HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
HIT Policy Committee NHIN Workgroup
HIE Trust Framework: Essential Components for Trust
April 21, 2010
David Lansky, Chair
Farzad Mostashari, ONC

Discussion Topics
Recommendations for a national-level HIE Trust Framework that addresses elements for trust among parties in the exchange
HIE trust framework as applied to a directed push model
– Implications of third parties supporting aspects of the HIE trust framework

NHIN Workgroup Recommendation (Feb. 2010): Role of Government
– Establish and maintain a framework of trust, including ensuring adequate privacy and security protections to enable electronic health information exchange.
– Create structures/incentives to enable information exchange where trust or necessary standards/services do not exist.
– Limit intervention where information exchange with providers currently exists, to the extent possible.
– Create incentives to improve interoperability, privacy and security of information exchange.
– Support real-world testing and validation of the services and specifications to verify scalability on a nationwide basis.

HIE Trust Framework: Findings
There is a need for a national-level trust framework to promote the electronic exchange of health information:
– Provides a tool for understanding how trust may be implemented across a broad range of uses and scenarios;
– Addresses the need for adequate privacy and security protections, although not intended to reflect all that is needed for consumer trust in HIE;
– Articulates the common elements required for exchange partners to have confidence in health information exchange (HIE); recognizes that implementation of the elements will vary depending upon various factors (e.g. exchange partners, information, purpose, etc.);
– Supports interoperability from a policy perspective;
– Recognizes the obligation to abide by and to continue complying with trust requirements in order to continue realizing the value of information exchange;
– Considers lessons learned from existing HIE activities.

HIE Trust Framework: Recommendation
Adopt an overarching trust framework at the national level to enable health information exchange that includes these essential elements:
– Agreed Upon Business, Policy and Legal Requirements / Expectations
– Transparent Oversight
– Enforcement and Accountability
– Identity Assurance
– Minimum Technical Requirements
All five components are needed to support trust, but individually may not be sufficient.

HIE Trust Framework: Essential Components for Trust
Agreed Upon Business, Policy and Legal Requirements: All participants will abide by an agreed upon set of rules, including compliance with applicable law, and act in a way that protects the privacy and security of the information.
Enforcement and Accountability: Each participant must accept responsibility for its exchange activities and answer for adverse consequences.
Transparent Oversight: Oversight of the exchange activities to assure compliance. Oversight should be as transparent as possible.
Identity Assurance: All participants need to be confident they are exchanging information with whom they intend and that this is verified as part of the information exchange activities.
Technical Requirements: All participants agree to comply with some minimum technical requirements necessary for the exchange to occur reliably and securely.

1. Agreed Upon Business, Policy and Legal Requirements
Agreed upon and mutually understood set of expectations, obligations, policies and rules around how partners will use, protect and disclose health information in general and their exchange-related activities specifically (not necessarily top-down regulation).
– Built upon existing applicable law, including HIPAA and federal and state law.
– Requires participants to act in a way that protects privacy and security of the information. (The Privacy and Security Workgroup is addressing privacy and security of the information once received.)
– Varies depending upon context, e.g. type of exchange, parties involved (including relationship of partners), purposes for which data are exchanged (including secondary and future use), etc.

2. Enforcement and Accountability
Each exchange partner should be accountable for its exchange activities and must be prepared to answer at multiple levels. For example:
– Individual subjects of the exchanged information;
– Other participants in the exchange;
– Third parties providing enabling functions;
– Certifiers / accrediting bodies;
– Governmental entities.
Methods for confirming, detecting and enforcing compliance, and the consequences, may vary at each level (e.g. loss of status or business, enforcement of penalties and, if appropriate, redress for those harmed, etc.).
A common desire to avoid these consequences and continue to derive value gives each exchange partner some comfort that all other exchange partners will uphold their commitments.

3. Transparency and Oversight
“Oversight” is intended to mean management, maintenance, supervision, and monitoring of the trust relationship and exchange activities. There should be as much transparency as possible in:
– The oversight mechanisms employed to protect the information; and
– The oversight process and results, including findings and consequences. (Some oversight, e.g. governmental oversight, may not be entirely transparent.)
The nature of oversight and the mechanisms used will depend upon the exchange model, the parties involved, and the needs the exchange partners identify.
Oversight will operate at multiple levels (e.g. parties to the exchange, individual subject of the information, third parties, government, etc.).
It should be clear that even with the trust framework and oversight mechanisms in place, there can be no absolute guarantee of privacy and security.

4. Identity Assurance
Exchange partners will not exchange information with just anyone. Each has to be confident they are exchanging information with whom they intend to exchange information.
Each exchange partner therefore validates (and should maintain an audit log of) the identity of those with whom it exchanges information.
Validation of parties to the exchange can occur in a number of ways (e.g., based on manual determinations at practice level, or using identity proofing and digital credentials to validate members of a network).

5. Minimum Technical Requirements
In all exchanges, partners have to adhere to technical standards to support the privacy and security requirements of the trust framework.
Technical requirements for the exchange could include measures designed to ensure that data received have been unaltered during transit.
Non-compliance with technical requirements for secure transport should prevent an exchange from occurring.

TRUST ENABLING FUNCTIONS APPLIED TO DIRECTED PUSH OF INFORMATION SCENARIO

Agreed upon business, policy and legal requirements
Based upon applicable law and the expectation that privacy and security of the information will be protected.
Informal social contract if EHR-to-EHR (covered entity to covered entity) without use of a third party. There may be agreements required between each healthcare provider organization and its end users.
Formal agreements may be required if there is a third party involved, depending upon the actions performed and access to identifiable data. For example:
– Business associate agreements are likely if a third party provides routing or provider directory services.
– Additional policies and formal agreements may be required if the third party offers other services, such as translation, data aggregation, etc., or if there is use of data by the third party (whether metadata or data content).

Enforcement and Accountability
Exchange partners should be accountable to each other, patients and governmental agencies. Third parties that support identity assurance, provider directories, or secure routing functions should also be accountable.
One consequence for failing to uphold commitments to comply with the trust framework is termination of the exchange relationship between the parties. Other consequences could include legal implications (e.g. if breach of formal contract, liability, redress for harm, etc.).

Transparency and Oversight
Governmental oversight of compliance with laws (e.g., HIPAA). Patient and exchange partners oversee and monitor to ensure exchange occurs.
Governmental oversight may be required for organizations that provide identity assurance and routing. Third parties may also play a role in oversight. That oversight must include transparency to foster accountability of the enabling functions.

Identity Assurance & Minimum Technical Requirements
Identity Assurance
– Identities of exchange partners and/or users validated by the provider organization or a third party identity service provider; other participants rely upon this.
Minimum Technical Requirements
– Meaningful use certification criteria (e.g. secure transport, etc.)
– The ability to look up and locate a provider’s electronic address
– The ability to securely route information to the provider’s electronic address, which could occur: EHR to EHR or Lab to EHR; EHR to EHR using a third party’s routing services only; EHR to EHR using third party services (e.g. registry services, provider directories, identity services, etc.); EHR to EHR using other HIE services (e.g. HIOs, e-prescribing networks, secure messaging, EHR-specific networks, etc.)
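The following is an added illustration, not part of the workgroup's deck, of how the identity-assurance and minimum-technical-requirement components (slides 10, 11 and 16) can be enforced as a gate on a directed push: the sender validates the recipient against a provider directory, records each check in an audit log, refuses to send without secure transport, and attaches an integrity tag so the receiver can confirm the data were unaltered in transit. The directory entries, addresses and shared key are constructed for the example, and the integrity tag is a keyed hash standing in for whatever credential the partners have agreed on.

```python
"""Constructed example of an exchange gate for a directed push of health
information; names, directory entries and keys are made up for illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed provider directory: electronic address -> validated identity
# record. A provider organization or third-party identity service would
# maintain this in practice; here it is an in-memory dict.
PROVIDER_DIRECTORY = {
    "dr.smith@clinic.example": {"org": "Example Clinic", "identity_proofed": True},
    "lab@unverified.example": {"org": "Unknown Lab", "identity_proofed": False},
}

# Constructed shared secret standing in for the credential both partners
# agreed on; used only to compute an integrity tag over the payload.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


@dataclass
class ExchangeGate:
    audit_log: list = field(default_factory=list)

    def _audit(self, event: str, address: str, outcome: str) -> None:
        # Keep an audit log of every identity check and exchange attempt.
        self.audit_log.append({"event": event, "address": address, "outcome": outcome})

    def send(self, to_address: str, payload: bytes, transport: str) -> Optional[dict]:
        """Return a message ready for routing, or None if the gate refuses."""
        # Identity assurance: exchange only with a validated, identity-proofed party.
        entry = PROVIDER_DIRECTORY.get(to_address)
        if entry is None or not entry["identity_proofed"]:
            self._audit("identity_check", to_address, "refused")
            return None
        self._audit("identity_check", to_address, "validated")
        # Minimum technical requirement: no secure transport, no exchange.
        if transport != "tls":
            self._audit("transport_check", to_address, "refused")
            return None
        # Integrity tag so the receiver can confirm the data were unaltered.
        tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
        self._audit("send", to_address, "ok")
        return {"to": to_address, "payload": payload, "tag": tag}

    def receive(self, message: dict) -> bool:
        """Receiver-side check: accept only if the integrity tag verifies."""
        expected = hmac.new(SHARED_KEY, message["payload"], hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, message["tag"])
        self._audit("receive", message["to"], "ok" if ok else "tampered")
        return ok
```

Each refusal and each accepted or tampered message leaves an entry in `audit_log`, which is the record the oversight component (slide 9) would review.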