ONC Privacy and Security Update May 7, 2013 Joy Pritts, JD Chief Privacy Officer.

Presentation transcript:

ONC Privacy and Security Update May 7, 2013 Joy Pritts, JD Chief Privacy Officer

Office of the National Coordinator for Health Information Technology 1 HITECH Modifications to HIPAA OCR published Final Rule January 25, Compliance date September 23, 2013

HITECH Modifications to HIPAA
Some key provisions
– Finalizes breach notification rule
– Extends use and disclosure provisions of HIPAA Privacy Rule and most requirements of HIPAA Security Rule to business associates
– Clarifies patient right to access electronic health information
– Patient right to restrict providers disclosing health information to plans when paying out of pocket

Executive Order 13636— Improving Critical Infrastructure Cybersecurity
Published February 19, 2013
Health and public health care considered to be a critical infrastructure sector (since 2003)
4/28/2015 Office of the National Coordinator for Health Information Technology 3

Executive Order 13636— Improving Critical Infrastructure Cybersecurity
Increase government sharing cybersecurity information with private sector critical infrastructure and state and local governments
NIST to lead development of a framework to reduce cyber risks

Executive Order 13636— Improving Critical Infrastructure Cybersecurity
Identifying critical infrastructure at greatest risk—cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security
A very high bar

NSTIC: Health Related Pilot Overview
Resilient Network Systems, in partnership with the American College of Cardiology (ACC), The American Medical Association (AMA), LexisNexis, NaviNet, ActiveHealth Management, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative (NeHC) will implement a Trust Network infrastructure to enable convenient multi-factor, on-demand identity proofing and authentication of patients, physicians and staff on a national scale. The pilot’s use cases will facilitate patient-centered coordination of care among a select group of primary care physicians and cardiologists by enhancing existing automated systems for secure, HIPAA-compliant access to electronic referral (eReferral) and Transfer of Care messaging and an advanced clinical decision support service.

NSTIC Pilot Participants
San Diego Beacon eHealth Community
– Select subset of physicians as pilot sites
– Interface with their Mirth Mail messaging system with Direct HISP
– Access their Axolotl HIE platform
Gorge Health Connect
– Select subset of physicians as pilot sites
– Interface with their Medicity iNexx eReferral system with Direct HISP
– Access their Medicity HIE platform
Policy Authority Service
– Neutral policy authority service on Trust Network will mitigate liability by ensuring alignment of policies and services to comply with relevant regulations and best practices.
National eHealth Collaborative (NeHC)
– Publish neutral policy authority service on Trust Network to mitigate liability by ensuring alignment of policies and services to comply with relevant healthcare regulations
– Coordinate HIE stakeholders to advise on policy and technology requirements for pilot phases, and plans for transition to production and commercialization

PCC Pilot Overview
[Architecture diagram; labels as extracted: PCP User at La Clinica (Gorge), RNS Trust Broker, RNS Credential Syndicate, HTTP/S (with APIs), RNS Internal, RNS SAML API, RNS Trust Graph Service, Policy Authority, Mirth Mail, Cardiologist at UCSDMC (SD Beacon), DIRECT Protocol, Trust Service Connector for ActiveHealth CareEngine®, RNS Access Server, User Directories (Beacon / Gorge), Trust Network, Third Party Authentication / Authorization Services, Trust Services (IDP, Discovery, ZK, etc), ActiveHealth Care Engine Web Service, Medicity INexx Direct Gateway]

Current Status
The Direct gateway has been prototyped & preliminarily tested.
The ActiveHealth integration is being prototyped now.
Agreements in place for use of directories, attribute providers & the eReferral tools.

Snapshot of OCPO Research & Internal Initiatives
– Data Segmentation for Privacy Initiative
– Mobile Device Security Resources
– Privacy and Security Educational and Training Materials

Data Segmentation for Privacy: HITECH Mandate
Public Health Service Act Sec (2)
The HIT Policy Committee shall make recommendations for at least the following areas:
“(i) Technologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns, in accordance with applicable law.”

HITPC Prior Proceedings
Tiger Team hearing on technology in Summer 2010
Recommendations September 2010
– Technology is promising but in early stages
– Need to further experience and stimulate innovation for granular consent
– ONC should make it a priority to further explore
– Find evidence (such as through pilots) for models that have been implemented successfully
ONC gave HITPC last update Fall

Data Segmentation for Privacy Initiative
Standards and Interoperability Initiative
Strong Community Participation
– 306 Participating Individuals
– 100 Committed Members
– 94 participating Organizations

Initiative Accomplishments
Data Segmentation for Privacy Use Case document. Uses include electronically implementing existing laws including:
– 42 CFR Part 2: Federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations protect specific health information from exchange without patient consent. Recipient may not re-disclose without patient consent.
– Title 38, Section 7332, USC: Laws protecting certain types of health data coming from covered Department of Veterans Affairs facilities and programs. Types of data include sickle cell anemia, HIV, and substance abuse information.

Initiative Accomplishments
Implementation Guide describing recommended standards for privacy metadata, organized by transport mechanism:
– SOAP: Provides support for NwHIN / eHealth Exchange.
– SMTP: Provides support for DIRECT (
– REST: HL7 hData Record Format or IHE Mobile Access to Health Documents (MHD) Profile.
Analysis of HITSC recommendations for privacy metadata supporting the PCAST vision for tagged data elements.
Executive Summary Document (Community Draft)
DS4P Implementation Guide
Test Procedures

Technical Approach
Layered Approach for Privacy Metadata
“Russian doll” concept of applying metadata with decreasing specificity as layers are added to the clinical data.
Privacy metadata uses standards to convey:
– Confidentiality of data in clinical payload
– Obligations of receiving system
– Allowed purpose of use

DS4P Pilot Status

Pilot Name: VA/SAMHSA
Development Status: Testing Complete
Data Types/Policies: Title 38 Section; sickle cell anemia, HIV related information, substance abuse information
Status: As of May 2013 pilot has tested all applicable parts of the DS4P IG
Use Case Scenarios: Direct and Exchange, incl. Break Glass
Scalability: Capabilities being integrated into iEHR and eHealth Exchange. Intended to be offered as enterprise access control service

Pilot Name: Software & Technology Vendors Association (SATVA)
Development Status: Requirements Development / Technical Testing
Data Types/Policies: 42 CFR Part 2, NY HIV (planned)
Status: Production in 2013
Use Case Scenarios: Direct and Exchange incl. Break Glass
Scalability: Anasazi Exchange and HEALTHeLink agreed to pilot to Anasazi providers

Pilot Name: NETSMART
Development Status: Testing with Tampa system
Data Types/Policies: 42 CFR Part 2, HIV Status (Public Health)
Status: Pilot evaluation results Sep/Oct 2013
Use Case Scenarios: Direct and Exchange
Scalability: Plans to work with Illinois HIE, Kansas Health Network and Tampa Bay Network to pilot

Pilot Name: JERICHO / University of Texas
Development Status: Requirements Development (Early Stages)
Data Types/Policies: 42 CFR Part 2
Status: Dec 2013
Use Case Scenarios: HIE/Exchange Scenarios
Scalability: A provider and government agency are considering participation

Pilot Name: Greater New Orleans HIE (GNOHIE)
Development Status: Completing Sprints, Developing Test Cases
Data Types/Policies: 42 CFR Part 2
Status: Pilot evaluation results Sep/Oct 2013
Use Case Scenarios: HIE/Exchange Scenarios
Scalability: Records for approx 215K patients from 10 organizations and 21 clinics

Mobile Device Security Resource Center for Providers and Professionals
Tips and information providers and professionals can use to:
– Protect and secure health information when using a mobile device
– Understand their organization’s mobile device policies and procedures
Five steps organizations can take to manage mobile devices

Materials Available Online
Materials available for download on HealthIT.gov/mobiledevices include:
– Fact sheets
– Posters
– Brochures
– Postcard

Training Materials: Security Video Game Released

Helping Providers Integrate Privacy and Security into Their Culture
– Designed to help health care practitioners and practice staff understand the importance of privacy and security of health information at various implementation stages
– Developed with assistance from the American Health Information Management Association (AHIMA) Foundation, with input from OCR and OGC
– Being updated to reflect HITECH changes

The End