Logo

CalHHS DxF Stakeholder Advisory Group - Data Sharing Agreement Subcommittee Meeting Series - Shared screen with gallery view
Lane, Steven MD MPH
27:14
https://rce.sequoiaproject.org/common-agreement/
Lane, Steven MD MPH
27:27
https://www.healthit.gov/buzz-blog/interoperability/321tefca-is-go-for-launch
Lane, Steven MD MPH
27:39
https://www.healthit.gov/topic/interoperability/trusted-exchange-framework-and-common-agreement-tefca
Lane, Steven MD MPH
29:46
https://www.hhs.gov/about/news/2022/01/18/onc-completes-critical-21st-century-cures-act-requirement-publishes-trusted-exchange-framework-common-agreement-health-information-networks.html
Jenn Behrens
35:57
RE: TEFCA - I agree that we should review and consider but that we should not require compliancy with TEFCA
Lane, Steven MD MPH
39:21
A lot of work is ongoing to develop standards to be able to provide individuals with granular control over access to specific (sensitive) health information. The supporting technology for this work is in its infancy.
Lane, Steven MD MPH
39:49
See specifically: https://www.drummondgroup.com/pp2pi/
Deven McGraw
40:07
Good points from Lisa M re: “patient representatives” which at a minimum, under law, should be limited to persons legally authorized to make medical decisions. Absolutely need to consider the adolescent use case.
Lane, Steven MD MPH
42:25
There are multiple critical use cases beyond adolescents and reproductive rights. These are being teased out through the PP2PI effort, which is likely to become a formal FHIR accelerator under HL7 and ONC to advance the technical tools necessary to support this important need.
Elizabeth Killingsworth
42:57
I have concerns about opening this up beyond individuals/proxies without a uniform, established consent process. I would recommend that such an expansion, especially as a requirement instead of an optional exchange, be considered at a later time
Jenn Behrens
43:03
The recent ONC LEAP grants looked at some of these use cases and technical feasibility
Ashish Atreja, MD, UC Davis Health
43:25
Overall, I totally agree with the approach of us keeping federal initiatives and specifications in mind as we draft data exchange agreement for CA so a) we are not in conflict b) leverage and build upon work already done rather than duplicating the effort and c) make it easy for organizations who have to comply with Federal mandates (across state data exchanges etc) in addition to California mandates.
Deven McGraw
46:36
+1 to Elizabeth - Individual access should be defined to include individuals and their legal proxies.
Lane, Steven MD MPH
48:07
Agree with Elizabeth and Deven, but want to assure we address the challenge of adolescents and others who share their individual access credentials with their proxies, as this presents a REAL challenge in efforts to actually protect privacy in the real world.
Deven McGraw
48:43
Administrators/executors - if they have the right to obtain records of a deceased person under state law, then they are essentially legal proxies (at least per HIPAA).
Lane, Steven MD MPH
50:08
https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2784190 - Inappropriate Access to the Adolescent Patient Portal and Low Rates of Proxy Account Creation, 9/16/2021
Lane, Steven MD MPH
51:29
As a family physician I can tell you that family members regularly access patient portal information and message providers using the individual's logon credentials.
Elizabeth Killingsworth
51:37
I do agree that the adolescent question is a very difficult, but important, one. I also do not have a great answer for it. In other contexts, I have seen entities respond by simply never including the sensitive data in the initial response. There are obviously issues with this approach
Lane, Steven MD MPH
54:22
In our organization we have decided, at this point, to not display online any potentially sensitive information to the adolescent (except those who are legally emancipated). Others have created multiple adolescent profiles so that those who specifically request access can have this provided.
William (Bill) Barcellona
01:03:24
The agreement should be general and indicate compliance with law. Court appointment is often not required in estate matters and such a requirement could limit necessary activities by the executor or administrator, such as the completion of a death certificate.
Belinda Waltman, MD
01:10:09
Similar to what Shelley is saying and Morgan was saying earlier, another approach would be to tackle this via client-level release of information, which may be necessary for segmented data beyond PHI like Part 2 data, LPS, HIV test results.
Lammot du Pont
01:17:08
Although it is not an inventory of data sharing requirements, CalAIM released a draft of "CalAIM Data Sharing Authorization Guidance" for public comment in December 2021. https://www.dhcs.ca.gov/Documents/MCQMD/CalAIM-Data-Sharing-Authorization-Guidance-For-Public-Comment-December-2021.pdf
William (Bill) Barcellona
01:29:08
The 24 page CalAIM Data Sharing Authorization guidance should be taken into account here. Public comment closed on January 7th and references AB 133 requirements at pages 4-5.
William (Bill) Barcellona
01:35:57
Should we look closely at the 18 section format used in the Common Agreement?
Jenn Behrens
01:37:59
+1 for FHIR
Carrie M. Kurtural
01:41:23
Agreed. We are going to change so much in the future. Health exchange is a transaction like anything and this all might be on the blockchain within the next 5 years. I like being agnostic to not preclude any potential future tech options, but understand the need for a bare minimum standard as Ashish says.
Ashish Atreja, MD, UC Davis Health
01:42:02
FHIR at Scale is now evolving as HL7 accelerator so lot of good standards to help us execute on CalHHS mission https://oncprojectracking.healthit.gov/wiki/pages/viewpage.action?pageId=43614268
Ashish Atreja, MD, UC Davis Health
01:42:13
All- Free and Open standards.
Lee Tien
01:48:26
Relative to Eric R’s point earlier, will there be an enumerated list of Applicable Laws (not necessarily all-inclusive)
Deven McGraw
01:56:09
Are nongovernmental social service agencies covered by 1798.82 of the CA Civil code; or 1798.29 of the Civil Code w/r/t state agencies?
Elizabeth Killingsworth
01:58:17
I do not believe that there should be a tiered approach. My point is that, though many of this may be able to (or do today) comply with these provisions, we have to factor in the rest of the healthcare environment. Having tiers is not productive. There should be a floor set by this agreement that is compliant with law and reasonable for a wide range of entities. For some of us, we will have stricter obligations elsewhere that we must also comply with, but those do not need to be duplicated here
Carrie M. Kurtural
01:58:47
I think social services need to at least be on the same safeguard and breach standards, except they don't have to report / liable to OCR. I agree with Elizabeth.
Carrie M. Kurtural
02:01:49
Second that - I think the breach definition should just be the first sentence. take out the IPA stuff on that last line.. I don't think it's needed, state depts. will harmonize
Deven McGraw
02:02:11
But why would a breach also include sharing information beyond an Exchange purpose? As long as the disclosure of that information is lawful, even if it’s not a prioritized exchange purpose, shouldn’t constitute a “breach”.
Elizabeth Killingsworth
02:03:36
I 100% agree with Deven, though it looks like at least some of that is solved for with the exceptions
Jenn Behrens
02:06:09
I think differentiating b/w PHI and PII after the exchange is live is going to be exceptionally challenging from a functional perspective
Deven McGraw
02:06:37
I wonder if there’s a threshold question of whether we want or need this agreement to set new or even common standards for privacy/security/breach etc. On the one hand, we’re trying to trying to get entities to exchange data even under current conditions. What additional conditions need to be imposed?
Jenn Behrens
02:16:04
I propose that CA offer/provide a Technical Assistance Program to support smaller entities get through onboarding
Lane, Steven MD MPH
02:19:52
Agree with Jenn. We should be raising the floor, supporting those with technical challenges to utilize the tools that exist. As I have said before, the technology itself is no longer expensive nor does it require deep technically competence to access it. We need to help everyone get on board with the basic tools.
Elizabeth Killingsworth
02:23:27
To Steven's point- Agreed that the technology for exchange is readily available, but I do have concerns that, in some/many cases, it is much faster/easier to implement a query functionality for outgoing requests and incoming data than it is to ready one's existing data for sharing and responding to the requests of others.
William (Bill) Barcellona
02:26:36
I agree with your summary Jennifer
Lane, Steven MD MPH
02:26:50
Agree that the first tools that participants need is the ability to pull data via the Carequality framework (which evolves into TEFCA) and to push data/messages via Direct. This can be set-up easily and cheaply, e.g., through https://kno2.com/interoperability-as-a-service/
Ashish Atreja, MD, UC Davis Health
02:31:55
To Lee’s point, there are certifying agencies that can attest compliance with standards and best practices as well. We can leverage them and others for oversight function
Lane, Steven MD MPH
02:37:48
Reminder to committee members that there is a lot of valuable commentary being submitted through the Q&A channel. I believe that the organizers will capture all this content and post it to our website eventually.
Michelle Brown
02:39:28
There needs to be a limit on Health Care Operations... these activities are really for the organization and not about sharing date to promote the wellness of the Client
Lane, Steven MD MPH
02:39:53
Healthcare Operations needs to be broken down and addressed use case by use case.
Lee Tien
02:40:07
+1 to what Michelle said about Health Care Operations
Michelle Brown
02:41:42
good catch.... we need to allow research.
Lee Tien
02:43:07
Agree with Deven’s point about limiting to required responses. I always worry about over-sharing, and including “permitted” throughout makes it seem as though that’s required by the agreement.
Belinda Waltman, MD
02:44:55
If we do streamline the DSA per Deven’s suggestion, we may want a complementary educational/TA/companion guide that does spell out the details, definitions, background, use cases, etc, for those less familiar or just joining this landscape.
Jonah Frohlich
02:47:31
@Belinda: Agree with Deven's proposed approach and your response. I think we may need the state's governance process (TBD) to be responsible for promulgating this kind of state policy and data sharing guidance
Deven McGraw
02:47:49
Thanks to staff for facilitating a great meeting!
Lee Tien
02:47:59
Yes!