Skip to Main Content


  1. Governor

Privacy and Security Work Group Minutes - March 24 2011 

March 24, 2011

Attendees (phone and in-person):

  • Ira Thompson, Infinite Systems Support
  • Dr. Arnold Widen, Office of the Attorney General
  • Vincent Keenan, Illinois Academy of Family Physicians
  • James Anfield, Blue Cross Blue Shield
  • Jay McCutcheon, Southern Illinois University
  • Crystal VanDeventer, Lincoln Land HIE (LLHIE)

Office of Health Information Technology (OHIT)

  • Mark Chudzinski
  • Pamela M. Dones
  1. Introduction

The Chairman, Ira Thompson, opened the meeting at 2 p.m. The meeting was hosted by OHIT at the State of Illinois J.R. Thompson Center in Downtown Chicago, with a telephone conference call-in number. It was noted that notice of the meeting and the agenda were posted on the OHIT Web site and at the Chicago meeting location no later than 48 hours prior to the meeting. Roll was taken, and the ability of those attending by telephone to hear and participate was confirmed.

  1. Reviewed Minutes from Previous Meeting (February 17, 2011)

It was noted, that in the minutes for the last meeting, the name of member Crystal VanDeventer was misspelled. With the understanding that those minutes will be changed to reflect the correction, the minutes of the February 17, 2011, were approved unanimously.

  1. Federal and State Updates

Mr. Mark Chudzinski shared with the group three updates.

  1. CTO. Ivan Handler, CIO of HFS for eight years, has accepted the OHIT CTO position starting April 1, 2011.
  2. Illinois State Legislation
    1. Immunization Registry. HB1338, the Immunization Data Registry Act, has been introduced in the Illinois General Assembly. It changes the current patient "Opt-In" policy for immunization data deposited in the I-Care system, with a patient "Opt-Out" policy for immunization data sent to the new Registry. The Act will require the Department of Public Health (IDPH) to establish a patient consent management system; OHIT anticipates that the future ILHIE will provide such functionality, and has proposed discussion with IDPH to prevent duplicate state efforts. Placed on calendar for Third Reading March 17, 2011.
    2. Mental Health Confidentiality. SB1234 changes the Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110/11) to allow for the disclosure for treatment purposes of patient pharmaceutical records without prior patient consent. OHIT has raised for consideration, by HFS, additional amendments which would facilitate the disclosure of certain data with the ILHIE. Placed on calendar for Second Reading March 15, 2011.
  3. Other State HIE-Related Legislation
    1. California had decided to adopt an "opt-in" patient consent model. It would require notice and affirmative patient consent. View the California Office of Helth Information Integrity's Web site
    2. In Texas, a bill (H.B. No. 300) was introduced that would raise the civil penalty for a pattern and practice of privacy violations from $250,000 to $5 million.
    3. In Kansas, a bill (SB133) had been passed in the Kansas State Senate, and is currently in the Kansas State House, that would harmonize Kansas state medical privacy law with HIPAA (with some exceptions). The new bill would preempt previous Kansas state laws.
  1. General HIE Project Updates

Updates discussed in previous section.

  1. Sub-Committee Project Updates
    1. Legal
      See "Federal and state updates"
    2. Audit

The Chairman introduced and explained a "high-level" audit plan for providers who participate in the ILHIE. This proposal includes cost estimates.

A participant asks whether a physician practice would have to go through the auditing process. The answer was that it would depend on the kind of audit, but that primarily the estimates were meant to apply to the larger providers.

Another participant asked who would perform the proposed audit. As of today, there is no determination as to who will perform audits.

Another participant asked if every provider will need to undergo an audit. The participant is concerned that the provider will feel obligated to invest in an audit for purposes of participating in the ILHIE. He suggested that the audit should be a voluntary process. Other participants agreed that for most small provider groups, audits would be too burdensome.

It was suggested that the audit plan should be a tool for providers to use as a guideline.

In the discussion, it was suggested that if the audit plan is distributed as a voluntary tool, no one will perform the audit; the audit should be scaled down in scope, like a checklist, to make it more accessible to smaller providers. After the provider certifies that it complies with the checklist, then an outside party could verify if the checklist was indeed followed.

A member suggested that audits could be performed by providers who have breaches of security. While another proposed that Regional Extension Centers (RECs) should be in charge of helping providers reach the goals of the audits, by providing the checklists and assistance with technological issues.

The Chairman emphasizes that the purpose of the audits is to make sure that all participants of the ILHIE have the basic security requirements to avoid breaches into the ILHIE. He stressed that OHIT needs to maintain the public trust by ensuring the safety of PHI.

One of the participants recommended that instead of having an audit requirement, providers could be coaxed into abiding by a checklist of basic security requirements by imposing penalties or being held liable for a lawsuit if requirements are not met. In response to the suggestion, another participant questioned if physicians would agree to be part of the ILHIE if they were going to be held liable for noncompliance with the security requirements.

It was proposed that the "Hosting Facility" section on the form be eliminated because vendors should be responsible for auditing these requirements.

A participant asked Mr. Chudzinski if OHIT is working on the agreement form that providers will have to sign to participate in the ILHIE or if a DURSA-type agreement will be adopted. Mr. Chudzinski indicated that there is a DURSA group within OHIT that has been working on this matter. He will share more information on the subject when it is available

  1. Next Meeting Date

The group will reconvene on Thursday, April 21, 2011, at 2 p.m., at the OHIT Office, or via conference call.

The meeting ended at 3:05 p.m.