VHA Health Information Access (HIA) Program, Department of
Download
Report
Transcript VHA Health Information Access (HIA) Program, Department of
VHA
Health Information
Access (HIA)
Program
Mr. Shawn Hardenbrook
Health Information Access
Project Coordinator
[email protected]
May 19, 2008
1
HIA Program
Health Info Access (HIA) Office under the HDI
Information Access & Privacy Office formed in 1Q
FY08
Health Info Access Supervisor’s VA background:
• Social Work Intern
• Master Social Worker
• Research Software Developer
• Clinical Application Coordinator @ 3 sites
• Class III Software Developer
• CAPRI Developer (yes, it’s a VHA product)
• OI&T Developer
• VHA Health Information Access & Privacy Office
HIA Project Coordinator
2
HIA Program
Health Info Access Team Composition:
• 1 Government manager
• 5 Contractors – Washington DC, Bay Pines, and
Salt Lake City
• 3 Government staff – Richmond, Bay Pines,
Memphis
• 1 Additional Contractor to be added in 3Q 2008
• More positions to be added later as team
responsibility grows…
Background of employees includes DoD, IBM,
Research Compliance, Software Quality
Assurance, Policy and Planning, Direct Patient
Care…
3
HIA Program
Program Objectives:
• HIA’s current focus is on “special user” access to
VHA EHR data as well as providing easier, more
efficient access to EHR data while maintaining
proper compliance with VHA privacy and
security.
• The team performs privacy reviews on research
studies seeking approval through ORD (real SSN
requests and non-de-identified data, for example).
Cont’d…
4
HIA Program
Program Objectives (cont’d):
• The team reviews/manages Data Transfer
Agreements (DTA’s), Data Use
Agreements (DUA’s), and MOU’s with
agencies external to VA.
• The team provides consultation for those
seeking EHR data and aren’t sure how to
get it.
5
HIA Program
So why does VHA need yet
another Central Office program
when field sites already control
access to EHR data through their
ISO?...
6
HIA Program
Not every data requestor falls
under a local VA Medical
Center…
7
EHR Access Issues
• A variety of “special users” both in and outside VA
have a need to access electronic health records at
one or more sites.
• Access at multiple sites has traditionally required a
separate access/verify code at each site along with
maintaining education requirements and logging in
every 90 days to prevent expiration of accounts.
(HRC in Kansas will eventually need direct access to
all 120+ VistA systems, for example)
Cont’d…
8
EHR Access Issues (cont’d)
• “Access” can mean various levels of
functionalities and restrictions – difficult to apply
consistently when being managed by multiple
sites.
• Users may need to be restricted to just specific
site(s).
• Users may need to be restricted to just specific
patient(s) – “Need to know” rule.
• Users may or may not need to be prevented from
changing or entering data into the record.
9
Special Users
“Special users” include:
•General Counsel
•Researchers*
•External reviewers*
•Peer Reviewers
•VSO’s*
•VBA
•Board of Veterans Appeals
•Inspector General
•MPI Data Quality Team
•Federal Recovery
Coordinators
•Health Revenue Center
•Suicide Prevention Team
…and others
* = May be non-VA staff
10
Available options for EHR Access
• CPRS: Traditional award-winning GUI interface for
EHR data. Highly complicated for users who need
read-only access. No ability to block entry of EHR
data. Somewhat limited ability to control patientlevel access. No ability to synchronize limited
patient lists and privileges between sites.
• CAPRI: Provides CPRS-like access to EHR data
without entry options and with simplified predefined reports. Provides access to all VHA sites
through a single access/verify code. Provides a
national-level audit trail for all patients accessed
by a user.
Cont’d…
11
Available options for EHR Access (cont’d)
• VistAWeb: Slow, but very pretty interface. Easy
to access from Internet browser without
installation of software. Many search options.
Detailed audit trail, but difficult to access audit
reports for compliance monitoring. Access to
patients is limited to local site unless user is
granted national-level VW access.
(Hurricane Katrina example)
• CPRS Read-Only: Extremely stripped-down
version of CPRS missing most of the features for
which users like CPRS.
12
CAPRI Overview
• Still lots of confusion in VHA about the purpose
of the CAPRI product. YES, it’s a VHA product!
• Designed initially for VBA as GUI replacement for
AMIE roll-n-scroll.
• VBA was not having success getting direct CPRS
GUI access at sites in the 1990’s.
• 2nd largest VistA application code-base.
• Grassroots Class III turned Class I in 2001.
• Has been modified over the years to meet VA
needs.
Cont’d…
13
CAPRI Overview (cont’d)
• Used by multiple “special user” groups.
• Has contained single sign-on capability for over 5
years.
• Contains C&P functionality, but also EHR readonly functionality.
• C&P exam functions for VHA providers are under
active development.
• Approximately 1/4 to 1/3 of monthly C&P exams
are entered by VHA providers in CAPRI.
• 99%+ of C&P exams are processed by VBA using
CAPRI
14
VistAWeb Overview
• Grassroots Class III turned Class I.
• Designed to replace Remote Data Views in
CPRS.
• Built off of CAPRI single sign-on
functionality.
• Used primarily by VHA clinicians but also
by some “special user” groups who need
access to patients at multiple sites.
Cont’d…
15
VistAWeb Overview
• Is integrated inside CAPRI. All CAPRI
users have VistAWeb by default.
• Local sites have provided a link to
VistAWeb on the CPRS Tools Menu for
access to local patients.
• There is also a direct interface through
Internet Explorer – CPRS access not
required.
16
CAPRI/VistAWeb Comparison
CAPRI
•Single sign-on through
VistA account or local
site management
•Client-Server (Delphi)
•Ability to limit patient
lists
•Ability to limit site lists
•Complex restricted list
options
•Multiple administrators
can manage accounts
VistAWeb
•Access controlled
through application
server
•Web-based (Java)
•No ability to limit patient
lists at national level
•Ability to limit site lists
•Sort-of uses local CPRS
restricted list setting
•OI&T management of
accounts
17
CAPRI VistAWeb Comparison (cont’d)
CAPRI
•Provides CPRS ReadOnly access
•Looks like CPRS
•Uses CPRS Broker Calls
•Audits stored in VistA
database
•Provides VistA data
entry functions
•Detailed C&P reports
and displays
•VistA Imaging can be
added relatively easily
VistAWeb
•Provides CPRS ReadOnly access
•Has own look and feel
•Uses CPRS Broker Calls
•Audits stored on
application server
•Strictly read-only, no
entry options
•No C&P functionality
•VistA Imaging not webbased
18
CAPRI Data Entry Functions
•
•
•
•
•
•
•
Basic new patient registration in VistA
Ordering/management of C&P Exams
Requests for paper documentation
Change of address (currently disabled)
VHA Provider C&P Exam templates
Roll-n-scroll access to non-GUI functions
CAPRI does have a read-only mode which
is controlled through security key
assignment. (EHR data is always readonly, despite security keys.)
19
VistAWeb Data Entry Functions
(Yes, this screen is blank on purpose.)
20
CPRS Read-Only
• CPRS Read-Only functionality released 2002 as
rapidly-developed reactionary measure to
immediate business need.
• High user satisfaction with traditional interface,
which is extremely scaled-back for CPRS readonly.
• Does NOT contain single-sign on capability
• No central management of patient lists – a
problem with VA Form 2122 (POA) , VA Form
2122a, and general user management
Cont’d…
21
CPRS Read-Only (cont’d)
• CPRS Read Only Access Directive released 2002,
now expired.
• General Access Directive written, never released.
• Access Handbook not yet written.
• HIA is finalizing a VHA Access Directive, with
Access Handbook to follow.
• HIA prefers CAPRI/VistAWeb to CPRS Read Only
due to central management capabilities and more
CPRS-like interface in CAPRI than is available in
CPRS read-only.
• Does everyone know CPRS Read-Only exists?
22
CPRS Screen Shot
23
CPRS Read-Only Screen Shot
24
CAPRI Screen Shot
25
VistAWeb Screen Shot
26
Health Info Access (HIA)
Health Info Access Program Functions:
• Manages national requests for CAPRI and
VistAWeb access
• Creates/revokes single sign-on accounts
• Audits accounts for privacy/security
requirements
• Assists users in determining right solution for
their needs
Cont’d…
27
Health Info Access (cont’d)
•
•
•
•
Manages national-level restricted site lists
Manages national restricted patient lists
DUA/DTA Liaison
Actively developing tracking/registry system for
user access, research (real SSN, protocol
reviews involving access to national databases),
and DUA/DTA’s.
• …Will be adding more functions as they’re
identified over time…
28
Requesting Access Through HIA
Users interested in access should visit the HIA Homepage
for detailed instructions and an access request form:
http://vaww.vhaco.va.gov/privacy/HIA.htm
Requirements:
• Proof of Cybersecurity Training within past year
• Proof of VHA Privacy Training within past year
• Signed HIA Rules of Behavior
• Signed Access Request Form
29
Requesting Access Through HIA
Once paperwork is gathered, it can be:
• Mailed by snail mail
• If user has PKI -- scanned and emailed to [email protected]
• Submitted to secure fax server via the number found on
the HIA homepage
Approval paperwork is kept electronically and is available
in PDF form, should there be a question about a user’s
access. A central “registry” is being developed which
may eventually be provided to field sites. That’s a bit
down the road.
Certain user groups have different approval processes
which can be custom tailored (to be faster) when these
user communities are identified as repeat customers.
30
Requesting Access Through HIA
Local ISO name and email is required. But access
forms do not need to be processed through the
ISO for VHA users.
HIA will remove access at expiration of training
requirements, until proof is re-submitted. Users
will be notified in advance of impending shut-off.
All access is ultimately at the discretion of the
Director, Health Data & Informatics
31
CPRS, VistAWeb or CPRS
There is not ONE solution for all needs.
• Users who need restricted patient lists for
multiple sites (such as VSO’s) must use
CAPRI
• Users who don’t need data entry can use
VW
• Users without restricted patient lists can
use VW
• Users who need to register new patients
(Federal Recovery Coordinators) must use
CAPRI
Cont’d…
32
CPRS, VistAWeb or CPRS cont’d…
There is not ONE solution for all needs.
• Users who need access at only 1 site can use
CPRS read-only at a local level
• Users who need auditing regularly should use
CAPRI
• Users who need to see C&P activity should use
CAPRI
• Users who’s access changes frequently (EPRP)
should use CAPRI
• GUI management tools for restricted lists exist
for CAPRI but not CPRS – VBA manages over
8,000 of their own national accounts.
33
HIA can be contacted at:
• [email protected]
• VHA OI HDI HIA
• [email protected] (HIA Manager)
Questions?
34