Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013.

Tiger Team Charge
The Tiger Team is charged with making short-term and long-term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and electronic health information exchange (HIE), and enable their appropriate use to improve healthcare quality and efficiency, particularly as related to ARRA and the Affordable Care Act (ACA), which mandates a number of duties for the ONC relative to privacy and security.

Topics Covered
– Stage 2 of Meaningful Use (specifically, policies related to the view/download/transmit functionality)
– Patient’s right to request an amendment to information in an EHR
– Improving accuracy in patient matching
– Consent

View/Download/Transmit: Transparency (transmittal letter of August 16, 2011)
– Providers participating in the Meaningful Use program should offer patients clear and simple guidance regarding use of view and download (a short notice with links to more information).
– Patients should be prompted to confirm that they want to complete a download or transmit transaction (at least initially; patients could be given the capability to turn this off).
– The Markle Common Framework and MyHealtheVet Blue Button provide good models.
– The Tiger Team did not ask for this to be included in certification for CEHRT; members did not want a rigid, one-size-fits-all approach and wanted to give providers some flexibility.

View/Download/Transmit: Security (transmittal letter of April 18, 2011)
– Eligible Providers and Hospitals should deploy audit trails for the patient portal and at least be able to provide these to patients on request (this will need to be part of certification).
– Patient portals should include mechanisms to ensure information can be securely downloaded to a third party authorized by the patient.
– Certified EHRs should include a capability to detect and block programmatic attacks or attacks from known but unauthorized persons (such as through automatic lock-out after a number of unsuccessful log-in attempts).

View/Download/Transmit: Data Integrity (transmittal letter of April 18, 2011)
– Patient portals should include appropriate provisions for data provenance, which is accessible to the user when the user accesses the data and is included with the information upon download and transmit.
– Further discussion is needed to flesh out the details (for example, what information needs to be included in provenance both for access and for download/transmit, and how to balance accessibility with user interface issues).

View/Download/Transmit: Identity Proofing/Authentication (approved by the HITPC on January 8, 2012; follow-up to initial recommendations in transmittal letter of April 18, 2011)
– ONC should develop and disseminate best practices for identity proofing and authentication for patient access to portals.
– Such best practices should follow some key principles, including that protections be commensurate with risk and that solutions be easy for patients and consumers (consistent with what they are willing to do, and not setting the bar too high).
– Best practices should evolve over time in response to innovation (including potential solutions developed as part of the NSTIC multistakeholder process).

View/Download/Transmit: Identity Proofing/Authentication (transmittal letter of May 3, 2013; update to initial recommendations in transmittal letter of April 18, 2011)
– Providers can identity-proof in person but should also offer a remote solution (such as knowledge-based authentication, done in-house or using an outside service). Remote identity proofing could be combined with out-of-band confirmation.
– Providers should be strongly encouraged to use more than a user ID and password to authenticate, but not something too burdensome for consumers to use (not NIST level of assurance 3, but more like “2.5,” similar to what is customarily used in online banking). Best practices in password management should also be disseminated.
– Regarding patient use of DIRECT, the patient should provide a DIRECT address to the provider; there is no need for additional requirements on patients.

Patient’s Right to Request an Amendment
Follows the right in the HIPAA Privacy Rule (45 CFR ):
– Patients can request (from the source) an amendment, or to append information indicating a dispute about information in the record.
– If an amendment is made, providers must make reasonable efforts to inform and provide the amendment to persons (including business associates) that the provider knows received the information and may rely on it to the patient’s detriment.
– A provider who receives an amendment from another provider must make the change.

Patient’s Right to Request an Amendment*
Certified EHR Technology should have the capability in MU Stage 2 to support patient-requested amendments to health information per HIPAA. Specifically, the systems should make it technically possible for providers to:
– Make amendments to a patient’s health information in a way that is consistent with the entity’s obligations with respect to the legal medical record (i.e., there should be the ability to access/view the original data and to identify any changes to it).
– Append information from the patient in the event of a dispute, and any rebuttal from the entity regarding the disputed data.
CEHRT should have the ability by MU Stage 3 to transmit patient-requested amendments, updates or appended information to other providers to whom the data in question has previously been transmitted.
* Transmittal letter of July 25,

Improving Accuracy in Patient Matching*
– Recommendations arose out of a public hearing that took place in December.
– Addressing this requires a comprehensive solution, involving both humans and technology (it is not an issue fixed by a number).
– Data fields commonly used in matching should be standardized.
– Providers and HIEs should internally evaluate and seek to improve matching accuracy.
– ONC should develop, promote and disseminate best practices.
– Patients can and should be allowed to play a role in improving data quality.
* Transmittal letter of February 8,

Consent*
– Based on the principle that the clinician/physician-patient relationship is the locus of trust in health information exchange, and that patients should not be surprised to learn where their information is disclosed.
– Patients should have meaningful choice regarding whether their information is shared in exchange arrangements where their providers/IDSs no longer control decisions over whether their information is disclosed.
– Meaningful choice includes the opportunity to make the choice in advance, with full transparency of risks and benefits.
– ONC should study/pilot technology approaches to enable patients to make more granular choices.
* Transmittal letter of August 19,