Tool 1. Scenarios Guide

The document provides an overview of 18 scenarios developed for discussing organization-level business practices related to privacy and security in health information exchange. The scenarios represent a wide range of purposes for exchanging health information, such as treatment, public health, payment, and research. Each scenario describes a health information exchange context to ensure discussion of barriers across various areas. An exhibit maps the scenarios to different stakeholder organizations that may be involved, such as hospitals, physicians, payers, and public health agencies. The goal is to guide work groups in assessing variation in practices.

Uploaded by

Elena Martin
Tool 1. Scenarios Guide
The following 18 scenarios were developed specifically for the privacy and security project
to provide a standardized context for discussing organization-level business practices across
all states and territories. The scenarios represent a wide range of purposes for the exchange
of health information (eg, treatment, public health, biosurveillance, payment, research,
marketing) across a broad array of organizations involved in health information exchange
and actors within those organizations. The product of the “guided or focused” discussions
will be a database of organization-level business practices that will form the basis for the
assessment of variation upon which all other work will be based.

Each scenario describes a health information exchange (HIE) within a given context to
ensure that we cover most of the areas in which we expect to find barriers. Clearly, these
scenarios do not cover the universe of exchanges. However, the purposes and conditions
represented should be more than adequate to get the discussions of privacy and security
policy moving forward.

Exhibit 1 shows a mapping of stakeholder organizations identified in the HIE scenarios. A
shaded box containing an “X” with some additional text indicates stakeholders that are
explicitly identified in the scenario. A yellow box with no text indicates a stakeholder group
that could conceivably weigh in on a scenario. For example, Scenario 1: Patient Care
Scenario A, involves an exchange between the emergency room in Hospital A and an out-of-
state hospital, Hospital B. Both the requesting and releasing organizations are hospitals,
regardless of the actors that may be representing those organizations in the work group
meetings, which may include physicians, nurses, health information management
professionals, and others. The relevant organizations, individuals, and exchanges are
identified at the beginning of each scenario. This should help to guide decisions about
creating the right mix of stakeholders for each work group based on the selected scenarios.

Privacy and Security Assessment of Variation Toolkit 1-1


Exhibit 1. Scenario by Stakeholder Map

Privacy and Security Solutions for Interoperable Health Information Exchange


Stakeholder columns:

1. Clinicians
2. Physician groups
3. Federal health facilities
4. Hospitals
5. Payers
6. Public Health agencies
7. Community clinics and health centers
8. Laboratories
9. Pharmacies
10. Long-term care facilities and nursing homes
11. Homecare and hospice
12. Law enforcement/correctional facilities
13. Professional associations and societies
14. Medical and public health schools that undertake research
15. Quality improvement organizations
16. Consumers or consumer organizations
17. State government (Medicaid, public health departments)
18. Other, specify

Stakeholders explicitly identified (X) in each scenario:

1. Patient Care - Scenario A (Emergent Transfer): ER Staff (sending and receiving)
2. Patient Care - Scenario B (Sub Abuse): Provider; Primary Care Physician; Substance Abuse Treatment; Client/Patient
3. Patient Care - Scenario C (Access Security): Provider; Psychiatrist; Hospital Psych Unit; Nursing Facility; Transcription Service
4. Patient Care - Scenario D (HIV and Genetic): Mammography Dept.; Outpatient Clinic
5. Payment Scenario: Provider; Provider; Provider; Provider; Health Plan; Provider; Provider; Provider; Patient
6. RHIO Scenario: Provider; Provider; Provider; Provider; Provider; Provider; Provider; Provider; Provider
7. Research Final Scenario: Provider; Provider; IRB, Research Investigator; Study Member
8. Law Enforcement Final Scenario: Provider; Law Enforcement; Patient, Patient's family
9. Pharmacy Benefit Final Scenario A: Outpatient Clinic; Pharmacy Benefit Manager; Patient
10. Pharmacy Benefit Final Scenario B: Pharmacy Benefit Manager; Employees; Company
11. Operations and Marketing Final Scenario A: Tertiary Hospital Marketing Dept; Critical access clinics (sending)
12. Operations and Marketing Final Scenario B: Obstetrics department Marketing; Patient; Company
13. Bioterrorism Event Final Scenario: Provider; Provider; Provider; Public Health Staff; Law Enforcement; Emergency Gov't agencies
14. Employment Information Final Scenario: ER Staff; Employees; Company HR Dept
15. Public Health Final Scenario A: Provider; PCP; Public Health Staff; Law Enforcement; Patient
16. Public Health Final Scenario B: Provider; Physician; Public Health Staff; Specialty Care Center; Lab Staff; Public Health
17. Public Health Final Scenario C: Provider; PCP; Drug Treatment Center; Homeless shelter Community; Patient, Patient's family; County Program
18. Health Oversight Final Scenario: Public Health Staff; Faculty

Health Information Exchange Scenarios

1. Patient Care Scenario A

The emergent transfer of health information between two hospitals that represent
the 2 stakeholder organizations (ie, Hospital A and Hospital B) when the status of
the patient is unsure. The actors are the staff involved in carrying out the request.
The ER physician is requesting the information on behalf of Hospital A.

Stakeholder organizations and exchanges:

• Hospital emergency room in Hospital A is the organization requesting
information.
• Hospital B is the organization releasing the information.

Patient X presents to emergency room of General Hospital in State A. She has been
in a serious car accident. The patient is an 89-year-old widow who appears very
confused. Law enforcement personnel in the emergency room investigating the
accident indicate that the patient was driving. There are questions concerning her
possible impairment due to medications. Her adult daughter informed the ER staff
that her mother has recently undergone treatment at a hospital in a neighboring
state and has a prescription for an antipsychotic drug. The emergency room
physician determines there is a need to obtain information about Patient X’s prior
diagnosis and treatment during the previous inpatient stay.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Determining status of the patient and chain of responsibility.
2. Practice and policy for obtaining information sufficient for treatment.
3. Practice and policy for handling mental health information.
4. Practice and policy for securing the data exchange mechanism.
5. Practice and policy related to authentication of requesting facility by the
releasing facility.
6. Practice and policy related to patient authorization for the release of
information.


2. Patient Care Scenario B

The scenario involves the nonemergent transfer of records from a specialty
substance treatment provider to a primary care facility for a referral to a specialist.

Stakeholder organizations and exchanges:

• Specialty substance abuse treatment facility (releasing sensitive clinical
records)
• Primary care provider’s organization (eg, doctor’s office, community health
center, public health agency) (requesting clinical records from the substance
abuse facility, releasing information to specialist)

An inpatient specialty substance abuse treatment facility intends to refer client X to
a primary care facility for a suspected medical problem. The 2 organizations do not
have a previous relationship. The client has a long history of using various drugs and
alcohol that is relevant for medical diagnosis. The primary care provider has
requested that the substance abuse information be sent by the treatment facility.
The primary care provider intends to refer the patient to a specialist and plans to
send all of the patient’s medical information, including the substance abuse
information that was received from the substance abuse treatment facility, to the
specialist.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. How does the releasing organization obtain authorization from the patient to
allow release of medical records?
2. What is the process for handling substance abuse medical record data?
3. How does the releasing organization authenticate the health care provider
requesting the information?
4. How is the data exchange secured?


3. Patient Care Scenario C

Stakeholder organizations and exchanges:

• Hospital psychiatric unit (sending) and the skilled nursing facility (receiving)
• Physician (sending) and the transcription service (receiving)
• Transcription service (sending) and the physician (receiving)
• Physician (sending) and the skilled nursing facility (receiving)

At 5:30 p.m., Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate
his patient, recently discharged from the hospital psychiatric unit to the skilled
nursing facility. The hospital and skilled nursing facility are separate entities and do
not share electronic record systems. At the time of the patient’s transfer, the
discharge summary and other pertinent records and forms were electronically
transmitted to the skilled nursing home.

When Dr. X enters the facility, he seeks assistance locating his patient, gaining
entrance to the locked psychiatric unit, and accessing the patient’s electronic health
record to review the discharge summary, I&O, MAR, and progress notes. Dr. X was
able to enter the unit by showing a picture identification badge, but was not able to
access the EHR. As it is Dr. X’s first visit, he has no log-in or password to use their
system.

Dr. X completes his visit and prepares to complete his documentation for the nursing
home. Unable to access the skilled nursing facility EHR, Dr. X dictates his initial
assessment via telephone to his outsourced, offshore transcription service. The
assessment is transcribed and posted to a secure Web portal.

The next morning, from his home computer, Dr. X checks his e-mail and receives
notification that the assessment is available. Dr. X logs into his office Web portal,
reviews the assessment, and applies his electronic signature.

Later that day, Dr. X’s office manager downloads this assessment from the Web
portal, saves the document in the patient’s record in his office, and forwards the now
encrypted document to the long-term care facility via e-mail.

The skilled nursing facility notifies Dr. X’s office that they are unable to open the
encrypted document because they do not have the encryption key.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Agreements for data sharing—business associate agreements.
2. Setting out access and role management policies and practices for temporary
or new access.
3. Determining appropriate access to mental health records.
4. Securing unstructured, possibly nonelectronic patient data.
5. Reliability of other entity security and privacy infrastructure.


4. Patient Care Scenario D

The nonemergent transfer of health information

Stakeholder organizations and exchanges:

• Hospital mammography department (requesting health information)
• Outpatient clinic (receiving request)

Patient X is HIV positive and is having a complete physical and an outpatient
mammogram done in the Women’s Imaging Center of General Hospital in State A.
She had her last physical and mammogram in an outpatient clinic in a neighboring
state. Her physician in State A is requesting a copy of her complete records and the
radiologist at General Hospital would like to review the digital images of the
mammogram performed at the outpatient clinic in State B for comparison purposes.
She also is having a test for the BrCa gene and is requesting the genetic test results
of her deceased aunt who had a history of breast cancer.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Authenticating entities and individuals.
2. Determining processes and laws for release of genetic and HIV information.


5. Payment Scenario

Stakeholder organizations and exchanges:

• Health care provider (hospital or clinic)
• Health plan (payer)
• Patients

X Health Payer (third party, disability insurance, employee assistance programs)
provides health insurance coverage to many subscribers in the region the health
care provider serves. As part of the insurance coverage, it is necessary for the
health plan case managers to approve/authorize all inpatient encounters. This
requires access to the patient health information (eg, emergency department
records, clinic notes).

The health care provider has recently implemented an electronic health record (EHR)
system. All patient information is now maintained in the EHR and is accessible to
users who have been granted access through an approval process. Access to the
EHR has been restricted to the health care provider’s workforce members and
medical staff members and their office staff.

X Health Payer is requesting access to the EHR for their accredited case
management staff to approve/authorize inpatient encounters.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Get patient authorization to allow payer access.
2. Facility needs to determine the minimum necessary and limit to pertinent
time frame.
3. If allowed, access and role management are issues.
4. Determine method for enabling secure remote access if allowed.


6. RHIO Scenario

Note: Each stakeholder should participate in this scenario keeping in mind the type
of data their organization anticipates exchanging with a RHIO.

Stakeholder organizations and exchanges:

• Multiple provider organizations (providing data)
• Multiple RHIOs (receiving data)

The RHIO in your region wants to access patient identifiable data from all
participating organizations (and their patients) to monitor the incidence and
management of diabetic patients. The RHIO also intends to monitor participating
providers to rank them for the provision of preventive services to their diabetic
patients.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Decision to utilize medical record data to monitor disease management.
2. Authorization from patients to allow RHIO to monitor their PHI for disease
management.
3. Determine mode of transferring information and type of information, ie,
identifiable or de-identified information to the RHIO.


7. Research Data Use Scenario

Stakeholder organizations and exchanges:

• Health care consumer (taking part in the study)
• Health care provider (distributing meds and collecting clinical data)
• Research investigator (receiving and analyzing clinical data)
• Institutional Review Board (IRB) (receiving reports on data collection)

A research project on children younger than age 13 is being conducted in a double-blind
study for a new drug for ADD/ADHD. The research is being sponsored by a
major drug manufacturer conducting a double-blind study approved by the medical
center’s IRB, where the research investigators are located. The data being collected
is all electronic, and all responses from the subjects are completed electronically on
the same centralized and shared database file.

The principal investigator was asked by one of the investigators if they could use the
raw data to extend the tracking of the patients over an additional 6 months or use
the raw data collected for a white paper that is not part of the research protocol’s
final document for his postdoctoral fellow program.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. IRB approval of any significant changes to the research protocol.
2. Research subjects have signed consents and authorization to participate in the
research effort.


8. Scenario for Access by Law Enforcement

Stakeholder organizations and exchanges:

• Health care provider (providing health information)
• Law enforcement
• Patient
• Patient’s family

An injured 19-year-old college student is brought to the ER following an automobile
accident. It is standard to run blood-alcohol and drug screens. The police officer
investigating the accident arrives in the ER, claiming that the patient may have
caused the accident. The patient’s parents arrive shortly afterward. The police officer
requests a copy of the blood-alcohol test results, and the parents want to review the
ER record and lab results to see if their child tested positive for drugs. These
requests to print directly from the electronic health record are made to the ER staff.

The patient is covered under his parents’ health and auto insurance policy.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. County contracts with emergency department to perform blood-alcohol test
draws.
2. Printing of additional copies of medical record reports for parents, insurance
companies, and police.
3. Asking patient if it is okay to talk to parents or give information to parents
about their condition.
4. Communication with primary care provider.


9. Pharmacy Benefit Scenario A

Stakeholder organizations and exchanges:

• Pharmacy benefit manager (PBM) (requesting information)
• Outpatient clinic (receiving request)
• Patient X

The PBM has a mail order pharmacy for a hospital which is self-insured and also has
a closed formulary. The PBM receives a prescription from Patient X, an employee of
the hospital, for the antipsychotic medication Geodon. The PBM’s preferred
alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel),
and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the
PBM sends a request to the prescribing physician to complete a prior authorization in
order to fill and pay for the Geodon prescription. The PBM is in a different state than
the provider’s outpatient clinic.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Patient authorization to share information with the PBM.
2. Agreements for data sharing—business associate agreements.
3. Health care provider must determine minimum necessary access to PHI.
4. If allowed, role and access management are issues.
5. Determine method for enabling secure remote access if allowed.


10. Pharmacy Benefit Scenario B

Stakeholder organizations and exchanges:

• Pharmacy benefit manager (PBM) (requesting information)
• Company A (providing claims information)
• Employees

A PBM (PBM1) has an agreement with Company A to review the company’s
employees’ prescription drug use and the associated costs of the drugs prescribed.
The objective would be to see if PBM1 could save the company money on their
prescription drug benefit. Company A is self-insured and as part of their current
benefits package, they have the prescription drug claims submitted through their
current PBM (PBM2). PBM1 has requested that Company A send their electronic
claims to them to complete the review.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Business associate agreements and formal contracts exist between
Company A and the PBMs.
2. The extent and amount of information shared between the various parties
would be limited by the minimum necessary guidelines.


11. Health Care Operations and Marketing Scenario A

Note: This scenario could be modified to apply to any health care provider (physician
group, home health care agency, etc) wishing to market services to a targeted
subset of patients.

Stakeholder organizations and exchanges:

• Tertiary hospital (requesting study data)
• Critical access hospital (being asked to provide health information)

ABC Health Care is an integrated health delivery system composed of ten critical
access hospitals and one large tertiary hospital, DEF Medical Center, which has
served as the system’s primary referral center. Recently, DEF Medical Center has
expanded its rehab services and created a state-of-the-art, stand-alone rehab
center. Six months into operation, ABC Health Care does not feel that the rehab
center is being fully utilized and is questioning the lack of rehab referrals from the
critical access hospitals.

ABC Health Care has requested that its critical access hospitals submit monthly
reports containing patient identifiable data to the system six-sigma team to analyze
patient encounters and trends for the following rehab diagnoses/procedures:

• Cerebrovascular accident (CVA)
• Hip fracture
• Total joint replacement

Additionally, ABC Health Care is requesting that this same information, along with
individual patient demographic information, be provided to the system marketing
department. The marketing department plans to distribute to these individuals a
brochure highlighting the new rehab center and the enhanced services available.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Decision to conduct marketing using PHI with their consumers.
2. Authorization from consumer to allow IHDS to market to themselves.
3. Determine mode of transferring information and type of information, ie,
identifiable or de-identified information to the marketing department.


12. Health Care Operations and Marketing Scenario B

Stakeholder organizations and exchanges:

• Health care provider (hospital obstetrics department sending data)
• Hospital marketing department (receiving data)
• Local company (purchasing data from marketing department)
• Patients/consumers

ABC hospital has approximately 3,600 births per year. The hospital marketing
department is requesting identifiable data on all deliveries, including mother’s
demographic information and birth outcome (to ensure that contact is made only
with those deliveries resulting in healthy live births).

The marketing department has explained that they will use the patient information
for the following purposes:

1. To provide information on the hospital’s new pediatric wing/services.
2. To solicit registration for the hospital’s parenting classes.
3. To request donations for construction of the proposed neonatal intensive care
unit.
4. To sell the data to a local diaper company to use in marketing diaper services
directly to parents.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Requesting patient consent or permission to use and sell identifiable data for
marketing purposes.
2. Decisions to conduct marketing using patient data.
3. Determining mode of transferring information and type of information, ie,
identifiable or de-identified information to the marketing department.


13. Bioterrorism Event

Stakeholder organizations and exchanges:

• Laboratory (collecting data)
• Health care provider (transmitting data to public health)
• Public health department (receiving data from provider, providing data to
government agencies)
• Law enforcement (receiving data)
• Government agencies (receiving data)
• Patients

A provider sees a person who has anthrax, as determined through lab tests. The lab
submits a report on this case to the local public health department and notifies their
organizational patient safety officer. The public health department in the adjacent
county has been contacted and has confirmed that it is also seeing anthrax cases,
and therefore this could be a possible bioterrorism event. Further investigation
confirms that this is a bioterrorism event, and the state declares an emergency. This
then shifts responsibility to a designated state authority to oversee and coordinate a
response, and involves alerting law enforcement, hospitals, hazmat teams, and other
partners, as well as informing the regional media to alert the public to symptoms and
seeking treatment if feeling affected. The state also notifies the federal government
of the event, and some federal agencies may have direct involvement in the event.
All parties may need to be notified of specific identifiable demographic and medical
details of each case as it arises to identify the source of the anthrax, locate and
prosecute the parties responsible for distributing the anthrax, and protect the public
from further infection.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Providing patient-specific information related to specific symptoms to law
enforcement, CDC, Homeland Security, and health department in a situation
where a threat is being investigated.


14. Employee Health Information Scenario

Stakeholder organizations and exchanges:

• Hospital emergency room (releasing health information)
• Employer human resources department (requesting health information)
• Employee

An employee (of any company) presents in the local emergency department for
treatment of a chronic condition that has worsened but is not work related. The
employee’s condition necessitates a 4-day leave from work for illness. The employer
requires a “return to work” document for any illness requiring more than 2 days
leave. The hospital emergency department has an EHR and their practice is to cut
and paste patient information directly from the EHR and transmit the information via
e-mail to the human resources department of the patient’s employer.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Determining employee agreement to release information.
2. Determining what are the minimum necessary elements which can be legally
transmitted.
3. Ensuring the data is secured as it is transmitted.


15. Public Health Scenario A—Active Carrier, Communicable Disease Notification

Stakeholder organizations and exchanges:

• Health care provider (primary care physician)
• Public health department
• Law enforcement
• Patient

A patient with active TB, still under treatment, has decided to move to a desert
community that focuses on spiritual healing, without informing his physician. The TB
is classified MDR (multidrug resistant). The patient purchases a bus ticket—the bus
ride will take a total of 9 hours with 2 rest stops across several states. State A is
made aware of the patient’s intent 2 hours after the bus with the patient leaves.
State A now needs to contact the bus company and other states with the relevant
information.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Providing patient-specific information related to a specific communicable
disease to law enforcement, non–health care entities, and health department
in a situation where a threat is being responded to.
2. Ensuring the data is secured as it is transmitted.


16. Public Health Scenario B—Newborn Screening

Stakeholder organizations and exchanges:

• Health care provider (sending initial data to public health and lab, receiving
data on follow up/eligibility)
• State laboratory (receiving data)
• State public health department (receiving data, sending data for program
eligibility)

A newborn’s screening test comes up positive for a state-mandated screening test
and the state lab test results are made available to the child’s physicians and
specialty care centers specializing in the disorder via an Interactive Voice Response
(IVR) system. The state lab also enters the information in its registry, and tracks the
child over time through the child’s physicians. The state public health department
provides services for this disorder and notifies the physician that the child is eligible
for those programs.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. Providing patient-specific information related to specific symptoms of a
disease to a health department in a situation where a targeted disease is
being investigated.


17. Public Health Scenario C—Homeless Shelters

Stakeholder organizations and exchanges:

• Primary care provider (sending) and hospital-affiliated drug treatment center
(receiving)
• The hospital-affiliated drug treatment clinic (releasing) and the county
program (requesting for purposes of reimbursement)
• The hospital-affiliated drug treatment clinic (releasing) and the shelter
(requesting to verify the treatment)
• The family member (requesting) and the shelter

Stakeholder entities:

• Health care consumer/patient
• Primary care provider
• Hospital-affiliated drug treatment center
• Homeless shelter
• Patient relative/family member

A homeless man arrives at a county shelter and is found to be a drug addict and in
need of medical care. The person does have a primary care provider, and he is sent
there for medical care. Primary care provider refers patient to a hospital-affiliated
drug treatment clinic for his addiction under a county program. The addiction center
must report treatment information back to the county for program reimbursement,
and back to the shelter to verify that the person is in treatment. Someone claiming
to be a relation of the homeless man requests information from the homeless shelter
on all the health services the man has received. The staff at the homeless shelter is
working to connect the homeless man with his relative.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. The extent and amount of information shared between the various facilities
would be limited by the minimum necessary guidelines.


18. Health Oversight: Legal Compliance/Government Accountability

Stakeholder organizations and exchanges:

• State university faculty (requesting health information)
• State public health agencies (asked to provide health information)

The governor’s office has expressed concern about compliance with immunization
and lead screening requirements among low-income children who do not receive
consistent health care. The state agencies responsible for public health, child welfare
and protective services, Medicaid services, and education are asked to share
identifiable patient-level health care data on an ongoing basis to determine if the
children are getting the health care they need. This is not part of a legislative
mandate. The governor in this state and those in the surrounding states have
discussed sharing this information to determine if patients migrate between states
for these services. Because of the complexity of the task, the governor has asked
each agency to provide these data to faculty at the state university medical campus
who will design a system for integrating and analyzing the data. There is no existing
contract with the state university for services of this nature.

Potential areas of discussion of BUSINESS PRACTICES based on this scenario:

1. What is the practice of the organization to provide appropriate information for
health care oversight activities? These may include:
– Determining minimum amount necessary.
– How to release (electronically or paper—with existing claims data).
