1

Overview of HIT Policy Committee’s Privacy Hearing

Jodi Daniel, JD, MPHJodi Daniel, JD, MPH

Director, Office of Policy and ResearchDirector, Office of Policy and ResearchOffice of the National Coordinator for Health Office of the National Coordinator for Health Information TechnologyInformation Technology

October 14, 2009

22

Overview

• Held on September 18, 2009• Organized by a Privacy Task Force

– Members of HITPC– Members of HITSC– ONC– OCR

33

Overview

• Brought together experts representing differing stakeholder viewpoints

• Objectives of hearing included:– Gain insight from industry experts– Prioritize issues

• Next Steps:– Task Force will recommend a plan and priorities to HITPC at

next meeting

4

Summary of ARRA Statute

• New HIPAA provisions, including:– Applicability to business associates– New breach notification requirements– Accounting for disclosures for TPO– Electronic copy of records to patients– Changes to enforcement

• ARRA privacy & security topics, including:– Technologies for segmentation– Technologies for accounting– Technologies for IIHI to be unusable, unreadable, or

indecipherable to unauthroized individuals

5

Panel 1

• Patient Choice, Control, and Segmentation of Health Information– Deborah Peel, Patients Privacy Rights– J. Marc Overhage, Regenstrief Institute– Susannah Fox, Pew Internet & American Life Project– Deven McGraw, Center for Democracy and Technology

• Themes:– Consumers want privacy and accessibility by them and caregivers– Issue: “Consumer control” v. comprehensive framework with consent

included where appropriate– Architecting privacy and security into the software, the processes and

the agreements – Segmentation of sensitive date v. difficulty of hiding data from all

sources

6

Panel 2

• Use, Disclosure, Secondary Uses, Data Stewardship– Eileen Twiggs, Planned Parenthood Federation of America– John Houston, University of Pittsburgh Medical Center– James Golden, Minnesota Department of Health

• Themes:– Sensitive data must be addressed because of increased risks– Only access information necessary and for a particular

authorized purpose through exchange– Protections follow the data– Enforcement is key– HIE raises great opportunities for public health and should

follow existing frameworks for protections (incl state and local)

7

Panel 3

• Models for Data Storage & Exchange, Aggregate Data, De-identification/ Re-identification– Claudia Williams, Markle Foundation– Philip Marshall, WebMD– Kenneth Buetow, National Cancer Institute/NIH/HHS

• Themes:– Keep data close to source (distributed information model) and query

for aggregate data– PHRs and consumer control– Policy should drive architecture including flexibility– Consent poses challenges for secondary uses and access controls

with audit is important– Don’t prevent all misuse, prevent most and enforce

8

Panel 4

• Transparency, Audit, Accountability– Robert Gellman, Consultant– Robin Omata, Kaiser Permanente

• Themes:– Patient ready access to accounting of disclosure is important

for transparency and accountability v. accounting is costly and not widely used by patients

9

Questions?