
Presentation Transcript


  1. Date: July 27, 2010 Time: 1:30 pm – 3:30 pm Location: NC Hospital Association 2400 Weston Parkway, Cary, NC 27513 Dial in: 1-866-922-3257 Participant Code: 654 032 36#

  2. Agenda

  3. Meeting Objectives
     • Confirm Operational Plan components related to security
     • Review legal scan of existing NC data security laws and flag those that may impact the consent model under current law (Pathway One), including discussion of how/whether identified laws should be changed under Pathway Two (i.e., assuming changes to existing NC law).
     • Identify key decisions related to Confidentiality, Integrity, and Availability of Data to be addressed in Phase 2 (post-Operational Plan submission)

  4. Meeting Schedule Revisions

  5. Proposed Operational Plan Drafting Schedule
     • July 13 Board Meeting
       • Review Operational Plan structure
       • Approve, reject or modify Workgroup recommendations
     • July 14 – August 2
       • Draft Operational Plan components by Domain, including decisions endorsed through the July 13 Board meeting.
       • Meaningful Use final rules expected in mid-July. Educational webinar for Board and all workgroups on final regs.
     • August 2 – August 6
       • Core project team and co-chair review of working draft
     • August 6
       • Workgroup final meetings prior to Operational Plan
     • August 9 – August 12
       • Updates and revisions to Operational Plan draft to include August 6
     • August 17
       • Board meeting to review July and August recommendations and preliminary Operational Plan draft
     • August 19 – August 25
       • Board and public review of revised Operational Plan draft (revisions based on direction in August 17 board meeting)
     • August 27
       • Tentative Board call
     • August 27 – August 30
       • Prepare final draft for submission to ONC by August 31
     Board Meeting / Plan Submission to ONC

  6. Operational Plan Components Related to Security

  7. Operational Plan Outline
     NC HIE Combined Strategic & Operational Plan
     • I. Introduction
       • NC HIE Initiative Background
       • Collaborative Stakeholder Process
       • Timeline and Next Steps
     • II. Strategic Plan
       • Guiding Principles by Domain
       • Vision
     • III. Operational Plan
       • Approach to Statewide HIE
       • Meaningful Use
       • A. Governance
         • Overview
         • Public/Private Partnership, Articles of Incorporation and Founding Board
         • Bylaws
         • Board Nomination Process Moving Forward
         • Authority and Involvement of the State
         • Ongoing Development of Governance and Policy Structures
         • Next Steps
       • B. Technical Infrastructure
         • Overview
         • Planned Technical Architecture
         • Planned Core Infrastructure
         • Standards
         • Technology Deployment
         • Next Steps
       • C. Business & Technical Operations
         • Overview
         • Core Services
         • Value-Add Services
         • Leveraging HIE Capacity in NC
         • Implementation Timeline
         • Next Steps
       • D. Legal & Policy
         • Overview
         • Consent, including:
           • State law scan – consent for TPO
           • Pathways 1 & 2
         • Security
           • Authorization, Authentication, Access, Audit and Breach
           • CIA – Confidentiality, Integrity, Availability
         • Next Steps

  8. E. Finance
         • Overview
         • Financial Model Methodology
         • Financial Model Key Assumptions
         • Environmental Data Collection
         • Cost and Revenue Models
         • Sustainability Planning
         • Next Steps (including Controls and Reporting)
     • IV. Coordination
       • Overview
       • Medicaid
       • ARRA Programs
       • Veterans Affairs
     • V. Development of Stakeholder Communication Plan
     • Appendices

  9. Operational Plan Guidance • Authorization
     • NC HIE Progress to Date:
       • The board adopted the recommendation that security policies and procedures (P&P) should require the use of role-based access standards, but with limitations on the number of roles and with the requirement that if someone changes position/role, role-based access must change accordingly and be verified via the audit process.
       • The subcommittee drafted a set of role-based access key principles.
     • Next Steps:
       • Present key principles to the board at the August 17 meeting.
       • Draft policy with council.

  10. Role-Based Access Key Principles
     1. The NC HIE will Establish and Implement Role-Based Access Standards
        The NC HIE will develop a policy to define a core set of user roles that encompass all anticipated user types and to define which rights (i.e., information access parameters, system functions) are permitted for each role. The policies and procedures developed will:
        • Establish categories of Authorized Users.
        • Define the purposes for which Authorized Users in those categories may access Protected Health Information via the statewide HIE.
        • Define the types of Protected Health Information that Authorized Users within such categories may access (e.g., demographic data only, clinical data).
     2. Regular Monitoring and Updating
        Access privileges must be updated to reflect changes in user roles, employment or any other applicable user event. Appropriate security measures will be taken to minimize the possibility of unauthorized access to secure data by those who are no longer authorized to have access to that information, including regular audits of whether role-based access permissions should have changed.

  11. Role-Based Access Key Principles
     3. Principles of User Access Permissions
        The NC HIE will maintain user access permission profiles to specify which system functions and protected health information may be accessed by authorized users according to the specific role classification to which they are assigned. Specific role classifications and related permissions should be directly tied to the job requirements of the authorized users. User access permission profiles are based upon two principles: first, that access to information must not be so restricted as to interfere with the quality or efficiency of patient care; and second, that access shall be sufficiently restricted to afford privacy and security to patients’ information.
     4. Role-Based Access
        At a minimum, the NC HIE must utilize the following role-based access standards to establish categories of authorized users for the purposes of accessing clinical data for treatment:
        a. Practitioner with access to clinical information and Break the Glass authority;
        b. Practitioner with access to clinical information but no Break the Glass authority;
        c. Non-Practitioner with access to clinical information;
        d. Non-Practitioner with access to non-clinical information;
        e. HIE administrators with access to non-clinical information; and
        f. Technical support administrators who may have access to large amounts of information.
        • As a matter of policy, no one Administrator should have access to all data, and oversight mechanisms must be put in place for those administrators who have access to large volumes of data.

  12. Role-Based Access Key Principles
     5. Special Policy Consideration for Disaster Situations
        The NC HIE will develop a policy that may allow for broader access to data in the event of a qualified emergency or disaster situation that requires “all hands on deck” to provide care resources.
     6. Termination of Access
        If an Authorized User no longer requires system access, if user permissions change, or if system use audits demonstrate protracted inactivity or unauthorized activity in specific user accounts, modification or termination of access privileges will be processed in the HIE as soon as possible and coordinated with the appropriate entities. This also applies to termination of access to specific types of PHI and/or system functions when the status of any user no longer requires access to specific types of information.
     7. Sanctions Should be Developed and Imposed for Violations of Role-Based Access Standards
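The role-based access principles on slides 10 to 12, expressed as a small policy-as-code check. This is an added example, not NC HIE code: the role identifiers, the data classes each role reaches, the 90-day inactivity threshold and the sample users are constructed, and "Break the Glass" is assumed to mean access outside an established treatment relationship with a recorded justification.

```python
from dataclasses import dataclass, field

CLINICAL, NON_CLINICAL = "clinical", "non_clinical"
ALL_DATA = {CLINICAL, NON_CLINICAL}

# Principle 4, categories a-f. The data classes per role are an assumption here.
ROLE_RIGHTS = {
    "practitioner_btg": ALL_DATA,                  # a: clinical + Break the Glass
    "practitioner": ALL_DATA,                      # b: clinical, no Break the Glass
    "non_practitioner_clinical": ALL_DATA,         # c
    "non_practitioner": {NON_CLINICAL},            # d
    "hie_admin": {NON_CLINICAL},                   # e
    "tech_support_admin": {NON_CLINICAL},          # f: large-volume access, audited
}
BREAK_GLASS_ROLES = {"practitioner_btg"}

def no_admin_sees_all_data() -> bool:
    # Principle 4 note: no single administrator role may reach every data class.
    return all(ROLE_RIGHTS[r] != ALL_DATA for r in ("hie_admin", "tech_support_admin"))

@dataclass
class User:
    uid: str
    role: str
    last_active_day: int = 0   # constructed day counter for the inactivity rule

@dataclass
class AccessPolicy:
    inactivity_days: int = 90  # assumed threshold; Principle 6 does not fix one
    audit: list = field(default_factory=list)

    def authorize(self, user, data, treating=True, justification=None, today=0):
        # Decide one request; every decision is written to the audit trail.
        allowed, reason = False, "ok"
        if user.role not in ROLE_RIGHTS:
            reason = "unknown_role"
        elif today - user.last_active_day > self.inactivity_days:
            reason = "inactive_account"           # Principle 6: protracted inactivity
        elif data not in ROLE_RIGHTS[user.role]:
            reason = "data_class_not_permitted"   # Principle 3: rights tied to role
        elif not treating:                         # outside a treatment relationship
            if user.role in BREAK_GLASS_ROLES and justification:
                allowed, reason = True, "break_the_glass"   # flagged for audit review
            else:
                reason = "no_treatment_relationship"
        else:
            allowed = True
        self.audit.append(dict(uid=user.uid, role=user.role, data=data, allowed=allowed, reason=reason))
        return allowed

    def change_role(self, user, new_role):
        # Principle 2: rights follow the new role at once, and the change itself is audited.
        self.audit.append(dict(uid=user.uid, event="role_change", old=user.role, new=new_role))
        user.role = new_role
```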

  13. Operational Plan Guidance • Authentication
     • NC HIE Progress to Date:
       • This issue cuts across the considerations of the other Legal/Policy Workgroup Subcommittees and NC HIE Workgroups. The board adopted the subcommittee recommendation to revisit the issue of Authentication after the proposed technical model for the statewide HIE is further developed.
       • The Workgroup recommended that a legal scan be conducted to provide a more thorough understanding of the requirements under existing NC law for the disclosure of certain types of potentially sensitive health information.

  14. Operational Plan Guidance • Authentication
     • Next Steps:
       • Legal/Policy Workgroup will review the technical model and develop a recommendation for authentication in Phase 2.
       • The recommendation will address key questions, including:
         • What should the policies & procedures established through a statewide HIE in North Carolina require as the minimum authentication assurance level?
         • Should the policies & procedures mandate use of minimum technologies to support those assurance levels? (See federal authentication assurance levels.)
         • Should the policies & procedures established through a statewide HIE in North Carolina require/allow use of more stringent authentication policies and procedures for sensitive information?
       • Draft policy with council.

  15. Operational Plan Guidance • Access
     • NC HIE Progress to Date:
       • The board adopted the subcommittee recommendation:
         • Policies and procedures should require training for authorized users on use of the statewide HIE, and that training should be done by participants as part of HIPAA or other staff training;
         • To further explore the possibility of creating a website with training materials; and
         • That additional discussion is needed regarding whether to require attestation of completion of training (including possible consideration of testing for comprehension), and whether attestation should take electronic or paper form.

  16. Operational Plan Guidance • Access
     • Next Steps:
       • Develop policies and procedures in partnership with NC HIE staff and council. Key questions include:
         • Should the policies & procedures established through a statewide North Carolina HIE specify who (local or community HIE or participant) should assign unique IDs and/or how often they should be updated? If so, how?
         • Should the policies & procedures specify who should maintain them? If so, how?
         • Should the policies & procedures established through a statewide HIE in North Carolina require that authorized users sign acknowledgements of local or community HIE policies and procedures related to access?

  17. Operational Plan Guidance • Audit
     • NC HIE Progress to Date:
       • The board adopted the subcommittee recommendation that policies and procedures should require periodic audits to ensure compliance with policies, that the audits must be performed by the entities disclosing data, and that technological guidance must be provided to participants to enable them to perform audits.
     • Next Steps:
       • Legal/Policy Workgroup will review the technical model and develop a recommendation for audit in Phase 2, including key questions:
         • Should the policies and procedures require that audit findings be made publicly available?
         • Should the policies and procedures require a minimum level of audit log (e.g., immutable logs?) or minimum time periods for producing audit logs?

  18. Operational Plan Guidance • Breach
     • NC HIE Progress to Date:
       • The board adopted the subcommittee’s Key Breach Principles, with the understanding that one principle was yet to be finalized.
     • Next Steps:
       • Draft policies with council.

  19. Breach Key Principles
     1. Compliance with the Law
        The NC HIE shall abide by all applicable federal and state laws and regulations (including HIPAA) pertaining to the security of protected health information.
     2. Need for Accountability
        While consent, authorization, authentication, access and audit policies will be designed to protect patients from privacy breaches, they have little weight if the NC HIE and its Participants are not held accountable to certain behavioral standards when privacy violations occur.
     3. Commitment to Preventing Breaches
        The NC HIE shall implement policies, standards and procedures to prevent breaches – electronically or otherwise – to protect the confidentiality, integrity and availability of protected health information.
     4. Implementation of a Breach Notification Policy and Breach Plan by the NC HIE
        The NC HIE shall implement a breach notification policy that includes a breach plan that outlines the process by which the NC HIE will investigate, confirm and respond to a breach of security and/or confidentiality of protected health information, including defining when and how to notify Participants (both organizational and individual) regarding a breach.

  20. Breach Key Principles
     5. Implementation of a Breach Plan by Participants in the NC HIE
        Participants in the NC HIE shall be required to implement a breach plan as part of their policies and procedures that aligns with the NC HIE breach plan and meets a minimum set of requirements established by the NC HIE regarding, among other things, investigation, mitigation and notification.
     6. Obligation of Participants to Report Actual and Suspected Breaches
        Participants in the NC HIE shall notify the NC HIE in the event that the Participants or their business associates become aware of any actual or suspected breach of protected health information that materially involves the statewide HIE.
     7. Minimize Burden on Participants
        The NC HIE shall make every effort to simplify its policies and procedures to ensure that they do not inadvertently serve as a deterrent to participation in the statewide exchange.

  21. Legal Scan of NC Data Security Laws

  22. Key Decisions Related to Confidentiality, Integrity and Availability of Data to be Addressed in Phase 2

  23. Confidentiality, Integrity & Availability
     Confidentiality
     • Protect information from being viewed or read by individuals who should not access it.
     • Loss of confidentiality can happen physically (for example, theft) or electronically (for example, lack of encryption or lack of protection against spyware).
     Integrity
     • Protect information from being modified without the modification being authorized.
     • Unauthorized information modification can be intentional or accidental.
     • In addition to human error or malicious intent, accidental integrity loss can happen at a system level (for example, file deletions caused by a computer virus).
     Availability
     • Ensure that information is available to be accessed when a user attempts to access it.

  24. CIA – Discussion of Threshold Issues for Phase 2 • Security Subcommittee recommends that the following threshold issues related to CIA for the statewide HIE be addressed in Phase 2:

  25. Straw Principles for Discussion Purposes – CIA
     • Collection, Use and Disclosure Limitation – Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
     • Data Quality and Integrity – Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner.
     • Safeguards – Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
     • Other?

  26. Next Steps
     • Upcoming Meetings
       • Full Workgroup Meeting – July 29 (last meeting of this phase)
     • Questions or Comments?
       • Contact: nc.hie@healthwellnc.com

  27. Open Public Comment
