PMRM TC Emergency Responder Use Case Draft: 2 Aug 2011.

Copyright © International Security Trust and Privacy Alliance (ISTPA)

Privacy Management Reference Model Services

Core Policy Services
- Agreement: agreements, options, permissions
- Control: policies; data management

Presentation and Lifecycle Services
- Interaction: manages data/preferences/notice
- Agent: software that carries out processes
- Usage: data use, aggregation, anonymization
- Access: individual review/updates to PI

Privacy Assurance Services
- Certification: credentials, trusted processes
- Audit: independent, verifiable accountability
- Validation: checks accuracy of PI
- Enforcement: including redress for violations

Syntax for each Service: Functions

- DEFINE [SVC] operational requirements
- SELECT [SVC] (input, process, and output) data and parameters
- INPUT [SVC] data and parameter values in accordance with SELECT
- PROCESS [SVC] data and parameter values within Functions
- OUTPUT [SVC] data, parameter values, and actions
- LINK [SVC] to other (named) Services
- SECURE [SVC] with the appropriate security functions

Each USE CASE invokes a sequence of Service "calls". Each Service call executes a sequence of Functions (drawn from these seven Function categories).

Note that "Security" is not one of the ten Services listed above; in the use-case tables that follow it is nonetheless invoked as a service, corresponding to the SECURE function applied to the flow.

Emergency Responder Use Case: On Site Care

Data Flows TO a Single Actor (ECS) with PMRM Service Invocations

ACTOR: ECS
Columns: PI-In [detailed PI required] / Source (Actor) / Requirements / Services

PI-In: Incident Report
  Source: External sources
  Requirements: ECS Privacy and Security Policy; jurisdictional regulations; OnStar
  Services: Security, Control, Audit, Interaction, Validation, Usage, Certification

PI-In: Situational Awareness Report
  Source: External sources
  Requirements: ECS Privacy and Security Policy; jurisdictional regulations; OnStar
  Services: Security, Control, Audit, Interaction, Validation, Usage, Certification

PI-In: Patient EHR Information
  Source: Service Provider and other Healthcare systems
  Requirements: HIPAA security and privacy rules; HITECH; 3rd party inherited policy agreements
  Services: Security, Control, Audit, Interaction, Validation, Certification, Usage

PI-In: Situation Assessment
  Source: On-site Care/Incident Commander
  Requirements: General scene information
  Services: None

Consider one row in the table:

Actor: ECS
  PI-In: Incident Report
  Source: External sources
  Requirements: ECS Privacy and Security Policy; jurisdictional regulations; OnStar
  Services: Security, Control, Audit, Interaction, Validation, Usage, Certification

Tabular, time-line flow of Service invocations (Time Line / Services / Operational Requirements):

1. External Source connects to the ECS
   - SECURITY: establish confidential communication (encryption)
   - CERTIFICATION: check External Source credentials
   - INTERACTION: provide privacy notice to the External Source, if appropriate
2. Incident Report is transmitted to the ECS
   - VALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources
   - CONTROL and USAGE: store the PI, together with all appropriate permissions for subsequent PI use
   - AUDIT: record the receipt of the PI and Incident Report

Additional row:

Actor: ECS
  PI-In: Situational Awareness Report
  Source: External sources
  Requirements: ECS Privacy and Security Policy; jurisdictional regulations; OnStar
  Services: Security, Control, Audit, Interaction, Validation, Usage, Certification

Time Line / Services / Operational Requirements:

1. External Source connects to the ECS
   - SECURITY: establish confidential communication (encryption)
   - CERTIFICATION: check External Source credentials
   - INTERACTION: provide privacy notice to the External Source, if appropriate
2. Situational Awareness Report is transmitted to the ECS
   - VALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources
   - CONTROL and USAGE: store the PI, together with all appropriate permissions for subsequent PI use
   - AUDIT: record the receipt of the PI and Situational Awareness Report

Question: Is a separate analysis needed for each policy domain (e.g., OnStar)?

Additional row:

Actor: ECS
  PI-In: Patient EHR Information
  Source: Service Provider and other Healthcare systems
  Requirements: HIPAA security and privacy rules; HITECH; 3rd party inherited policy agreements
  Services: Security, Control, Audit, Interaction, Validation, Certification, Usage

Time Line / Services / Operational Requirements:

1. ECS connects to Service Provider and other Healthcare Systems
   - SECURITY: establish confidential communication (encryption)
   - CERTIFICATION: mutually check credentials
   - INTERACTION: provide privacy notice to the Provider/other Systems, if appropriate
2. Patient EHR is transmitted to the ECS
   - VALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources
   - CONTROL and USAGE: store the PI, together with all appropriate permissions for subsequent PI use
   - AUDIT: record the receipt of the PI and Patient EHR

Additional row:

Actor: ECS
  PI-In: Situation Assessment
  Source: On-site Care/Incident Commander
  Requirements: General scene information
  Services: None (?)

Time Line / Services / Operational Requirements:

1. On-site Commander records general scene information in the Situation Assessment
   - SECURITY: establish confidential communication or log-in (encryption)
   - CERTIFICATION: mutually check credentials
   - INTERACTION: Is any PI contained in the general scene information?
   - VALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources
   - CONTROL and USAGE: store the PI, together with all appropriate permissions for subsequent PI use
   - AUDIT: record the receipt of the PI and Situation Assessment

Data Flows FROM a Single Actor (ECS) with PMRM Service Invocations

Actor: ECS
Columns: PI-Out / Destination (Actor) / Requirements / Services

PI-Out: Incident Report (PI Instance and enhancements)
  Destination: On-site Care/Incident Commander System
  Requirements: ECS Privacy and Security Policy; jurisdictional regulations
  Services: Security, Control, Audit, Interaction, Validation, Usage

PI-Out: Situational Awareness Report
  Destination: On-site Care/Incident Commander System
  Requirements: ECS Privacy and Security Policy; jurisdictional regulations
  Services: Security, Control, Audit, Interaction, Validation, Usage

PI-Out: Patient Data Request
  Destination: Service Providers and other healthcare systems
  Requirements: HIPAA security and privacy requirements; unique healthcare system requirements
  Services: Security, Control, Audit, Interaction, Validation, Certification, Usage, Enforcement

PI-Out: Health Information from Devices
  Destination: Service Providers and other healthcare systems
  Requirements: HIPAA security and privacy requirements; unique healthcare system requirements
  Services: Security, Control, Audit, Interaction, Validation, Certification, Usage, Enforcement

PI-Out: Virtual Consult
  Destination: On-site Care/Incident Commander System
  Requirements: (not filled in on the slide)
  Services: (not filled in on the slide)

Next steps:
- examine each row of the OUT table, in turn; then
- move to each Actor, analyzing the IN/OUT flows.
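The row-by-row procedure above, as an added example that is not part of the PMRM TC slides: a small Python model of the PI-In table and of the generic IN time line, with a checker that compares the Services a row declares against the Services its time line actually invokes, and that confirms Security opens and Audit closes each flow. Run over the four ECS rows it reports the "None (?)" Situation Assessment row as the one whose declared Services and invoked Services disagree. The class and function names, the Security-first/Audit-last ordering rule, and splitting "Control and Usage" into two invocations are assumptions made here for the example, not part of the reference model.

```python
"""Added example (not from the PMRM TC slides): model the PI-In data-flow
table and the generic time line of Service invocations, then check each
row for gaps between the Services it declares and those the time line
invokes. Names, ordering rule and table transcription are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Service(Enum):
    # The ten Services of the reference model plus Security, which the
    # use-case tables invoke as a service (it maps to the SECURE function).
    AGREEMENT = "Agreement"
    CONTROL = "Control"
    INTERACTION = "Interaction"
    AGENT = "Agent"
    USAGE = "Usage"
    ACCESS = "Access"
    CERTIFICATION = "Certification"
    AUDIT = "Audit"
    VALIDATION = "Validation"
    ENFORCEMENT = "Enforcement"
    SECURITY = "Security"


@dataclass(frozen=True)
class DataFlow:
    """One row of a 'Data Flows TO a Single Actor' table."""
    pi: str              # PI-In item, e.g. "Incident Report"
    source: str          # Source (Actor)
    requirements: tuple  # policy / regulatory requirements on the row
    services: frozenset  # Services the row declares


@dataclass(frozen=True)
class Invocation:
    """One entry of the time line: event, Service, operational requirement."""
    event: str
    service: Service
    requirement: str


def inbound_timeline(flow: DataFlow) -> list:
    """The generic IN time line the slides apply to every PI-In row."""
    connect = f"{flow.source} connects to the ECS"
    transmit = f"{flow.pi} is transmitted to the ECS"
    return [
        Invocation(connect, Service.SECURITY, "establish confidential communication (encryption)"),
        Invocation(connect, Service.CERTIFICATION, f"check {flow.source} credentials"),
        Invocation(connect, Service.INTERACTION, f"provide privacy notice to {flow.source}, if appropriate"),
        Invocation(transmit, Service.VALIDATION, "check the PI for reasonableness, veracity and relevance"),
        Invocation(transmit, Service.CONTROL, "store the PI with the permissions governing its later use"),
        Invocation(transmit, Service.USAGE, "store the PI with the permissions governing its later use"),
        Invocation(transmit, Service.AUDIT, f"record receipt of the PI and the {flow.pi}"),
    ]


def check_flow(flow: DataFlow, timeline: list) -> dict:
    """Set differences between declared Services and invoked Services."""
    invoked = frozenset(inv.service for inv in timeline)
    return {
        "declared_not_invoked": flow.services - invoked,
        "invoked_not_declared": invoked - flow.services,
    }


def ordering_ok(timeline: list) -> bool:
    """Assumed rule: Security is the first invocation, Audit the last."""
    return (bool(timeline)
            and timeline[0].service is Service.SECURITY
            and timeline[-1].service is Service.AUDIT)


FULL = frozenset({Service.SECURITY, Service.CONTROL, Service.AUDIT, Service.INTERACTION,
                  Service.VALIDATION, Service.USAGE, Service.CERTIFICATION})

# The four PI-In rows of the ECS table, transcribed from the slides.
PI_IN_TABLE = [
    DataFlow("Incident Report", "External sources",
             ("ECS Privacy and Security Policy", "jurisdictional regulations", "OnStar"), FULL),
    DataFlow("Situational Awareness Report", "External sources",
             ("ECS Privacy and Security Policy", "jurisdictional regulations", "OnStar"), FULL),
    DataFlow("Patient EHR Information", "Service Provider and other Healthcare systems",
             ("HIPAA security and privacy rules", "HITECH", "3rd party inherited policy agreements"), FULL),
    # The slide marks this row's Services as "None (?)" although its time
    # line still invokes seven Services; the checker surfaces that gap.
    DataFlow("Situation Assessment", "On-site Care/Incident Commander",
             ("General scene information",), frozenset()),
]


def analyse_table(table) -> dict:
    """Run the check over every row; returns {PI item: findings}."""
    return {flow.pi: check_flow(flow, inbound_timeline(flow)) for flow in table}


if __name__ == "__main__":
    for pi, findings in analyse_table(PI_IN_TABLE).items():
        print(pi, {k: sorted(s.value for s in v) for k, v in findings.items()})
```

The same checker applies to the OUT table once its time line is written down; note that the two healthcare-bound OUT rows declare Enforcement, which the IN time line pattern never invokes, so an outbound time line needs an Enforcement step before that table passes the check.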

Where Does the Reference Model Fit?

[Figure: Privacy Management Reference Model]