Statewide Health Data Utility Act

Summary

This model policy establishes a public-private partnership to operate a state-designated health data utility. A state health data utility can help achieve better patient outcomes, and improve overall health and wellbeing of the people of the state. It can also reduce the cost of health care services by creating a more seamless, transparent, and modernized approach to sharing health information. The health data utility will comply with all federal and state privacy laws and allow for an opt-out for patients who choose not to share their data.

Statewide Health Data Utility Act

Section 1. Declaration of Purpose

A state health data utility can help achieve better patient outcomes, improve the overall health and wellbeing of the people of [STATE], and reduce the cost of health care by creating a more seamless, transparent, and modernized approach to sharing health information.

This bill requires a public-private partnership to be established for the purposes of operating a state-designated health data utility for [STATE]. It will provide data, as allowed by law, to patients and organizations involved in the treatment and care coordination of patients and support the health goals of the community and the state.

Health information requires appropriate governance and policy leadership. As such, the establishment of a health data utility should outline clear data governance to facilitate health information follows the person, and to improve the health of all citizens of [STATE}.

Healthcare providers and entities have been subject to Health Insurance Portability and Accountability Act (“HIPAA”) since 1996, which has driven initial efforts to develop a culture and infrastructure of data governance.  As a holder of personal information, state agencies have a responsibility to demonstrate to the public the state’s commitment to respecting personal privacy.

Likewise, entities that deliver healthcare have a duty to share information, as allowed by law, with other healthcare entities to ensure optimal patient and population health is achieved. To further demonstrate the commitment to privacy, the health data utility will adopt opt out procedures that allow for patients to opt out of data sharing.          

Section 2. Definitions

As used in this chapter, unless the context otherwise requires:

  1. “Board of directors” or “board” means the entity that governs and administers the [STATE] health information network.
  1. “Care coordination” means the management of all aspects of a patient’s care to improve health care quality.
  2. “Department” means the department of public health.
  3. “Designated entity” means the nonprofit corporation designated by the department through a competitive process as the entity responsible for administering and governing the [STATE] health information network.
  4. “Exchange” means the authorized electronic sharing of health information between health care professionals, payors, consumers, public health agencies, the designated entity, the department, and other authorized participants utilizing the [STATE] health information network and [STATE] health information network services.
  5. “Federally Qualified Health Center” means a health care provider that receives grant funding under Section 330 of the Public Health Service Act.
  6. “Health care professional” means a person who is licensed, certified, or otherwise authorized or permitted by the law of this state to administer health care in the ordinary course of business or in the practice of a profession.
  7. “Health information” means health information as defined in 45 C.F.R. §160.103 that is created or received by an authorized participant.
  8. “Health information technology” means the application of information processing, involving both computer hardware and software, that deals with the storage, retrieval, sharing, and use of health care information, data, and knowledge for communication, decision making, quality, safety, and efficiency of clinical practice, and may include but is not limited to:

a. An electronic health record that electronically compiles and maintains health information that may be derived from multiple sources about the health status of an individual and may include a core subset of each care delivery organization’s electronic medical record such as a continuity of care record or a continuity of care document, computerized physician order entry, electronic prescribing, or clinical decision support

b. A personal health record through which an individual and any other person authorized by the individual can maintain and manage the individual’s health information

c. An electronic medical record that is used by health care professionals to electronically document, monitor, and manage health care delivery within a care delivery organization, is the legal record of the patient’s encounter with the care delivery organization, and is owned by the care delivery organization

d. Diagnostic and treatment services, including prescribing and dispensing of medication

e. A decision support function to assist physicians and other health care providers in making clinical decisions by providing electronic alerts and reminders to improve compliance with best practices, promote regular screenings and other preventive practices, and facilitate diagnosis and treatments

f. Tools to allow for the collection, analysis, and reporting of information or data on adverse events, the quality and efficiency of care, patient satisfaction, and other health care-related performance measures.

10. “Health Insurance Portability and Accountability Act” or “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

11. “Hospital” means a licensed hospital as defined in [STATUTORY CITE].

12. “Interoperability” means the ability of two or more individuals, systems, or components to exchange information or data in an accurate, effective, secure, and consistent manner and to use the information or data that has been exchanged, which includes but is not limited to:

a. The capacity to connect to a network for the purpose of exchanging information or data with other users.

b. The ability of a connected, authenticated user to demonstrate appropriate permissions to participate in the instant transaction over the network.

c. The capacity of a connected, authenticated user to access, transmit, receive, and exchange usable information with other users.

13. “[STATE] health information network” or “network” means the statewide health information technology network that is the sole statewide network for this State pursuant to this chapter.

14. “Nursing Facility” means a nursing facility as licensed in section [STATUTORY CITE].

15.“Participant” means an authorized entity described in section [STATUTORY CITE] of this act who has entered into an agreement to authorize, submit, access, or disclose health information through the [STATE] health data utility in accordance with all applicable laws, rules, agreements, policies, standards.

16. “Patient” means a person who has received or is receiving health services from a health care professional.

17. “Payor” means a person who makes payments for health services, including but not limited to an insurance company, self-insured employer, government program, individual, or other purchaser that makes such payments.

18. “Pharmacy” means a licensed pharmacy as defined in [STATUTORY CITE].

19. “Protected health information” means protected health information as defined in 45 C.F.R. §160.103 that is created or received by an authorized participant.

20. “Public health activities” means actions taken by a participant in its capacity as a public health authority under the Health Insurance Portability and Accountability Act or as required or permitted by other federal or state law.

21. “Public health agency” means an entity that is governed by or contractually responsible to a local board of health or the department to provide services focused on the health status of population groups and their environments.

22. “Record locator service” means the functionality of the [STATE] health information exchange that queries data sources to locate and identify potential patient records.

23. “Rehabilitative Services” means rehabilitative services as defined in section [STATUTORY CITE].

 

Section 3. Findings and Intent:

  1. The general assembly finds all of the following:

a. Technology used to support health care-related functions is known as health information technology. Health information technology provides a mechanism to transform the delivery of health and medical care in [STATE] and across the nation to improve individuals’ health care experience, create a healthier population in [STATE], reduce unnecessary tests thereby reducing healthcare costs, and more

b. Health information technology is rapidly evolving to contribute to the goals of improving the experience of care, improving the health of populations, and reducing per capita costs of health care

c. A health information exchange involves the secure electronic sharing of health information across the boundaries of individual practice and institutional health settings and with individuals seeking care.  The broad use of health information technology and a health data utility will improve health care quality and the overall health of the population, increase efficiencies in administrative health care, reduce unnecessary health care costs, and help prevent medical errors

d. All health information technology efforts shall endeavor to represent the interests and meet the needs of consumers and the health care sector, protect the privacy of individuals and the confidentiality of individuals’ information, promote best practices, and make information easily accessible to the members of the patient-centered care coordination team, including but not limited to patients, providers, and payors

e. It is the intent of the general assembly that the [STATE] health data utility nor health information exchange shall not constitute a health benefit network or a health insurance network

 

Section 4.  [STATE] health data utility — principles — technical infrastructure and required participants.

  1. The designated health data utility shall:

a. Aggregate health information from all health care entities broadly needed to support the operation of the medical assistance program (Medicaid) and the data sources identified in section 3.

b. Act as the designated entity for purposes of access to and analysis of health data;

c. Collect and analyze data for purposes of informing the Legislature, the department, patients and communities, health care providers, and health care entities as to the cost of, access to, and quality of health care in [STATE];

d. Act as the collector and reporter of public health data for registry submissions, electronic laboratory reporting, immunization reporting, and syndromic surveillance from an electronic health record, which does not include claims data; and

e. Enable any health care provider or health care entity to access information available within the designated health information exchange to evaluate and monitor care and treatment of a patient in accordance with the privacy and security provisions set forth in the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

f. Enable a patient, to access, through a technology enabled interface, data that is aggregated on behalf of the patient for the purposes of attaining the electronic longitudinal health record.  The electronic longitudinal health record shall include clinical data aggregated by HIE, claims data from the APCD, social referrals from the CIE and designated public health data such as immunizations and laboratory data.

 

2. The [STATE] health information exchange and health data utility shall be administered and governed by a designated entity using, at a minimum, the following principles:

a. Be patient-centered and market-driven.

b. Comply with established national standards.

c. Protect the privacy of consumers and the security and confidentiality of all health information.

d. Promote interoperability.

e. Increase the accuracy, completeness, and uniformity of data.

f. Preserve the choice of the patient to have the patient’s health information available through the network.

g. Provide education to the general public and provider communities on the value and benefits of health information technology.

 

3. Widespread adoption of health information technology is critical to a successful [STATE] health data utility and is best achieved when all of the following occur:

a. The health data utility, through the designated entity, operates in an entrepreneurial and businesslike manner in which it is accountable to all participants utilizing the utilities information and services.

b. The utility provides a variety of services from which to choose in order to best fit the needs of the user.

c. The utility is financed by all who benefit from the improved quality, efficiency, savings, and other benefits that result from use of health information technology.

d. The utility is operated with integrity and freedom from political influence.

 

  1. The [STATE] health technical infrastructure shall provide a mechanism for all of the following:

a. The facilitation and support of the secure electronic exchange of health information between participants.

b. Participants without any electronic health records system

c. The utility shall adopt a disaster recovery process that will allow access health information and function as an repository of electronic health information when an entity experiences a disaster, ransomware or cyber attack or other emergent scenarios to be adopted as part of the disaster recovery plan

d. An individual shall have the right to opt out of the designated health information exchange or the sharing of information. The designated health information exchange shall adopt a patient opt-out policy consistent with the federal Health Insurance Portability and Accountability Act of 1996 and other applicable federal requirements. Such policy shall not apply to mandatory public health reporting requirements.

 

  1. By [DATE], all hospitals, provider clinics, nursing facilities, ambulatory surgical centers, facilities providing rehabilitative services, pharmacies, and federally qualified health centers in the state shall be participants with the designated entity and share all data in accordance with federal interoperability guidance and policies and procedures adopted by the [STATE] Health Information Technology Board pursuant to this chapter.

 

  1. By [DATE] all payors in the state shall be participants with the designated entity and shall share data in accordance with federal interoperability guidance and policies adopted by the [STATE] Health Information Technology Board pursuant to this chapter.

 

  1. By [DATE] all entities engaged in the sharing of community information or social determinants of health shall be participants with the designated entity and shall share data in accordance with federal interoperability guidance and policies adopted by the [STATE] Health Information Technology Board pursuant to this chapter.

 

  1. The Legislature shall appropriate annual funding to carry out and used as matching funds as necessary to carry out the duties of the entities designated in this chapter.

 

Section 5. Designated entity — administration and governance.

  1. The [STATE] health data utility shall be administered and governed by a designated entity operating as a public-private partnership. The designated entity shall be established as a nonprofit corporation. Unless otherwise provided in this chapter, the corporation is subject to the provisions of this chapter. The designated entity shall be established for the purpose of administering and governing the statewide [STATE] health data utility.
  2. The designated entity shall collaborate with the department, but the designated entity shall not be considered, in whole or in part, an agency, department, or administrative unit of the state.

a. The designated entity shall not be required to comply with any requirements that apply to a state agency, department, or administrative unit and shall not exercise any sovereign power of the state.

b. The designated entity does not have authority to pledge the credit of the state. The assets and liabilities of the designated entity shall be separate from the assets and liabilities of the state and the state shall not be liable for the debts or obligations of the designated entity.

c. All debts and obligations of the designated entity shall be payable solely from the designated entity’s funds. The state shall not guarantee any obligation of or have any obligation to the designated entity.

  1. The articles of incorporation of the designated entity shall provide for its governance and its efficient management. In providing for its governance, the articles of the designated entity shall address the following:

a. A board of directors to govern the designated entity.

b. The appointment of a chief executive officer by the board to manage the designated entity’s daily operations.

c. The delegation of such powers and responsibilities to the chief executive officer as may be necessary for the designated entity’s efficient operation.

d. The financial operations of the designated entity including the authority to receive and expend funds from public and private sources and to use its property, money, or other resources for the purpose of the designated entity.

 

Section 6. Health Information Governance & Technology Board

  1. The [STATE] Health Information Technology Board is created. The board shall have twenty-three (23) members and be appointed by the Governor. The members may begin serving immediately after appointment. Members shall be appointed by [DATE] and the Board shall begin meeting on or before [DATE].
  2. Members designated under this chapter shall hold a credential under the [STATE] Code in the corresponding section to their area of practice, except otherwise provided in subsections below. The board shall consist of:

a. One individual who has experience in pharmacy informatics;

b. Two physicians, one of whom shall be a family practice physician, who are in active practice and good standing with the State of [State], appointed from a list of physicians provided by a statewide organization representing physicians;

c. One pharmacist who is in active practice and good standing in the State of [State], appointed from a list of pharmacists provided by a statewide organization representing pharmacists;

d. One alcohol and drug counselor providing services for a state-licensed alcohol and drug abuse addiction treatment program;

e. One health care provider who is board-certified in pain management;

f. One hospital administrator appointed from a list of hospital administrators provided by a statewide organization representing hospital administrators;

g. One dentist who is in active practice and in good standing with the State of [State] appointed from a list of dentists provided by a statewide organization representing dentists;

h. One health care provider who is a licensed behavioral health professional

i. One social care provider who is a social worker and works in a community based organization

j. One nurse practitioner who is in active practice and in good standing with the State of [State] authorized to prescribe medication appointed from a list of nurse practitioners authorized to prescribe medication provided by a statewide organization representing such nurse practitioners;

k. Three representatives of the [STATE] Department of Health and Human Services who have responsibility for one of the following areas: Medicaid Services, Public Health; Behavioral Health, Children & Youth Family Services, or Long-Term Support and Services;

l. One individual who serves as a Chief Information Officer of a health care entity or payor;

m. One licensed attorney in the state with experience in data governance, technology, and health care;

n. One representative of the statewide health information exchange as described in this chapter;

o. One commercial; health care payor representative or an employee of a commercial health care payor;

p. One member of the [STATE] House of Representatives;

q. One member of the [STATE] Senate;

r. Two individuals representing health care consumers; and

s. One privacy officer of the state agency or health care entity.

t. Each member shall be appointed for a five-year term beginning on [DATE], and may serve for any number of such terms; and

u. If, after appointment to the [STATE] Health Information Technology Board, the classification of a member’s credential changes or a member’s credential classification is terminated and if such credential was a qualification for appointment, the member shall be permitted to continue to serve as a member of the board until the expiration of the term for which appointed unless the member loses the credential due to disciplinary action.

 

  1. Board Duties. The purpose of the [STATE] Health Information Governance & Technology Board shall be to determine policies regarding clinical information that shall be included in the clinical data the payor or health care facility captures in its existing electronic health record that is to be shared with the designated health information exchange. Any patient health information shared with the designated health information exchange as determined by policies adopted by the Health Information Technology Board shall be provided in accordance with the privacy and security provisions set forth in the federal Health Insurance Portability and Accountability Act of 1996 and regulations adopted under the act.

 

  1. Data Governance. The Board must undergo data governance and HIPAA training, administered by the designated statewide HIE. The Board will:

a. Actively promoted improved data governance practices across the state;

b. Identify and approve pivotal data governance roles and responsibilities between government agencies and private sector as allowed by applicable federal and state rules and regulations;

c. Advise, review, and approve the Department’s data control, governance, and privacy practices in compliance with federal and state information privacy and security policies, laws, rules and regulations;

d. Drive strategic and timely implementation of agency-wide privacy policies, related procedures and processes to operationalize policy-derived controls and effective risk management methodologies, using industry standards;

e. The Board may seek additional information from an person or entity the board deems relevant to better inform it relevant to its duties.

 

  1. Risk Management. For each information technology system that contains personal information, the Department shall conduct a written risk assessment and mitigation remediation plan in the form of a privacy impact assessment, to be reported to the Board.

The assessment and plan shall:

a. Assess risks to an individual’s right to privacy within the department’s information technology systems where the individual does not possess immediate control over their information;

b. Recommend alternatives to both mitigate the risks and achieve the stated objectives of the department’s systems; and

c. Identify those individuals and offices within the department who shall be directly accountable for the assessment and plan, the system at the time the assessment and plan are compiled, and any approved alternatives and mitigations as a result of the assessment and plan.

d. The assessment and plan shall be approved and may be acted upon by the governance board and submitted to the Chair of the HHS Committee. All assessments and plans conducted before the date of the next Board meeting shall be submitted to the Board for review.

 

Section 7: Data Sources

The following data sources will comprise the health data utility. The Health Information Exchange (HIE), Pharmacy Information Exchange (PIE) All Payor Claims Data Base (APCD), Community Information Exchange (CIE) other referential sources such as public health data and self generated data.

  1. Health information exchange (HIE)

a. Health information exchange is the movement of health care information electronically across organizations within a state, region, community or hospital system. Participants in data exchange are called in the aggregate the health information network.

b. The governing board shall adopt the healthcare information interoperability standards. The minimum standard of sharing will be the latest approved version of USCDI however may be enhanced by the governing board of the health data utility.

  1. Prescription information exchange (PIE)

a. Pharmacy information exchange is the movement of dispensed pharmacy information electronically across organizations within a state,  region, community or hospital system. Participants in the data exchange are called in the aggregate the pharmacy information network.

b. Medications data will include all dispensed medications by pharmacies. The governing board will adopt interoperability standards and data elements necessary to provide real time information to the exchange.

  1. All Payor Claims Database (APCD)

a. Large-scale databases that systematically collect health care claims data from a variety of payor sources which include claims from most health care providers.

b. The governing board shall adopt the interoperability standards of claims data sharing by all designated payors required to share data.

  1. Community Information Exchange (CIE)

a. A CIE is an ecosystem comprised of multidisciplinary network partners that use standardized technical language, a resource database, and an integrated technology platform to deliver enhanced community care planning. Care planning tools enable partners to integrate data from multiple sources and make bi-directional referrals to create a shared longitudinal record.

b. Closed-Loop Referral System: Any system that stores an individual’s personal identifiable information in a database that is shared by a network of healthcare entities, public agencies, and community-based organizations for referral purposes, which includes referrals to entities that are not covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A Closed-Loop Referral System encompasses datasets containing personal referral information captured and stored in a database for use by public and private entities, including community-based organizations, to provide services, update referral activity, and close the loop on a referral by updating downstream systems.

c. The governing board will adopt the interoperability standards for sharing or data from social care entities designated by the board.