Model Modular Participants Agreement, Release 2
July 31, 2013

Agenda
Goal: Finalize Draft and Submit Release 2.0 to CalOHII
- Roll Call
- Review Comments on the Draft
- Next Steps
- Closing Comments
1.5 Definitions
Decision: Define "security incident" to exclude unsuccessful security incidents and the laundry list.
Change from:
1.5.1 "Unsuccessful Security Incident" means a security incident (as defined under HIPAA) that does not result in: (1) the unauthorized access, use, disclosure, modification or destruction of information; or (2) material interference with system operations in an information system, including, without limitation, activity such as pings and other broadcast attacks on HIO's firewall, port scans, unsuccessful log-on attempts, denial of service and/or any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic protected health information.
To:
1.5.1 "Unsuccessful Security Incident" means a security incident (as defined under HIPAA) that does not result in: (1) the unauthorized access, use, disclosure, modification or destruction of information; or (2) material interference in the HIO information system, so long as no such incident results in unauthorized access, use or disclosure of electronic protected health information.
9.2 Privacy and Security of Patient Data
Decision: As long as "Security Incident" is defined, the term "serious" can be taken out; it is not needed.
Change from: Reporting of Serious Breaches and Security Incidents.
To: Reporting of Breaches and Security Incidents.
9.2.2
Decision: Allen will come up with an alternative: "Parties agree to work cooperatively to make sure there is a trusting environment for the secure exchange of information."
Change from:
8.2.2. Reporting Unsuccessful Security Incidents. The Participant shall annually provide a report to HIO describing in summary form the number, nature and extent of Unsuccessful Security Incidents experienced by the Participant during the period covered by that report, as more specifically described in the Policies and Procedures.
To:
9.2.2. Reporting Unsuccessful Security Incidents. The Participant shall annually provide a report to HIO describing in summary form the nature and extent of Unsuccessful Security Incidents directly related to the HIO that were experienced by the Participant during the period covered by that report, as more specifically described in the Policies and Procedures.
9.2.2.1
Decision: The proposed change is fine.
Change from:
8.2.2.1 Reports to Participants. HIO shall on a monthly basis provide a report to all Participants describing all Serious Breaches of Privacy or Security reported by Participants to HIO during the prior month, as more particularly described in Section Error! Reference source not found. (Reporting Breaches and Security Incidents). HIO shall on an annual basis provide a report to all Participants describing in summary form Unsuccessful Security Incidents reported by Participants to HIO pursuant to Section 0 (Reporting Unsuccessful Security Incidents).
To:
9.2.2.1 Reports to Participants. HIO shall on a monthly basis provide a report to all Participants describing all Serious Breaches of Privacy or Security discovered by the HIO or reported by Participants to HIO during the prior month, as more particularly described in Section Error! Reference source not found. (Reporting Breaches and Security Incidents). HIO shall on an annual basis provide a report to all Participants describing in summary form Unsuccessful Security Incidents reported by Participants to HIO pursuant to Section 0 (Reporting Unsuccessful Security Incidents).
Footnote 5
Decision: Allen will go through the footnotes, correct minor grammatical errors and clarify ambiguous language.
Change from:
Under Model #3, the HIO serves as a conduit as under Models #1 and #2. However, under Model #3, the HIO performs certain data transmission services that require it to have access to and/or to be responsible to maintain some Patient Data on behalf of its Participants.
To:
Under Model #3, the HIO serves as a conduit provides transport services as under Models #1 and #2. However, under Model #3, the HIO performs certain data transmission services that require it to have access to and/or to be responsible to maintain some Patient Data on behalf of its Participants.
Exhibit X
Decision: The purpose of the BAA is to demonstrate compliance with HIPAA, not compliance with every obligation and provision of law. One of California's outputs will be a California-specific BAA in compliance with California law. Allen will add a footnote.
Discussion: The BAA takes a federal approach. In the grander scheme of interstate exchange, it would be helpful to draft a BAA that complies with California law; one of the thorny issues in California is which exemptions apply.
- HIPAA allows up to 60 days for breach notification, while California Health and Safety Code Section 1280.15 provides up to 5 days. The recommendation was that this would be a preemption applicable to Section f of the MMPA HIPAA-only Component.
Next Steps:
- Co-Chairs finalize version 2.0
- Send clean copy to the Task Force
- If anyone has concerns, they can request to be removed from the list of contributors

Your participation and input are appreciated. Stay tuned!