Confidentiality Codes Refactored
Serafina Versaggi and Kathleen Connor, Eversolve
Problem Statement
The current HL7 Confidentiality Code System is overloading the coded attributes of confidentiality
Current Confidentiality Codes mix:
• Privacy Policy Codes about how Sensitive Information must be handled
• Metadata tags (data about data content) used to convey Information Sender and Receiver responsibilities to prevent unauthorized use or disclosure
Without guidance on the intended use of these metadata tags, implementers may mistakenly apply Privacy Policy and Sensitive Information Codes as metadata on protected information:
• On external wrappers used as transport information in exchange
• On document headers for use by records management systems/repositories
As a result, they may be breaching protected information by disclosing the sensitive nature of that information to unauthorized Receivers.
Happy News
Refactored Confidentiality Codes fit seamlessly into the Composite Security and Privacy DAM with minimal changes
This should be considered validation of that good work
Proposed changes specify:
• Sender responsibility to ensure that protected information is handled in accordance with Privacy Policies
• Receiver responsibility for handling protected information the Sender is authorized to disclose
• Interoperable and policy-driven Confidentiality Codes that reduce the need for point-to-point negotiation when exchanging information
Proposed Changes to the DAM
Refactors current Confidentiality Code System
• Reason: multiple axes that blend internal Privacy Policies, Role- and User-based Access, and interoperable Confidentiality Codes
Defines new interoperable Confidentiality Codes
• Specifies Receiver responsibilities for information being exchanged
• Limited set of codes that convey general information handling rules
• Conveys sensitivity levels without disclosing why the information is or is not sensitive
Relocates Sensitive Information Codes to ActPrivacyPolicyType value set
• Sensitive Information Codes represent a type of Organizational Privacy Policy
• Like Jurisdictional Privacy Policies, these are implemented in a Policy Information Point to inform the Policy Decision Point
Adds Information Subject Authorization to Disclose
• Consent Directives: specify disclosures that are more restrictive than generally applicable Jurisdictional Health Privacy Policies
• Disclosure Authorizations: specify disclosures less restrictive than generally applicable Jurisdictional Health Privacy Policies
Current HL7 Confidentiality Code Concept Domains
Current Confidentiality Codes Relationships
Code: Definition
ConfidentialityByAccessKind
• A value set that allows access to information by subject/role and relationship-based rights
• These concepts are mutually exclusive; one and only one is required for a valid confidentiality coding
ConfidentialityModifiers
• Modifiers of role-based access rights
• Multiple allowed
ConfidentialityByInfoType
• By information type, only for service catalog entries
• Multiple allowed
• Not to be used with actual patient data!
Disambiguating Confidentiality and Sensitivity
Definitions of these concepts are often intertwined, and usage is not clearly orthogonal in many contexts
Healthcare differentiates these because of heightened Privacy concerns
Confidentiality is a security concept
• How information is treated
• Who can know and what they can do with it
• Has no necessary bearing on social values
• ISO 7498-2:1989 - Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Sensitivity is a social perception concept
• How information is regarded socially
• What others will think about and act on the information
• How that “social” perception and resulting reaction will impact the information subject and/or owner
• ISO 7498-2:1989 - Sensitivity is the characteristic of a resource which implies its value or importance and may include its vulnerability
Confidentiality – Sensitivity Matrix
[Figure: Sender Assigns Confidentiality Codes. The Access Control System drives the Sender Disclosure Process: the Sender assigns Confidentiality Codes to comply with Obligations to protect information. The CDA Header carries a Confidentiality Code plus a URL to the referenced License; the Inner Envelope carries a Confidentiality Code; Licenses attach at Envelope, Header, Section and Entry level (Encounter, Medication, Lab and Problem Sections each carry a CC; Lab Result Entries carry Entry Licenses); the whole travels in an Encrypted Transmission Wrapper. The License conveys Receiver Obligations to protect the information. The Receiver complies with the obligation through ACS enforcement of Licenses, which may apply at the CDA Header, Section, or Entry.]
ActPrivacyPolicyType
Vocabulary Changes to Support Use Cases
Added attribute to Privacy Policy that designates which type of Privacy Policy applies; may leverage the existing HL7 vocabulary Act.code concept domain “ActPrivacyPolicyType”
Proposed Vocabulary includes:
• ActPrivacyLaw – with example codes, e.g., 42 CFR Part 2 and HIPAA
• Sensitivity – defined as policies shared by a policy domain relating to sensitivity of information; leverages ISO 7498-2:1989 definitions for Confidentiality and Sensitivity; example codes from ConfidentialityModifiers and ConfidentialityByInfoType, plus proposed codes for gaps discovered in Use Cases, such as Sensitive Service Provider and Employee
Relocated Sensitive Information Codes
Relocates Sensitive Information Codes from AccessByInfoType and Confidentiality Modifiers to the ActPrivacyPolicyType value set
No impact on earlier models which will reference current Confidentiality Code System
No impact on CDA which only uses Normal, Restricted, and Very Restricted
Future models that use ActPrivacyPolicyCodes can target classes with a Comply relationship to an ActClassPolicy
Refactored Confidentiality Codes
Lvl-Typ / Concept Code / Head Code-defined Value Set / Definition, Properties, Relationships
0-A _Confidentiality
Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO 7498-2:1989]
Description: The codes in the Confidentiality code system are values that prevent the unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
The confidentiality code assigned by an information sender (per policies intended by the custodian) that convey receiver obligation to ensure that the information is not made available or redisclosed to unauthorized individuals, entities, or processes (security principals). The receiver may only grant authorized principals access to the minimum necessary information for the purpose of use intended by the sender. The receiver must grant principals permission to perform approved operations on the information object.
Refactored Confidentiality Codes
Lvl Concept Code Print Name: Definition
.U unrestricted: Metadata indicating that there are no receiver responsibilities to comply with sender’s information policy.
1-L .L low: Metadata indicating the receiver responsibility to comply with sender’s de-identified information policy specifying authorized principals, permissions, and purpose of use.
1-L .M moderate: Metadata indicating the receiver responsibility to comply with an information subject’s authorization to disclose agreement specifying authorized principals, permissions, and purpose of use.
1-L .N normal: Metadata indicating the receiver responsibility to comply with sender’s applicable jurisdictional privacy policy specifying authorized principals, permissions, and purpose of use.
1-L .R restricted: Metadata indicating the receiver responsibility to access and comply with information subject’s consent directives, default consent rules, or a sender’s organizational privacy policies that are more stringent than jurisdictional privacy policies, which specify restrictions on authorized principals, permissions, and purpose of use. May be preempted by jurisdictional law, e.g., for public health reporting or emergency treatment.
1-L .V very restricted: Metadata indicating the receiver responsibility to comply with sender’s or other authority’s policy for highly sensitive information, which specify restrictions on authorized principals, permissions, and purpose of use.
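The sender/receiver split shown in the disclosure figure and the obligations listed in the code table, as an added example in Python (not code from the presentation, HL7 or Eversolve): the sender's Policy Information Point holds the sensitivity policies, the sender's PDP turns them into one of the refactored codes per section, only the code travels with the document, and the receiver's ACS enforces the obligation that code conveys. The precedence among L/M/N/R/V, the header-as-most-restrictive rule, the policy names, section titles, principals and purposes of use are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Refactored codes, least to most restrictive, as listed in the deck.
LEVELS = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


def stricter(a: str, b: str) -> str:
    """Return the more restrictive of two confidentiality codes."""
    return a if LEVELS[a] >= LEVELS[b] else b


@dataclass(frozen=True)
class Section:
    title: str
    de_identified: bool = False
    # Organizational sensitivity policies (ActPrivacyPolicyType-style) that apply
    # to this section. They stay in the sender's PIP and never go on the wire.
    sensitivity_policies: frozenset = frozenset()


@dataclass
class SenderPIP:
    policy_code: dict                    # assumption: sensitivity policy -> code it demands
    restricted_consent_directive: bool   # subject's directive is stricter than law
    disclosure_authorized: frozenset     # section titles the subject authorized to disclose


def assign_code(section: Section, pip: SenderPIP) -> str:
    """Sender PDP: pick the code that conveys the receiver's obligation without
    naming the policy behind it. The precedence below is this example's assumption."""
    if section.de_identified:
        return "L"                       # receiver follows the de-identified data policy
    code = "N"                           # default: jurisdictional privacy policy applies
    for policy in section.sensitivity_policies:
        code = stricter(code, pip.policy_code[policy])
    if pip.restricted_consent_directive:
        code = stricter(code, "R")       # consent directive stricter than law
    if code == "N" and section.title in pip.disclosure_authorized:
        code = "M"                       # subject's authorization to disclose governs
    return code


def build_envelope(sections, pip: SenderPIP) -> dict:
    """Tag each section; the header carries the most restrictive section code
    (an assumption about header/section layering, not stated in the deck)."""
    tagged = {s.title: assign_code(s, pip) for s in sections}
    header = "U"
    for code in tagged.values():
        header = stricter(header, code)
    return {"header": header, "sections": tagged}


def leaks_sensitivity(envelope: dict, pip: SenderPIP) -> bool:
    """True if anything on the wire names a sensitivity policy, i.e. reveals
    why the data is sensitive rather than only how restricted it is."""
    wire = repr(envelope)
    return any(name in wire for name in pip.policy_code)


@dataclass
class ReceiverPIP:
    authorizations: dict                 # principal -> purposes of use the receiver allows
    consent_directive_checked: bool      # receiver retrieved the subject's directive
    very_restricted_principals: frozenset


def receiver_may_release(code: str, principal: str, purpose: str, rpip: ReceiverPIP) -> bool:
    """Receiver ACS: enforce the obligation the code conveys (example logic)."""
    if code == "U":
        return True                      # no receiver responsibility
    if purpose not in rpip.authorizations.get(principal, set()):
        return False                     # L..V all require an authorized principal and purpose
    if code == "R" and not rpip.consent_directive_checked:
        return False                     # R: must access and comply with the consent directive
    if code == "V" and principal not in rpip.very_restricted_principals:
        return False                     # V: highly sensitive, narrower principal set
    return True


def release_sections(envelope: dict, principal: str, purpose: str, rpip: ReceiverPIP) -> list:
    return sorted(t for t, c in envelope["sections"].items()
                  if receiver_may_release(c, principal, purpose, rpip))


# Constructed sample document and policies (not real HL7 codes or real policies).
SENDER_PIP = SenderPIP(
    policy_code={"SENSITIVE_SERVICE_POLICY": "V", "ORG_RESTRICTED_POLICY": "R"},
    restricted_consent_directive=False,
    disclosure_authorized=frozenset({"Encounter"}),
)
SECTIONS = [
    Section("Encounter"),
    Section("Medication", sensitivity_policies=frozenset({"ORG_RESTRICTED_POLICY"})),
    Section("Lab", de_identified=True),
    Section("Problem", sensitivity_policies=frozenset({"SENSITIVE_SERVICE_POLICY"})),
]
ENVELOPE = build_envelope(SECTIONS, SENDER_PIP)

RECEIVER_PIP = ReceiverPIP(
    authorizations={"dr_lee": {"TREAT"}, "billing_clerk": {"PAYMENT"}},
    consent_directive_checked=True,
    very_restricted_principals=frozenset({"dr_lee"}),
)

if __name__ == "__main__":
    print(ENVELOPE)
    print("leaks policy names:", leaks_sensitivity(ENVELOPE, SENDER_PIP))
    print("dr_lee/TREAT:", release_sections(ENVELOPE, "dr_lee", "TREAT", RECEIVER_PIP))
    print("billing_clerk/PAYMENT:", release_sections(ENVELOPE, "billing_clerk", "PAYMENT", RECEIVER_PIP))
```

The point the deck makes about metadata leakage is the `leaks_sensitivity` check: the envelope carries only section titles and a level (M, R, L, V), so a receiver that is not entitled to the Problem section learns that it is very restricted but not which organizational policy made it so. On the receiving side, R is the only code that forces a lookup of the subject's consent directive before release, which is why the Medication section drops out when `consent_directive_checked` is false.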
Proposed Refactoring
Next Steps – Prepare Harmonization Proposal
Upcoming Harmonization Meetings
Harmonization Conference Call: Nov 15, 2011 to Nov 18, 2011
Templates and Examples: Download Harmonization Proposal Template/Example
Initial Proposals: Submissions due 10/16/2011, midnight Eastern
Final Proposals: Submissions due 11/06/2011, midnight Eastern
View/Upload Proposals
Policy and Procedural Excerpts
Harmonization Process Overview
<http://www.hl7.org/events/harmonization/index.cfm>
Annex
Compares Current and Proposed Vocabulary; Provides Glossary of Terms
Current Definition of Confidentiality
Description: Values that control disclosure of information.
Example: Normal, restricted, substance abuse related.
New Definition of Confidentiality
Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO 7498-2:1989]
Description: The codes in the Confidentiality code system are values that prevent the unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
The confidentiality code assigned by an information sender (per policies intended by the custodian) that convey receiver obligation to ensure that the information is not made available or redisclosed to unauthorized individuals, entities, or processes (security principals).
The receiver may only grant authorized principals access to the minimum necessary information for the purpose of use intended by the sender. The receiver must grant principals permission to perform approved operations on the information object.
Confidentiality Code System Definition
Proposed & Current Confidentiality Code Definitions
Lvl Code Print Name: Proposed Definition / Current Definition
.U unrestricted
Proposed: Metadata indicating that there are no receiver responsibilities to comply with sender’s information policy.
Current: N/A - New Code
1-L .L low
Proposed: Metadata indicating the receiver responsibility to comply with sender’s de-identified information policy specifying authorized principals, permissions, and purpose of use.
Current: No patient record item can be of low confidentiality. However, some service objects are not patient related and therefore may have low confidentiality.
1-L .M moderate
Proposed: Metadata indicating the receiver responsibility to comply with an information subject’s authorization to disclose agreement specifying authorized principals, permissions, and purpose of use.
Current: Normal confidentiality rules (according to good health care practice) apply, that is, only authorized individuals with a legitimate medical or business need may access this item.
1-L .N normal
Proposed: Metadata indicating the receiver responsibility to comply with sender’s applicable jurisdictional privacy policy specifying authorized principals, permissions, and purpose of use.
Current: N/A - New Code
1-L .R restricted
Proposed: Metadata indicating the receiver responsibility to access and comply with information subject’s consent directives, default consent rules, or a sender’s organizational privacy policies that are more stringent than jurisdictional privacy policies, which specify restrictions on authorized principals, permissions, and purpose of use. May be preempted by jurisdictional law, e.g., for public health reporting or emergency treatment.
Current: Restricted access, e.g. only to providers having a current care relationship to the patient.
1-L .V very restricted
Proposed: Metadata indicating the receiver responsibility to comply with sender’s or other authority’s policy for highly sensitive information, which specify restrictions on authorized principals, permissions, and purpose of use.
Current: Very restricted access as declared by the Privacy Officer of the record holder.
Glossary (Term: Definition)
Access Control: A system that enables an authority to control access to resources based on criteria related to role, user identification, or context.
Confidentiality: ISO 7498-2:1989 - Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Disclosure Authorization: An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
Description: An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization. [US government definition at HHS]
DURSA: Data Use and Reciprocal Support Agreement (DURSA) is a multiparty legal agreement (contract) designed for lawful and secure information exchange using a set of interoperability standards and specifications within a policy domain.
Jurisdictional Law: Includes statutes, regulations, case law, and judicial authority.
Metadata: Data about data content. Does not include data about how data is stored.
Obligations: The rules for Custodians that collect, access, use or disclose protected information, which may be conveyed by a License such as an encoded privacy law, organizational privacy policy, DURSA, privacy consent directive, or disclosure authorization.
Privacy: The state of being something that belongs to, concerns, or is accessible only to an individual person or a specific group.
Privacy Consent Directive: A consent directive is a record of a healthcare consumer’s privacy policy, which is in accordance with governing jurisdictional and organization privacy policies that grant or withhold consent:
• To one or more identified entities in a defined role
• To perform one or more operations (e.g., collect, access, use, disclose, amend, or delete)
• On an instance or type of IIHI
• For a purpose such as treatment, payment, operations, research, public health, quality measures, health status evaluation by third parties, or marketing
• Under certain conditions, e.g., when unconscious
• For a specified time period, e.g., effective and expiration dates
• In a certain context, e.g., in an emergency
A consent directive is an instance of governing jurisdictional and organization privacy policies, which may or may not be backed up by a signed document (paper or electronic). [HITSP TP 30]
Privacy Policy: The set of policies that an organization or party uses to collect or hide information about an end user or customer of the organization, particularly where it concerns private information.
Responsibilities: The information handling rules for Senders and Receivers for transmission of protected information, as conveyed by Confidentiality Codes.
Sensitivity: ISO 7498-2:1989 - Sensitivity is the characteristic of a resource which implies its value or importance and may include its vulnerability
Trust Agreements: There are two categories of trust agreements: Point-to-Point agreements and the multi-party Data Use and Reciprocal Support Agreement (DURSA)