1 HIT Standards Committee Privacy and Security Workgroup: Recommendations
Dixie Baker, SAIC
Steven Findlay, Consumers Union
August 20, 2009

2 Privacy and Security Workgroup Members
Dixie Baker, SAIC
Anne Castro, BlueCross BlueShield of South Carolina
Aneesh Chopra, Federal Chief Technology Officer
David McCallie, Cerner Corporation
Steve Findlay, Consumers Union
Gina Perez, Delaware Health Information Network
Sharon Terry, Genetic Alliance
Wes Rishel, Gartner
John Moehrke, HITSP

3 Roadmap
1. Map “ARRA 8” priorities to required privacy and security capabilities
2. Identify privacy and security services required for product certification, and recommend standards
  – Recommendations presented and approved in July
  – Presenting update for Committee approval
3. Recommend privacy and security measures for enabling an enterprise to demonstrate meaningful use of a certified EHR product
  – Presenting recommendations for Committee approval

4 Update to Product Certification Standards*
  – Expanded source references
  – Added HITSP Capabilities for Consumer Services
  – Added WS-Security & XDR
  – Added NOTE allowing for use of REST in SOA implementations
  – Corrected category for ASTM Electronic Authentication Standard
  – Changed readiness levels for SAML and PWP
  – Deleted Common Criteria + 2 duplicates
  – Added timeline
*See handout

5 Roadmap
1. Map “ARRA 8” priorities to required privacy and security capabilities
2. Identify privacy and security services required for product certification, and recommend standards
  – Recommendations presented and approved in July
  – Presenting update for Committee approval
3. Recommend privacy and security measures for enabling an enterprise to demonstrate meaningful use of a certified EHR product
  – Presenting recommendations for Committee approval

6 Challenges
Only objective identified by the Policy Committee is “HIPAA compliance”
  – All applicants are required by law to operate in compliance with the HIPAA Privacy and Security Rules
  – Including ARRA provisions, eventually – for now, including ARRA measures
Requiring applicants to “recertify” compliance with some HIPAA standards and/or implementation specifications may suggest that some HIPAA requirements are “more important than others”
Must avoid prescribing “new law” or “new regulations”
Recognition that meaningful use of EHR technology unquestionably brings new privacy and security risks to the provider organization and consumers
Effectively addressing these risks is critical to the ultimate objective of furthering the adoption and proliferation of interoperable EHRs and HIEs

7 From Policy Committee: “Meaningful Use” Objectives and Policy Measures
Objectives
  – Compliance with HIPAA Privacy and Security Rules and state laws
Policy Measures
  – Full compliance with HIPAA Privacy and Security Rules
  – Conduct or update a security risk assessment and implement security updates as necessary
  – Recommend that CMS withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved

8 “Meaningful Use” Measures Recommended by Privacy and Security Workgroup
Recommendations include:
  – Measures representing value that EHR adoption is contributing to an enterprise’s HIPAA compliance
  – Measures representing changes in the enterprise’s approach to HIPAA compliance, as a result of its having adopted an EHR
      Countermeasures to new risks
      Configuration of security and privacy capabilities inherent in the certified product
  – Measures that can be objectively assessed by HHS

9 “Meaningful Use” Recommended Measures
Policy Measure: Full compliance with HIPAA Privacy and Security Rules
Demonstration Measures:
Update and implement security and privacy policies to specifically address use of the certified EHR product in its operational environment in compliance with HIPAA Privacy and Security Rules and guidelines, including ARRA provisions:
  – Notification of individuals whose PHI may have been breached
  – Limiting disclosures to minimum necessary or limited data sets
  – Providing an accounting of all disclosures
  – Enabling consumers to request and receive electronic copies of their EHR
Configure EHR system and supporting IT infrastructure in compliance with HIPAA Privacy and Security Rules and guidelines (including ARRA)

10 “Meaningful Use” Recommended Measures
Policy Measure: Conduct or update a security risk assessment and implement security updates as necessary
Demonstration Measures:
Conduct or update security and privacy risk assessment, and implement policy, procedures, and system configuration necessary to use the certified EHR meaningfully, including:
  – Termination of system access of terminated workforce members
  – Establishment and periodic review of accesses to assure that access is granted to those with permission, and that access is not granted to those who do not have permission
  – Protection against, detection, and reporting of malicious software
  – Monitoring of audit trail of system activities
  – Password management (if passwords are used for user authentication)
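The first, second and fourth measures on this slide (terminating access of departed workforce members, periodic access review, and audit-trail monitoring) are the kind of check an enterprise can run against its own records. The script below is an added illustration, not material from the Workgroup or the slides: it assumes an HR roster, an EHR account list and a "timestamp key=value" audit-log format, all constructed here as sample data, and flags enabled accounts with no active HR owner plus any audit events recorded after a user's termination date.

```python
from datetime import date, datetime

# Constructed sample data (not from the slides): an HR roster keyed by user id,
# the EHR's account list, and a few audit-trail lines in a made-up
# "ISO-timestamp key=value ..." format.
ROSTER = {
    "asmith": {"status": "active", "terminated_on": None},
    "bjones": {"status": "terminated", "terminated_on": date(2009, 7, 15)},
    "cwong": {"status": "active", "terminated_on": None},
}

ACCOUNTS = [
    {"user": "asmith", "enabled": True, "role": "nurse"},
    {"user": "bjones", "enabled": True, "role": "physician"},   # never disabled after termination
    {"user": "cwong", "enabled": False, "role": "clerk"},
    {"user": "svc_backup", "enabled": True, "role": "service"},  # no HR record at all
]

AUDIT_LOG = """\
2009-07-14T16:40:02 user=bjones action=VIEW patient=P1001
2009-07-20T08:05:11 user=bjones action=VIEW patient=P1002
2009-07-20T08:06:30 user=asmith action=UPDATE patient=P1002
2009-07-21T23:59:59 user=svc_backup action=EXPORT patient=ALL
"""


def parse_audit_line(line):
    """Parse one 'ISO-timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def orphaned_accounts(accounts, roster):
    """Enabled accounts that no active workforce member can justify.

    Returns (user, reason) pairs: the user is terminated in HR, or HR has no
    record of the id (a service or leftover account the review must explain).
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "no HR roster entry"))
        elif person["status"] != "active":
            findings.append((acct["user"], f"terminated on {person['terminated_on']}"))
    return findings


def access_after_termination(audit_text, roster):
    """Audit events by a user dated after that user's HR termination date."""
    hits = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        event = parse_audit_line(line)
        person = roster.get(event["user"])
        terminated_on = person["terminated_on"] if person else None
        if terminated_on and event["ts"].date() > terminated_on:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for user, reason in orphaned_accounts(ACCOUNTS, ROSTER):
        print(f"ACCESS REVIEW: disable or justify account {user}: {reason}")
    for event in access_after_termination(AUDIT_LOG, ROSTER):
        print(f"AUDIT ALERT: {event['user']} {event['action']} on {event['patient']} at {event['ts']}")
```

Run periodically, the first function is the access review itself and the second shows why the audit trail has to be read as well: the account for bjones was still enabled, and the log records a chart view five days after the HR termination date. The service account with no HR owner is reported rather than silently accepted, since the review has to document who is responsible for it.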

11 “Meaningful Use” Recommended Measures
Policy Measure: Conduct or update a security risk assessment and implement security updates as necessary
Demonstration Measures (risk management, continued):
  – Screen-locking and session termination after pre-established periods of inactivity
  – Secure hash function to protect the integrity of all PHI transmissions
  – Encryption of all PHI transmissions, internal or external to the organization, where the possibility of their going over unsecured wireless or cellular networks cannot be ruled out
  – Encryption of all PHI transmissions that leave the facility and travel in part over shared networks
  – Encryption of all PHI stored on portable devices and removable media
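The second measure calls for a secure hash to protect the integrity of PHI transmissions. The point a practitioner needs here is that an unkeyed digest sent alongside the data only catches accidental corruption: whoever can alter the bytes can recompute the digest. A keyed construction (HMAC over the message, with the key held by sender and receiver) is what makes alteration detectable, and the transmission encryption listed on the same slide is a separate layer (TLS or an equivalent) that this example does not show. The code below is an added illustration using only Python's standard library, not material from the Workgroup; the key and the PHI record are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(message: bytes, key: bytes) -> bytes:
    """Append HMAC-SHA256(key, message) so the receiver can detect any change in transit."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(envelope: bytes, key: bytes):
    """Return the message if its tag checks out under key, else None.

    compare_digest runs in constant time, so a forger cannot learn the tag
    byte by byte from timing differences.
    """
    if len(envelope) < TAG_LEN:
        return None
    message, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


# The weak alternative: an unkeyed digest travelling with the data. Anyone who
# can alter the bytes can recompute it, so it catches accidental corruption only.
def plain_hash_protect(message: bytes) -> bytes:
    return message + hashlib.sha256(message).digest()


def plain_hash_verify(envelope: bytes):
    if len(envelope) < TAG_LEN:
        return None
    message, digest = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hashlib.sha256(message).digest()
    return message if hmac.compare_digest(digest, expected) else None


def tamper(envelope: bytes, offset: int) -> bytes:
    """Flip one bit at offset, standing in for corruption or alteration in transit."""
    altered = bytearray(envelope)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; real keys come from a key manager
    phi = b"patient=P1001 dx=J45.909"      # constructed sample record
    env = protect(phi, key)
    print("intact    :", verify(env, key))
    print("bit flip  :", verify(tamper(env, 8), key))         # None: change detected
    print("wrong key :", verify(env, b"other-key"))           # None
    # Unkeyed digest: a rebuilt digest over altered data passes the check anyway
    rebuilt = plain_hash_protect(b"patient=P1001 dx=Z00.00")
    print("plain hash accepts rebuilt digest:", plain_hash_verify(rebuilt) is not None)
```

The envelope layout (message followed by a fixed-length tag) keeps parsing unambiguous; a receiver that strips the tag before checking it, or compares with `==` instead of `compare_digest`, weakens the control without changing what gets logged.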

12 “Meaningful Use” Recommended Measures
Policy Measure: Conduct or update a security risk assessment and implement security updates as necessary (cont.)
Demonstration Measures:
Update and implement Contingency Plan (data backup plan, disaster recovery plan, emergency-mode operations plan, testing and revision procedures, applications and data criticality analysis) that incorporates use of the EHR product
Identify and document data and capabilities that are minimally required in order to assure continuity of critical patient care, and establish service-level agreements (SLAs) consistent with these priorities

13 “Meaningful Use” Recommended Measures
Policy Measure: Recommend that CMS withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved
Demonstration Measures:
To the extent possible, obtain confirmation from the Office for Civil Rights (OCR) that any confirmed HIPAA privacy or security violations have been resolved
Obtain an affirmation from the entity at issue that any confirmed HIPAA privacy or security violations have been resolved