Consent Directive Management Adding patient privacy support to OpenHIE Derek Ritz, P.Eng., CPHIMS-CA Architecture Virtual Meeting, August 2015.

Agenda
- Framing the problem
- Key challenges/concepts
  - Opt-out vs Opt-in
  - PHI collection vs disclosure
  - Authentication vs authorization
  - Public vs personal interests
  - Clinical risk vs privacy risk
- Proposed solution: all-in or all-out, no BTG (break-the-glass)

Framing the problem
- At present (OpenHIE v1) there is no support for consent management in OpenHIE.
- The "policy posture" of OpenHIE is that it supports implied consent on the part of subjects of care: all of their personal health information (PHI) may be collected and stored in the HIE, and it may be made available to any authenticated health worker to support care delivery (OpenHIE's primary purpose of use).

Opt-in vs Opt-out
- Implied consent (opt-out)
  - PHI can be collected and shared for care purposes (and certain related purposes).
  - You invoke your rights of privacy by opting out.
- Explicit consent (opt-in)
  - Each patient explicitly provides informed consent prior to the collection and sharing of PHI.
  - Such a policy gives operational effect to the person-centric healthcare tenet: "nothing about me, without me".
  - Explicit consent gives primacy to the "personal rights" aspects of privacy.

Opt-in vs Opt-out
- One of the key challenges regarding opt-out vs. opt-in is the relative effort (and associated cost) of operationalizing each option.
  - Capturing informed, explicit consent is difficult, time-consuming, and expensive.
  - Studies have shown that the "enrollment" rates of opt-in schemes are significantly lower than for opt-out schemes.
- OpenHIE should adopt implied consent (opt-out).

PHI collection vs disclosure
- There are some who believe that consent should be required to collect PHI as well as to disclose or share it.
- Others contend that the collection of PHI is not something one can choose to opt out of, as it is necessary to support payment processes, health system management and surveillance processes which accrue to the benefit of the subject of care and which are, themselves, non-optional.
- OpenHIE should support mandatory collection, and consent regarding disclosure only.

Authentication vs authorization
- OpenHIE authenticates the calling application via ATNA.
- OpenHIE trusts the calling application to have authenticated the end-user (trust network).
- A consent directive that is more finely grained than all-access / no-access will rely on the authenticated identity of subjects of care, providers of care, or both, so that authority to access PHI can be established. This requirement is difficult to fulfil.
- OpenHIE should support all-or-nothing access to PHI, with no support for BTG (break-the-glass).

Public vs personal interests
- Pervasive eHealth infrastructure supports patient-safe, high-quality care delivery at scale. This is a public good which benefits all.
- An individual's interests as regards personal privacy may be in tension with the public good.
- Expenditures on eHealth infrastructure have an opportunity cost as well as a financial cost.
- Few will avail themselves of consent management.
- OpenHIE should favour the simplest, least expensive solution that supports consent management.

Clinical risk vs privacy risk
- Level of risk is defined as the product of the likelihood of an event and the impact or consequences of the event (where both may be expressed quantitatively).
- Privacy impacts (of sharing data / a breach) are not of the same order of risk as clinical impacts (of not sharing data).
- OpenHIE's default behaviour should be to share data; this behaviour mitigates clinical risk.

Recommended solution
- The recommended consent management option for OpenHIE is disclosure opt-out (there is implied consent to collect and to disclose).
- PHI is always collected.
- In the absence of a disclosure consent directive, 100% of the PHI in the HIE would be returned to the requestor.
- The point of service (POS) system would be relied upon to authenticate users and to enforce role-based access control (RBAC), if appropriate. Such authentication and authorization would be out of scope for OpenHIE (although it may be required as part of the on-boarding process to become a trusted node on the HIE).

Making it go…
- It is recommended that OpenHIE consider adopting use of the PD1-12 Protection Indicator element, which may be saved as part of a PIX transaction and retrieved via a PDQ transaction.
- At the IL, for each query for PHI:
  - Execute PDQ to retrieve the PD1-12 value for the ECID.
  - If opted out, return an exception; else (not opted out), return the requested content.

Making it go…
- At the POS, support:
  - education of subjects regarding their privacy rights and the implications of withdrawing consent to disclose;
  - capture (paper-based or electronic), filing and maintenance of the subject's disclosure consent directive;
  - communication of the subject's consent directive to the CR (electronically, updating PD1-12 via PIX, or via a paper-based workflow to a central CR administration).
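The two "Making it go" slides describe one loop: the POS pushes the subject's disclosure directive into the client registry (CR) as PD1-12 via a PIX update, and the interoperability layer (IL) reads it back via PDQ on every PHI query and refuses disclosure when it is set. The following is an added example, not OpenHIE or OpenHIM code, that models both halves in Python. It assumes (as labelled in the comments) an in-memory dictionary standing in for the CR, HL7 v2 pipe-delimited messages with carriage-return segment separators, and the HL7 convention that PD1-12 = "Y" means the subject has opted out of disclosure while "N" or an empty value means disclosure is permitted (the slide's default of sharing data).

```python
"""Added example (not OpenHIE project code): disclosure opt-out check at the IL
using the PD1-12 Protection Indicator, plus the POS-side PIX update that sets it.

Assumptions (labelled):
- the CR is simulated by an in-memory dict keyed by ECID
- PD1-12 'Y' = opted out of disclosure; 'N' or '' = not opted out (default: share)
- only the MSH/PID/PD1 fields this check needs are populated
"""

SEP_FIELD = "|"
SEP_COMP = "^"
SEP_SEG = "\r"

# Constructed sample CR contents: ECID -> stored PD1-12 value.
client_registry = {
    "ECID-0001": {"pd1_12": "N"},   # explicitly not opted out
    "ECID-0002": {"pd1_12": "Y"},   # opted out of disclosure
    "ECID-0003": {"pd1_12": ""},    # never set: treated as not opted out
}


def get_field(message, segment_name, index):
    """Return HL7 field `index` (1-based) of the first `segment_name` segment,
    or '' if the segment or field is absent. Not valid for MSH (its numbering
    is offset by the encoding characters), which this check never reads."""
    for seg in message.split(SEP_SEG):
        parts = seg.split(SEP_FIELD)
        if parts[0] == segment_name:
            return parts[index] if index < len(parts) else ""
    return ""


def pd1_segment(indicator):
    """Build a PD1 segment with only field 12 (Protection Indicator) set."""
    return "PD1" + SEP_FIELD * 12 + indicator


def pid_segment(ecid):
    """Build a PID segment carrying the ECID as PID-3 (constructed assigning authority)."""
    return f"PID|||{ecid}^^^ECID&1.2.3.4&ISO^PI||DOE^JANE"


def build_pdq_response(ecid):
    """Simulate the CR answering a PDQ (QBP^Q22) with an RSP^K22 message,
    or None when the ECID is unknown."""
    rec = client_registry.get(ecid)
    if rec is None:
        return None
    segments = [
        "MSH|^~\\&|CR|OpenHIE|IL|OpenHIE|20150801120000||RSP^K22^RSP_K21|MSG0001|P|2.5",
        "MSA|AA|QRY0001",
        "QAK|QRY0001|OK",
        pid_segment(ecid),
        pd1_segment(rec["pd1_12"]),
    ]
    return SEP_SEG.join(segments)


def check_disclosure(ecid):
    """The IL step from slide 11: execute PDQ, read PD1-12, decide.
    Returns True when content may be returned, False when the subject has
    opted out. Raises KeyError when the CR does not know the ECID."""
    response = build_pdq_response(ecid)
    if response is None:
        raise KeyError(ecid)
    return get_field(response, "PD1", 12) != "Y"


def handle_phi_query(ecid, fetch_content):
    """Wrap a PHI query: return an error instead of content when opted out.
    `fetch_content` is the downstream lookup (SHR etc.), only called on allow."""
    try:
        allowed = check_disclosure(ecid)
    except KeyError:
        return {"status": 404, "error": "unknown ECID"}
    if not allowed:
        return {"status": 403, "error": "subject has opted out of disclosure"}
    return {"status": 200, "content": fetch_content(ecid)}


def build_adt_update(ecid, indicator):
    """POS side (slide 12): an ADT^A08 update carrying the new PD1-12 value."""
    return SEP_SEG.join([
        "MSH|^~\\&|POS|Clinic|CR|OpenHIE|20150801120500||ADT^A08^ADT_A01|MSG0002|P|2.5",
        "EVN|A08|20150801120500",
        pid_segment(ecid),
        pd1_segment(indicator),
    ])


def apply_pix_update(adt_message):
    """Simulate the CR accepting the PIX update and storing PD1-12.
    Returns the stored indicator; rejects values other than Y, N or empty."""
    ecid = get_field(adt_message, "PID", 3).split(SEP_COMP)[0]
    indicator = get_field(adt_message, "PD1", 12)
    if indicator not in ("Y", "N", ""):
        raise ValueError("PD1-12 must be Y, N or empty")
    client_registry.setdefault(ecid, {})["pd1_12"] = indicator
    return indicator


if __name__ == "__main__":
    for e in ("ECID-0001", "ECID-0002", "ECID-0003", "ECID-9999"):
        print(e, handle_phi_query(e, lambda x: {"documents": 3}))
    apply_pix_update(build_adt_update("ECID-0001", "Y"))   # subject opts out
    print("ECID-0001 after opt-out:", handle_phi_query("ECID-0001", lambda x: {}))
```

Two design points follow the slides rather than general HL7 practice: an absent or empty PD1-12 is treated as "share" because the deck's default behaviour is to disclose, and the check is all-or-nothing (a 403 with no partial content) because the deck rules out finer-grained directives and break-the-glass. In a real IL the PDQ call would go over the network and the allow/deny decision would also be written to the ATNA audit trail.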