• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!

View
 

Scenarios

Page history last edited by PBworks 17 years, 10 months ago

Health Information Exchange Scenarios (18) as of 20060710

Ohio has been asked to review the following 18 scenarios. HPIO would like you to review them below and our analyses in pdf format here.

Please open the pdf of the analyses and review it prior to making comments.

 

These are the steps for a first time visitor to comment: you may want to print this out

1) Click on the Login link in the box above

2) Type “hispc” in the Password box

3) Type in Your Name (please be honest)

4) Type in Your Email (please be honest)

5) Click on the [Log in] button; you will return to the home page

6) Click on the [Comments] tab above

7) Enter your comment

8) Click on [enter comment] button

9) Be sure to log out.

Returning visitors

1) Simply login (upper right corner of this page)

2) Provide your password (it may rember your username; if not enter it), click on Log In

3) Click on the [Comments] tab that appears near the top center

If you would like to comment on any of these, please use this link Comments here and log in with your email address and this reader's password "hispc" (no quotes). You then MUST return to this page and click on the Comments tab at the top.

Please start with the scenario number you are responding to and the procedure or obstacle you are addressing.

 

 

1. Patient Care Scenario A

The emergent transfer of health information between two healthcare providers when the status of the patient is unsure.

 

Stakeholder entities: Hospital emergency room (requesting health information)

 

Patient X presents to emergency room of General Hospital in State A. She has been in a serious car accident. The patient is an 89 year old widow who appears very confused. Law enforcement personnel in the emergency room investigating the accident indicate that the patient was driving. There are questions concerning her possible impairment due to medications. Her adult daughter informed the ER staff that her mother has recently undergone treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug. The emergency room physician determines there is a need to obtain information about Patient X’s prior diagnosis and treatment during the previous inpatient stay.

 

SUGGESTED BUSINESS PRACTICES:

1. Determining status of the patient and chain of responsibility

2. Process around obtaining information sufficient for treatment.

3. Process for handling mental health information.

4. Securing the data exchange mechanism.

5. Authentication of requesting facility.

 

 

2. Patient Care Scenario B

The non-emergent transfer of records from a specialty substance treatment provider to a primary care facility for a referral.

 

Stakeholder entities:

• Specialty substance abuse treatment facility (sending sensitive clinical records)

• Doctor’s office or public health agency (receiving clinical records from the substance abuse facility)

• Client/patient

 

An inpatient specialty substance abuse treatment facility intends to refer client X to a primary care facility for a suspected medical problem. The two organizations do not have a previous relationship. The client has a long history of using various drugs and alcohol relevant for medical diagnosis. The requested substance abuse information is being sent to the primary care provider. The primary care provider intends to refer the patient to a specialist and send all of his/her information including the substance abuse information received from the substance abuse treatment facility to the specialist.

 

SUGGESTED BUSINESS PRACTICES:

1. Authorization from patient to allow release of sensitive PHI.

2. Process for handling substance abuse PHI.

3. Authentication of requesting healthcare provider.

4. Securing the data exchange mechanism.

 

3. Patient Care - Scenario C

Stakeholders:

• Skilled Nursing Facility

• Physician

• Hospital

 

5:30pm Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate his patient, recently discharged from the hospital psych unit to the nursing home. The hospital and skilled nursing facility are separate entities and do not share electronic record systems. At the time of the patient's transfer, the discharge summary and other pertinent records and forms were electronically transmitted to the skilled nursing home.

 

Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the locked psych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first visit, he has no login or password to use their system.

 

Dr. X completes his visit and prepares to complete his documentation for the nursing home. Unable to access the skilled nursing facility EHR, Dr. X dictates his initial assessment via telephone to his outsourced, offshore transcription service. The assessment is transcribed and posted to a secure web portal.

 

The next morning, from his home computer, Dr. X checks his e-mail and receives notification that the assessment is available. Dr. X logs into his office web portal, reviews the assessment, and applies his electronic signature.

 

Later that day, Dr X’s Office Manager downloads this assessment from the web portal, saves the document in the patient’s record in his office and forwards the now encrypted document to the long-term care facility via e-mail.

 

The skilled nursing facility notifies Dr. X’s office that they are unable to open the encrypted document because they do not have the encryption key.

 

SUGGESTED BUSINESS PRACTICES:

1. Agreements for data sharing - business associate agreements.

2. Setting out access and role management policies and practices for temporary or new access

3. Determining appropriate access to mental health records.

4. Securing unstructured, possibly non-electronic patient data.

5. Reliability of other entity security and privacy infrastructure

 

4. Patient Care - Scenario D

The non-emergent transfer of health information

Stakeholder entities:

• Hospital mammography department (requesting health information)

• Outpatient Clinic (receiving request)

 

Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in the Women’s Imaging Center of General Hospital in State A. She had her last physical and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her complete records and the radiologist at General Hospital would like to review the digital images of the mammogram performed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCa gene and is requesting the genetic test results of her deceased aunt who had a history of breast cancer.

 

SUGGESTED BUSINESS PRACTICES:

1. Authenticating entities and individuals.

2. Determining processes and laws for release of genetic and HIV information.

 

5. Payment Scenario

Note: This scenario is applicable to all healthcare providers.

 

Stakeholder Entities:

• Healthcare Provider (Hospital or Clinic)

• Health Plan (Payer)

• Patients

 

X Health Payer (third party, disability insurance, employee assistance programs) provides health insurance coverage to many subscribers in the region the healthcare provider serves. As part of the insurance coverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters. This requires access to the patient health information (e.g., emergency department records, clinic notes, etc.).

 

The health care provider has recently implemented an electronic health record (EHR) system. All patient information is now maintained in the EHR and is accessible to users who have been granted access through an approval process. Access to the EHR has been restricted to the healthcare provider’s workforce members and medical staff members and their office staff.

 

X Health Payer is requesting access to the EHR for their accredited case management staff to approve/authorize inpatient encounters.

 

SUGGESTED BUSINESS PRACTICES:

1. Get patient authorization to allow payer access.

2. Facility needs to determine the minimum necessary and limit to pertinent timeframe.

3. If allowed, access and role management are issues.

4. Determine method for enabling secure remote access if allowed.

 

6. RHIO Scenario

Note: Each stakeholder should participate in this scenario keeping in mind the type of data their organization anticipates exchanging with a RHIO.

 

Stakeholders:

• Multiple provider organizations

• Multiple RHIO's

 

The RHIO in your region wants to access patient identifiable data from all participating organizations (and their patients) to monitor the incidence and management of diabetic patients. The RHIO also intends to monitor participating providers to rank them for the provision of preventive services to their diabetic patients.

 

SUGGESTED BUSINESS PRACTICES:

1. Decision to utilize PHI to monitor disease management.

2. Authorization from patients to allow RHIO to monitor their PHI for disease management.

3. Determine mode of transferring information and type of information i.e. identifiable or de-identified information to the RHIO

 

7. Research Data Use Scenario

Stakeholder entities:

• Health care consumer

• Research investigator

• Health care provider

• Institution Review Board

 

A research project on children younger than age 13 is being conducted in a double blind study for a new drug for ADD/ADHD. The research is being sponsored by a major drug manufacturer conducting a double blind study approved by the medical center’s IRB where the research investigators are located. The data being collected is all electronic and all responses from the subjects are completed electronically on the same centralized and shared data base file.

 

The principle investigator was asked by one of the investigators if they could use the raw data to extend the tracking of the patients over an additional six months and/or use the raw data collected for a white paper that is not part of the research protocols final document for his post doctoral fellow program.

 

SUGGESTED BUSINESS PRACTICES:

1. IRB approval of any significant changes to the research protocol

2. Research subjects have signed consents and authorization to participate in the research effort.

 

8. Scenario for access by law enforcement

Stakeholder entities:

• Healthcare provider (providing health information)

• Law enforcement

• Patient

• Patient’s family

 

An injured nineteen (19) year old college student is brought to the ER following an automobile accident. It is standard to run blood alcohol and drug screens. The police officer investigating the accident arrives in the ER claiming that the patient may have caused the accident. The patient’s parents arrive shortly afterward. The police officer requests a copy of the blood alcohol test results and the parents want to review the ER record and lab results to see if their child tested positive for drugs. These requests to print directly from the electronic health record are made to the ER staff. The patient is covered under their parent's health and auto insurance policy.

 

SUGGESTED BUSINESS PRACTICES

1. County contracts with emergency department to perform Blood Alcohol test draws.

2. Printing of additional copies of medical record reports for parents, insurance companies, and police.

3. Asking patient if it's OK to talk to parents or give information to parents about their condition

4. Communication with primary care provider.

 

9. Pharmacy Benefit Scenario A

Stakeholder Entities:

• Pharmacy Benefit Manager (requesting information)

• Outpatient Clinic (receiving request)

• Patient X

 

The Pharmacy Benefit Manager (PBM) has a mail order pharmacy for a hospital which is self-insured and also has a closed formulary. The PBM receives a prescription from Patient X, an employee of the hospital, for the antipsychotic medication Geodon. The PBM’s preferred alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a request to the prescribing physician to complete a prior authorization in order to fill and pay for the Geodon prescription. The PBM is in a different state than the provider’s Outpatient Clinic.

 

SUGGESTED BUSINESS PRACTICES:

1. Patient authorization to share information with the pharmacy benefit manager.

2. Agreements for data sharing – business associate agreements.

3. Healthcare provider must determine minimum necessary access to PHI.

4. If allowed role and access management are issues.

5. Determine method for enabling secure remote access if allowed.

 

10. Pharmacy Benefit Scenario B

Stakeholder Entities:

• Pharmacy Benefit Manager (requesting information)

• Company A

• Employees

 

A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the companies’ employees’ prescription drug use and the associated costs of the drugs prescribed. The objective would be to see if the PBM1 could save the company money on their prescription drug benefit. Company A is self insured and as part of their current benefits package, they have the prescription drug claims submitted through their current PBM (PBM2). PBM1 has requested that Company A send their electronic claims to them to complete the review.

 

SUGGESTED BUSINESS PRACTICES:

1. Business associate agreements and formal contracts exist between Company A and the Pharmacy Benefit Managers.

2. The extent and amount of information shared between the various parties would be limited by the minimum necessary guidelines.

 

11. Healthcare Operations and Marketing - Scenario A

Note: This scenario could be modified to apply to any healthcare provider (physician group, home health care agency, etc.) wishing to market services to a targeted subset of patients.

 

Stakeholder entities:

• Integrated delivery system (requesting study)

• Critical access hospital (being asked to provide health information)

• Tertiary hospital (being asked to provide health information)

 

ABC Health Care is an integrated health delivery system comprised of ten critical access hospitals and one large tertiary hospital, DEF Medical Center, which has served as the system’s primary referral center. Recently, DEF Medical Center has expanded its rehab services and created a state-of-the-art, stand-alone rehab center. Six months into operation, ABC Health Care does not feel that the rehab center is being fully utilized and is questioning the lack of rehab referrals from the critical access hospitals.

 

ABC Health Care has requested that its critical access hospitals submit monthly reports containing patient identifiable data to the system six-sigma team to analyze patient encounters and trends for the following rehab diagnoses/ procedures:

• Cerebrovascular Accident (CVA)

• Hip Fracture

• Total Joint Replacement

 

Additionally, ABC Health Care is requesting that this same information, along with individual patient demographic information, be provided to the system Marketing Department. The Marketing Department plans to distribute to these individuals a brochure highlighting the new rehab center and the enhanced services available.

 

SUGGESTED BUSINESS PRACTICES

1. Decision to conduct marketing using PHI with their consumers.

2. Authorization from consumer to allow IHDS to market to themselves.

3. Determine mode of transferring information and type of information, i.e., identifiable or de-identified information to the marketing department

 

12. Healthcare Operations and Marketing - Scenario B

Stakeholder entities:

• Healthcare provider (Hospital obstetrics department)

• Hospital marketing department

• Patients

ABC hospital has approximately 3,600 births/year. The hospital Marketing Department is requesting identifiable data on all deliveries including mother’s demographic information and birth outcome (to ensure that contact is made only with those deliveries resulting in health live births).

 

The Marketing Department has explained that they will use the PHI for the following purposes:

1. To provide information on the hospital’s new pediatric wing/services.

2. To solicit registration for the hospital’s parenting classes.

3. To request donations for construction of the proposed neonatal intensive care unit

4. They will sell the data to a local diaper company to use in marketing diaper services directly to parents.

 

SUGGESTED BUSINESS PRACTICES

1. Ask patient permission to use and sell identifiable data for marketing.

2. Decision to conduct marketing using PHI with their consumers.

3. Determine mode of transferring information and type of information, i.e., identifiable or de-identified information to the marketing department

 

13. Bioterrorism event

Stakeholder entities:

• Healthcare provider

• Public health department

• Law enforcement

• Government agencies

• Patients

 

A provider sees a person who has anthrax, as determined through lab tests. The lab submits a report on this case to the local public health department and notifies their organizational patient safety officer. The public health department in the adjacent county has been contacted and has confirmed that it is also seeing anthrax cases, and therefore this could be a possible bioterrorism event. Further investigation confirms that this is a bioterrorism event, and the State declares an emergency. This then shifts responsibility to a designated state authority to oversee and coordinate a response, and involves alerting law enforcement, hospitals, hazmat teams, and other partners, as well informing the regional media to alert the public to symptoms and seek treatment if feel affected. The State also notifies the Federal Government of the event, and some federal agencies may have direct involvement in the event. All parties may need to be notified of specific identifiable demographic and medical details of each case as they arise to identify the source of the anthrax, locate and prosecute the parties responsible for distributing the anthrax, and protect the public from further infection.

 

SUGGESTED BUSINESS PRACTICE:

1. Providing patient specific information related to specific symptoms to law enforcement, CDC, Homeland Security, and health department in a situation where a threat is being investigated.

 

14. Employee Health Information Scenario

Stakeholder entities:

• Hospital emergency room (releasing health information)

• Employer human resources department (requesting health information)

• Employee

 

An employee (of any company) presents in the local emergency department for treatment of a chronic condition that has exacerbated which is not work-related. The employee’s condition necessitates a four-day leave from work for illness. The employer requires a “return to work” document for any illness requiring more than 2 days leave. The hospital Emergency Department has an EHR and their practice is to cut and paste patient information directly from the EHR and transmit the information via email to the Human Resources department of the patient's employer.

 

SUGGESTED BUSINESS PRACTICES:

1. Determining employee agreement to release information.

2. Determining what are the minimum necessary elements which can be legally transmitted.

3. Ensuring the data is secured as it is transmitted.

 

15. Public Health - Scenario A

Active carrier, communicable disease notification

Stakeholder entities:

• Healthcare provider (primary care physician)

• Public health department

• Law enforcement

• Patient

A patient with active TB, still under treatment, has decided to move to a desert community that focuses on spiritual healing, without informing his physician. The TB is classified MDR (multi-drug resistant). The patient purchases a bus ticket - the bus ride will take a total of nine hours with two rest stops across several states. State A is made aware of the patient's intent two hours after the bus with the patient leaves. State A now needs to contact the bus company and other states with the relevant information.

 

SUGGESTED BUSINESS PRACTICES:

1. Providing patient specific information related to a specific communicable disease to law enforcement, non-healthcare entities, and health department in a situation where a threat is being responded to.

2. Ensuring the data is secured as it is transmitted.

 

16. Public Health - Scenario B

Newborn screening

Stakeholder entities:

• Healthcare provider (physician)

• State laboratory

• State public health department

A newborn’s screening test comes up positive for a state-mandated screening test and the state lab test results are made available to the child’s physicians and specialty care centers specializing in the disorder via an Interactive Voice Response system. The state lab also enters the information in its registry, and tracks the child over time through the child’s physicians. The state public health department provides services for this disorder and notifies the physician that the child is eligible for those programs.

 

SUGGESTED BUSINESS PRACTICE:

1. Providing patient specific information related to specific symptoms of a disease to a health department in a situation where a targeted disease is being investigated.

 

17. Public Health Scenario C

Homeless shelters

Stakeholder entities:

• Health care consumer

• Primary provider

• Drug treatment center

• Homeless shelter

• Patient relative

 

A homeless man arrives at a county shelter and is found to be a drug addict and in need of medical care. The person does have a primary provider, and is sent there for the medical care, and is referred to a hospital-affiliated drug treatment clinic for his addition under a county program. The addiction center must report treatment information back to the county for program reimbursement, and back to the shelter to verify that the person is in treatment. Someone claiming to be a relation of the homeless man requests information from the homeless shelter on all the health services the man has received. The staff at the homeless shelter is working to connect the homeless man with his relative.

 

SUGGESTED BUSINESS PRACTICES:

1. The extent and amount of information shared between the various facilities would be limited by the minimum necessary guidelines.

 

18. Health Oversight: Legal compliance/government accountability

Stakeholder entities:

• State university faculty (requesting health information)

• State public health agencies (asked to provide health information)

 

The Governor’s office has expressed concern about compliance with immunization and lead screening requirements among low income children who do not receive consistent health care. The state agencies responsible for public health, child welfare and protective services, Medicaid services, and education are asked to share identifiable patient level health care data on an ongoing basis to determine if the children are getting the healthcare they need. This is not part of a legislative mandate. The Governor in this state and those in the surrounding states have discussed sharing this information to determine if patients migrate between states for these services. Because of the complexity of the task, the Governor has asked each agency to provide these data to faculty at the state university medical campus who will design a system for integrating and analyzing the data. There is not existing contract with the state university for services of this nature.

 

SUGGESTED BUSINESS PRACTICES

What is the practice of the organization to provide appropriate information for healthcare oversight activities. These include:

- determining minimum amount necessary

- how to release (electronically or paper - with existing claims data)

 


submit system related comments to the .

visits to this page

Comments (8)

Anonymous said

at 12:00 pm on Sep 19, 2006

Patient identifier needs to be established.
Emergency situation needs defined to override release of PHI

Anonymous said

at 12:01 pm on Sep 19, 2006

Scenario #2: Authorization should be required to validate request of information. Standardization of transmission needs to be improved.

Anonymous said

at 12:03 pm on Sep 19, 2006

Scenario #3: Patient identifier needs to be established. Why didn't Dr. X obtain a consent from his patient before he discharged her to the nursing home? Standardization of transmission needs to be improved.

Anonymous said

at 12:04 pm on Sep 19, 2006

Scenario #4: Need patient identifier.

Anonymous said

at 12:05 pm on Sep 19, 2006

Scenario #5: Minimum necessary standard should be withheld. Standardization of transmission needs to be improved.

Anonymous said

at 12:06 pm on Sep 19, 2006

Scenario #6: Require signed release or de-identify information.

Anonymous said

at 12:08 pm on Sep 19, 2006

Scenario #8: Patient is a non-minor-his authorization to relase information should be required. Law enforcement should only access drug test results, not the whole medical record.

Anonymous said

at 2:28 pm on Oct 12, 2006

Scenario #6 "The RHIO in your region wants to access patient identifiable data from all participating organizations (and their patients) to monitor the incidence and management of diabetic patients. The RHIO also intends to monitor participating providers to rank them for the provision of preventive services to their diabetic patients." RHIOs have established role based access to health information, thus only a health care provider could access the disease information, for treatment, payment, or operation. It would be best practice to permit the individual health care provider with information on their universe of patients. Identifiable data would be subject to research provisions, IRB approvals etc. The rating of health care provider(s) responsible to/for each patient in their use of protocols for treatment is likely to alienate them as standard protocols are not always well established and the HCP is not solely responsible for disease management. Effective health information exchange is intended to improve the quality of patient care by providing comprehensive information at the point of care.

You don't have permission to comment on this page.