210 likes | 370 Views
HIT Standards Committee. Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union July 21, 2009. Most Americans Rate the Healthcare System Fair or Poor. How would you rate the health care system in America today? (2009 n=1,000).
E N D
HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union July 21, 2009
Most Americans Rate the Healthcare System Fair or Poor How would you rate the health care system in America today? (2009 n=1,000) Source: Employee Benefit Research Institute and Mathew Greenwald & Associates, 2008-2009 Health Confidence Survey
Consumers Have Little Confidence that Electronic Health Records Will Remain Confidential If medical records and personal health information were to be stored electronically and shared through the Internet, how confident are you that those records and information would remain confidential? (2009 n=1,000) Source: Employee Benefit Research Institute and Mathew Greenwald & Associates, 2008-2009 Health Confidence Survey
ARRA Addresses These Concerns by Stimulating Adoption of Health Information Technology (HIT) Current paper- and fax-based system is inefficient and costly, and perpetuates medical practice as a “cottage industry” moving to electronic records and exchanges will reduce inefficiencies and cost, while improving patient safety and care quality Recording and exchanging health information electronically will improve the quality of care, and reduce costs, by: Reducing reliance on physicians’ (oft-illegible) handwritten and faxed prescriptions and notes Making health information available whenever and wherever it is needed Facilitating the measurement of outcomes and comparison of effectiveness Streamlining medical research Facilitating the detection of potential health threats to the public
But There’s a Caveat… Use of computers and networks introduces new risks to personal privacy As providers become more dependent on EHRs, the potential impacts of data corruption and service interruption will increase Privacy and security mechanisms are designed to help protect personal privacy and to assure quality care by providing: Ability to record and enforce consumers’ individual preferences on who can see or use their personal health information and for what purposes – whether it’s within a hospital or between their family doctor and the specialist she has chosen to help diagnose a problem Ability to protect their health information from being changed or deleted Ability to make sure that their health information is available to their family physician, the specialists he/she consults, and physicians providing emergency care in their local emergency room and the clinic in the remote mountain community where they vacation
ARRA EHR-Adoption Reimbursement Requirements To encourage broad adoption of EHRs, ARRA offers reimbursement to eligible providers who meet two requirements: Acquire a certified EHR product or service Demonstrate that he/she is using that product/service “meaningfully” The Standards Committee needs to recommend both: Criteria for certifying products Criteria for demonstrating that an applicant is using that product meaningfully
EHR-Adoption Privacy and Security For privacy and security, certification that a defined function or service has been implemented in a product is not sufficient to demonstrate “meaningful use” (or even “use”) of that function or service The Privacy and Security Workgroup has adopted an approach that addresses both the certification of products and the demonstration that a user is using the certified product “meaningfully”
Privacy and Security WG Recommendations Certification criteria should not dictate policy beyond what is specified in ARRA and the HIPAA Security and Privacy Rules Allow adopter to configure products to its individual policy based on its own risk factors Product certification should address both functional requirements (services provided) and assurance levels (strength of mechanisms and implementations) Use ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation, to specify Evaluation Assurance Levels (EAL) for use cases For greater openness and broader interoperability, prefer standards developed by international Standards Development Organizations (SDOs)
Privacy and Security WG Recommendations Certification criteria and standards should enable design possibilities that leverage fundamental principles and open standards Product certification criteria should build toward full interoperability with both healthcare partners (providers, payers, HIEs, etc.) and consumers; for example: 2011: secured enterprises + simple, secured sharing with healthcare partners and consumers 2013: secured health exchanges with healthcare partners and consumers 2015: full integration of consumer preferences with enterprise and exchange access controls
Privacy and Security WG Recommendations “Meaningful use” criteria should be rules-based and should specify what certified features must be used and how, within the context of defined, operational use cases “Meaningful use” should include at least: Required certified features and their configuration within applicable use case Secure IT infrastructure Current HIPAA risk analysis and risk-management plan Current HIPAA contingency plan (back-up, disaster recovery, emergency operations, testing and revision, criticality analysis)
Consent Management – the Widest, and Perhaps Most Urgent, Gap Consent management involves several functions: Recording patient elections (privacy authorizations and informed consents) in a consistent way such that both humans and computers can interpret the elections consistently across systems and organizations Transferring these elections among all entities that handle their PHI (e.g., providers, labs, pharmacies, payers, researchers, PHI vendors) Translating these elections into access control rules Managing the continually changing elections
Consent Management – the Widest, and Perhaps Most Urgent, Gap Some standards-development work is under way HL7, primarily focusing on privacy and security authorizations Consent Assertion Markup Language (CAML, John Halamka) – XML data model representing all patient authorizations and consents HITSP TP30 and the Integrating the Healthcare Enterprise (IHE) Basic Patient Privacy Consent (BPPC) profile HIE, OASIS, and ASTM are addressing the exchange of consumer elections No significant efforts addressing translation into access-control rules, or change management Consumers are beginning to play a much greater role in defining how their information is shared and used – standards are needed HHS should encourage and support the rapid, well informed, development of consent management standards comprehensively addressing 1-4 above
Recommended Standards – Readiness Ratings Mature; known or certain to be implementable in 2011; implemented widely (>20%) in industry Ready for introduction; known/certain for 2013 Well developed; work in progress for 2013 / 2015 In development; standards to be determined
Recommended Standards* *See hand-out for further details