Overview of HIT Policy Committee’s Privacy Hearing
Jodi Daniel, JD, MPH
Director, Office of Policy and Research
Office of the National Coordinator for Health Information Technology
October 14, 2009
Overview
• Held on September 18, 2009
• Organized by a Privacy Task Force
  – Members of HITPC
  – Members of HITSC
  – ONC
  – OCR
Overview
• Brought together experts representing differing stakeholder viewpoints
• Objectives of hearing included:
  – Gain insight from industry experts
  – Prioritize issues
• Next Steps:
  – Task Force will recommend a plan and priorities to HITPC at next meeting
Summary of ARRA Statute
• New HIPAA provisions, including:
  – Applicability to business associates
  – New breach notification requirements
  – Accounting for disclosures for TPO
  – Electronic copy of records to patients
  – Changes to enforcement
• ARRA privacy & security topics, including:
  – Technologies for segmentation
  – Technologies for accounting
  – Technologies for IIHI to be unusable, unreadable, or indecipherable to unauthorized individuals
Panel 1
• Patient Choice, Control, and Segmentation of Health Information
  – Deborah Peel, Patients Privacy Rights
  – J. Marc Overhage, Regenstrief Institute
  – Susannah Fox, Pew Internet & American Life Project
  – Deven McGraw, Center for Democracy and Technology
• Themes:
  – Consumers want privacy and accessibility by them and caregivers
  – Issue: “Consumer control” v. comprehensive framework with consent included where appropriate
  – Architecting privacy and security into the software, the processes and the agreements
  – Segmentation of sensitive data v. difficulty of hiding data from all sources
Panel 2
• Use, Disclosure, Secondary Uses, Data Stewardship
  – Eileen Twiggs, Planned Parenthood Federation of America
  – John Houston, University of Pittsburgh Medical Center
  – James Golden, Minnesota Department of Health
• Themes:
  – Sensitive data must be addressed because of increased risks
  – Only access information necessary and for a particular authorized purpose through exchange
  – Protections follow the data
  – Enforcement is key
  – HIE raises great opportunities for public health and should follow existing frameworks for protections (incl state and local)
Panel 3
• Models for Data Storage & Exchange, Aggregate Data, De-identification/Re-identification
  – Claudia Williams, Markle Foundation
  – Philip Marshall, WebMD
  – Kenneth Buetow, National Cancer Institute/NIH/HHS
• Themes:
  – Keep data close to source (distributed information model) and query for aggregate data
  – PHRs and consumer control
  – Policy should drive architecture including flexibility
  – Consent poses challenges for secondary uses and access controls with audit is important
  – Don’t prevent all misuse, prevent most and enforce
Panel 4
• Transparency, Audit, Accountability
  – Robert Gellman, Consultant
  – Robin Omata, Kaiser Permanente
• Themes:
  – Patient ready access to accounting of disclosure is important for transparency and accountability v. accounting is costly and not widely used by patients
Questions?