Date post: 19-Dec-2015
Page 1: 1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union July 21, 2009.

HIT Standards Committee

Privacy and Security Workgroup: Recommendations

Dixie Baker, SAIC

Steven Findlay, Consumers Union

July 21, 2009

Most Americans Rate the Healthcare System Fair or Poor

How would you rate the health care system in America today? (2009 n=1,000)

Source: Employee Benefit Research Institute and Mathew Greenwald & Associates, 2008-2009 Health Confidence Survey

Consumers Have Little Confidence that Electronic Health Records Will Remain Confidential

If medical records and personal health information were to be stored electronically and shared through the Internet, how confident are you that those records and information would remain confidential? (2009 n=1,000)

Source: Employee Benefit Research Institute and Mathew Greenwald & Associates, 2008-2009 Health Confidence Survey

ARRA Addresses These Concerns by Stimulating Adoption of Health Information Technology (HIT)

• Current paper- and fax-based system is inefficient and costly, and perpetuates medical practice as a “cottage industry” – moving to electronic records and exchanges will reduce inefficiencies and cost, while improving patient safety and care quality

• Recording and exchanging health information electronically will improve the quality of care, and reduce costs, by:
  – Reducing reliance on physicians’ (oft-illegible) handwritten and faxed prescriptions and notes
  – Making health information available whenever and wherever it is needed
  – Facilitating the measurement of outcomes and comparison of effectiveness
  – Streamlining medical research
  – Facilitating the detection of potential health threats to the public

But There’s a Caveat…

• Use of computers and networks introduces new risks to personal privacy

• As providers become more dependent on EHRs, the potential impacts of data corruption and service interruption will increase

• Privacy and security mechanisms are designed to help protect personal privacy and to assure quality care by providing:
  1. Ability to record and enforce consumers’ individual preferences on who can see or use their personal health information and for what purposes – whether it’s within a hospital or between their family doctor and the specialist she has chosen to help diagnose a problem
  2. Ability to protect their health information from being changed or deleted
  3. Ability to make sure that their health information is available to their family physician, the specialists he/she consults, and physicians providing emergency care in their local emergency room and the clinic in the remote mountain community where they vacation

ARRA EHR-Adoption Reimbursement Requirements

• To encourage broad adoption of EHRs, ARRA offers reimbursement to eligible providers who meet two requirements:
  1. Acquire a certified EHR product or service
  2. Demonstrate that he/she is using that product/service “meaningfully”

• The Standards Committee needs to recommend both:
  1. Criteria for certifying products
  2. Criteria for demonstrating that an applicant is using that product meaningfully

EHR-Adoption Privacy and Security

• For privacy and security, certification that a defined function or service has been implemented in a product is not sufficient to demonstrate “meaningful use” (or even “use”) of that function or service

• The Privacy and Security Workgroup has adopted an approach that addresses both the certification of products and the demonstration that a user is using the certified product “meaningfully”

Mapping “ARRA 8” to Product Certification Criteria

Mapping “ARRA 8” to Meaningful Use Criteria

“ARRA 8” Requirements and Standards

| ARRA Priority Areas of Focus | Derived Privacy & Security Services | HITSP Standards? |
|---|---|---|
| 1) Technologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information | Identity management | Yes |
| | User/entity authentication | Yes |
| | Identity- / role-based access control | Yes |
| | Label-based access control | No |
| | Consent management | Partial |
| | Transmission integrity protection | Yes |
| | Transmission confidentiality protection | Yes |
| 2) Nationwide HIT infrastructure for electronic use and exchange of EHR | Secure communications channel | Yes |
| | Secure email | Yes |

“ARRA 8” Requirements and Standards

| ARRA Priority Areas of Focus | Derived Privacy & Security Services | HITSP Standards? |
|---|---|---|
| 3) EHR certification | (all) | -- |
| 4) Technologies that as a part of a qualified electronic health record allow for an accounting of disclosures made by a covered entity | Auditing | Yes |
| | Consistent time | Yes |
| | Inter-enterprise traceability | No |
| | Non-repudiation | Yes |
| 5) The use of certified electronic health records to improve the quality of health care | Document integrity protection | Yes |
| | Transmission integrity protection | Yes |
| | Non-repudiation | Yes |
| | Service availability | No |

“ARRA 8” Requirements and Standards

| ARRA Priority Areas of Focus | Derived Privacy & Security Services | HITSP Standards? |
|---|---|---|
| 6) Technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals | Transmission confidentiality protection | Yes |
| | Deidentification | Yes |
| | Anonymization | Yes |
| | Pseudonymization | Partial |
| | Limited data set | No |
| 7) Demographic data | N/A | -- |
| 8) Special populations | N/A | -- |

Privacy and Security WG Recommendations

• Certification criteria should not dictate policy beyond what is specified in ARRA and the HIPAA Security and Privacy Rules
  – Allow adopter to configure products to its individual policy based on its own risk factors

• Product certification should address both functional requirements (services provided) and assurance levels (strength of mechanisms and implementations)
  – Use ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation, to specify Evaluation Assurance Levels (EAL) for use cases

• For greater openness and broader interoperability, prefer standards developed by international Standards Development Organizations (SDOs)

Privacy and Security WG Recommendations

• Certification criteria and standards should enable design possibilities that leverage fundamental principles and open standards

• Product certification criteria should build toward full interoperability with both healthcare partners (providers, payers, HIEs, etc.) and consumers; for example:
  – 2011: secured enterprises + simple, secured sharing with healthcare partners and consumers
  – 2013: secured health exchanges with healthcare partners and consumers
  – 2015: full integration of consumer preferences with enterprise and exchange access controls

Privacy and Security WG Recommendations

• “Meaningful use” criteria should be rules-based and should specify what certified features must be used and how, within the context of defined, operational use cases

• “Meaningful use” should include at least:
  – Required certified features and their configuration within applicable use case
  – Secure IT infrastructure
  – Current HIPAA risk analysis and risk-management plan
  – Current HIPAA contingency plan (back-up, disaster recovery, emergency operations, testing and revision, criticality analysis)

Consent Management – the Widest, and Perhaps Most Urgent, Gap

• Consent management involves several functions:
  1. Recording patient elections (privacy authorizations and informed consents) in a consistent way such that both humans and computers can interpret the elections consistently across systems and organizations
  2. Transferring these elections among all entities that handle their PHI (e.g., providers, labs, pharmacies, payers, researchers, PHI vendors)
  3. Translating these elections into access control rules
  4. Managing the continually changing elections

Consent Management – the Widest, and Perhaps Most Urgent, Gap

• Some standards-development work is under way
  – HL7, primarily focusing on privacy and security authorizations
  – Consent Assertion Markup Language (CAML, John Halamka) – XML data model representing all patient authorizations and consents
  – HITSP TP30 and the Integrating the Healthcare Enterprise (IHE) Basic Patient Privacy Consent (BPPC) profile

• HIE, OASIS, and ASTM are addressing the exchange of consumer elections

• No significant efforts addressing translation into access-control rules, or change management

• Consumers are beginning to play a much greater role in defining how their information is shared and used – standards are needed

• HHS should encourage and support the rapid, well-informed development of consent management standards comprehensively addressing 1-4 above

Recommended Standards – Readiness Ratings

1. Mature; known or certain to be implementable in 2011; implemented widely (>20%) in industry

2. Ready for introduction; known/certain for 2013

3. Well developed; work in progress for 2013 / 2015

4. In development; standards to be determined

Recommended Standards*

*See hand-out for further details

| Short Title | Services Supported | 1 2 3 4 |
|---|---|---|
| HL7 Version 3 Standard: Role Based Access Control (RBAC) | Access control | x |
| OASIS eXtensible Access Control Markup Language (XACML) | Access control | x |
| OASIS Security Assertion Markup Language (SAML) v2.0 | Access control | x |
| OASIS WS-Trust | Access control | x |
| ISO/IEC Common Criteria for Information Technology Security Evaluation | Assurance certification | x |
| IHE Audit Trail and Node Authentication (ATNA) Profile | Audit | x |
| ASTM Standard Guide for Electronic Authentication of Health Care Information | Authentication | x |
| IETF Kerberos | Authentication | x |
| IHE ITI-TF Authentication | Authentication | x |
| IHE ITI-TF Cross-Enterprise Document Sharing-B (XDS.b) | Authentication; Consent management | x |
| IHE ITI-TF Enterprise User Authentication (EUA) | Authentication | x |
| IHE ITI-TF Cross Enterprise User Assertion (XUA) | Authentication | x |
| OASIS Simple Object Access Protocol (SOAP) | Authentication | x |

Recommended Standards

| Short Title | Services Supported | 1 2 3 4 |
|---|---|---|
| HL7 V3 Data Consent | Consent management | x |
| IHE ITI-TF Basic Patient Privacy Consents (BPPC) | Consent management | x |
| IHE ITI-TF Registry Stored Query Transaction for XDS Profile Supplement | Consent management | x |
| OASIS/ebXML Registry Information Model v3.0 | Consent management | x |
| OASIS/ebXML Registry Services (ebRS) Specifications | Consent management | x |
| IETF Network Time Protocol (NTP) | Consistent time | x |
| IETF Simple Network Time Protocol (SNTP) | Consistent time | x |
| IHE ITI-TF Consistent Time (CT) | Consistent time | x |
| HIPAA Privacy Rule: Deidentification | Deidentification | x |
| HIPAA Privacy Rule: Pseudonymization | Deidentification | x |
| HL7 Version 3.0 Clinical Genomics; Pedigree (Anonymization) | Deidentification | x |
| IETF Domain Name Service (DNS) | Identity Management | x |
| IETF Lightweight Directory Access Protocol (LDAP) | Identity Management | x |
| IHE ITI-TF Personnel White Pages (PWP) | Identity Management | x |
| IETF Language Tags | Identity Management | x |

Recommended Standards

| Short Title | Services Supported | 1 2 3 4 |
|---|---|---|
| IHE ITI-TF Cross Community Access (XCA) | Infrastructure | x |
| IHE ITI-TF Cross-Enterprise Document Sharing-B (XDS.b) | Infrastructure | x |
| ETSI XML Advanced Electronic Signatures (XAdES) | Non-repudiation | x |
| IHE ITI-TF Document Digital Signature (DSG) Content | Non-repudiation | x |
| IETF Cryptographic Message Syntax | Non-repudiation; secure email | x |
| ISO Health Informatics, Public Key Infrastructure (PKI) | Non-repudiation | x |
| FIPS 197, Advanced Encryption Standard (AES) | Secure transmission | x |
| IETF Transport Layer Security (TLS) Protocol | Secure transmission | x |
| IHE ITI-TF Cross-Enterprise Document Media Interchange (XDM) | Secure email | x |

