View Source

Session Name: Data Sharing Policies and Protocols

OHIE18 Event Page - ohie.org/OHIE18

Time / Room: 9:30 - 10:30 Faru

Presenter:Brian Dixon; Terry Cullen

Attendees: ( please sign up if you want to be on a policy workgroup)

terry cullen.. thcullen@regenstrief.org

Etherpad: https://notes.ohie.org/2018-08-02_Unconference_Faru_930

What did people want from the session:

standard approach to sharing
security within /for OpenHIE
data sharing policies /data exchange/ data sharing template
MoH guidance
what are the 'best practices' that can be evaluated and re-used
what is the/ a policy development process that can be invoked
what are the policy gaps (TC added this)

Notes:

Introduction and desired outcomes for the session

Not everything is going to be addressed unfortunately

Tech implementation usually runs ahead of policy

See slides on the wiki for most of the presentation, I'll only be documenting extra points (https://wiki.ohie.org/download/attachments/28311574/Cullen_Dixon_OHIE_2018_Data_Sharing.pdf?version=1&modificationDate=1533195013293&api=v2)

Nobody is doing data sharing policies very well in our review of the data policies and procedures

India just published national guidelines, link to be provided by Terry

initial guidance https://mohfw.gov.in/sites/default/files/17739294021483341357.pdf

National Health Stack (published July 2018) http://niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf

india is assuming the development of a 'policy engine' and policy repository

Most countries assume that a patient presenting for treatment counts as consent to use data, very few implement explicit patient consent systems

There has been some work on creating a standard template for consent forms

Robust consent forms have granular selection of data usage (e.g. Clinical care, research, 3rd party health systems, clinical quality and dta aggregation)

Resource: http://regenstriefins.wpengine.com/wp-content/uploads/2016/06/hieframework-version0-8clean-2-4.pdf

Countries involved have all signed consent to use the contents of this resource

Brian's presentation

work is based on trust

framework for governance

governing body

policies and procedures

data sharing agreements

procedures:

Tech ops: to say how the organization will manage the data center where data willbe stored

keep data safe, show the process management to the partners

purpose of use and users:

define the use cases, permitted purposes

identify permitted users and their roles; it will allow to know who to give data access

P&P documentation:

governance charter, partners to agree to share data for specific use cases, data sharing agreement

How to keep data confident, secured and accessible at the same time

Clinical team has access to admitted patient's data for 72 hours

6 mths for patient who scheduled appointment with GP

and 3mths to nurse epidomiologists for patient with notifiable disease

Questions:

how do you engage citizens
1. have people on the governing board
2. public advertisement- here is what we do and why it is important
3. 'lay people' have some concerns about sharing my data
monitoring for appropriate use
1. specific queries that have been developed
2. patients can get transcribed auditlog for their patient data use (and notification to partners that a patient has requested it)
3. thresh holds of queries and use of the data
opting out of the HIE
1. if you opt out, you dont get any data shared
2. granular access is tricky (patients dont want to give access to specific data information sets)
phased approach to patient consent
1. how do we atart a consent maturity process
2. not necessary because patients 'are happy to get care'
3. health sector
  1. legal framework and policy network
  2. implement from where the patient is
  3. information security- less granluar and then move and evolve over time
legislation that reflects the reality of where we are
1. maturity model that is developed
lag in policy- 'pilot policy' development and evaluation
1. test and implement policies
2. use cases
what is our responsibility as HIS people
1. policies, procedures, governance and security- policies may be delayed as the technology advances
HIPAA/GDPR- and what to do with GDPR
1. comparison of GDPR and HIPAA
Policies developed-- who is policy meant for? (guidance and how we learn/how to move forward)
1. usually not based on reality
2. organizational capacity/reality (institution that starts implementing)
3. patient and infrastructure- doesnt allow things to happen
4. use this within an entire health system context

Next Steps:

balance practical experiences with the realities on the ground
1. practical guidance to countries
2. looking at what is available; different laws and studies
3. implement and learn from the guidance
4. risks and risk assessment/ risk tolerance
cross border sharing of data
how do we help each other move forward
1. what is everyone doing and how are they implementing it
2. what are the best practices
capability maturity model that is based on reality
1. where are we, and how do we move forward

SIGN UP FOR MORE INFO/COMMS:

Daniel Futerman (daniel.futerman@jembi.org)