480 likes | 499 Views
Tugboat Captains & Clinicians Both are in Harms Way. Presented to: Internet2 Conference Atlanta, GA - October 31, 2000 W. Holt Anderson, Executive Director NC Healthcare Information & Communications Alliance, Inc. (NCHICA). Structure of Presentation. Implementing a Vision HIPAA
E N D
Tugboat Captains & CliniciansBoth are in Harms Way Presented to: Internet2 Conference Atlanta, GA - October 31, 2000 W. Holt Anderson, Executive Director NC Healthcare Information & Communications Alliance, Inc. (NCHICA)
Structure of Presentation • Implementing a Vision • HIPAA • HealthKey • NC Projects • Federal PKI Bridge • The Tugboat Captain
Implementing a Vision • “Paperless, person-centered health records by 2010.” • Adopted by the following organizations in NC: • Medical Society • Nurses Association • Hospital Assn. • Health Information Management Assn. • Assn.of Local Health Directors • Assn. of Pharmacists • Health Care Facilities Assn. • Assn. For Health Care Quality • Assn. For Hospice & End of Life Care
Definition - Health Record • A virtual digital record of an individual’s health information and all episodes of care • This record is maintained by multiple providers and shared when necessary for care of that individual (as allowed by patient consent and/or law) • NOT a central “master file”of information
Enhancing the Quality of Care • Preventing medical mishaps related to drug interactions, handwriting, allergies, transmissible diseases, etc. (Automated delivery of information) • Enhancing quality control through access to information
Death by Handwriting • Texas cardiologist • Prescribed 20mg Isordil 4X / day • Pharmacist • Filled 20mg Plendil 4X / hday = 80mg / day • Normally Plendil taken max 10mg / day • 42-year old patient died of heart attack • Jury found MD and Pharmacist responsible and awarded $450K to widow and three small children USA Today 10-21-99
Controlling and Reducing Costs Cost of paper records is said to be at least 25% of total health care costs. • Minimize space requirements • Reduce resources for filing, storage and retrieval of information • Improve access time • Less duplication
HIPAA Health Insurance Portability & Accountability Act of 1996 [PL 104-191] • Administrative Simplification • Electronic Transactions & Codes • National Identifiers • Security & Electronic Signatures • Privacy • Generally expected to be implemented by end of 2002 • Civil Monetary & Criminal Penalties
Federal Mandate under HIPAA(in effect since 8/21/96) • Section 1173(d)(2) of the Act stipulates that healthcare organizations (that maintain or transmit electronic patient information) shall maintain reasonable and appropriate administrative, technical, and physical safeguards to: • Ensure the integrity and confidentiality of patient information • Protect against any reasonably anticipated threats or hazards to the security or integrity of the information • Protect against unauthorized uses or disclosures of the information • And, ensure the compliance of the officers and employees of the organization with this provision.
ProposedPrivacy Regulation • Covers electronic information (and products of and contributors to electronic information) • Providers, Health Plans & Clearinghouses • Requires contracts with trading partners to assure continuity of privacy (also in Security regs) • Permits sharing for care, claims, & certain operations (QA, utilization review, credentialing) without patient consent • Limited sharing for “national priority” activities • Requires written “fair information practices”
Penalties for Non-Compliance • Violation of transaction or security standards • Not more than $100 per violation, maximum of $25,000/year • No aggregate maximum • Wrongful disclosures (privacy) • Not more than $50,000 per violation • Imprisonment for not more than one year
Penalties for Non-Compliance (cont) • False Pretenses (privacy) • Not more than $100,000 per violation • Imprisonment not more than five years • Intent to sell, transfer, or use (privacy) • Not more than $250,000 per violation • Imprisonment for not more than ten years
Scope of Compliance • More than just technology • Policies • Operational Procedures • Physical Security • Business Partner Agreements • Personnel • Management & Supervision • Training
Security Standard • Defined: • Set of requirements with implementation features that providers, health plans, and clearinghouses must include in their operations to assure that individual health information remains secure. • Scalable: applies to all size organizations; larger organizations may be held to a higher standard.
Electronic Signature Technical Security Services Digital Signature Access Controls Audit Controls Authorization Controls Data Authentication (corruption) Entity Authentication Security Requirements by Category Administrative Physical Safeguards Technical Security Mechanisms Certification Chain of Trust Agreements Contingency Plan Formal Mechanisms: Records Info Access Control Internal Audit Personnel Security Security Configuration Security Incident Procedures Security Mgmt. Process Termination Procedures Training Assigned Security Responsibility Media Controls Physical Access Controls Policy - Workstation Use Secure Workstation Location Security Awareness Training Communications/Network Controls Integrity Controls Message Authentication Implementation Features Under Each Requirement
Technical Security Mechanisms Objective: Ensure processes are in place to guard against unauthorized access to data that is transmitted over a communications network (intercept and interpret), and to protect systems from external access.
Communications--Open Network • Where the network is open (e.g., shared data line, Internet, switched WAN), then the following must be in place: • Alarm (sense abnormal conditions) • Audit Trail • Entity Authentication • Event Reporting • Encryption is stated as “should be employed”
If You Use Electronic Signatures • Must have: • message integrity • non-repudiation • user authentication • May have: • ability to add attributes • continuity of signature capability • countersignature capability • independent verifiability • interoperability • multiple signatures • transportability
HealthKey HealthKey Secure E-Health Solutions A Program funded by The Robert Wood Johnson Foundation
HealthKey Origins • Funded by $2.5 million Robert Wood Johnson Foundation grant - Fall 1999 • Collaboration to advance the development of health information infrastructure • Market-driven, community-based approach • Coordinated pilot efforts in 5 states
HealthKey Participants • Massachusetts Health Data Consortium (MHDC) • Minnesota Health Data Institute (MHDI) • North Carolina Healthcare Information and Communications Alliance (NCHICA) • Utah Health Information Network (UHIN) • Community Health Information Technology Alliance (CHITA) -- WA
HealthKey Strategy • Identify interoperable, standards-based solutions to real business problems • Showcase pilot participants as leaders in testing evolving health information infrastructure • Identify approaches to achieve HIPAA compliance
$64,000 Question Is PKI a valid infrastructure for the health industry? If so, what is the likely architectural model?
MN & NCto pilot Bridge CA • Developed by Mitretek for the Federal Dept of Treasury/GSA • Allows validation of digital certificates from multiple CAs • Aggressive timeframe - demo by Spring 2000 • Additional states/projects can tie in after pilot phase
NCHICA PKI Projects • Rekmote access to immunization registry • Shared access to clinical info for Medicaid high-maintenance patients • Remote primary care provider access to neonatal/perinatal patient info • Remote primary care provider access to patient info for children with special needs • Access to emergency dept. database • Possible pharmacy application
MHDI PKI Projects • Access to Immunization data • Transmit newborn screening results from MN Dept of Health • Provide secure access to Central Query Service for eligibility inquiries • Other States • Additional projects underway
What is PAiRS? • Combines immunization records from both public and private sources in a common database • Widely accessible, inexpensive and secure inquiry only access to immunization records via the Internet • Reliably identifies relevant records for an individual in the absence of a unique identifier
Current Project Status • Approximately 1.5 million children (0-18) and an associated 12 million vaccine doses • 28 pilot sites, 172 users • Over $1 million in in-kind contributions
Challenges to Successful Implementation of PAiRS: • Initiation of use • Recognition of PAiRS value • Accessibility of computers • Computer skills of nurses and physicians • Busy practices with established service delivery methods • Security & Interoperability
Where do we go from here? • PAiRS participation expansion • PKI for user authentication and security • Regional PAiRS project - demonstration project to facilitate inter-state exchange of immunization information
NCEDD Project Description • 3 goals (putting down a railroad track) • select a standard data format (DEEDS) • demonstrate secure data exchange • statewide ED database for injury surveillance, EMS outcomes, best practice (NCEDD)
Use of NCEDD Data • Public Health Surveillance • Disasters, bioterrorism, reportable conditions • Research using hospital discharge dataset • Injury surveillance, Trends/impact of new facilities, HMO penetration, substance abuse indicators • Linkages- outcomes, episode of care • EMS • Trauma Registry • Hospital Database • Aggregate format • Oversight Committee of participating hospitals
Security/Access Concerns • Confidential data over Internet • Patient • Facility • Provider • Authentication of users - multiple organizations • Public health staff - SCHS, Epidemiology • STEER staff - Chapel Hill, Wilmington • Participant hospitals ?
Federal PKI Approach(with thanks to Richard A. Guida, Chair, Federal PKI Steering Committee) • Establish Federal PKI Policy Authority • Develop/deploy Bridge CA using COTS • Four levels of assurance (emulate Canada) • Prototype early 2000, production mid 2000 • Deal with directory issues in parallel • Border directory concept; “White Pages” • Use ACES (Access Certs for Electronic Services) for public transactions
FBCA Overview • Non-hierarchical hub for interagency interoperability • Ability to map levels of assurance in disparate certificate policies • Ultimate “bridge” to CAs external to Federal government • Directory contains only FBCA-issued certificates
FBCA PKI Architecture US Federal
Potential Architectures • Multiple CAs within membrane, with single signing key • Single CA • Multiple CAs within membrane, cross-certified among themselves
Multiple CAs, Cross-certified • In essence, the “quark” model • Certificate path length may be +1 • Adding CAs within membrane should be straightforward albeit not necessarily easy • Requires solving inter-product interoperability issues within membrane rather than outside - which is good
Current Status • Decision: cross-certified CAs within membrane • Multiple vendor products: Initially Entrust and GTE for “prototype” FBCA • Migration from prototype to production FBCA will entail adding other CAs inside the membrane • GSA/FTS has responsibility to execute
PKI Use and Implementation Issues • Misunderstanding what it can and can’t do • Requiring legacy fixes to implement • Waiting for standards to stabilize • High cost - a yellow herring • Interoperability woes - a red herring • Legal trepidation - the brightest red herring
The Tugboat Captain TJ Hooper v. Northern Barge Company60 F.2d 737 (2d Cir. 1932) • Long Island Sound - storm comes up and tug loses barge • Plaintiff was barge owner • Plaintiff found negligent because Captain had no weather radio Rationale: to avoid negligence, keep up with technological innovations - they set the standard of care in the industry
The price of good navigation is eternal vigilance W. Holt Anderson, Executive Director NC Healthcare Information & Communications Alliance, Inc. www.nchica.org
Thank you ! www.nchica.org