Privacy, Security and Data Exchange Committee Annual Report 2009 PHDSC Home Page PHDSC Annual Meeting November 12, 2009
Background and Mission Mission Represent and educate broad public sector health and health services research interests on privacy and security issues Focus on priorities related to privacy, security, and data standardization, including implementation of federal privacy and security rules Address balancing the need for individual privacy, confidentiality, and security with the need for use of data for public health and research activities
2009 Accomplishments Participated in national privacy and security efforts (HISPC and HITSP) Completed Privacy projects Final Report on Variations in and Solutions to State Privacy and Security Policies Affecting Public Health Final Report on Best Practices in Public Health Information Privacy Established a web page to track ARRA privacy and security regulations and provide comment as released Planning periodic webinars on privacy, security and exchange topics
Participation in National Privacy and Security Efforts CCHIT Continued leadership role in the Privacy Workgroup HISPC Phase III completed in July 2009 Seven Multi-state Collaboratives developed common, replicable multi-state solutions to privacy and security issues HISPC reports: Google healthit.hhs.gov:HISPC or 512&mode=2&cached=true&objID= &mode=2&cached=true&objID=1240
Participation in National Privacy and Security Efforts HISPC Multi-state Collaboratives
Participation in National Privacy and Security Efforts HITSP Continued leadership roles in the Population Perspective and the Security, Privacy and Infrastructure (SPI) TCs In 2009 Population TC worked in 3 major areas: refinement of the Quality Measures constructs; development of a Maternal and Child Health Interoperability Specification (IS) and a Newborn Screening IS SPI TC developed the new HITSP Privacy and Security Capabilities and Service Collaborations – a simplified approach to implement interoperable standards leveraging existing HITSP specifications to support ARRA’s Meaningful Use and beyond. Areas include: communicate structured and unstructured documents, establish secure web access, assign pseudo-identity, consumer preferences and consent management, access control, security audit, patient identification mgmt, and healthcare document mgmt
2008 Committee Privacy Projects Completed final documents in early 2009 Project 2 – Report on Variations Solutions to State Privacy/Security Policies Affecting Public Health Summary of top public health information exchange issues identified by HISPC states that result from variations in privacy/security business practices, policies and state laws Project 3 - Report on Best Practices in Public Health Information Privacy Identified state best practices on privacy and security related to public health and health information exchange from direct state interviews Presented Project 3 Report findings at the 2009 PHIN conference
Privacy ‘expert’ and advisor Agency data practices coordinator Central office/point of contact for privacy coordination, implementation, compliance resolution, policies, awareness and education Identify, detect, prevent, address agency breaches Assist with or responsible for drafting/reviewing agency privacy legislation Coordinate with privacy officers of other state agencies and in county and local health departments Project 3 Findings: Role of the Privacy Official
Initial implementation of/confusion over HIPAA Determination, documentation and dissemination of covered entity status Establishing/designating a privacy office/privacy officer and assigning responsibilities Conducting a HIPAA preemption analysis and an analysis of public health laws vis-à-vis HIPAA Creating an internal education plan and external communications strategy Findings: Issues Faced in the Past 5 Years
Conducting in-depth program-by-program analyses Developing internal privacy and security policies and procedures to address specific HIPAA requirements Securing and disseminating legal opinions to address data collection issues Business associate clarifications Providing guidance to local public health departments Findings: Issues Faced in the Past 5 Years
Data linkages and de-identification: Balancing public health benefits with de-identification procedures Privacy of genetic information: States investigating the need to further strengthen new federal regulations Enforcement: States now able to bring legal action Ongoing workforce education and training State HIE privacy considerations Privacy considerations related to the exchange of health information across state boundaries Findings: Current Health Information Privacy Issues
Data breaches and identity theft Highest priority for most privacy officials Addressing increased data mobility and portability of data devices New/emerging state legislation on privacy breaches and consumer protection Need to create a ‘breach preventing’ and enforcement culture and workforce Federal law issues: FERPA (schools), 42 CFR (substance abuse), reporting HIV/AIDS data Findings: Current Health Information Privacy Issues
Health IT and HIE issues EHRs, PHRs, HIEs and the role of public health, both as a participant and as a recipient of information Impact of expanded EHR adoption on privacy of health information and public health exchanges Opt-in/Opt-out; Granular privacy controls by consumers Impact of personal health records on public health Findings: New and Emerging Health Information Privacy Issues
Public health agencies at the forefront of the development and deployment of local/regional/state HIEs Key issues identified: Lack of integration of the state’s public health information infrastructure with the state’s HIE efforts Lack of roadmap for public health participation in HIEs Lack of regulatory framework for HIEs in states Lack of public health privacy framework for HIE participation Findings: New and Emerging Health Information Privacy Issues
To help address privacy issues: Develop a state public health privacy framework Standardize definition of sensitive health information Standardize consent requirements Align privacy policies with the needs of Clinical/Public Health Research Findings: Recommendations
Create and convene a Public Health Privacy Officers Community of Practice (CoP) Explore conducting a more comprehensive survey to provide additional information on current priorities and solutions Conduct a similar survey of Public Health Security Officers and explore creation of a Public Health Security Officers CoP Establish a web-based Public Health Privacy and Security Resource Center Findings: Identified Next Steps for the Consortium
ARRA Privacy and Security Regulations Web Page Tracks ARRA privacy and security regulations mandated to facilitate health information exchange activity ( Notify PHDSC listserv participants as regulations are released Goal to hold teleconferences to gather input for and submit comments from the PH community Comment timelines will be short; quick action and participation are critical
Hold Webinars on Privacy, Security and Exchange Topics Focus initial topics on the ARRA privacy and security regulations Integrate webinars as able around the ARRA regulation events Building a list of topics and potential speakers; looking for additional input Over time, plan to hold a set number of webinars per year Look into outreach to PH privacy and security officers for participation
Future Committee Activity Follow progress and implications of new federal privacy and security regulations Facilitate member comments on draft regulations Develop and hold regular webinars on privacy, security, and exchange related topics Continue to seek national involvement in privacy/security efforts
Committee Chairs Vicki Hohner, MBA Senior Consultant Fox Systems, Inc. David P. Lawton RN, PhD Health Surveillance Section Administrator Nebraska Health and Human Services System