privacy and security tiger team - august 19 2010

HIT Policy Committee, Privacy and Security Tiger Team. Deven McGraw, Chair; Paul Egerman, Co-Chair. August 19, 2010

Upload: rich-elmore

Post on 29-May-2018


Page 1: Privacy and Security Tiger Team - August 19 2010

8/9/2019 Privacy and Security Tiger Team - August 19 2010

http://slidepdf.com/reader/full/privacy-and-security-tiger-team-august-19-2010 1/26

HIT Policy Committee
Privacy and Security Tiger Team

Deven McGraw, Chair
Paul Egerman, Co-Chair

August 19, 2010

Page 2: Privacy and Security Tiger Team - August 19 2010

Tiger Team Members

Deven McGraw, Chair, Center for Democracy & Technology
Paul Egerman, Co-Chair
Dixie Baker, SAIC
Christine Bechtel, National Partnership for Women & Families
Rachel Block, NYS Department of Health
Carol Diamond, Markle Foundation
Judy Faulkner, EPIC Systems Corp.
Gayle Harrell, Consumer Representative/Florida
John Houston, University of Pittsburgh Medical Center; NCVHS
David Lansky, Pacific Business Group on Health
David McCallie, Cerner Corp.
Wes Rishel, Gartner
Latanya Sweeney, Carnegie Mellon University
Micky Tripathi, Massachusetts eHealth Collaborative

Adam Greene, Office of Civil Rights
Joy Pritts, ONC
Judy Sparrow, ONC

Page 3: Privacy and Security Tiger Team - August 19 2010

Agenda – Review Recommendation Letter with focus on items not previously presented to Policy Committee

Tiger Team's Scope

Core Recommendation

Core Values

Triggers and Meaningful Consent

Granular Consent

Conclusions

Page 4: Privacy and Security Tiger Team - August 19 2010

Framing: Scope

Recommendations apply to electronic exchange of patient identifiable health information among known entities to meet Stage 1 of Meaningful Use (MU)

Health Information Exchange:

Treatment and Coordination of Care

Quality Reporting

Claims and Payment Processing

Research

Patient Access

Public Health Reporting

Note: Patient Access, Research and Claims and Payment Processing are not in scope for this initial discussion.

Page 5: Privacy and Security Tiger Team - August 19 2010


Scope: Specific Issues/Questions Addressed

1. Use of intermediaries or third party service providers in identifiable health information exchange;

2. Trust framework to allow exchange among providers for purpose of treating patients;

3. Ability of the patient to consent to participation in identifiable health information exchange at a general level (i.e., yes or no), and how consent should be implemented;

4. The ability of technology to support more granular patient consents (i.e., authorizing exchange of specific pieces of information while excluding other records); and

5. Additional recommendations with respect to exchange for Stage I of Meaningful Use – treatment, quality reporting, and public health reporting.

Page 6: Privacy and Security Tiger Team - August 19 2010

Core Tiger Team Recommendation

All entities involved in health information exchange – including providers (individual and institutional) and third party service providers like Health Information Organizations (HIOs) and other intermediaries – should follow the full complement of fair information practices (FIPs) when handling personally identifiable health information.

– Each set of recommendations is mapped to applicable fair information practice principle(s)

Formulation of FIPs comes from ONC's Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (adopted by Policy Committee in Strategic Framework).

Page 7: Privacy and Security Tiger Team - August 19 2010

Core Values

The relationship between the patient and his or her health care provider is the foundation for trust in health information exchange, particularly with respect to protecting the confidentiality of personal health information.

As key agents of trust for patients, providers are responsible for maintaining the privacy and security of their patients' records.

We must consider patient needs and expectations. Patients should not be surprised about or harmed by collections, uses, or disclosures of their information.

Ultimately, to be successful in the use of health information exchange to improve health and health care, we need to earn the trust of both consumers and physicians.

Page 8: Privacy and Security Tiger Team - August 19 2010

Recommendations 1 and 2

1. Use of intermediaries or third party service providers in identifiable health information exchange;

2. Trust framework to allow exchange among providers for purpose of treating patients;

Recommendations previously presented and included in Appendix.

Page 9: Privacy and Security Tiger Team - August 19 2010

3.1 Consent and Directed Exchange

Recommendation 3.1 on page 9

Assuming that FIPs are followed, directed exchange for treatment does not require patient consent beyond what is required in current law or what has been customary practice

Not intended to change patient-provider relationship or importance of provider exercising judgment on the patient's behalf

The same considerations and customary practices that apply to paper or fax exchange apply to directed electronic exchange

Page 10: Privacy and Security Tiger Team - August 19 2010

3.2 Trigger when ONC Should Require Additional Consent

When the decision to disclose or exchange the patient's identifiable health information from the provider's record is not in the control of the provider or that provider's organized health care arrangement ("OHCA"), patients should be able to exercise meaningful consent to their participation.

ONC should promote this policy through all of its levers.

Letter Pages 10 and 11

Page 11: Privacy and Security Tiger Team - August 19 2010

3.2 Trigger when ONC Should Require Additional Consent

Examples:

– A centralized HIO model, which retains identifiable patient data and makes that information available to other parties.

– A federated HIO model, which exercises control over the ability to access individual patient data.

– Information is aggregated outside the auspices of the provider or OHCA and comingled with information about the patient from other sources.

Page 12: Privacy and Security Tiger Team - August 19 2010

Trigger when ONC Should Require Additional Consent (cont.)

- The patient must be provided with an opportunity to give meaningful consent before the provider releases control over exchange decisions.

- If the patient does not consent to participate in an HIO model that "triggers" consent, the provider should, alternatively, exchange information through directed exchange.

- There are some HIOs that offer multiple services. The provider may still contract with an HIO to facilitate directed exchange as long as the arrangement meets the requirements of recommendation 1 of this letter.

Page 13: Privacy and Security Tiger Team - August 19 2010

3.3 Meaningful Consent Attributes

– Advanced knowledge/time
– Not compelled, or used for discriminatory purposes
– Full transparency and education.
– Commensurate with Circumstances
– Consistent with Patient Expectations
– Revocable

Details in Appendix

Page 14: Privacy and Security Tiger Team - August 19 2010

3.4 Consent Implementation Guidance

The provider has the responsibility to educate and discuss with patients how their information is shared.

The federal government, as well as regional extension centers and HIOs, also have responsibilities to educate the public and should provide resources to providers.

Providers should obtain and keep track of patient consent but they may delegate consent management/administrative functions to a third party (such as an HIO), with appropriate oversight.

Page 15: Privacy and Security Tiger Team - August 19 2010

3.5 Provider Consent to Participate in Exchange

Should providers have a choice about participating in exchange models?

Yes!

Letter Page 13

Page 16: Privacy and Security Tiger Team - August 19 2010

4. Ability of Technology to Support More Granular Patient Consent

June 29 Technology Hearing (June 29) (pages 14-17)

Reviewed NCVHS recommendations

Co-chairs of NCVHS confidentiality and privacy workgroup made presentation

Page 17: Privacy and Security Tiger Team - August 19 2010

Ability of Technology to Support More Granular Patient Consent – Recommendation 4

Promising Technology but in the early stages of development and adoption.

Furthering experience and stimulating innovation for granular consent are needed.

This is an area that should be a priority for ONC to explore further.

Page 18: Privacy and Security Tiger Team - August 19 2010

Ability of Technology to Support More Granular Patient Consent – Recommendation 4 (cont.)

Important that ONC find evidence (such as through pilots) for successful models and not rely on theoretical possibilities.

In the interim, patient education is paramount: Realistic expectations about privacy need to be established.

Page 19: Privacy and Security Tiger Team - August 19 2010

Question 5: Additional Recommendations

1. Use of intermediaries or third party service providers in identifiable health information exchange;

2. Trust framework to allow exchange among providers for purpose of treating patients;

3. Ability of the patient to consent to participation in identifiable health information exchange at a general level (i.e., yes or no), and how consent should be implemented;

4. The ability of technology to support more granular patient consents (i.e., authorizing exchange of specific pieces of information while excluding other records); and

5. Additional recommendations with respect to exchange for Stage I of Meaningful Use – treatment, quality reporting, and public health reporting.

Recommendation #5 was previously presented and is included in Appendix.

Page 20: Privacy and Security Tiger Team - August 19 2010

Conclusion

Recommendations were targeted to address a set of questions raised by ONC; they are not the definitive or final word on privacy and security and health IT/health information exchange.

More work is necessary – only a systemic and comprehensive approach to privacy and security can achieve public confidence.

Among the issues needing further work: exchange beyond Stage 1, provider credentialing assurance levels, individual access, transparency, security safeguards, and de-identified data.

Page 21: Privacy and Security Tiger Team - August 19 2010

Appendix

Page 22: Privacy and Security Tiger Team - August 19 2010

1. Use of "Third Party Service Organizations"

Recommendation 1 on page 6 of the letter

Third party service organizations should not collect, use or disclose identifiable health information for any purpose other than to provide the services specified in the business associate or service agreement and any necessary administrative functions.

Such information should be retained only for as long as reasonably necessary. Retention policies must be disclosed. After retention period, information must be securely returned or destroyed.

Require transparency also for uses of de-identified data.

BAA provides accountability – but not sufficient governance to build/maintain public trust

Page 23: Privacy and Security Tiger Team - August 19 2010

2. Trust Framework for Exchange Among Providers

Recommendation 2 on pages 7-9 (top)

Providers "hold the trust" – but may delegate functions such as issuing digital credentials or verifying provider identity, as long as delegation maintains this trust.

Federal government should establish acceptable level of accuracy and establish and enforce clear credentialing requirements; state governments can provide additional rules if necessary

Providers should also attest to relationship with the patient who is the subject of the information, and all who exchange identifiable health information should be required to comply with applicable law and policies (enforced through law and ONC policy levers)

Page 24: Privacy and Security Tiger Team - August 19 2010

3.3 Meaningful Consent Guidance When Trigger Applies

Recommendation 3.3 on page 12

Such consent must be meaningful in that it:

– Allows the individual advanced knowledge/time to make a decision. (E.g., outside of the urgent need for care.)

– Is not compelled, or is not used for discriminatory purposes. (E.g., consent to participate in a centralized HIO model or a federated HIO model is not a condition of receiving necessary medical services.)

– Provides full transparency and education. (I.e., the individual gets a clear explanation of the choice and its consequences, in consumer-friendly language that is conspicuous at the decision-making moment.)

Page 25: Privacy and Security Tiger Team - August 19 2010

Meaningful Consent Guidance (cont.)

– Is commensurate with the circumstances. (I.e., the more sensitive, personally exposing, or inscrutable the activity, the more specific the consent mechanism. Activities that depart significantly from patient reasonable expectations require greater degree of education, time to make decision, opportunity to discuss with provider, etc.)

– Must be consistent with reasonable patient expectations for privacy, health, and safety; and

– Must be revocable. (I.e., patients should have the ability to change their consent preferences at any time. It should be clearly explained whether such changes can apply retroactively to data copies already exchanged, or whether they apply only "going forward.")

Page 26: Privacy and Security Tiger Team - August 19 2010

5. Additional Recommendations re: Stage 1 of Meaningful Use

Recommendation 5 on pages 17-18

Exchange of identifiable health information for treatment should be for treatment of the individual who is the subject of the information, unless the provider has the consent of that individual to use his/her information to treat others (note: further work needed to ensure appropriate care of infants and children)

Public Health and Quality reporting should take place using the least amount of identifiable information necessary, unless law requires disclosure of identifiers

Provider is responsible for public health and quality disclosures, but may delegate to an HIO pursuant to a business associate agreement.
