Interoperability Roadmap Comments Privacy and Security Workgroup Deven McGraw, chair Stanley Crosley, co-chair April 7, 2015.

Slides:



Advertisements
Similar presentations
| Implications for Health Information Exchange – MetroChicago January 2011.
Advertisements

ELTSS Alignment to Nationwide Interoperability Roadmap DRAFT: For Stakeholder Consideration in response to public comment.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,
NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.
Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.
Data-Sharing and Governance Consultation ANALYSIS OF RESPONSES.
Interoperability Roadmap Comments Notice of Proposed Rulemaking Introduction Privacy and Security Workgroup March 30, 2015.
HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair Certificate Authority- Provider Authentication Recommendations.
Privacy and Security Workgroup October 14, 2014 Deven McGraw, chair Stan Crosley, co-chair.
Notice of Proposed Rulemaking (NRPM) Comments Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair May 12, 2015.
MU Stage 3 Notice of Proposed Rulemaking (NPRM) Comments Privacy and Security Workgroup Deven McGraw, chair Stan Crosley, co-chair May 7, 2015.
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
Interoperability and Health Information Exchange Workgroup March 10, 2015 Micky Tripathi, chair Chris Lehmann, co-chair.
Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap – DRAFT Version 1.0 Joint FACA Meeting Chartese February 10, 2015.
April 2, 2013 Longitudinal Data system Governance: Status Report Alan Phillips Deputy Director, Fiscal Affairs, Budgeting and IT Illinois Board of Higher.
Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families
New York Health Information Security and Privacy Collaboration (NY HISPC) AHRQ Annual Meeting September 27, 2007 Ellen Flink Project Director NYS DOH.
Notice of Proposed Rulemaking (NRPM) Comments Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair May 22, 2015.
1 Health Information Security and Privacy Collaboration (HISPC) National Conference HISPC Contributions to Massachusetts HIE Privacy and Security Progress:
Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013.
HIT Policy Committee Nationwide Health Information Network Governance Workgroup Recommendations Accepted by the HITPC on 12/13/10 Nationwide Health Information.
Authentication, Access Control, and Authorization (1 of 2) 0 NPRM Request (for 2017) ONC is requesting comment on two-factor authentication in reference.
Update on Interoperability Roadmap Comments Sections G, F and E Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure.
1 Healthcare Privacy and Security: Concepts and Challenges Dixie B. Baker, Ph.D. Chair, HIMSS Privacy and Security Advocacy Task Force.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
Interoperability and Health Information Exchange Workgroup April 2, 2015 Micky Tripathi, chair Chris Lehmann, co-chair 1.
Nationwide Health Information Network: Conditions for Trusted Exchange Request For Information (RFI) Steven Posnack, MHS, MS, CISSP Director, Federal Policy.
State Alliance for e-Health Conference Meeting January 26, 2007.
HIT Policy Committee Information Exchange Workgroup NwHIN Conditions for Trusted Exchange Request For Information (RFI) May 15,
HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.
HIT Policy Committee Privacy & Security Tiger Team Update Deven McGraw, Co-Chair Center for Democracy & Technology Paul Egerman, Co-Chair June 25, 2010.
Privacy and Security Tiger Team Today’s Discussion: Query/Response Scenarios for Health Information Exchange February 21, 2013.
HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology.
Notice of Proposed Rulemaking (NRPM) Comments Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair May 12, 2015.
Draft – discussion only Advanced Health Models and Meaningful Use Workgroup June 23, 2015 Paul Tang, chair Joe Kimura, co-chair.
HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair Patient Matching Recommendations February 2,
1 Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topics Governance RFI Prioritized Questions June 4, 2012.
Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.
Special Railways Phase III Proposed approach to regulatory changes Jakarta 16 May 2011.
ONC’s Proposed Strategy on Governance for the Nationwide Health Information Network Following Public Comments on RFI HIT Standards Committee Meeting September.
Larry Wolf Certification / Adoption Workgroup May 13th, 2014.
Privacy and Security Solutions For Interoperable Health Information Exchange Presented by Linda Dimitropoulos, PhD RTI International Presented at AHRQ.
AN INTRODUCTION Managing Change in Healthcare IT Implementations Sherrilynne Fuller, Center for Public Health Informatics School of Public Health, University.
Health Big Data Discussion Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair June 22, 2015.
Health Big Data Discussion Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair June 8, 2015.
HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair October 20,
© 2004 Moses & Singer LLP HIPAA and Patient Privacy Issues Raised by the New Medicare Prescription Drug Program National Medicare Prescription Drug Congress.
HIT Policy Committee Health Information Exchange Workgroup Deven McGraw, Center for Democracy & Technology Micky Tripathi, Massachusetts eHealth Collaborative.
HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair July 21, 2010.
Consent & Vulnerable Adults Aim: To provide an opportunity for Primary Care Staff to explore issues related to consent & vulnerable adults.
Computable Privacy: State-Focused Activities Privacy and Security Workgroup ONC Update October 26, 2015.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
The Patient Choice Project Project Kickoff December 14 th, 2015.
Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.
Overview of ONC Report to Congress on Health Information Blocking Presented to the Health IT Policy Committee, Task Force on Clinical, Technical, Organizational,
Interoperability Roadmap Comments Privacy and Security Workgroup March 16, 2015.
Privacy and Security Tiger Team Potential Questions for Request for Comment Meaningful Use Stage 3 October 3, 2012.
HIT Policy Committee Meeting Nationwide Health Information Network Governance June 25, 2010 Mary Jo Deering, PhD ONC, Office of Policy and Planning NHIN.
PHDSC Privacy, Security, and Data Sharing Committee Letter to Governors.
Established standards of care given with respect and consideration, regardless of race, age, or payment source. Information about your illness, possible.
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
Query Health Operations Workgroup Standards & Interoperability (S&I) Framework October 13, :00am – 12:00pm ET.
HIT Policy Committee Health Information Exchange Workgroup Comments on Notice of Proposed Rule Making (NPRM) and Interim Final Rule (IFR) Deven McGraw,
Health IT Policy Committee Workgroup Evolution
Healthcare Privacy: The Perspective of a Privacy Advocate
Enforcement and Policy Challenges in Health Information Privacy
THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,
Non-HIPAA Governmental Regulation of Healthcare Privacy and Security
Presentation transcript:

Interoperability Roadmap Comments Privacy and Security Workgroup Deven McGraw, chair Stanley Crosley, co-chair April 7, 2015

Agenda 1.Overarching Comments 2.Section H Comments 3.Section G Comments 1

PSWG Members Deven McGraw, Chair, Manatt, Phelps & Phillips, LLP Stanley Crosley, Co-Chair, Drinker Biddle & Reath LLP Donna Cryer, Member, CryerHealth Gayle B. Harrell, Member, Florida State House of Representatives Linda Kloss, Member, Kloss Strategic Advisors, Ltd. David Kotz, Member, Dartmouth College Gilad Kuperman, Member, NewYork- Presbyterian Hospital Manuj Lal, Member, PatientPoint Enterprise David McCallie, Jr., Member, Cerner Corporation Micky Tripathi, Member, Massachusetts eHealth Collaborative John Wilbanks, Member, Sage Bionetworks Kristen Anderson, Ex Officio, Federal Trade Commission Sarah Carr, Ex Officio, NIH Office of Science Policy Adrienne Ficchi, Ex Officio, Veterans Health Administration Stephania Griffin, Ex Officio, Veterans Health Administration Cora Tung Han, Ex Officio, Federal Trade Commission Taha Kass-Hout, Ex Officio, Food and Drug Administration Bakul Patel, Ex Officio, Food and Drug Administration Linda Sanches, Ex Officio, Office for Civil Rights-Health and Human Services Kitt Winter, Ex Officio, Social Security Administration 2

Overarching Comments 3 OVERARCHING COMMENTS

4 Comments Clarify language regarding the relationship between “basic choice” and existing health or medical privacy laws that permit the sharing of health information for some purposes (such as among health care providers for treatment and care coordination) without the requirement to first obtain patient permission. For many readers, the draft Roadmap was unclear on what was intended in the discussion of basic choice. Some interpreted the discussion as requiring basic choice even in circumstances where the law permits data to be shared without first requiring an individual’s express permission (for example, the draft Roadmap describes the laws that permit sharing as being the default when an individual has not expressed basic choice, which could lead to an interpretation that some level of basic choice is either required or preferred). Overarching Comments

5 Comments ONC should make sure the final Roadmap clearly and unambiguously articulates the following national near-term goals (which were presented to the PSWG by ONC during one of our public sessions on the Roadmap): Exchange is permitted for certain purposes without an individual’s permission; Basic choice, if offered to individuals, is offered in a technically standard way and individuals can more easily make choices electronically and online; and Harmonize categories/conditions legislatively defined under federal and state law (e.g., mental health). Overarching Comments

6 Comments With respect to exchange among providers, the Interoperability Roadmap should focus first on removing the roadblocks to exchange pursuant to existing laws, to achieve more consistent interpretations of these laws and assure greater interoperability. Policy debates about the degree of control that patients should have over personal health information are ongoing and will continue into the future, particularly as technology and cultural norms around privacy evolve and as the exchange and use of health information extends beyond the boundaries of traditional healthcare. ONC should focus the Roadmap first on promoting/assuring interoperability within traditional healthcare providers in the face of the existing legal and regulatory framework, enabling existing laws and practices around patient choice to be honored, but also considering the dynamic environment of greater patient engagement that is rapidly evolving outside of these traditional borders. It would help to clarify whether, when a provider makes a disclosure permitted by federal law, the discloser is liable for any bad or careless acts of the receiver. Clarity on this point would reduce uncertainty and depending on the answer, might help remove obstacles to interoperability. Overarching Comments

COMMENTS – SECTION H Comments – Section H Consistent representation of authorization to access health information When coupled with identity verification, this allows consistent decisions to be made by systems about access to information. 7

8 Specifically Charged QuestionComments H1. Who should ONC convene to develop policy recommendations and a framework to enable consistent decisions about authorized access to health information? ONC should gather information from a broad array of stakeholders trying to exchange, or facilitate the exchange of, health information (providers, patients, HIEs, federal and state entities, etc.) to determine what are common obstacles with respect to demonstrating legal authority to access a record, particularly for treatment and care coordination purposes, and starting with circumstances where consent is not required. Section H - Consistent representation of authorization to access health information

9 Specifically Charged QuestionComments H2. Is there agreement that the issue of “rules confusion” should be addressed from a policy perspective at the state level to advance the goals of a learning health system? If no, why not? If yes, what would be three priority areas for additional clarification? Clarification from state and federal regulators (ideally with specific examples) about what is acceptable for demonstrating legal authority to access information would be enormously helpful. Focus should be on specific, high impact use cases that achieve the Interoperability goals of years 1-3 of ONC’s 10-year vision. ONC should work with stakeholders to define these examples that might serve as a basis for additional regulatory guidance; achievement of meaningful use objectives and sharing within accountable care organizations pursuant to other alternative payment models are two suggestions. Section H - Consistent representation of authorization to access health information

10 Specifically Charged QuestionComments H2. Is there agreement that the issue of “rules confusion” should be addressed from a policy perspective at the state level to advance the goals of a learning health system? If no, why not? If yes, what would be three priority areas for additional clarification? Suggested priority areas: demonstrating the existence of a direct or indirect treatment relationship; requirements to share data for treatment or care coordination (both privacy and security); the impact of consent or authorization of the patient to share information, both in circumstances where it is required and in circumstances where it is not. For example, the HITPC approved recommendations from the Tiger Team that included best practices for demonstrating legal authority to access a record in an environment governed by HIPAA. These and other approaches deemed acceptable should be broadly disseminated, if necessary in conjunction with the Office for Civil Rights (OCR) or other regulatory agencies. There is also confusion with respect to other federal laws (42 C.F.R. Part 2) as well as state laws, where even providers operating within states do not fully understand their own state laws with respect to authorized sharing of identifiable health information. Section H - Consistent representation of authorization to access health information

11 Specifically Charged QuestionComments H3. For role-based access, how should role categorization proceed across the healthcare system? ONC should focus on facilitating entity-to-entity exchange; who is permitted to access that information within the entity – role-based access – should be left to internal policies. Role-based access (RBA) is typically determined within an organization or institution. One organization’s RBA controls – which are often very complex and under constant reevaluation – should have little or no bearing on whether another organization will decide to engage with it in health information exchange. A receiving organization is expected to facilitate how information is “triaged” within that organization. This includes ensuring health information (1) is delivered to the person to whom it is specifically addressed/directed, in circumstances where a particular person is designated as the recipient, and (2) is accessed only by persons who have legal authority to access that record and have the properly assigned role within their organization or institution. These latter two decisions are made at the organization/institution level. Section H - Consistent representation of authorization to access health information

12 Specifically Charged QuestionComments H3. For role-based access, how should role categorization proceed across the healthcare system? Clarification that sending organizations are not legally responsible for how a receiving organization routes communication could help resolve uncertainty. The Interoperability Roadmap could reinforce the need for organizations to embrace best practices with regard to structuring these internal policies. Section H - Consistent representation of authorization to access health information

13 Specifically Charged QuestionComments H4. Is there a basic set of defined roles that can be agreed upon and built on? Granular consent requirements may necessitate some role standardization. As ONC further explores harmonization of more granular consent laws, it should consider whether role standardization, at least a high level, would help resolve interoperability obstacles posed by granular consent requirements. Note – granularity with respect to role standardization will need to be constrained in order to assure interoperability (example of open source software). Section H - Consistent representation of authorization to access health information

14 Specifically Charged QuestionComments H5. Are existing standards to support authorization in healthcare sufficient to meet the needs of an evolving nationwide learning health system? H6. What are the reasons for the relatively low uptake of existing standards? These are questions more appropriate for the Standards Committee to resolve. Section H - Consistent representation of authorization to access health information

COMMENTS – SECTION G Comments – Section G Consistent representation of permission to collect, share and use identifiable health information Though legal requirements differ across the states, nationwide interoperability requires a consistent way to represent an individual's permission to collect, share and use their individually identifiable health information, including with whom and for what purpose(s). 15

16 Specifically Charged QuestionComments G1. Are states ready to collaborate on the issue of permission? Why or why not? We do not know the answer to the question. We agree collaboration would be helpful and hope there is a willingness on the part of the states to come to the table, but states are addressing many issues and there may be limited bandwidth to take this on, particularly given its complexity. There will need to be a federal “convenor” to support this effort. Section G – Consistent representation of permission to collect, share and use identifiable health information

17 Specifically Charged QuestionComments G1. Are states ready to collaborate on the issue of permission? Why or why not? An early focus could be on developing standard definitions, so that consent can be more consistently represented. As the imperatives to exchange grow stronger (due to payment reform and increased adoption of telemedicine, for example), the distress levels felt by providers who are unable to exchange due to lack of understanding of legal requirements and lack of technical mechanisms for achieving compliance will increase. This may help bring people to the table. States could consider whether the framework recommended by the National Committee on Vital and Health Statistics (NCVHS) – which established specific, defined categories for granular consent – would help them achieve some consensus on how to harmonize. Consider also whether the Uniform Law Commissioners could help in drafting harmonized approaches. The Development of standards on granular choice should focus on circumstances where a patient’s consent is required by law to improve provider confidence that they are exchanging data in compliance with law, and therefore to remove barriers to interoperable exchange. Section G – Consistent representation of permission to collect, share and use identifiable health information

18 Specifically Charged QuestionComments G2. What other methodologies, including technical solutions, should also be considered to address this concern? 1.Although this is not a “technical” solution, ONC should evaluate the work done by the Social Security Administration (SSA) in formulating a universal authorization to share data that has enabled them to access data across states for consideration in disability determinations. 2.ONC should also investigate the successful nationwide implementation of simple consumer preferences (akin to “basic choice”) through the FTC’s “Do Not Call” Registry. 3.ONC should also look at successful existing exchange models to explore whether their approaches can be scaled. 4.Use of consent repositories is another approach worth considering. Section G – Consistent representation of permission to collect, share and use identifiable health information

19 Specifically Charged QuestionComments G3. The Draft Interoperability Roadmap assumes that consent should persist with patient information; is this a valid assumption? What would be the impact of non- persistence on the interoperable movement of data? Achieving technical ability to “persist” consent or authorization is desirable – but likely only in those circumstances where there is either a legal obligation for consent to be persisted and honored across settings, or in the circumstance of data shared directly by, or at the request of, the patient. For some circumstances, having consent persist with the information is either legally required (e.g., pursuant to 42 C.F.R. Part 2 or other more granular consent laws) or would be desirable, although it is technologically very difficult to accomplish. Section G – Consistent representation of permission to collect, share and use identifiable health information

20 Specifically Charged QuestionComments G3. The Draft Interoperability Roadmap assumes that consent should persist with patient information; is this a valid assumption? What would be the impact of non- persistence on the interoperable movement of data? At a minimum, consents need to be clearly communicated in circumstances where law or policy requires consent for sharing. In our work on query for patient records, as well as on granular consent and data segmentation, we have repeatedly recommended having a standard way of communicating consent to share where such consent is required. There is concern that in the absence of a legal obligation to obtain the consent of the patient, it may not be possible for that consent to be honored downstream – and individuals providing that consent need to understand this. Does persistence of a consent trigger an obligation (either in reality or perception) that the consent must be honored? In addition, if we require consent to be persisted, do we risk creating an environment where consent becomes a de facto requirement because the absence of consent communicates that such sharing is not permitted? Section G – Consistent representation of permission to collect, share and use identifiable health information

21 Specifically Charged QuestionComments G4. Is there agreement on approaching consent through basic choice as it relates to TPO followed by granular choice supported by a set of nationwide harmonized rules? G5. What are the alternatives we should be considering? G6. What areas of health information should be addressed first for granular choice? G7. What are realistic timeframes? 1.ONC should make sure it also focuses on assuring that exchange can occur in circumstances governed by HIPAA (where choice is not necessarily required), in addition to focusing on choice circumstances. For example, ONC should look at the recommendations on “directed exchange” adopted by the HITPC in August ONC should also consider how to enable patients – such as through basic choice – to require that their data be shared for treatment purposes; in other words, ONC and applicable regulators could clarify whether a provider is permitted to refuse to exchange data when a patient requests exchange. This should be a fundamental use case for the Interoperability Roadmap and an example for which additional regulatory guidance could be promulgated. Section G – Consistent representation of permission to collect, share and use identifiable health information

22 Specifically Charged QuestionComments G4. Is there agreement on approaching consent through basic choice as it relates to TPO followed by granular choice supported by a set of nationwide harmonized rules? G5. What are the alternatives we should be considering? G6. What areas of health information should be addressed first for granular choice? G7. What are realistic timeframes? 3.Basic choice has been implemented in one form or another by a number of HIEs and other exchange settings – and achieving exchange among HIEs is a desirable near-term goal, which bolsters the argument for early focus on basic choice. 4.Because granular choice harmonization requires some significant work on the policy front, and work with multiple states, efforts to bring states together to begin the dialogue could be launched even while the standards focus is on enabling basic choice. 5.Consider whether there are intermediate options between basic and granular, because granular is typically defined as applying to types of data. Consider enabling choice at the level of provider or provider organization, and enabling patients to make more global choices (for example, all treating providers vs. being required to specifically name them) should they choose to do so. Section G – Consistent representation of permission to collect, share and use identifiable health information

23 Specifically Charged QuestionComments G8. How should success be measured when addressing the complexity of the rules environment? Success metrics should be linked to Interoperability goals, and, as noted above, focused on removal of obstacles to achieving high impact use cases. Some possible examples are set forth below: Convene a dialogue with states with respect to harmonization. (1 year) Issuance of more guidance on acceptable mechanisms for assuring legal authorization to share information. (within 1-2 years, at least at the federal level) Achievement of consensus on definitions for basic choice. (within 2-4 years) Greater exchange of information for treatment and care coordination, particularly in circumstances where HIPAA governs (or there are no state laws that restrict sharing of information for those purposes). (1-5 years) This is already occurring with respect to e-prescriptions. Section G – Consistent representation of permission to collect, share and use identifiable health information