HIT Standards Committee Privacy and Security Workgroup: Privacy and Security Workgroup: Update Dixie Baker, SAIC Steve Findlay, Consumers Union March 24,


1 HIT Standards Committee Privacy and Security Workgroup
Privacy and Security Workgroup: Update
Dixie Baker, SAIC
Steve Findlay, Consumers Union
March 24, 2009

2 Privacy and Security Workgroup Members
- Dixie Baker, SAIC
- Anne Castro, BlueCross BlueShield of South Carolina
- Aneesh Chopra, Federal Chief Technology Officer
- Ed Larsen, HITSP
- David McCallie, Cerner Corporation
- John Moehrke, HITSP
- Steve Findlay, Consumers Union
- Gina Perez, Delaware Health Information Network
- Wes Rishel, Gartner
- Walter Suarez, Kaiser Permanente
- Sharon Terry, Genetic Alliance

3 Progress
- Updated IFR Review to incorporate comments from the HIT Standards Committee – submitted to HITSC Chairs
- Supporting HIT Policy Committee’s Privacy and Security Policy Workgroup, and aligning our standards efforts to their priorities
  – Consent management
  – Review of existing security policy inherent in HIPAA Security Rule
- Launching educational sessions on standards activities around consent management

4 Consumer Health Permissions
- Privacy Consent (or Consent Directive) – Consumer’s written or verbal permission to collect, use, and/or disclose individually identifiable health information (IIHI)
- Privacy Authorization – A signed, written document that contains all of the elements required by the HIPAA Privacy Rule and that gives a covered entity permission to use or disclose specified IIHI for specified purposes
- Informed Consent – Consumer’s written permission to perform a specific medical procedure, or to participate in a specific research study or clinical trial, that is given only after the consumer has been fully informed of the purposes, risks, benefits, confidentiality protections, and other relevant aspects of the activity

5 Consent Management Today
- Consumer permissions captured as manual signature on paper form
- Paper forms filed in each organization that holds consumer’s private health information
[Diagram label: Consent/Authorization]

6 Consent Management Tomorrow
- Rules inexorably tied to information exchanged – updates propagated to all data instances throughout life cycle
- Permissions cross-validated & translated into consent rules enforced by security access control mechanisms
- Permissions and updates captured as part of health record
- Permissions interpretable by humans & computers
- Consumer digitally signs consent or authorization
[Diagram labels: Consent/Authorization; Chris’ EHR; Consent Rule 1, Consent Rule 2, ... Consent Rule n]

7 Standards Needed
- Digital signatures
- Privacy policies
- Data model & schema
- Permission syntax & vocabulary
- Cross-validation of consumer permissions
- Maintaining and retrieving permissions
- Translating permissions into access-control rules
- Enforcement and auditing of permission-related activities
- Exchanging permissions & access rules
- Propagating permission revocations & modifications
[Diagram labels: Consent/Authorization; Chris’ EHR; Consent Rule 1, Consent Rule 2, ... Consent Rule n]

8 Educational Sessions re Standardization Efforts Relating to Consent Management
- April 1, 2:00-4:00pm ET: Organization for the Advancement of Structured Information Standards (OASIS) / International Security Trust and Privacy Alliance (ISTPA) Privacy Management Reference Model (PMRM); Speakers – John Sabo, Michael Willett
- April 23, 2:00-4:00pm ET: Integrating the Healthcare Enterprise (IHE) Basic Patient Privacy Consents (BPPC) Profile; Speaker – John Moehrke
- [Schedule TBD]: Health Level 7 (HL7) Version 3 Domain Analysis Model: Medical Records; Composite Privacy Consent Directive – Speaker (TBD)
- [Schedule TBD]: OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) and eXtensible Access Control Markup Language (XACML) – Speaker (TBD)

