Privacy and Security Workgroup: Summary of Big Data Public Hearings
February 9, 2015
Deven McGraw, chair; Stan Crosley, co-chair
Agenda
- PSWG Workplan
- Scope
- Key Themes
- Topics to Discuss
  – Data Security in Health Big Data
  – Review: Consent Discussion
- Backup Slides
  – Topics Previously Discussed
  – Summary of Hearing Testimony
  – Key Themes and Topics in Depth
  – Future Topics

Privacy and Security Draft Workplan

Meeting                          Task
December 5, 2015                 Virtual hearing – big data and privacy
December 8, 2014                 Virtual hearing – big data and privacy
January 12, 2015                 Big data and privacy in health care
January 26, 2015                 Big data and privacy in health care
February 9, 2015                 Big data and privacy in health care
February 10, 2015                Joint HITPC/HITSC Meeting; review draft Interoperability Roadmap; PSWG tasking
February 23, 2015                Begin discussion of relevant sections of draft Interoperability Roadmap
March 10, 2015 (HITPC Meeting)   Tentative date to present initial Health Big Data findings to the HITPC

[Slide navigation: PSWG Workplan | Scope | Key Themes | Security | Transparency]

Scope
In scope:
- Privacy and security issues – concerns and potential barriers to progress/innovation
- Potential harmful uses (related to privacy)
Out of scope:
- Data quality/data standards
- Non-representativeness of data? The workgroup should not try to resolve this from the standpoint of increasing the "representativeness" of data, but it should be considered in the discussion of harmful uses

Key Themes
1. Concerns about tools commonly used to protect privacy
   A. De-identification
   B. Data security in health big data
   C. Patient consent vs. norms of use
   D. Transparency
   E. Collection/use/purpose limitations
2. Preventing/limiting/redressing harms
3. Legal landscape
   A. Gaps or "under-" regulation
   B. "Over-" or "mis-" regulation

Topic: Data Security in Health Big Data
Panel Testimony and Discussion
Panelists:
- Andrei Stoica – IMS Health, VP of Global Systems Development and Security
- Denise Anthony – Dartmouth College, Vice Provost for Academic Initiatives, Professor of Sociology
- Ryan Andersen – Milliman, Director of SaaS
Format:
- 5 minutes each for testimony
- Question and answer period – 45 minutes

Review: Consent Overview
Consent issues within the HIPAA framework
- To date, discussions have focused on research uses and on whether HIPAA and Common Rule requirements appropriately advance innovation and the learning health system while building trust and protecting individuals (patients, consumers).
  – Low-risk research: should this be acceptable without consent and without an IRB waiver? How does this get determined? (See subsequent slides.)
  – Consider the role of transparency in place of consent when coupled with "appropriate use" definitions, particularly for observational research or health care operations.
- Are there other use cases within HIPAA that need further discussion? (How much of this universe do we need to take on?)

[Slide navigation: PSWG Workplan | Scope | Key Themes | Security | Consent]

Review: Consent Overview
Consent issues outside of the HIPAA framework (but how much can we borrow from HIPAA for policies in this environment?)
- Should consent requirements attach to those uses and disclosures that are outside of what should reasonably be expected given the context?
  – Do people understand enough of this context?
- Is there a risk-based framework for policies in this context as well?
- Data that relates to health is an ever-expanding list, which poses challenges to placing more stringent requirements on sharing of "health" data.

Review: Consent Overview
Overarching issues for both environments:
- Concerns about "all in or all out" consent, which does not give people much in the way of choice
  – The policy environment and technological capabilities may not be mature enough to enable granularity
- How can consents be persisted across environments? (For example, HIPAA to non-HIPAA and back again.) Related question: when and how does the consent get collected?
- Consent puts the burden on the individual, so it cannot be the sole or primary protection in either environment; at the same time, it should enable individuals to do what they want with their data, including broad data sharing, if that is their preference.

Review: Consent Recommendations
Research uses in the HIPAA environment:
- Reiterate/refine the initial recommendation for the ANPRM: for re-use of clinical or claims data to "contribute to generalizable knowledge," there is no need to obtain consent, as long as the entity in control of the data uses implements fair information practices (for example, security, minimum necessary).
  – Any caveats to this? (What are higher-risk vs. lower-risk use cases? Personal vs. non-personal impact?)
  – How to implement: through guidance on waivers, or through a change to the regulation?
- [Placeholder for other HIPAA use cases]

Review: Consent Recommendations
Non-HIPAA environment: when should consent be required? (Note that edge cases may be easier to define; the middle ground may be more difficult.)
- Based on type of use/disclosure?
  – Can "research" uses be prioritized, assuming research is being done "for generalizable knowledge" (e.g., the same definition used in HIPAA and in the Common Rule)?
- Based on higher "privacy" risk? (For example, personal vs. non-personal impact; level of sensitivity of the data?)
- Based on identifiability of the data? Should HIPAA standards apply here?
- Based on commercial/profit use? (Can we rely on HIPAA's "sale of data" definitions?)
- Disclosure outside of the initial environment vs. internal uses: is this a worthwhile distinction for consent purposes?

Review: Consent Recommendations
Non-HIPAA environment:
- Follow Fair Information Practices; do not just rely on consent.
- Conditional consents: these should at least be clear to the individual so they understand the "terms of the deal."
  – Should these be disallowed under any circumstances, and if so, which?

Review: Consent Recommendations
Considerations for both HIPAA and non-HIPAA environments:
- Granular consents
  – Desirable, but are policies and technical capabilities mature enough to accomplish them?
- Persisting consent across environments

Background

Topic: Consent - Concerns
Consent is a valued tool for protecting privacy and individual autonomy, but:
- It is difficult to obtain informed consent up front for future, valuable big data uses and re-uses
- Some secondary uses may be unexpected (for example, in data analytics models where the data surface the hypotheses)
- It may be impossible for large-scale studies
- Even allowing opt-out may skew results
- It lays the burden for privacy on the individual
- It may work best when not over-utilized (for example, not requiring it for "expected" uses)
- There is policy tension with the technology landscape (technologies to enable consent are evolving, but policies may not reflect technical capabilities). See the TSSWG meeting slides on consent.
When is transparency a better strategy for engaging individuals than seeking their individual consent, or even allowing opt-outs?

Topic: Consent - Recommendations
- Regulators should evaluate policies governing research uses of health data to determine when, and under what circumstances, such research uses can be pursued under individual engagement models not confined to opt-in, specific authorization of a particular research use.
  – Presume research is defined as it currently is in HIPAA and the Common Rule: a "systematic investigation ... designed to develop or contribute to generalizable knowledge" (45 CFR 164.501; 45 CFR 46.102).
  – Consider whether secondary use of information (with treatment, payment and health care operations, TPO, not considered a secondary use) introduces additional risk for the individual, depending on context:
    - Is the research being done in a controlled environment? Internal vs. external?
    - Are there limitations on who is permitted to see the information, and on how much information is exposed (identifiability)?
    - Is the research intended for public benefit? (Is the research definition itself sufficient to impose this limitation?)
    - Are there reasonable security protections for the data?
  – This could be accomplished through changes in regulation or through guidance under existing regulations
  – But there could still be the problem of varying interpretations by individual institutions and IRBs

Topic: Consent - Recommendations
- Regulators and industry should explore/pursue/implement technology options that enable choice when it is required to be obtained.
  – Downstream restrictions coupled with consent provenance.
- Transparency to individuals about actual data uses, whether for identifiable or de-identified data, is key, particularly in circumstances where choice is not provided or is more limited. [What action? What actors?]

Health Big Data Opportunities & the Learning Health System
Testimony
Learning must be embedded into care delivery; we still do not have answers for a large majority of health questions.
Key points:
1. Sometimes there is a need to use fully identifiable data
2. It is not possible to get informed consent for all uses
3. It is impossible to notify individuals personally about all uses
4. A universal opt-out is not workable because the answers could be unreliable
5. A standard could likely be developed that determines "clearly good/appropriate uses" and "clearly bad/inappropriate uses"
Focus on:
1. The minimum necessary amount of identifiable data (but offset by future use needs)
2. Good processes for approval and oversight
3. Uses of data stated publicly (transparency)
4. Minimizing the number of individuals who have access to the data (distributed systems help accomplish this)
When identifiable data is used, it must be stored in highly protected locations: "data enclaves".