to refer to the federal info blocking safe harbors

There are already CA state laws that provide additional exceptions to federal information blocking prohibitions; witness the recent SB1419.

https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202120220SB1419

The Federal Regulations define harm as physical harm. I wonder if this definition applies to Social Service Information?

The information blocking requirements and examples arise to avoid numerous practices that have impeded sharing. One can either define in great detail what proper exchange is, or one can define in detail what are inappropriate practices in exchange. I think, either way, this P&P will need that level of detail to avoid repeating history.

@Steve, I would think an exception based on meeting state law requirements would fit under the privacy safe harbor.

@Steven (correcting typo)

ONC has a very helpful FAQ regarding the definition of Substantial Harm: https://www.healthit.gov/faq/which-patient-access-cases-does-preventing-harm-exception-recognize-substantial-harm

Louis Cretaro commented -I think the Child Welfare Programs would have disclosure issues to be considered as well - this brings up a good point...How do we know when the parent or guardian has had their rights removed and now sits in the hands of a ward of the court?

@Lee, under the federal laws, the. privacy safe harbor allow an entity to decline t share data where the patient has requested it be withheld. But the info blocking rules do not create a right for the individual to block information from being shared.

@Deven I was looking at the (b) sub exception in this document, which includes the individual requests in (b)(1) -- perhaps I’m misunderstanding?

Very important point @Deven. The rules allow a data holder to block data based on a patient’s request, but does not require this.

This is important, as it is likely impossible to reliably block all access to data release in the setting of electronic data.

@steven, if the patient doesn't know about it, they won't be able to make the request, is my concern

That sounds more appropriate Helen...

Again, perhaps this P&P should be AIMED at those actors within the DxF that are NOT covered by the Federal Information Blocking regulations?

@Matthew, I would agree

@Matthew, I agree

Matthew's suggestion makes sense to me, too

@Diana - Your point about Public Health Depts/Agencies that fall into the Provider Actor category under Federal Law is important and complex, particularly as we capture more social determinants of health data.

I will also add, as I regularly do, that the state IPA applies to state-level agencies but not local gov't so the rules are not standard within CA

This language seems entirely unnecessary.

+1

+1

+1

Agree Helen -

+1

+1

Feels like we could shorten this to be "follow applicable law" and to the extent you are following applicable law

Agree @Deven

+1 Deven

In my mind/practice, the real, biggest challenges with Privacy come down to State Law regarding adolescent privacy and State and Federal Law regarding Mental & Behavioral Health/Substance Use Disorder care. I would now add information about reproductive health. These will continue to remain the biggest challenges to a CA State DxF.

agree with Matthew

agree with Matthew

@Louis - Interesting point. I guess we could use patient by patient or person by person basis?

One reason why it seems feasible to do federally is that HIPAA permits so much data sharing without the need to first obtain consent

This will be very difficult to actually operationalize? What time frame is specified? Will we revisit the request to opt-out of information sharing at each encounter/touch point?

It seems we need to move on to Monitoring and Auditing.

+1 @ Matthew

Agreed. This one need a redo and we can revisit?

I agree Helen!

Agree Helen

+1

Glad to hear that the team is taking our feedback to heart and will come back with another draft. Thank you!

Second that Leo.

Good question Leo!

What does bi-directional access look like....

QHIOs should be able to provide an inventory of participants without transferring that annual burden to all participants. Why would we add this burden to all participants?

Is this section legally enforceable? I'm not a lawyer. (a) All Participants shall, with advance written notice and during regular business hours, make their internal practices, books, and records relating to compliance with the DSA available to the Governance Entity for purposes of determining the Participant’s compliance with the DSA.

you beat me to that question Matthew

Is this section legally enforceable? +1 Matthew

@matthew, yes because the DxF agreement that entities sign obligates them to comply with the P&Ps.

One lawyer's opinion 🙂

@Devin - Appreciate your opinion but I think this will give many health care organizations pause to signing the DSA?

@matthew, that's clearly where the government's authority to enforce the DXF agreement signing mandate comes into play....

@Matthew, how would you otherwise facilitate compliance across all signatory entities?

@Deven - I understand the need for a Governance Entity to monitor compliance. I just think the need to access "their internal practices, books, and records relating to compliance with the DSA" is vague and may be overly broad?

@Matthew, it's language pretty consistent with the government's authorities under hIPAA -- but would be interesting to see whether it is present in common network agreements like CareQuality, Commonwell, and California's versions of same.

Matthew has a point, and inquiry of that type can be burdensome. Can the Governance Entity not assess compliance by outcomes?

At a minimum the governance entity should have to protect and keep those documents confidential and limited us for examination of compliance purposes.

Minor earthquake over here...

5.1 at 11:42

Here in Walnut Creek as well.

did not feel it in Berkeley

Felt in Alameda

+ in Palo Alto

Hope everybody is ok - I missed this one as am on the East Coast this week.

Yikes. Hope everyone's safe.

On webinar - it was felt in east and south bay

Magnitude 5.1 in Santa Clara Co.

Is there an assumption that participating Social Services Organizations would be using a QHIO/HIO? Not my assumption.

Rim - In practice, there are other methods for sharing Event Notifications (e.g. DIRECT messaging or ITI-41 push) rather than HL7 v2 - so why is this required for QHIO exchange? "Acute care hospitals and QHIOs must use HL7 v2.x ADT messages to send/exchange notifications." We don't send ADT messages to every CA State HIO.

The Gravity Project has developed a Reference Implementation for exchange by FHIR API for those who lack FHIR servers.

https://www.hl7.org/gravity/

I'm routinely reminded that Carequality is a FRAMEWORK rather than a network. Subtle point.

Apologies but I need to drop 30 minutes early. As Steven notes, I will be attending the eHealth Exchange meeting on Thursday 12/15 and will NOT be able to join that date's Committee Meeting. Thanks for the opportunity to participate.

+1 Matt. Carequality today, and TEFCA in the future are the nationwide interoperability frameworks that allow the networks, HIE/HIOs and others to exchange data between themselves.

I think we should try to align with the TEFCA FHIR Roadmap.

Thanks, Matt. I continually forget that Carequality is not a "network", but would still consider them under this "class" and will try to adjust my language.

Absolutely agree that we need to accommodate FHIR-based exchange, as many newer entrants to the digital health and interoperability landscape are developing only in FHIR due to the cost of building multiple versions.

To meet CMS Patient Interop requirements, we have invested significantly in FHIR capabilities. To Leo's point, we would hate to have to build out older technologies when we feel we invested for the future.

Payers and providers are both required to make Electronic Health Information available in response to FHIR queries.

As noted, the real value of notifications is that they give the recipient the opportunity to respond with a request for additional information when appropriate. Notifications in the absence of an automated process to request current information is of limited benefit.

Recipients/subscribers should ideally be able to specify how they would like to receive their notifications - V2, Direct, FHIR push, etc.

Can we place move to slide 48?