HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.


1 HIT Standards Committee Privacy and Security Workgroup: Initial Reactions
Dixie Baker, SAIC
Steven Findlay, Consumers Union
June 23, 2009

2 Workflow
1. Review and comment on the Privacy and Security policy priority in the meaningful-use matrix, focusing on Goals, 2011 Objectives, and 2011 Measures
   – Present recommendations to HIT Standards Committee for conveyance to HIT Policy Committee
2. Map 2011 measures into specific features and functions within three categories:
   1) Products that can be purchased (certified by CCHIT outside the real-life setting)
   2) IT infrastructure necessary to enable the product to be meaningfully used
   3) Operational environment in which the product will be used meaningfully

3 Workflow (continued)
3. Map features and functions to standards and certification criteria
   – Use Privacy and Security worksheet provided by ONC as starting point for EHR standards and certification criteria (category #1)
   – For categories #2 and #3, use HITSP TN900 as primary resource
   – Identify additional industry standards as needed
4. Recommend standards and certification criteria to ONC

4 Privacy and Security Policy Matrix - Goals
GOALS (current)
– Ensure privacy and security protections for confidential information through operating policies, procedures, and technologies and compliance with applicable law
– Provide transparency of data sharing to patient
GOALS (recommended)
– Protect individual privacy, care quality, patient safety, and population health
– Protect confidential information and essential EHR services through operating policies, procedures, and technologies, and compliance with applicable law
– Provide transparency of data sharing to patient

5 Privacy and Security Policy Matrix - Objectives
2011 OBJECTIVES (current)
– Compliance with HIPAA Privacy and Security Rules and state laws
– Compliance with fair data sharing practices set forth in the Nationwide Privacy and Security Framework
2011 OBJECTIVES (recommended)
– Compliance with HIPAA Privacy and Security Rules, ARRA privacy and security provisions, and state laws
– Compliance with fair data sharing practices set forth in the Nationwide Privacy and Security Framework
– Assure that EHR services and information are available when needed at the point of care

6 Privacy and Security Policy Matrix - Objectives
2011 OBJECTIVES (recommended - continued)
– Enable EHR data to be used for population health purposes, while minimizing privacy risks to individuals
– Assure that measures are attainable by small practices as well as large hospitals and integrated delivery networks

7 Privacy and Security Policy Matrix - Measures
2011 MEASURES (current)
– Full compliance with HIPAA Privacy and Security Rules
– An entity under investigation for a HIPAA privacy or security violation cannot achieve meaningful use until the entity is cleared by the investigating authority
– Conduct or update a security risk assessment and implement security updates as necessary
2011 MEASURES (recommended)
– Full compliance with HIPAA Privacy and Security Rules
– An entity under investigation by the HHS Office of Civil Rights for a HIPAA privacy or security violation cannot achieve meaningful use until a plan has been put in place to correct the fault and address the harm caused

8 Privacy and Security Policy Matrix - Measures
2011 MEASURES (recommended - continued)
– Conduct or update a security risk assessment and implement security updates as necessary and as appropriate for the size of the enterprise
– Provide measures to assure the timely availability of services and information required for safe care delivery

9 Privacy and Security Policy Matrix - Measures
2011 MEASURES (recommended - continued)
– Provide anonymized or pseudonymized health data to public health agencies

10 Next Step – Map Measures to Features & Functions
Segment into three categories:
1) Products that can be purchased
   – Certified by CCHIT outside the real-life setting
   – e.g., user and entity authentication, access control, audit
2) IT infrastructure necessary to enable the product to be meaningfully used
   – e.g., identity management, secure email, system backup
3) Operational environment in which the product will be used meaningfully
   – e.g., authorization policies, audit review

11 From Measures to Standards & Certification
2011 Measures
– e.g., Full compliance with HIPAA P&S Rules
2011 Features & Functions
1. EHR Products (CCHIT Criteria)
2. IT Infrastructure
3. Operations
Standards
– HITSP
– NIST
– ISO
– OASIS
– etc.
Certification Criteria
– HHS Criteria for EHR Reimbursement
