HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology.

Slides:

Advertisements

Similar presentations

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

Advertisements

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.

Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.

Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

NYS Office of Health Information Technology Transformation 1 HEAL 5 Kickoff Meeting Privacy and Security Workgroup Co-chairs: Tom Check – VNS of NY Lisa.

HITPC Information Exchange Workgroup Discussion of Governance RFI May 16,

NHIN Direct Project Communications Work Group Message for State HIE/RECs August 30, 2010.

HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair August 19,

Privacy and Security in the Direct Context Session 6 April 12, 2010.

A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability.

Informed Consent and HIPAA Tim Noe Coordinating Center.

Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families

1 VUMC Confidentiality Policy and HIPAA Implications for Clinical Research General Clinical Research Center Skills Workshop March 2, 2007 Gaye Smith Privacy.

Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013.

Health Information Technology Nationwide Activities and Issues Roy H. Wyman, Jr. May 7, 2009.

Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013.

HIT Policy Committee Nationwide Health Information Network Governance Workgroup Recommendations Accepted by the HITPC on 12/13/10 Nationwide Health Information.

Privacy and Security Tiger Team Today’s Discussion: MU3 RFC Comments May 8, 2013.

Update on Federal HIT Legislation Kirsten Beronio Mental Health America.

Nationwide Health Information Network: Conditions for Trusted Exchange Request For Information (RFI) Steven Posnack, MHS, MS, CISSP Director, Federal Policy.

State Alliance for e-Health Conference Meeting January 26, 2007.

HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

HIT Policy Committee Information Exchange Workgroup NwHIN Conditions for Trusted Exchange Request For Information (RFI) May 15,

HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.

State HIE Program Chris Muir Program Manager for Western/Mid-western States.

HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.

HIT Policy Committee Privacy & Security Tiger Team Update Deven McGraw, Co-Chair Center for Democracy & Technology Paul Egerman, Co-Chair June 25, 2010.

IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.

Privacy and Security Tiger Team Today’s Discussion: Query/Response Scenarios for Health Information Exchange February 21, 2013.

HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair Patient Matching Recommendations February 2,

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

1 Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topics Governance RFI Prioritized Questions June 4, 2012.

HIT Policy Committee Information Exchange Workgroup NwHIN Conditions for Trusted Exchange Request For Information (RFI) May 18,

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

ONC’s Proposed Strategy on Governance for the Nationwide Health Information Network Following Public Comments on RFI HIT Standards Committee Meeting September.

HIT Policy Committee Privacy & Security Policy Workgroup Deven McGraw, Chair Center for Democracy & Technology Rachel Block, Co-Chair NYS Department of.

HIT Standards Committee Overview and Progress Report March 17, 2010.

HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair October 20,

Scalable Trust Community Framework STCF (01/07/2013)

HIT Policy Committee Health Information Exchange Workgroup Deven McGraw, Center for Democracy & Technology Micky Tripathi, Massachusetts eHealth Collaborative.

Mariann Yeager, NHIN Policy and Governance Lead (Contractor) Office of the National Coordinator for Health IT David Riley, CONNECT Lead (Contractor) Federal.

HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair July 21, 2010.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

1 Overview of HIT Policy Committee’s Privacy Hearing Jodi Daniel, JD, MPH Director, Office of Policy and Research Office of the National Coordinator for.

1 Changes to Privacy Regulations under ARRA May 4, 2009 Melissa Goldstein, J.D. The George Washington University School of Public Health and Health Services.

Bringing Health Information to Life DAVID BLUMENTHAL, MD, MPP National Coordinator of Health Information Technology US Department of Health & Human Services.

Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.

Overview of ONC Report to Congress on Health Information Blocking Presented to the Health IT Policy Committee, Task Force on Clinical, Technical, Organizational,

Privacy and Security Tiger Team Potential Questions for Request for Comment Meaningful Use Stage 3 October 3, 2012.

HIT Policy Committee Meeting Nationwide Health Information Network Governance June 25, 2010 Mary Jo Deering, PhD ONC, Office of Policy and Planning NHIN.

Status Update Deven McGraw, Chair Center for Democracy & Technology Micky Tripathi, Co-Chair Massachusetts eHealth Collaborative May 19, HIT Policy.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.

HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology.

Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special.

The HIPAA Privacy Rule: Implications for Medical Research

Health Information Security and Privacy Collaborative (HISPC) Overview

American Health Information Management Association

Concerns of a Privacy Advocate – and How to Respond

Healthcare Privacy: The Perspective of a Privacy Advocate

Drew Hunt Network Security Analyst Valley Medical Center

Enforcement and Policy Challenges in Health Information Privacy

Analysis of Final HIPAA Privacy Modification Rule

Non-HIPAA Governmental Regulation of Healthcare Privacy and Security

Health Information Exchange for Eligible Clinicians 2019

Presentation transcript:

HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology Transformation NYS Department of Health May 19, 2010

Broad Charge To make short-term and long-term recommendations to the Committee on privacy and security policies and practices that will help build public trust in health information technology and electronic HIE and enable their appropriate use to improve healthcare quality and efficiency. Specifically, the Workgroup will seek to address the complex privacy and security requirements through the development of proposed policies, governance models, solutions, and approaches that enhance privacy and security while also facilitating the appropriate collection, access, use, disclosure and exchange of health information to improve health outcomes. 2

Privacy and security for electronic health information exchange Privacy and security are foundational to achieving meaningful use of health IT. A comprehensive set of privacy and security protections that build on current law and more specifically implement the principles in the Nationwide Data Sharing Framework is critical to building the foundation of trust that will support and enable meaningful use by providers, hospitals and consumers and patients. Individual consent is an important component of a framework of policies that govern exchange – but it is only one element of the framework. Individuals ideally should not bear the burden of protecting their privacy. Electronic health information exchange to meet “meaningful use” may take place in a number of ways, and what is needed to build and maintain public trust may vary based on how exchange occurs. 3

General Themes from WG Discussions One-to-one exchange, where provider directly sends information to another provider to facilitate treatment and there is no entity in the middle with any access to identifiable patient information, is closest to present circumstances. However, if entity facilitating exchange has ability to access information (either in the message header or the content) that includes information that either directly or by inference includes patient-level information, workgroup had concerns– even in one-to-one models. –Not clear that current law adequately addresses activities of exchange “facilitators” (with “facilitators” potentially playing a range of roles) 4

General Themes (cont.) What would a reasonable patient expect? All levels of exchange should be subject to specific policies and technology requirements that are adequately enforced regardless of whether patient consent is required. Consent may be particularly important in new (unexpected) or uncertain scenarios. –Where exchange not governed by clear rules that are adequately enforced, individuals should have some choice with respect to whether their information is exchanged via that model. –Some models may be so “new” that even with some protections, may want to still give individuals some sort of choice (i.e., database, and query/response) (need further workgroup discussion on this). 5

Recommendations 1.We need specific policies, as well as technology requirements, to govern all forms of electronic health information exchange. Implement the Nationwide Privacy and Security Framework principles. Work should take place ideally before, or at least in conjunction with, technology standards work. Technology should implement policy and not make it Fill gaps in current law. Address “facilitator” access to identifiable information o Constraints on collection, access, and use of identifiable data o Constraints on data retention and re-use o Security requirements 6

Recommendations (cont.) 2.One-to-one exchange from one provider to another for treatment purposes – even with no “facilitator” - must be governed by policies that at least include: Encryption (no ability for facilitator to access content) o Encryption ideally should be required when potential for transmitted data to be exposed (mandate through meaningful use/certification criteria or HIPAA security rule modification) Limits on identifiable (or potentially identifiable) information in the message Identification and authentication 3.If strong policies such as the above are in place and enforced, we don’t think the above scenario needs any additional individual consent beyond what is already required by current law. 7

Questions to Resolve – Enforcing Requirements on “Facilitators” Many will be business associates, but could be limits to reach of business associate provisions –Doesn’t cover subcontractors of business associates –Balance of power in determining terms of agreement may be with the business associates –Current business associate rules do not dictate specific terms re: access, use and disclosure of PHI Meaningful use/certification criteria does not reach entities not participating in incentive program What role can/should states play? NHIN governance will be important question to resolve Role of DURSA? 8

Further work Drilling down on specific policies and technology requirements for all models of exchange –In conjunction with IE and NHIN Workgroups –Work more closely with NHIN Direct technical group –Work closely with ONC staff working on state HIE grant requirements Role consent plays in non-direct models such as central database and query/response Consent at more granular level (such as by data type) Transparency for patients “De-identified” data 9