Bi-monthly call with NDIIC Joining
Prepared for: SAMHSA – OBHITA Team
Prepared by: Tony Calice, FEI Systems
FEI Systems Inc. Copyright 2009-2010 - All Rights.

Presentation transcript:


Agenda
  Patient Ed MU, Web MD link
  PCAST
  Update on MU Security Requirements Analysis (Tony)
  Update on ONC Webcast (Tony)
  (Any other Bi-monthly call topics)

REM Development Timeline

PCAST Report
Vision:
  Universal access
  Robust platform for developers*
  Data Exchange
  Privacy Protection on all data
  Data Aggregation
Needs:
  Universal Language
  Digital Infrastructure for locating patients
  Unburdening of government role in the harmonization
Layers:
  Transport Layer
  Security Layer
  Privacy Layer
  Interoperable Layer
  Universal Language
* create user interfaces, decision support, storage, and archiving services that will be broadly available to end-users and will not require major capital investments

Interoperable Records: Portable, structured data

3 Aspects of the Interoperable Record
Transport*: Protocols (such as HTTPS); Messages (such as XD*)
Ontology: Organization of information
Semantics: Paired understanding of observations

Patient Record: Observations recorded in Visits*
* “… EHR Modules to be certified for an ambulatory setting, they will need to be designed to enable the user to electronically record, modify, and retrieve a patient’s problem list over multiple encounters.” 45 CFR Part 170

Observations codified from Visits*
Observations:
  Problems
  Medications
  Allergies
  Lab Results
  Immunizations*
  Symptoms*
Vocabulary Standards:
  Problems: ICD-9 or SNOMED CT
  Medications: Any source vocabulary that is included in RxNorm
  Allergies:
  Lab results: LOINC
  Immunizations: CVX for vaccines
  Symptoms: SNOMED*
  Procedure Codes*: CPT or ICD-9
* Optional/Not required for Stage 1 Certification

Seems clear, where’s the conflict?
There are at least 3 ways to organize observations: NIEM, HL7, ASTM
[Diagram: Observations; Codified Observations; Structured Data (NIEM, HL7/CDA, ASTM/CCR)]

Security: Technical Safeguards

Security Business Drivers
  HIPAA Administrative Safeguards ~ 45 CFR (a)(1)
  HIPAA Safe Harbor
  Federal Information Security Management Act (FISMA)

MU Security
Two Aspects
Accountability:
  Identify Users and roles
  Audit
  Track: date, time, patient identification, user identification
  When: An “Entity” performs a Create, Modify, Access, Delete on a patient record
  Protect Integrity of log as per FIPS & FIPS
  Roles
Safe Harbor:
  Ability to encrypt “data at rest” (as per FIPS and Special Bulletin )
  Required to encrypt any data being exchanged (as per FIPS
Guidance
8 Stage 1 Requirements
1. § (o) - Access control
2. § (p) - Emergency access
3. § (q) - Automatic log-off
4. § (r) - Audit log
5. § (s) - Integrity
6. § (t) - Authentication
7. § (u) - General Encryption
8. § (v) - Encryption when exchanging electronic health information

2 Technical Safeguards
Encryption: Prevents access to record by making contents unreadable
Message Digests (“Hash Values”): One-way algorithm that produces a value associated with data (usually at the time it is written to a file or read from a file)
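An added example, not part of the original slides, of how a message digest can protect the integrity of the audit log described above: each entry records date, time, patient identification, user identification and the action, and a digest chains it to the previous entry so that later edits are detectable. The hash-chain layout, the choice of SHA-256, and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain
ACTIONS = {"create", "modify", "access", "delete"}
FIELDS = ("date", "time", "patient_id", "user_id", "action")

def _digest(prev_hash, entry):
    """SHA-256 over the previous entry's digest plus this entry's fields."""
    payload = json.dumps([entry[f] for f in FIELDS], separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_entry(log, date, time, patient_id, user_id, action):
    """Record who did what to which patient record, and when."""
    if action not in ACTIONS:
        raise ValueError("unknown action: " + action)
    entry = dict(zip(FIELDS, (date, time, patient_id, user_id, action)))
    entry["prev"] = log[-1]["hash"] if log else GENESIS
    entry["hash"] = _digest(entry["prev"], entry)
    log.append(entry)
    return entry["hash"]  # head digest; keep a copy outside the log store

def verify_log(log, expected_head=None):
    """Return -1 if intact, else the index of the first bad entry.
    len(log) means the chain is self-consistent but its last digest differs
    from expected_head (entries truncated, or the whole log rewritten)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1

def build_sample_log():
    """Constructed sample entries; the identifiers are made up."""
    log = []
    append_entry(log, "2010-11-02", "09:14:07", "PT-0001", "dr_lee", "create")
    append_entry(log, "2010-11-02", "09:20:31", "PT-0001", "dr_lee", "modify")
    head = append_entry(log, "2010-11-03", "14:02:55", "PT-0001", "nurse_kim", "access")
    return log, head

if __name__ == "__main__":
    log, head = build_sample_log()
    print(verify_log(log, head))        # untouched log
    log[1]["user_id"] = "someone_else"  # simulate an edit to a stored entry
    print(verify_log(log, head))        # reports the altered entry
```

A bare hash chain only detects tampering if the head digest is stored somewhere that a person able to rewrite the log cannot also rewrite.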

Privacy Preferences
9 Elements of Consent Needed for 42-CFR Disclosures
# Element Description
1. Program or person permitted to make the disclosure
2. Name or title of the individual or the name of the organization to which disclosure is to be made
3. Patient Name
4. Purpose of the disclosure
5. What information to be disclosed
6. Consent (signature of patient or guardian)
7. Date of consent
8. Statement that the consent is subject to revocation at any time
9. Consent expiration (date, event or condition upon which the consent will expire)
Legal Action Center for the Substance Abuse and Mental Health Services Administration. (2010, 6 17). Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE). Retrieved 10 11, 2010, from The Substance Abuse and Mental Health Services Administration :

HIE Consent Models
Opt-Out (non 42 CFR compliant)
  In this model, all patient information is shared with any participant on the HIE unless patients indicate otherwise
Opt-Out with exceptions
  In this model, all patient information is shared with any participant on the HIE unless patients indicate otherwise
Opt-In
  In this model, all patient information is shared only when patient consent is given
  This requires patient knowledge and explicit authorization to share eBHR with each node on HIE
  Durability of Consent:
  Hub and Spoke: Temporary (one-time authorization) to "Until Death"
  Federated HIE: Temporary to some "reasonable" criteria
Opt-In with exceptions
  In this model, some patient information is shared only when patient consent is given
  This requires patient knowledge and explicit authorization to share eBHR with each node on HIE
  Durability of Consent:
  Hub and Spoke: Temporary (one-time authorization) to "Until Death"
  Federated HIE: Temporary to some "reasonable" criteria
No Sharing
  The eBHR is only shared in an emergency "break the glass" scenario
Restrictive / Non-Restrictive
Goldstein, JD, M. M., Rein, MS, A. L., Hughes, JD, P. P., Lappas, JD, J. K., Weinstein, S. A., & Williams, B. (2010, 03 23). CONSUMER CONSENT OPTIONS FOR ELECTRONIC HEALTH INFORMATION EXCHANGE: POLICY CONSIDERATIONS AND ANALYSIS. Retrieved 10 11, 2010, from HealthIT.hhs.gov:

Two Types of HIEs
  Hub and Spoke (CDR)
  Federated HIE