Veterans Health AdministrationHealthcare Information Governance
Emerging Health Technologies Advancement Center (EHTAC)Virtual Demonstrati ons – Security Brown Bag May 24 t h , 2012
Healthcare Classifi cati on System for Security and Privacy
May 24, 2012
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
Overview:Existing classification standards and methodologies exist in the U.S. for handling of SENSITIVE information.
Presentation focuses on how the use of a Healthcare Classification System could resolve some of the issues related to proposed ONC Standards and Interoperability Data Segmentation pilot projects.
Uses standards based vocabulary for defining clinical documents confidentiality, sensitivity, obligation, and refrain policy attribute values, to protect the underlying clinical content.
2
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
Objectives:Data Segmentation Demonstration and Pilot projects will exercise defined aspects of the Implementation Guide in a real-world setting. The real-world pilots evaluate not only the technology and standards, but also provide a test bed to evaluate the interaction of technology, implementation support, and operational infrastructure required to meet Data Segmentation Use case objectives at the stakeholder or organization levels.
Value Statement:The Data Segmentation for Privacy initiative enables the sharing of patient data in compliance with policy, regulation, and patient consent directives. Data Segmentation for privacy supports these policies which require the protection of certain types of personal health information (PHI). Data Segmentation also provides a platform for patient control over the use and disclosure of their health information. The goal is to build patient trust and participation in the health care system.
3
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
4
Document Set Generation
CliniciansRequestPatient Record
LocalAuthorizationDecision
ServicingOrganizationPolicyDecision
DocumentAssemblyAndTagging
Creationof SecuredInnerPolicy Wrapper
Creationof SecuredOuterPolicy Wrapper
Permit Permit
Deny
Creation ofCompositeDocument Set
Deny
PatientConsent
OrganizationalPolicy
PatientConsent
OrganizationalPolicy
Requesting Organization Servicing Organization
Layered Security Service
Classification System
Document SetDelivered toRequesting Organization
ClinicalKnowledge
Policy DecisionDetermining Inclusion
Organizational Policy Law
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
5
C32 – Document TypeCurrently Exchanged on NwHIN
HL7 Privacy and Security Policy Vocabulary
Common Vocabulary
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
6
Encrypted Clinical Payload
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
7
Viewing Document Contents
Primary AccessAuthorizationDecision
PatientConsent
OrganizationalPolicy
Request to View
Originating Service Organization
Outer Envelope Has No Knowledge Of Content
DeliveryofClinicalDocument
Secure Key Management and Exchange
(Per
mit/
Den
y)
AssertCredentialsAnd Purpose of Use
Eac
h do
cum
ent
may
be
hand
led
diffe
rent
ly
Authorization DecisionBased on Sensitivity andConfidentiality of Content
Payload is unencryptedAnd evaluated againstPolicy.
(Per
mit/
Den
y)
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
8
Questions ?
VETERANS HEALTH ADMINISTRATION
Healthcare Classification System for Security and Privacy
9
Envelope Policy ControlsOuter - Handling InformationInner - Document Type, Sensitivity, and Confidentiality
Backup SLIDE