California's Next Generation Health Information Exchange (HIE): A Privacy and Security Policy Framework for Exchange of Structured Cancer Data

Health Information Organizations (HIO's), like the Health Information Home (HIH), are subject to a variety of state and federal laws and regulations as well as institutional policies. The overarching goal of INteroperability to Support Practice Improvement, Disease REgistries, and Care Coordination (INSPIRE) is to improve the acquisition and exchange of patient data for high impact conditions (cancer) and high impact populations in order to support care coordination as well as to advance and support electronic public health reporting and Meaningful Use. California Health eQuality (CHeQ) is a program of the Institute for Population Health Improvement (IPHI) at the University of California, Davis (UC Davis). Among its key activities, CHeQ is tasked with expanding the capacity of public health electronic reporting and supporting Meaningful Use objectives. CHeQ in collaboration with INSPIRE is working on a proof of concept Health Information Exchange (HIE) and Health Information Organization (HIO) that would further these goals.;CHeQ enlisted a privacy and data security expert to assist with requirements gathering for processes and technology to ensure they are consistent with privacy and security laws as well as best practices. Three Use Cases are outlined for the proof of concept. The first Use Case is internal sharing of cancer data among University of California Regents' medical center providers and specialists for treatment purposes. The next Use Case looks at how expansion of the collection and sharing of cancer data among institutionally unrelated providers and specialists for treatment purposes. The third Use Case involves the HIH to complete the cancer registry reporting on behalf of the providers and specialists and to demonstrate Meaningful Use objectives for cancer registry reporting on behalf of the providers. Methodologically, the privacy and security analysis began with research of literature to identify a logical model that would allow the addition of use cases as the HIH grows and expands its capabilities. The framework selected and used in this analysis was developed for Comparative Effectiveness Research (CER) (Kim, McGraw, Mamo & Ohno-Machado, 2013). These privacy and security matrices focused on using data for research purposes but at its core were Fair Information Practice Principles (FIPPs) upon which many state and federal laws are currently based. The result is a comprehensive policy framework (Table 1) that outlines requirements by Use Case and indicators for when the following options should reasonably be implemented. The choice for each policy is to adopt current UC Regents policy, create a new policy or revise current policy.;Keywords: cancer continuity of care document, privacy, data security, policy framework, health information exchange, California Medical Information Act, California Office of Health Information Integrity.