Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013.

Published byRudolph Griffith Modified over 8 years ago

Similar presentations

Presentation on theme: "Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013."— Presentation transcript:

1 Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013

2 Tiger Team Charge The Tiger Team is charged with making short-term and long-term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and electronic HIE, and enable their appropriate use to improve healthcare quality and efficiency, particularly as related to ARRA and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security. 2

3 Topics Covered Stage 2 of Meaningful Use (specifically, policies related to the view/download/transmit functionality) Patient’s right to request an amendment to information in an EHR Improving accuracy in patient matching Consent 3

4 View/Download/Transmit Transparency (transmittal letter of August 16, 2011) –Providers participating in the Meaningful Use program should offer patients clear and simple guidance regarding use of view and download (short notice with links to more information) –Patients should be prompted to confirm that they want to complete a download or transmit transaction (at least initially – could give patients the capability to turn this off) –Markle Common Framework and MyHealtheVet Blue Button provide good models –Did not ask for this to be in certification for CEHRT – Tiger Team members did not want a rigid, one-size-fits all approach to this (wanted to give providers some flexibility) 4

5 View/Download/Transmit Security (transmittal letter of April 18, 2011) –Eligible Providers & Hospitals should deploy audit trails for the patient’s portal and at least be able to provide these to patients on request (will need to be part of certification). –Patient portals should include mechanisms to ensure information can be securely downloaded to a third party authorized by patients. –Certified EHRs should include a capability to detect and block programmatic attacks or attacks from a known but unauthorized persons (such as through auto lock-out after a number of unsuccessful log-in attempts). 5

6 View/Download/Transmit Data Integrity (transmittal letter of April 18, 2011) –Patient portals should include appropriate provisions for data provenance, which is accessible to the user, when the user accesses the data and included with the information upon download and transmit Further discussion needed to flesh out the details (for example, what information is needed to be included in provenance both for access and download/transmit; balancing accessibility with user interface issues). 6

7 View/Download/Transmit Identity proofing/authentication (approved by HIT PC on January 8, 2012; follow up to initial recommendations in transmittal letter of April 18, 2011) –ONC should develop & disseminate best practices for identity proofing and authentication for patient access to portals. –Such best practices should follow some key principles, including that protections be commensurate with risk and solutions be easy for patients and consumers (be consistent with what they are willing to do and not set the bar too high) –Best practices should evolve over time in response to innovation (and potential solutions developed as part of the NSTIC multistakeholder process) 7

8 View/Download/Transmit Identity proofing/authentication (transmittal letter of May 3, 2013; update to initial recommendations in transmittal letter of April 18, 2011) –Providers can ID proof in person but should also offer a remote solution (such as knowledge-based authentication, done in- house or using outside service). Remote ID proofing could be combined with out-of-band confirmation. –Providers should be strongly encouraged to use more than user ID and password to authenticate – but not something too burdensome for consumers to use (not NIST level of assurance 3, but more like “2.5,” similar to what is customarily used in on-line banking). Also disseminate best practices in password management. –Re: patient use of DIRECT, patient should provide DIRECT address to provider; no need for additional requirements on patients 8

9 Patient’s Right to Request an Amendment Followed right in HIPAA Privacy Rule (45 CFR 164.526): –Patients can request (from the source) an amendment or to append information indicating a dispute about information in the record. If amendment made, providers must make reasonable efforts to inform & provide amendment to persons (including BAs) that the provider knows received the information and may rely on on it to the patient’s detriment). A provider who receives an amendment from another provider must make the change. 9

10 Patient’s Right to Request an Amendment* Certified EHR Technology should have capability in MU Stage 2 to support patient-requested amendments to health information per HIPAA. Specifically the systems should make it technically possible for providers to: –Make amendments to a patient’s health information in a way that is consistent with the entity’s obligations with respect to the legal medical record (i.e., there should be the ability to access/view the original data and to identify any changes to it). –Append information from the patient in the event of a dispute and any rebuttal from the entity regarding disputed data. CEHRT should have the ability by MU Stage 3 to transmit patient-requested amendments, updates or appended information to other providers to whom the data in question has been previously transmitted. * Transmittal letter of July 25, 2011 10

11 Improving Accuracy in Patient Matching* Recommendations arose out of public hearing that took place in December 2010. Addressing this requires a comprehensive solution, involving both humans and technology (not an issue fixed by a number) Data fields commonly used in matching should be standardized Providers & HIEs should internally evaluate and seek to improve matching accuracy ONC should develop, promote and disseminate best practices Patients can and should be allowed to play a role in improving data quality * Transmittal letter of February 8, 2011 11

12 Consent* Based on principle that clinician/physician-patient relationship is locus of trust in health information exchange, and that patients should not be surprised to learn where their information is disclosed. Patients should have meaningful choice re: whether their information is shared in exchange arrangements where their providers/IDSs no longer control decisions over whether their information is disclosed. Meaningful choice include the opportunity to make the choice in advance, with full transparency of risks and benefits ONC should study/pilot technology approaches to enable patients to make more granular choices *Transmittal letter of August 19, 2010 12

Download ppt "Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013."

Similar presentations

A Plan for a Sustainable Community Behavioral Health Information Network Western States Health-e Connection Summit & Trade Show September 10, 2013.

A Plan for a Sustainable Community Behavioral Health Information Network Western States Health-e Connection Summit & Trade Show September 10, 2013.
Quality Measures Vendor Tiger Team January 30, 2014.

Quality Measures Vendor Tiger Team January 30, 2014.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.

NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.
Www.DirectTrust.org 1101 Connecticut Ave NW, Washington, DC 20036 Understanding Patient Engagement in Stage 2 MU: Direct, HIPAA, VDT, and Patient Engagement.

Connecticut Ave NW, Washington, DC Understanding Patient Engagement in Stage 2 MU: Direct, HIPAA, VDT, and Patient Engagement.
Privacy & Security Tiger Team: Accounting of Disclosures Recommendations November 18, 2013 Office of the National Coordinator for Health Information Technology.

Privacy & Security Tiger Team: Accounting of Disclosures Recommendations November 18, 2013 Office of the National Coordinator for Health Information Technology.
Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.

Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.
Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.
Cross Sector Digital Identity Initiative March 12, 2014 Hearing on the National Strategy for Trusted Identities in Cyberspace (NSTIC) Cross Sector Digital.

Cross Sector Digital Identity Initiative March 12, 2014 Hearing on the National Strategy for Trusted Identities in Cyberspace (NSTIC) Cross Sector Digital.
1 Privacy and Security Tiger Team Meeting Discussion Materials Topics Patient Authentication Hearing Questions for RFC on Meaningful Use Stage 3 October.

1 Privacy and Security Tiger Team Meeting Discussion Materials Topics Patient Authentication Hearing Questions for RFC on Meaningful Use Stage 3 October.
Notice of Proposed Rulemaking (NPRM) Comments Privacy and Security Workgroup Deven McGraw, chair Stan Crosley, co-chair April 27, 2015.

Notice of Proposed Rulemaking (NPRM) Comments Privacy and Security Workgroup Deven McGraw, chair Stan Crosley, co-chair April 27, 2015.
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
HITSP – enabling healthcare interoperability 1 enabling healthcare interoperability 1 Standards Harmonization HITSP’s efforts to address HIT-related provisions.

HITSP – enabling healthcare interoperability 1 enabling healthcare interoperability 1 Standards Harmonization HITSP’s efforts to address HIT-related provisions.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Informed Consent and HIPAA Tim Noe Coordinating Center.

Informed Consent and HIPAA Tim Noe Coordinating Center.
HIT Policy Committee Accountable Care Workgroup – Kickoff Meeting May 17, 2013 1:00 – 2:00 PM Eastern.

HIT Policy Committee Accountable Care Workgroup – Kickoff Meeting May 17, :00 – 2:00 PM Eastern.
Privacy and Security Tiger Team Comparison of Stage 2 Proposed Rules w/Health IT Policy Committee previous privacy & security recommendations Preliminary.

Privacy and Security Tiger Team Comparison of Stage 2 Proposed Rules w/Health IT Policy Committee previous privacy & security recommendations Preliminary.
Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 20,

Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 20,
HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair August 3, 2011 1.

HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair August 3,

Similar presentations

Ads by Google