ONC Update on Privacy and Security Activities
The National HIPAA Summit March 10, 2011
Joy Pritts, JD
Chief Privacy Officer
Chief Privacy Officer
• Position created in HITECH/ARRA
• Duties: Advise the National Coordinator on privacy, security, and data stewardship of electronic health information and to coordinate with other Federal agencies. . . with State and regional efforts, and with foreign countries with regard to the privacy, security, and data stewardship of electronic individually identifiable health information.
ONC Privacy and Security Initiatives
• Consult with private and public stakeholders to evaluate and develop privacy and security policy
– Federal advisory and other committees, which make recommendations to ONC and Secretary
• Incorporate initiatives and learn from ONC programs
• Coordinate approaches with other federal agencies
• Conduct research
President's Council of Advisors on Science and Technology (PCAST)
• Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward, available at:
http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf
• Released December 8, 2010
PCAST: Report Recommendations
• "Universal Exchange Language" to facilitate interoperability
• Modular, separable data elements (v. document approach)
• Metadata tags for each data element containing
– provenance and attributes of data
– privacy controls specified by the patient
PCAST: Report Recommendations
• Search engine technology able to index data elements based on metadata. Results would reflect:
– Patient consent preferences and
– Access rights of the authenticated user.
• De-identified data searchable by metadata tags for
– Population health
– Research
– Other purposes
PCAST: Follow Up
• ONC issued RFI to solicit public comment on implications on current and future ONC work
• Created PCAST workgroup within HIT Policy Committee
– Charge: Synthesize and analyze public comments and input into the PCAST Report relative to implications on current and future ONC work
– Coordinating with P&S Tiger Team which is reviewing its past recommendations in light of PCAST
HITPC: First P & S Recommendations
• Core requirements
– Establish trust
– Preserve patient-provider relationship
– All who engage in HIE should be required to comply with fair information practices
• Consent to share health information through an electronic HIE
• Data Segmentation
HIT Policy Committee: Data segmentation recommendations follow up
• ONC is funding project with respect to enabling some more granular choice for sharing patient information in order to electronically implement existing law
• Focus is on behavioral health
• Working closely with SAMHSA
HITPC: Recommendations on Provider Authentication
• Submitted to ONC late November, 2010
• Addressed authentication at the “organizational” level
• All entities involved in health data exchange should be required to have digital certificates
• Credentialing organizations/certificate issuers should rely on existing criteria and processes when applicable – e.g., NPI
HITPC: Recommendations on Provider Authentication
• EHR certification should include criteria that test capabilities to retrieve, validate, use, and revoke digital certificates that comply with standards
HITPC: Recommendations on Provider Authentication
• Multiple credentialing entities should be available
• ONC should establish program to “accredit” such credentialing entities
• Leverage existing processes such as the Federal Bridge
HITPC: Recommendations on Provider Authentication
• Standards Committee should select or specify standards for digital certificates (including data fields) in order to promote interoperability among health care organizations.
• HITSC Privacy and Security Workgroup has been assigned this task
HITPC: Patient Information Matching Recommendations
• Tiger Team hearing in December 2010
• Recommendations accepted by HITPC and submitted to ONC February 2011
HITPC: Patient Information Matching Recommendations
• Address quality of data collection at source as a starting point
• Standardized formats for demographic data fields
• Develop, promote and disseminate best practices
• Support the role of the individual/patient
• Others
HIT Policy Committee P&S Tiger Team
Currently addressing:
• Provider authentication (human user level)
• What level of assurance is appropriate under what circumstances?
Nationwide Health Information Network (NW-HIN) Governance
• HITECH Charge: National Coordinator shall establish a governance mechanism for the nationwide health information network.
• Privacy and security are factors for establishing trust
• HITPC Governance Workgroup
• ONC received preliminary recommendations from HITPC on governance in December 2010
HITPC: NW-HIN Governance Recommendations
• “Preferred” approach
– Energy star
• Federal support within strong incentives to adopt
• Conditions of trust and interoperability
– ONC should establish initial conditions and set process for adding or modifying conditions
– Flexible for innovation and adaption
HITPC: NW-HIN Governance Recommendations
• Validation mechanism to verify that conditions are satisfied
– Leverage existing methods, processes and entities
• ONC should oversee NW-HIN governance and assure accountability
ONC Activity
• Committed to acting on recommendations
– Accept
– Reject
– Modify
ONC Involvement in Other HHS Privacy and Security Initiatives
Patient Protection and Affordable Care Act (ACA)
• Improve patient access to quality care
– No denial of coverage for pre-existing conditions
– Limits on higher rates due to health status, gender
– Private insurance through health benefit (insurance) exchanges
– May reduce concern about privacy
ACA: Need for Data
• Coordinate Care
– Medical Homes
– Accountable care organizations
• No denial of coverage for pre-existing conditions
• Receive bonuses when providers keep costs down and meet specific quality benchmarks
• Health benefit exchanges
– Verification of eligibility
• Present some privacy and security issues
Other Federal Initiatives
• Federal HIT Taskforce
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
– Individual ID proofing
• National Science and Technology Council (NSTC)
– Cabinet-level council for coordinating science and technology policies across the Executive Branch
Other Federal Initiatives
• NSTC-Internet Privacy Policy Taskforce
– Led by Commerce and Justice Departments
– Green paper: Commercial Data Privacy and Innovation in the Internet
– Carves out those covered by other sector-specific laws (e.g., HIPAA)
– Fair Information Practices for all who transmit identifiable information over the internet
– Voluntary, enforceable industry standards
Protecting Privacy and Security in HIT and HIE
A continuously evolving landscape
The End