Presentation to HL7 S&I Framework Data Segmentation for Privacy Initiative 9/25/2013 Johnathan Coleman, CISSP Initiative Coordinator, Data Segmentation.

Slides:



Advertisements
Similar presentations
Report to the HITPC Security and Privacy Tiger Team S&I Framework Data Segmentation for Privacy Initiative Pilots 3/10/
Advertisements

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session esMD Requirements, Priorities and Potential Workgroups – 2:00pm.
ONC Privacy and Security Update May 7, 2013 Joy Pritts, JD Chief Privacy Officer.
Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,
Informed Consent.
Are you ready for HIPPO??? Welcome to HIPAA
Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Electronic Submission of Medical Documentation (esMD) for Medicare FFS Presentation to HITSC Provenance Workgroup January 16, 2015.
Project Proposal to IHE: Implementation Guide for Data Segmentation For Privacy (DS4P) over REST Submitted by S&I Framework Data Segmentation for Privacy.
Beth DeLair, JD, RN DeLair Consulting, LLC. Discussion Topics Background Existing WI Requirements State Efforts to Change Law Senate Bill 487 Changes.
Direct Implementation Perspective 0 Mark Bamberg, Vice President Research & Development MEDfx.
BH07 - Protecting Privacy in an Interoperable World John Leipold, DBA, MBA, COO Valley Hope Association, SATVA Board Member, Former Chair Frances Loshin-Turso,
NHIN Specifications Richard Kernan, NHIN Specification Lead (Contractor), Office of the National Coordinator for Health IT Karen Witting, Contractor to.
Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap – DRAFT Version 1.0 Joint FACA Meeting Chartese February 10, 2015.
S&I Data Provenance Initiative Questions for the HITSC on the S&I Data Provenance Initiative November 18, 2014 Julie Anne Chua, PMP, CAP, CISSP Office.
Notice of Proposed Rulemaking (NPRM) Comments Privacy and Security Workgroup Deven McGraw, chair Stan Crosley, co-chair May 1, 2015.
S&I Framework Doug Fridsma, MD, PhD Director, Office of Standards and Interoperability, ONC Fall 2011 Face-to-Face.
S&I Initiative Update Data Access Framework (DAF) 1 HITSC Meeting June 24 th, 2015 S&I Initiative Coordinator- John Feikema.
EsMD Harmonization WG Meeting Wednesday, June 13 th, 2012.
Report to the HITSC Privacy and Security Work Group S&I Framework Data Segmentation for Privacy Initiative 3/20/
EsMD Background Phase I of esMD was implemented in September of It enabled Providers to send Medical Documentation electronically Review Contractor.
Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session Charter Discussion – 9:30am – 10:00am October 18, 2011.
“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review July 9, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.
“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review July 16, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.
Colorado Children and Youth Information Sharing (CCYIS) Educational Stability Summit April 10, 2015.
HITSP’s Scope  The Panel’s mission is to assist in the development of a Nationwide Health Information Network (NHIN) by addressing the standards-related.
Data Segmentation for Privacy Initiative All-Hands Meeting 2 May
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
Confidentiality and Drug Courts Carson Fox Esq. Steve Hanson M.S. Ed.
VA-SAMHSA DS4P Pilot Demonstrations Data Segmentation for Privacy Initiative Veterans Health Administration Healthcare Information Governance Emerging.
State Alliance for e-Health Conference Meeting January 26, 2007.
“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review April 9, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.
VA-SAMHSA DS4P Pilot – Phase 2 HIMSS13 Sprint 4 VA Activities Pilot Project Partnership VA SAMHSA Jericho Systems MITRE HIPAAT Data Segmentation for Privacy.
Data Access Framework (DAF) S&I Initiative Update June 19 th,
“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review April 23, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.
Data Access Framework (DAF) The Use of DAF for Clinical Research 1 July 21, 2015 S&I Initiative Coordinator: John Feikema/Johnathan Coleman HHS/ONC Sponsor:
Data Segmentation for Privacy Agenda All-hands Workgroup Meeting May 9, 2012.
Bi-monthly call with NDIIC Joining Prepared for:SAMHSA – OBHITA Team Prepared by:Tony Calice FEI Systems FEI Systems Inc. Copyright All Rights.
“Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review April 16, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.
0 Connectathon 2009 Registration Bob Yencha Webinar | August 28, 2008 enabling healthcare interoperability.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
Structured Data Capture (SDC) UCR to Standards Crosswalk Analysis July 11, 2013.
“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review May 14, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.
Data Segmentation for Privacy November 16 th, 2011.
Testing Procedures for DS4P Summary testing approach, addressing requirements traceability, and Scenario 4 update.
Response to the HITSC Analysis and Recommendations on Patient Privacy, Provenance and Identity Metadata S&I Framework Data Segmentation for Privacy Initiative.
Data Access Framework (DAF) Relationship to Other ONC Initiatives 1.
S&I Public Health Education Series: Data Provenance July 9th, 2014 Johnathan Coleman Initiative Coordinator – Data Provenance ONC/OCPO/OST (CTR)
Structured Data Capture (SDC) Gap Mitigation July 18, 2013.
Data Segmentation for Privacy VA/SAMHSA/Mitre/Jericho/HIPAAT Pilot Sprint 7 Review Sprint #7 Technical Objectives – (2 week sprint ending August 24, 2012)
The Patient Choice Project Project Kickoff December 14 th, 2015.
Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.
Ongoing/Planned Activities for Week of 4/29 Final UCR Crosswalk due COB 4/30 Hold two working sessions to complete UCR Crosswalk on 4/30 Hold working session.
Overview of ONC Report to Congress on Health Information Blocking Presented to the Health IT Policy Committee, Task Force on Clinical, Technical, Organizational,
Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University.
Use Case 2 – CDS Guidance Service Transactions CDS Guidance Requestor 2. CDS Response (Clinical Data, Supporting Evidence, Supporting Reference, Actions,
EsMD Harmonization Use Case 2: Initial Technical Approach XD* and CDA Erik Pupo.
September, 2005What IHE Delivers 1 Basic Patient Privacy Consents IHE Educational Workshop 2007 John Moehrke Lori Forquet.
“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review April 30, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.
“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review November 5, 2013 Presented by: David Staggs JD, CISSP Jericho Systems Corporation.
Juvenile Legislative Update 2013 Confidential Records and Protected Disclosures.
Project Proposal to IHE IHE ITI Representational State Transfer (REST) Transport Implementation Guide for Data Segmentation for Privacy (DS4P) Submitted.
HITECH Modifications to HIPAA
Confidential Records and Protected Disclosures
Disability Services Agencies Briefing On HIPAA
Non-HIPAA Governmental Regulation of Healthcare Privacy and Security
US Core Data for Interoperability (USCDI): Data Provenance IG
Presentation transcript:

Presentation to HL7 S&I Framework Data Segmentation for Privacy Initiative 9/25/2013 Johnathan Coleman, CISSP Initiative Coordinator, Data Segmentation for Privacy OCPO/ONC/HHS (CTR) Tel: (843)

Presentation Agenda 2 Purpose and Need for DS4P Technical Approach/Building Blocks S&I DS4P Initiative Artifacts Selected Standards Questions

PURPOSE/NEED FOR DS4P Data Segmentation for Privacy 3

Some healthcare information requires special handling that goes beyond the protection already provided through the HIPAA Privacy rule, which allows health care providers to disclose protected health information without patient consent for treatment, payment and health care operations purposes. Protection through the use of data segmentation emerged in part through state and federal privacy laws which address social hostility and stigma associated with certain medical conditions.* * The confidentiality of alcohol and drug abuse Patient records regulation and the HIPAA privacy rule: Implications for alcohol and substance abuse programs; June 2004, Substance Abuse and Mental Health Services Administration. The Need for Data Segmentation Why Segment Data? 4

An estimated 26% of Americans age 18 and older are living with a mental health disorder in any given year. 46% will have a mental health disorder over the course of their lifetime. An estimated 8% of Americans are in need of drug or alcohol abuse treatment. Patients suffering from serious mental illness have increased rates of co-occurring conditions, which results in a reduced life expectancy of 8-17 years. Why Segment Data? According to recent estimates posted on healthit.gov: 5

42 CFR Part 2: Federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations protect specific health information from exchange without patient consent. Title 38, Section 7332, USC : Laws protecting certain types of health data coming from covered Department of Veterans Affairs facilities and programs. Types of data include sickle cell anemia, HIV, and substance abuse information. Why Segment Data? Heightened Legal Privacy Protections in scope for the S&I DS4P Initiative: 6

45 CFR § (a)(1)(iv): Effective 3/26/2013, this final rule describes how patients may withhold any health information from health plans for services they received and paid for out- of-pocket.* Other State and Federal laws relating to certain conditions or types of data, including: – Mental Health – Data Regarding Minors – Intimate Partner Violence and Sexual Violence – Genetic Information – HIV Related Information. Why Segment Data? Other Examples of Heightened Legal Privacy Protections 7 * May be useful, but patient, not provider, has responsibility for ensuring that downstream recipients know that patient is requesting restriction.

User Story Example (1)  The Patient receives care at their local hospital for a variety of conditions, including substance abuse as part of an Alcohol/Drug Abuse Treatment Program (ADATP).  Data requiring additional protection and consent directive are captured and recorded. The patient is advised that the protected information will not be shared without their consent.

User Story Example (2) 9  A clinical workflow event triggers additional data to be sent to Provider/Organization 2. This disclosure has been authorized by the patient, so the data requiring heightened protection is sent along with a prohibition on redisclosure.  Provider/ Organization 2 electronically receives and incorporates patient additionally protected data, data annotations, and prohibition on redisclosure.

TECHNICAL APPROACH Data Segmentation for Privacy 10

Layered Approach for Privacy Metadata “Russian doll” concept of applying metadata with decreasing specificity as layers are added to the clinical data. Privacy metadata uses standards to convey: – Confidentiality of data in clinical payload – Obligations of receiving system – Allowed purpose of use Technical Approach 11

Types of Privacy Metadata used by DS4P Purpose of Use: –Defines the allowed purposes for the disclosure (e.g. Treatment, Emergency Treatment etc). Obligations: –Refrain Codes: Specific obligations being placed on the receiving system (e.g. do not re-disclose without consent) Confidentiality Codes: –Used by systems to help convey or enforce rules regarding access to data requiring enhanced protection. Uses “highest watermark” approach. Technical Approach 12

- LOINC Document Type/Datatype for CDA - ASC X /5010 for Healthcare Provider & facility types and Healthcare Coverage Type - SNOMED-CT for Protected diagnoses/problems -Query for consent directive location (optional) -Query for consent directive (optional) -HL7 IG for CDA, Release 2: Consent Directives, Release 1 - HL7 Confidentiality Code: for CDA (N,R,V) -HL7 Refrain Code: (e.g. prohibition on re-disclosure without consent) -HL7 Purpose of Use: The purpose for the information disclosure (e.g. support treatment, payment, operations, research, etc.) -URL or XACML Pointer for Policy Reference if needed Requirements of Sending System Technical Approach SENDING SYSTEM: Provider/Healthcare Organization A Add privacy metadata to health information to be disclosed to other organization Identify Information that is further restricted Verify the patient’s privacy consent allows the disclosure of protected information 13

DS4P ARTIFACTS Data Segmentation for Privacy Initiative 14

Data Segmentation for Privacy Use Case document. Implementation Guide describing recommended standards for privacy metadata, organized by transport mechanism: – SOAP: Provides support for NwHIN / eHealth Exchange. – SMTP: Provides support for DIRECT (e.g. S/MIME, or XDR and XDM Messaging for bridging Direct and Exchange environments). – REST: HL7 hData Record Format or IHE Mobile Access to Health Documents (MHD) Profile. Analysis of HITSC recommendations for privacy metadata supporting the PCAST vision for tagged data elements. Executive Summary Document (Community Draft) DS4P IG Test Procedures Initiative Artifacts 15

Over 300 Participating Individuals 98 Committed Members 92 participating Organizations 6 Pilots (1 Federal, 5 Industry): – VA/SAMHSA (Demonstrated at HIMSS 2013 Interoperability Showcase) – NETSMART (Demonstrated at HIMSS 2013 Interoperability Showcase) – Software and Technology Vendors' Association (SATVA) – Jericho / University of Texas – Greater New Orleans Health Information Exchange (GNOHIE) – TeraDact Initiative Participation Strong Community Participation: 16

HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1 HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1 Ballot Dates: August 12 – September 16, 2013 ONC DS4P Implementation Guide (IG) are being used as core input into the HL7 DS4P IG project. The HL7 IG identifies the normative standards that it constrains, and a description of how the IG is compliant with its base normative standards. The HL7 IG includes adequate implementation guidance to developers. All IG non-HL7 standards (including vocabulary) are identified and any gaps addressed, e.g., as future harmonization proposals or as requests to appropriate SDOs HL7 DS4P Project

SELECTED STANDARDS Data Segmentation for Privacy Initiative 18

CapabilityStandard/ProfileSpecific Usage IHE XD* Profiles IHE XDR and XDM Metadata IHE XDS Metadata used as the mechanism to support both SubmissionSet and Document metadata Vocabularies ASC X Used to define type of insurance coverage Healthcare Facility Type Value Set – as defined in HITSP C80 Used to define facility types (and used by systems to determine protected facilities) HL7 RefrainPolicyUsed to convey specific prohibitions on the use of sensitive health information HL7 PurposeofUseUsed to convey a purpose of use HL7 BasicConfidentialityCodeKindUsed to represent confidentiality codes HL7 ObligationCodeUsed to convey specific obligations HL7 ActPolicyTypeUsed to convey a type of policy HL7 SensitivityPrivacyPolicyUsed to convey the sensitivity level of a specific policy Selected Standards 19

CapabilityStandard/ProfileSpecific Usage TransportSOAPTransport-level security TransportSMTP and S/MIME S/MIME attributes are bound to SMTP to provide for the use of secure as the transport mechanism for exchanging patient data Conveying Identity - Cross-Enterprise User Assertion (XUA) - OASIS SAML Specification Version 2.0 IHE XUA Metadata SAML Assertion (SAML Request and Response) Conveying Identity X.509 Digital Certificates PKI to support Direct implementations Patient Consent Structure HL7 Implementation Guide for CDA®, Release 2: Consent Directives, Release 1 Provides representations for expressing privacy preferences and exchanging privacy policies that can be enforced by consuming systems Selected Standards 20

References/Contact Information The full whitepaper by Melissa M. Goldstein, entitled, “Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis” is available at: Thank you! 21 Johnathan Coleman, CISSP, CISM Initiative Coordinator, Data Segmentation for Privacy Principal, Security Risk Solutions Inc. 698 Fishermans Bend, Mount Pleasant, SC Tel: (843) Scott Weinstein, J.D. Office of the Chief Privacy Officer Office of the National Coordinator for Health Information Technology Department of Health and Human Services 21