8/9/2019 Privacy and Security Tiger Team - August 19 2010
http://slidepdf.com/reader/full/privacy-and-security-tiger-team-august-19-2010 1/26
HIT Policy Committee
Privacy and Security Tiger Team
Deven McGraw, Chair; Paul Egerman, Co-Chair
August 19, 2010
Tiger Team Members
Deven McGraw, Chair, Center for Democracy & Technology
Paul Egerman, Co-Chair
Dixie Baker, SAIC
Christine Bechtel, National Partnership for Women & Families
Rachel Block, NYS Department of Health
Carol Diamond, Markle Foundation
Judy Faulkner, EPIC Systems Corp.
Gayle Harrell, Consumer Representative/Florida
John Houston, University of Pittsburgh Medical Center; NCVHS
David Lansky, Pacific Business Group on Health
David McCallie, Cerner Corp.
Wes Rishel, Gartner
Latanya Sweeney, Carnegie Mellon University
Micky Tripathi, Massachusetts eHealth Collaborative
Adam Greene, Office of Civil Rights
Joy Pritts, ONC
Judy Sparrow, ONC
Agenda
Review Recommendation Letter with focus on items not previously presented to Policy Committee
Tiger Team's Scope
Core Recommendation
Core Values
Triggers and Meaningful Consent
Granular Consent
Conclusions
Framing: Scope
Recommendations apply to electronic exchange of patient identifiable health information among known entities to meet Stage 1 of Meaningful Use (MU)
[Diagram: Health Information Exchange, with spokes for Treatment and Coordination of Care; Quality Reporting; Claims and Payment Processing; Research; Patient Access; Public Health Reporting]
Note: Patient Access, Research and Claims and Payment Processing are not in scope for this initial discussion.
Scope: Specific Issues/Questions Addressed
1. Use of intermediaries or third party service providers in identifiable health information exchange;
2. Trust framework to allow exchange among providers for purpose of treating patients;
3. Ability of the patient to consent to participation in identifiable health information exchange at a general level (i.e., yes or no), and how consent should be implemented;
4. The ability of technology to support more granular patient consents (i.e., authorizing exchange of specific pieces of information while excluding other records); and
5. Additional recommendations with respect to exchange for Stage I of Meaningful Use: treatment, quality reporting, and public health reporting.
Core Tiger Team Recommendation
All entities involved in health information exchange, including providers (individual and institutional) and third party service providers like Health Information Organizations (HIOs) and other intermediaries, should follow the full complement of fair information practices (FIPs) when handling personally identifiable health information.
- Each set of recommendations is mapped to applicable fair information practice principle(s)
Formulation of FIPs comes from ONC's Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (adopted by Policy Committee in Strategic Framework).
Core Values
The relationship between the patient and his or her healthcare provider is the foundation for trust in health information exchange, particularly with respect to protecting the confidentiality of personal health information.
As key agents of trust for patients, providers are responsible for maintaining the privacy and security of their patients' records.
We must consider patient needs and expectations. Patients should not be surprised about or harmed by collections, uses, or disclosures of their information.
Ultimately, to be successful in the use of health information exchange to improve health and health care, we need to earn the trust of both consumers and physicians.
Recommendations 1 and 2
1. Use of intermediaries or third party service providers in identifiable health information exchange;
2. Trust framework to allow exchange among providers for purpose of treating patients;
Recommendations previously presented and included in Appendix.
3.1 Consent and Directed Exchange
Recommendation 3.1 on page 9
- Assuming that FIPs are followed, directed exchange for treatment does not require patient consent beyond what is required in current law or what has been customary practice
- Not intended to change patient-provider relationship or importance of provider exercising judgment on the patient's behalf
- The same considerations and customary practices that apply to paper or fax exchange apply to directed electronic exchange
3.2 Trigger when ONC Should Require Additional Consent
When the decision to disclose or exchange the patient's identifiable health information from the provider's record is not in the control of the provider or that provider's organized health care arrangement ("OHCA"), patients should be able to exercise meaningful consent to their participation.
ONC should promote this policy through all of its levers.
Letter Pages 10 and 11
3.2 Trigger when ONC Should Require Additional Consent
Examples:
- A centralized HIO model, which retains identifiable patient data and makes that information available to other parties.
- A federated HIO model, which exercises control over the ability to access individual patient data.
- Information is aggregated outside the auspices of the provider or OHCA and commingled with information about the patient from other sources.
Trigger when ONC Should Require Additional Consent (cont.)
- The patient must be provided with an opportunity to give meaningful consent before the provider releases control over exchange decisions.
- If the patient does not consent to participate in an HIO model that "triggers" consent, the provider should, alternatively, exchange information through directed exchange.
- There are some HIOs that offer multiple services. The provider may still contract with an HIO to facilitate directed exchange as long as the arrangement meets the requirements of recommendation 1 of this letter.
3.3 Meaningful Consent Attributes
- Advanced knowledge/time
- Not compelled, or used for discriminatory purposes
- Full transparency and education
- Commensurate with Circumstances
- Consistent with Patient Expectations
- Revocable
Details in Appendix
3.4 Consent Implementation Guidance
The provider has the responsibility to educate and discuss with patients how their information is shared.
The federal government, as well as regional extension centers and HIOs, also have responsibilities to educate the public and should provide resources to providers.
Providers should obtain and keep track of patient consent but they may delegate consent management/administrative functions to a third party (such as an HIO), with appropriate oversight.
3.5 Provider Consent to Participate in Exchange
Should providers have a choice about participating in exchange models?
Yes!
Letter Page 13
4. Ability of Technology to Support More Granular Patient Consent
June 29 Technology Hearing (pages 14-17)
Reviewed NCVHS recommendations
Co-chairs of NCVHS confidentiality and privacy workgroup made presentation
Ability of Technology to Support More Granular Patient Consent: Recommendation 4
Promising technology but in the early stages of development and adoption.
Furthering experience and stimulating innovation for granular consent are needed.
This is an area that should be a priority for ONC to explore further.
Ability of Technology to Support More Granular Patient Consent: Recommendation 4 (cont.)
Important that ONC find evidence (such as through pilots) for successful models and not rely on theoretical possibilities.
In the interim, patient education is paramount: realistic expectations about privacy need to be established.
Question 5: Additional Recommendations
1. Use of intermediaries or third party service providers in identifiable health information exchange;
2. Trust framework to allow exchange among providers for purpose of treating patients;
3. Ability of the patient to consent to participation in identifiable health information exchange at a general level (i.e., yes or no), and how consent should be implemented;
4. The ability of technology to support more granular patient consents (i.e., authorizing exchange of specific pieces of information while excluding other records); and
5. Additional recommendations with respect to exchange for Stage I of Meaningful Use: treatment, quality reporting, and public health reporting.
Recommendation #5 was previously presented and is included in Appendix.
Conclusion
Recommendations were targeted to address a set of questions raised by ONC; they are not the definitive or final word on privacy and security and health IT/health information exchange.
More work is necessary: only a systemic and comprehensive approach to privacy and security can achieve public confidence.
Among the issues needing further work: exchange beyond Stage 1, provider credentialing assurance levels, individual access, transparency, security safeguards, and de-identified data.
Appendix
1. Use of "Third Party Service Organizations"
Recommendation 1 on page 6 of the letter
Third party service organizations should not collect, use or disclose identifiable health information for any purpose other than to provide the services specified in the business associate or service agreement and any necessary administrative functions.
Such information should be retained only for as long as reasonably necessary. Retention policies must be disclosed. After retention period, information must be securely returned or destroyed.
Require transparency also for uses of de-identified data.
BAA provides accountability, but not sufficient governance to build/maintain public trust
2. Trust Framework for Exchange Among Providers
Recommendation 2 on pages 7-9 (top)
Providers "hold the trust" but may delegate functions such as issuing digital credentials or verifying provider identity, as long as delegation maintains this trust.
Federal government should establish acceptable level of accuracy and establish and enforce clear credentialing requirements; state governments can provide additional rules if necessary
Providers should also attest to relationship with the patient who is the subject of the information, and all who exchange identifiable health information should be required to comply with applicable law and policies (enforced through law and ONC policy levers)
3.3 Meaningful Consent Guidance When Trigger Applies
Recommendation 3.3 on page 12
Such consent must be meaningful in that it:
- Allows the individual advanced knowledge/time to make a decision. (E.g., outside of the urgent need for care.)
- Is not compelled, or is not used for discriminatory purposes. (E.g., consent to participate in a centralized HIO model or a federated HIO model is not a condition of receiving necessary medical services.)
- Provides full transparency and education. (I.e., the individual gets a clear explanation of the choice and its consequences, in consumer-friendly language that is conspicuous at the decision-making moment.)
Meaningful Consent Guidance (cont.)
- Is commensurate with the circumstances. (I.e., the more sensitive, personally exposing, or inscrutable the activity, the more specific the consent mechanism. Activities that depart significantly from patient reasonable expectations require greater degree of education, time to make decision, opportunity to discuss with provider, etc.)
- Must be consistent with reasonable patient expectations for privacy, health, and safety; and
- Must be revocable. (I.e., patients should have the ability to change their consent preferences at any time. It should be clearly explained whether such changes can apply retroactively to data copies already exchanged, or whether they apply only "going forward.")
5. Additional Recommendations re: Stage 1 of Meaningful Use
Recommendation 5 on pages 17-18
Exchange of identifiable health information for treatment should be for treatment of the individual who is the subject of the information, unless the provider has the consent of that individual to use his/her information to treat others (note: further work needed to ensure appropriate care of infants and children)
Public Health and Quality reporting should take place using the least amount of identifiable information necessary, unless law requires disclosure of identifiers
Provider is responsible for public health and quality disclosures, but may delegate to an HIO pursuant to a business associate agreement.