Presentation is loading. Please wait.

Presentation is loading. Please wait.

PMRM TC Emergency Responder Use Case Draft: 2 Aug 2011.

Published byAubrey Cox Modified over 9 years ago

Similar presentations

Presentation on theme: "PMRM TC Emergency Responder Use Case Draft: 2 Aug 2011."— Presentation transcript:

1 PMRM TC Emergency Responder Use Case Draft: 2 Aug 2011

2 Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

3 Privacy Management Reference Model Services n Core Policy Services l Agreement- agreements, options, permissions l Control – policies – data management n Presentation and Lifecycle Services l Interaction - manages data/preferences/notice l Agent - software that carries out processes l Usage - data use, aggregation, anonymization l Access - individual review/updates to PI n Privacy Assurance Services l Certification - credentials, trusted processes l Audit - independent, verifiable accountability l Validation - checks accuracy of PI l Enforcement - including redress for violations Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

4 Syntax for each Service: Functions n DEFINE [SVC] operational requirements n SELECT [SVC] (input, process, and output) data and parameters n INPUT [SVC] data and parameter values in accordance with Select n PROCESS [SVC] data and parameter values within Functions n OUTPUT [SVC] data, parameter values, and actions n LINK [SVC] to other (named) Services n SECURE [SVC] with the appropriate security function s Each USE CASE invokes a sequence of Service “calls” Each Service call executes a sequence of Functions (drawn from these seven Function categories) Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

5 Emergency Responder Use Case: On Site Care

6 ACTOR: ECS PI-In [detailed PI required] Source (Actor) Requirements Services Incident ReportExternal sources  ECS Privacy and Security Policy  jurisdictional regulations  OnStar  Security  Control  Audit  Interaction  Validation  Usage  Certification Situational Awareness Report External Sources  ECS Privacy and Security Policy  jurisdictional regulations  OnStar  Security  Control  Audit  Interaction  Validation  Usage  Certification Patient EHR Information Service Provider and other Healthcare systems  HIPAA security and privacy rules  HITECH  3 rd party inherited policy agreements  Security  Control  Audit  Interaction  Validation  Certification  Usage Situation Assessment On-site Care/Incident Commander  General scene information  None Data Flows TO a Single Actor (ECS) with PMRM Service Invocations

7 ECSIncident ReportExternal sources  ECS Privacy and Security Policy  jurisdictional regulations  OnStar  Security  Control  Audit  Interaction  Validation  Usage  Certification Consider one ‘row’ in the table:

8 External Source connects to the ECSSECURITY: establish confidential communication (encryption) CERTIFICATION: check External Source credentials INTERACTION: Provide privacy notice to the External Source, if appropriate Incident Report is transmitted to the ECSVALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources CONTROL and USAGE: Store the PI, together with all appropriate permissions for subsequent PI use AUDIT: record the receipt of the PI and Incident Report Tabular, time-line flow of Service invocations: Services Operational Requirements Time Line

9 ECS Situational Awareness Report External Sources  ECS Privacy and Security Policy  jurisdictional regulations  OnStar  Security  Control  Audit  Interaction  Validation  Usage  Certification External Source connects to the ECSSECURITY: establish confidential communication (encryption) CERTIFICATION: check External Source credentials INTERACTION: Provide privacy notice to the External Source, if appropriate Situation Awareness Report is transmitted to the ECS VALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources CONTROL and USAGE: Store the PI, together with all appropriate permissions for subsequent PI use AUDIT: record the receipt of the PI and Situation Awareness Report Services Operational Requirements Time Line Additional Row: Question: Separate analysis needed for each policy domain (eg, OnStar)?

10 ECS Patient EHR Information Service Provider and other Healthcare systems  HIPAA security and privacy rules  HITECH  3 rd party inherited policy agreements  Security  Control  Audit  Interaction  Validation  Certification  Usage ECS connects to Service Provider and other Health Care Systems SECURITY: establish confidential communication (encryption) CERTIFICATION: mutually check credentials INTERACTION: Provide privacy notice to the Provider/other Systems, if appropriate Patient EHR is transmitted to the ECSVALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources CONTROL and USAGE: Store the PI, together with all appropriate permissions for subsequent PI use AUDIT: record the receipt of the PI and Patient EHR Services Operational Requirements Time Line Additional Row :

11 ECS Situation AssessmentOn-site Care/Incident Commander  General scene information  None (?) Services Operational Requirements Time Line Additional Row: On site Commander records general scene information in the Situation Assessment SECURITY: establish confidential communication or log-in (encryption) CERTIFICATION: mutually check credentials INTERACTION: Any PI contained in general scene information? VALIDATION: check the PI for reasonableness, veracity, and relevance, possibly against other sources CONTROL and USAGE: Store the PI, together with all appropriate permissions for subsequent PI use AUDIT: record the receipt of the PI and Situation Assessment

12 Data Flows FROM a Single Actor (ECS) with PMRM Service Invocations Actor: ECS PI-OutDestination (Actor) Requirements [ Services Incident Report: PI Instance and enhancements On-site Care/Incident Commander System  ECS Privacy and Security Policy  Jurisdictional regulations  Security  Control  Audit  Interaction  Validation  Usage Situational Awareness ReportOn-site Care/Incident Commander System ECS Privacy and Security Policy - Jurisdictional regulations  Security  Control  Audit  Interaction  Validation  Usage Patient Data RequestService Providers and other healthcare systems  HIPAA security and privacy requirements  Unique healthcare system requirements  Security  Control  Audit  Interaction  Validation  Certification  Usage  Enforcement Health Information from DevicesService Providers and other healthcare systems  HIPAA security and privacy requirements  Unique healthcare system requirements  Security  Control  Audit  Interaction  Validation  Certification  Usage  Enforcement Virtual ConsultOn-site Care/Incident Commander System Virtual ConsultOn-site Care/Incident Commander System

13 - examine each row of the OUT table, in turn; then, - Move to each Actor, analyzing the IN/OUT flows

14 Where Does the Reference Model Fit? Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA) Privacy Management Reference Model

Download ppt "PMRM TC Emergency Responder Use Case Draft: 2 Aug 2011."

Similar presentations

National HIT Agenda and HIE - 2007 John W. Loonsk, M.D. Director of Interoperability and Standards Office of the National Coordinator Department of Health.

National HIT Agenda and HIE John W. Loonsk, M.D. Director of Interoperability and Standards Office of the National Coordinator Department of Health.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Confidentiality and HIPAA

Confidentiality and HIPAA
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Privacy, Security, Confidentiality, and Legal Issues

Privacy, Security, Confidentiality, and Legal Issues
Surviving a Privacy Exam Barbara B. Fitch 2 nd VP–Market Conduct & Compliance National Life Insurance Company October 3, 2005.

Surviving a Privacy Exam Barbara B. Fitch 2 nd VP–Market Conduct & Compliance National Life Insurance Company October 3, 2005.
Health Insurance Portability & Accountability Act (HIPAA)

Health Insurance Portability & Accountability Act (HIPAA)
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.

RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
Capability Cliff Notes Series PHEP Capability 6—Information Sharing What Is It And How Will We Measure It?

Capability Cliff Notes Series PHEP Capability 6—Information Sharing What Is It And How Will We Measure It?
Licensing Division Reengineering Project Requirements Workshop Copyright Owners 1/26/2011.

Licensing Division Reengineering Project Requirements Workshop Copyright Owners 1/26/2011.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
HEDIS Audit – Appropriate Monitoring and Oversight of Vendors Presenter: Yolanda Strozier, MBA Project Manager, EQRO Services.

HEDIS Audit – Appropriate Monitoring and Oversight of Vendors Presenter: Yolanda Strozier, MBA Project Manager, EQRO Services.
OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.

OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.

Similar presentations

Ads by Google