CalHHS DxF Stakeholder Advisory Group - Data Sharing Agreement Subcommittee Meeting Series - Shared screen with speaker view
Ashish Atreja
23:25
I have joined with Dr. Atreja's link - sorry about my confusion
Kevin McAvey
27:43
Please find all draft materials on our website: https://www.chhs.ca.gov/data-exchange-framework/
Kevin McAvey
27:48
To receive updates on the development of the Data Exchange Framework, email CDII@chhs.ca.gov.
Ashish Atreja
32:18
could you just remove that word - and say that the data gap impacts disproportionately
Ashish Atreja
36:08
Access to the data seems appropriate if we can accurately identify the patient - I think the privacy groups will have significant concern over a state controlled central repository vs federated data exchange and access
Jenn Behrens
39:22
My “concern” or area in which I believe we should be particularly mindful is there is a greater implication of privacy risk to individuals from increased exchange/storage of data which could facilitate inappropriate surveillance and decision-making.
Lee Tien
39:57
I agree with Jenn Behrens’ point on privacy (and security, too)
Ashish Atreja
40:30
principle 5 seems to speak (or not speak) to centralized storage of data
Lee Tien
41:00
As well as Ashish Atreja’s comment re “significant concern over a state controlled central repository”
Steven Lane
41:06
Meaningful and valuable access to and exchange and use of health-related data does not require or necessarily warrant the centralized consolidation of data with the associated privacy and security risks that this entails.
Kevin McAvey
41:11
DSA Members: thank you for your feedback on the principles, which remain under deliberation by the Stakeholder Advisory Group. If you have specific suggested edits to the principles, CDII would always appreciate your feedback. Please submit to the chat, to the CDII email, or via email to one of us directly. Thank you all!
Morgan Staines
41:12
Kevin, can't locate the Subcommittee Charter on the website
Kevin McAvey
42:21
Hi Morgan - Please scroll down to the DSA Subcommittee, click on "November 8, 2021", and the final two links are for the charter.
Kevin McAvey
42:31
Clean version: https://www.chhs.ca.gov/wp-content/uploads/2021/12/CalHHS_DxF-DSA-Subcommittee_Charter_v2_Clean_12.13.21.pdf
Lisa Matsubara
43:44
On principle 4 - we will need to be mindful of protecting the privacy of minors and others who may not want information about certain sensitive health care services to their "caregivers" or guardians.
Lisa Matsubara
44:06
accessible to them
Lee Tien
44:17
But if the standards are not legal, how binding are they?
Lee Tien
45:14
And how much can we assure patients that the standards will hold if they are not legally binding? We should be clear on the differences.
Ashish Atreja
45:19
I also believe there may be some conflict as we move outside traditional healthcare providers and organizations
Ashish Atreja
45:36
for what laws and standards are impacted
Lisa Matsubara
45:56
please see my comment above about "proxies"
Deven McGraw
46:19
We can make the requirement to adhere to exchange data using accepted international/national data standards part of the agreement.
Steven Lane
47:01
For the written record, we should determine where in the principles we can identify and acknowledge the needs and rights of legal representatives and authorized proxies to access, exchange and use health-related data on behalf of individuals.
Michelle (Shelly) Brown
50:59
While agnostic on the technology used to process information, we should encourage uniform standards for data structure and vocabulary
Lee Tien
53:00
In my privacy legislative work, we’ve seen policy makers be less than clear on distinctions between pseudonymous and de-identified data
Jenn Behrens
55:57
Agreed, Lee. Good point.
Steven Lane
56:10
Individual/proxy access should be called out specifically.
Steven Lane
56:31
Its role in each scenario is a bit different.
Michelle (Shelly) Brown
58:33
it should also promote access where exchange is not feasible - e.g. view only access
Steven Lane
59:14
Should add to this list the focused query for or push of specific (minimum necessary) data elements required to support the scenario/use case.
Steven Lane
01:00:39
+1 @ Shelly
Lee Tien
01:00:59
All these really heighten the need for access controls, robust authentication, data granularity, and audit trails, to bolster accountability.
Steven Lane
01:02:25
Those raised stakes are not specific to a centralized repository data model but will also apply with access to cloud-based data.
Lisa Matsubara
01:02:31
agree with Lee on importance of access controls
Ashish Atreja
01:04:49
assume Pub/Sub is related to event driven exchange?
Ashish Atreja
01:05:04
Like admit notifications?
Lee Tien
01:05:18
Minimum necessary is a great concept, but I worry about good mechanisms for implementing it.
Jenn Behrens
01:08:59
Perhaps going down a rathole, but it could be interesting to conduct a risk analysis applying the privacy-engineering discipline to identified workflows, such as the one highlighted in the NISTIR 8062…which could drill down on mechanisms/controls to tackle some of those concepts such as minimum necessary.
Steven Lane
01:09:11
HIPAA specifies certain exchanges where the exchange of Minimum Necessary is a requirement. Providers, at least, have decades of experience with this concept.
Rim Cothren
01:09:49
Yes, Michael (aka "Dr. Atreja"), at least my use of the term pub/sub in the slides would include a standing request for notifications, such as a PCP's request for ED admit notifications on their patient population.
Morgan Staines
01:11:40
The need for robust controls also raises questions about who exercises granular control. I.e., HIPAA permits but does not require most disclosures. When patient authorization is not required, will we assume that the disclosure should be made without the patient's voice?
Lee Tien
01:11:51
How is the system addressing patients who are in certain programs that are protective of their identity (e.g. domestic violence survivors)?
Michelle (Shelly) Brown
01:14:33
treatment to extend to school nurses and clinics not only for K-12 but also college- I realize this may also fall under use case.
Steven Lane
01:15:36
Yes Shelly. Treatment happens in all sorts of different settings that each have their own workflow and privacy issues to consider.
Elizabeth Killingsworth
01:16:01
To me it seems that some comments are suggesting that we extend the definition of Treatment beyond that found in HIPAA, is that actually what we are considering?
Michelle (Shelly) Brown
01:17:35
prior authorization for treatment
Deven McGraw
01:18:04
Not necessarily, Elizabeth - IMO we can still use the definition of HIPAA but just acknowledge that we may need to add purposes for social service sharing vs. assuming that “treatment” (based on HIPAA) would take care of it. Creating a more expansive treatment definition would be one approach - but we could also add purposes that assure sharing for meeting social service needs.
Ashish Atreja
01:19:55
where would SDoH fall in these categories - like housing or food insecurity
Steven Lane
01:20:09
I guess my question is are there services that are not being delivered or accessed because payment-related data exchanges cannot occur.
Elizabeth Killingsworth
01:21:59
From my perspective, HIPAA-defined TPO and public health would make an excellent floor. I don't object to including other items, but I would want to separate that (and possibly put them on a different timeline) from the "traditional" TPO definitions
Deven McGraw
01:23:06
I absolutely would not put individual/proxy access as “sub” to any other priorities. Not consistent with the vision as currently articulated, IMO
Ashish Atreja
01:26:53
Thanks
Deven McGraw
01:28:45
Definition of Health care operations includes the following (per HIPAA) includes a lot of activities. Not sure we want to mandate all of them.
Lee Tien
01:29:53
I share Deven’s concern about the breadth of the HCO def’n
Steven Lane
01:30:50
Providers broadly are anxious about and may be resistant to the required sharing of health-related data for all of these HCO uses.
Steven Lane
01:31:34
In particular, contracting and underwriting are HCO purposes that make providers concerned that data exchange could be used against them or their patients.
Michelle (Shelly) Brown
01:31:57
exchange of data, meaning it is sourced from other providers, should have a very limited role here.
Steven Lane
01:32:33
+1 @ Elizabeth
William (Bill) Barcellona
01:32:36
Providers are concerned that costs of sharing the broad information under the TEFCA definition of business operations could be significant, without generating much value to the healthcare system.
Michelle (Shelly) Brown
01:32:48
HCO - data is most relevant to an organization when it truly concerns their own internal operations, so I would support limited use cases here.
Steven Lane
01:34:31
Some HCO uses involve comparing one's internal operational data to similar (benchmark) data from other organizations. This has not historically been a required reason to access/exchange/use data.
Steven Lane
01:40:19
As with all of these exchange purposes, Public Health includes multiple specific use cases: Clinical Treatment, reporting, case investigation, research, resource planning, etc.
Steven Lane
01:40:44
+ contact tracing
Steven Lane
01:41:45
We also face the significant challenge in CA of different counties/jurisdictions making different requests/demands for data in different formats.
Deven McGraw
01:41:51
Lee is correct that public health defined in the HIPAA Privacy law is limited to sharing with public health authorities or their designees, for purposes relevant to allowing those authorities to do their jobs, essentially. But the issue of whether any recipient of data (public health or otherwise) is subject to appropriate controls regarding how they subsequently use and share information is something we should consider whether we can address as part of the agreement (i.e., agreement to abide by certain privacy & security safeguards even if not otherwise covered by law).
Steven Lane
01:44:05
While we are attempting to identify where we might do something important and innovative in CA let's consider requiring that exchange for Public Health purposes be bidirectional - allowing providers, individuals and perhaps payers and/or researchers to be able to access data collected and maintained by Public Health.
Lisa Matsubara
01:45:20
We should consider private third-party contractors that a public health agency contracts with for PH purposes and what those contractors can do with regard to retention and use of the data they collect
Steven Lane
01:45:46
Short of innovating in the space of Public Health exchange, let's take this opportunity to raise the floor so as to get all PH jurisdictions across the state up to using modern technologies to exchange and use core data for core purposes.
Michelle (Shelly) Brown
01:47:06
research
Michelle (Shelly) Brown
01:52:09
yes - broaden to include determination of eligibility by local governments - county and city
Elizabeth Killingsworth
01:52:45
I would not mandate research, permit, yes, but not mandate
Steven Lane
01:54:32
Agree that Research uses should be permitted and supported by whatever we put in place at a statewide level, but not required.
William (Bill) Barcellona
01:55:45
I agree with Belinda's points as well. If it is at least permitted that would help establish the floor that Steven was proposing in order to standardize public agency capabilities.
Steven Lane
01:56:04
Research may be public or private, clinical or business-focused.
Elizabeth Killingsworth
02:01:33
Are we, as a group, comfortable with permitting any exchange allowed by law with a narrower list of required exchanges or does anyone wish to limit the permitted purposes further?
Michelle (Shelly) Brown
02:02:07
directly related to the principles to detect and address gaps
Lee Tien
02:06:07
My understanding of public attitudes toward research these days is that the public is more suspicious that “research” is somewhat euphemistic for profitable pharmaceutical research regardless of patient objections.
Michelle (Shelly) Brown
02:06:30
agree
Ashish Atreja
02:07:08
agree, need to determine where the line of optionality lies
Lisa Matsubara
02:07:10
agree
Deven McGraw
02:07:47
Agree with @Elizabeth
Steven Lane
02:08:11
No need to enumerate exchange purposes already permitted by others.
Steven Lane
02:08:32
Research data is NOT always deidentified.
Elizabeth Killingsworth
02:08:42
My goal is the cleanest, easiest to understand document that we can possibly have.
William (Bill) Barcellona
02:09:09
Agree with Elizabeth's point.
Michelle (Shelly) Brown
02:09:14
Agree with @Elizabeth... makes the agreement much simpler... the data needed for use cases can be tailored in a policy and procedure
Steven Lane
02:09:30
Much data required to support research done under the Common Rule is specific to the individual research subject.
Jenn Behrens
02:09:57
Regarding individual access - there are limitations to some records by agencies we are including in this framework for legal, policy and protective reasons - such as certain records by social services
Steven Lane
02:11:52
We should point to the Information Sharing requirements of the ONC Cures Final Rule specifying that (1) providers (2) health information networks/exchanges, and (3) developers of certified HIT MUST exchange data upon request if that access is allowed by HIPAA.
Ashish Atreja
02:12:10
the other aspect of consent is whether it can be conveyed to another organization - in current exchange - data may move from one provider to another and then a 3rd - with provenance - might need to agree to how much that consent moves from org to org in a particular TPO dynamic or other?
Steven Lane
02:14:01
Jennifer - You are doing a great job moderating. Thanks!
Steven Lane
02:15:41
How can we support and advance reciprocal exchange if these other entities are not also required to participate?
Steven Lane
02:17:23
Can we create some incentives for the non-required entities to sign on?
Deven McGraw
02:17:28
Should be a quid pro quo - if you want the benefits of accessing through the network, you have to be willing to share back, subject to any legal constraints
William (Bill) Barcellona
02:18:03
Agree with Deven's point. Wouldn't that help facilitate CalAIM for example?
Steven Lane
02:19:20
The technology hurdle here is really quite low. Anyone with a charged device and Internet access can participate with a low barrier to entry.
Ashish Atreja
02:19:24
Really need to understand patient identity - matching amongst organizations - could be required to exchange, but tighten the patient matching logic to make it almost impossible to find a match - and exchange - may need to weigh in on identity and matching to ensure the reciprocal exchange
Steven Lane
02:19:42
We are no longer limited to 20th Century Big Iron technology solutions.
Steven Lane
02:21:23
This is California, for goodness sakes. Let's get some simple apps out there to support low budget stakeholders to participate in standards-based federated exchange. The technology solutions are readily available.
Michelle (Shelly) Brown
02:23:00
CIEs can serve to fill the gap between sophisticated EHR used by a Covered Entity and a CBO that operates off an Excel spreadsheet. But requiring a CBO to provide data exchange rather than allow them access will deter adoption.
Lee Tien
02:27:19
Is there any way to get the broadband infrastructure $$ to involved local entities?
Steven Lane
02:30:18
If we are to support closed loop referrals between CBOs and providers the CBOs will need to be willing to send as well as to receive data. This data exchange can be skinny at first but will be revolutionarily impactful.
William (Bill) Barcellona
02:31:04
I agree with Shelly's verbal comments. CalAIM has incentive dollars, for example that would allow smaller providers to ultimately participate in data exchange, after a period of data access.
Steven Lane
02:33:55
This architecture appears to be consistent with how this is being addressed through Carequality today as well as by TEFCA, as we expect it to function in the coming year.
William (Bill) Barcellona
02:35:29
I like your approach Jennifer. I assume that you would include a governing body that would periodically address the need for updates to the P&Ps. Perhaps more than one body, based on differing areas?
Steven Lane
02:37:16
P&Ps in particular will need to have a rapid amendment/update process to respond to changing needs and technology.
Lee Tien
02:41:07
This may be a very dumb question. Who, if anyone, can enforce the DSA? What does the enforcement process look like?
Steven Lane
02:44:47
Thank you all and HAPPY HOLIDAYS!!
Morgan Staines
02:44:47
Lee, that's a fine question. Not a dumb one at all.