Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013

Tiger Team Charge The Tiger Team is charged with making short-term and long-term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and electronic HIE, and enable their appropriate use to improve healthcare quality and efficiency, particularly as related to ARRA and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security. 2

Topics Covered Stage 2 of Meaningful Use (specifically, policies related to the view/download/transmit functionality) Patient’s right to request an amendment to information in an EHR Improving accuracy in patient matching Consent 3

View/Download/Transmit Transparency (transmittal letter of August 16, 2011) –Providers participating in the Meaningful Use program should offer patients clear and simple guidance regarding use of view and download (short notice with links to more information) –Patients should be prompted to confirm that they want to complete a download or transmit transaction (at least initially – could give patients the capability to turn this off) –Markle Common Framework and MyHealtheVet Blue Button provide good models –Did not ask for this to be in certification for CEHRT – Tiger Team members did not want a rigid, one-size-fits all approach to this (wanted to give providers some flexibility) 4

View/Download/Transmit Security (transmittal letter of April 18, 2011) –Eligible Providers & Hospitals should deploy audit trails for the patient’s portal and at least be able to provide these to patients on request (will need to be part of certification). –Patient portals should include mechanisms to ensure information can be securely downloaded to a third party authorized by patients. –Certified EHRs should include a capability to detect and block programmatic attacks or attacks from a known but unauthorized persons (such as through auto lock-out after a number of unsuccessful log-in attempts). 5

View/Download/Transmit Data Integrity (transmittal letter of April 18, 2011) –Patient portals should include appropriate provisions for data provenance, which is accessible to the user, when the user accesses the data and included with the information upon download and transmit Further discussion needed to flesh out the details (for example, what information is needed to be included in provenance both for access and download/transmit; balancing accessibility with user interface issues). 6

View/Download/Transmit Identity proofing/authentication (approved by HIT PC on January 8, 2012; follow up to initial recommendations in transmittal letter of April 18, 2011) –ONC should develop & disseminate best practices for identity proofing and authentication for patient access to portals. –Such best practices should follow some key principles, including that protections be commensurate with risk and solutions be easy for patients and consumers (be consistent with what they are willing to do and not set the bar too high) –Best practices should evolve over time in response to innovation (and potential solutions developed as part of the NSTIC multistakeholder process) 7

View/Download/Transmit Identity proofing/authentication (transmittal letter of May 3, 2013; update to initial recommendations in transmittal letter of April 18, 2011) –Providers can ID proof in person but should also offer a remote solution (such as knowledge-based authentication, done in- house or using outside service). Remote ID proofing could be combined with out-of-band confirmation. –Providers should be strongly encouraged to use more than user ID and password to authenticate – but not something too burdensome for consumers to use (not NIST level of assurance 3, but more like “2.5,” similar to what is customarily used in on-line banking). Also disseminate best practices in password management. –Re: patient use of DIRECT, patient should provide DIRECT address to provider; no need for additional requirements on patients 8

Patient’s Right to Request an Amendment Followed right in HIPAA Privacy Rule (45 CFR ): –Patients can request (from the source) an amendment or to append information indicating a dispute about information in the record. If amendment made, providers must make reasonable efforts to inform & provide amendment to persons (including BAs) that the provider knows received the information and may rely on on it to the patient’s detriment). A provider who receives an amendment from another provider must make the change. 9

Patient’s Right to Request an Amendment* Certified EHR Technology should have capability in MU Stage 2 to support patient-requested amendments to health information per HIPAA. Specifically the systems should make it technically possible for providers to: –Make amendments to a patient’s health information in a way that is consistent with the entity’s obligations with respect to the legal medical record (i.e., there should be the ability to access/view the original data and to identify any changes to it). –Append information from the patient in the event of a dispute and any rebuttal from the entity regarding disputed data. CEHRT should have the ability by MU Stage 3 to transmit patient-requested amendments, updates or appended information to other providers to whom the data in question has been previously transmitted. * Transmittal letter of July 25,

Improving Accuracy in Patient Matching* Recommendations arose out of public hearing that took place in December Addressing this requires a comprehensive solution, involving both humans and technology (not an issue fixed by a number) Data fields commonly used in matching should be standardized Providers & HIEs should internally evaluate and seek to improve matching accuracy ONC should develop, promote and disseminate best practices Patients can and should be allowed to play a role in improving data quality * Transmittal letter of February 8,

Consent* Based on principle that clinician/physician-patient relationship is locus of trust in health information exchange, and that patients should not be surprised to learn where their information is disclosed. Patients should have meaningful choice re: whether their information is shared in exchange arrangements where their providers/IDSs no longer control decisions over whether their information is disclosed. Meaningful choice include the opportunity to make the choice in advance, with full transparency of risks and benefits ONC should study/pilot technology approaches to enable patients to make more granular choices *Transmittal letter of August 19,