Posted on 22-Feb-2016


TRANSCRIPT

Page 1: Confidentiality Codes Refactored

Serafina Versaggi and Kathleen Connor, Eversolve

Page 2: Problem Statement

The current HL7 Confidentiality Code System overloads the coded attributes of confidentiality.

Current Confidentiality Codes mix:
• Privacy Policy Codes about how Sensitive Information must be handled, with
• Metadata tags (data about data content) used to convey Information Sender and Receiver responsibilities to prevent unauthorized use or disclosure

Without guidance on the intended use of these metadata tags, implementers may mistakenly apply Privacy Policy and Sensitive Information Codes as metadata on protected information:
• On external wrappers used as transport information in exchange
• On document headers for use by records management systems/repositories

As a result, they may breach protected information by disclosing the sensitive nature of that information to unauthorized Receivers. A wrapper or header is readable by every party that handles the message, so a tag that states why the payload is sensitive is itself a disclosure, even when the payload stays protected.
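The misapplication the problem statement describes can be caught mechanically before a message leaves the sender. The Python check below is an added example, not code from this deck or from HL7: it walks a constructed transport envelope and a CDA-like document and flags any tag that says why content is sensitive (the deck's Sensitive Information Codes) on the envelope, the document header or a section, and any value at those locations that is not a receiver-facing confidentiality code. The allowed sets are taken from later slides (the refactored U/L/M/N/R/V codes on page 13, and N/R/V as the subset CDA uses, page 11); the envelope namespace, the `handling` element, the sample document and the sensitivity labels are constructed placeholders, not HL7 identifiers.

```python
import xml.etree.ElementTree as ET

CDA = "urn:hl7-org:v3"                    # CDA namespace
WRAP = "urn:example:transport-wrapper"    # constructed: stands in for any exchange envelope

CONFIDENTIALITY_CODES = {"U", "L", "M", "N", "R", "V"}   # refactored codes (page 13)
CDA_HEADER_CODES = {"N", "R", "V"}                        # the subset CDA uses (page 11)

# Constructed placeholders for Sensitive Information Codes. They say *why* content is
# protected, which is exactly what must not travel on a wrapper or a document header.
SENSITIVITY_LABELS = {"SUBSTANCE-ABUSE-RELATED", "SENSITIVE-SERVICE-PROVIDER", "EMPLOYEE"}

# Constructed sample: the envelope and the header both leak a sensitivity label, and one
# section carries a label where a confidentiality code belongs.
SAMPLE = f"""<envelope xmlns="{WRAP}">
  <handling code="R"/>
  <handling code="SUBSTANCE-ABUSE-RELATED"/>
  <ClinicalDocument xmlns="{CDA}">
    <confidentialityCode code="R"/>
    <confidentialityCode code="SUBSTANCE-ABUSE-RELATED"/>
    <component><structuredBody>
      <component><section>
        <title>Medications</title>
        <confidentialityCode code="V"/>
      </section></component>
      <component><section>
        <title>Problems</title>
        <confidentialityCode code="EMPLOYEE"/>
      </section></component>
    </structuredBody></component>
  </ClinicalDocument>
</envelope>"""


def lint(xml_text):
    """Return (location, code, problem) for every tag that would tell an unauthorized
    receiver why the payload is protected, or that is not an allowed code at that spot."""
    root = ET.fromstring(xml_text)
    findings = []

    def check(location, code, allowed):
        if code in SENSITIVITY_LABELS:
            findings.append((location, code, "sensitivity code exposed outside the PIP"))
        elif code not in allowed:
            findings.append((location, code, "not an allowed code at this location"))

    # Transport wrapper: everything here is visible to every intermediary.
    for el in root.findall(f"{{{WRAP}}}handling"):
        check("envelope", el.get("code"), CONFIDENTIALITY_CODES)

    doc = root.find(f"{{{CDA}}}ClinicalDocument")
    if doc is not None:
        for el in doc.findall(f"{{{CDA}}}confidentialityCode"):   # header level
            check("header", el.get("code"), CDA_HEADER_CODES)
        for sec in doc.iter(f"{{{CDA}}}section"):
            title = sec.findtext(f"{{{CDA}}}title", default="?")
            for el in sec.findall(f"{{{CDA}}}confidentialityCode"):
                check(f"section:{title}", el.get("code"), CONFIDENTIALITY_CODES)
    return findings


if __name__ == "__main__":
    for location, code, problem in lint(SAMPLE):
        print(f"{location:<18} {code:<26} {problem}")
```

Run as a sender-side gate: a non-empty result means the message would disclose sensitivity to whoever can read the envelope or header, and it should not be sent until the offending tag is moved into the sender's policy store.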

Page 3: Happy News

Refactored Confidentiality Codes fit seamlessly into the Composite Security and Privacy DAM with minimal changes. This should be considered validation of that good work.

Proposed changes specify:
• Sender responsibility to ensure that protected information is handled in accordance with Privacy Policies
• Receiver responsibility for handling protected information the Sender is authorized to disclose
• Interoperable and policy-driven Confidentiality Codes that reduce the need for point-to-point negotiation when exchanging information

Page 4: Proposed Changes to the DAM

Refactors the current Confidentiality Code System
• Reason: multiple axes that blend internal Privacy Policies, role- and user-based access, and interoperable Confidentiality Codes

Defines new interoperable Confidentiality Codes
• Specifies Receiver responsibilities for information being exchanged
• Limited set of codes that convey general information handling rules
• Conveys sensitivity levels without disclosing why the information is or is not sensitive

Relocates Sensitive Information Codes to the ActPrivacyPolicyType value set
• Sensitive Information Codes represent a type of Organizational Privacy Policy
• Like Jurisdictional Privacy Policies, these are implemented in a Policy Information Point to inform the Policy Decision Point

Adds Information Subject Authorization to Disclose
• Consent Directives specify disclosures that are more restrictive than generally applicable Jurisdictional Health Privacy Policies
• Disclosure Authorizations specify disclosures that are less restrictive than generally applicable Jurisdictional Health Privacy Policies

Page 5: Current HL7 Confidentiality Code Concept Domains

Current Confidentiality Code relationships (concept domain and definition):

ConfidentialityByAccessKind
• A value set that allows access to information by subject/role and relationship-based rights
• These concepts are mutually exclusive; one and only one is required for a valid confidentiality coding

ConfidentialityModifiers
• Modifiers of role-based access rights
• Multiple allowed

ConfidentialityByInfoType
• By information type, only for service catalog entries
• Multiple allowed
• Not to be used with actual patient data!

Page 6: Disambiguating Confidentiality and Sensitivity

Definitions of these concepts are often intertwined, and their usage is not clearly orthogonal in many contexts. Healthcare differentiates them because of heightened privacy concerns.

Confidentiality is a security concept:
• How information is treated
• Who can know it and what they can do with it
• Has no necessary bearing on social values
• ISO 7498-2:1989: Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Sensitivity is a social perception concept:
• How information is regarded socially
• What others will think about and act on the information
• How that "social" perception and the resulting reaction will impact the information subject and/or owner
• ISO 7498-2:1989: Sensitivity is the characteristic of a resource which implies its value or importance and may include its vulnerability

Page 7: Confidentiality – Sensitivity Matrix

(Matrix figure; no text was extracted.)

Page 8: Sender Assigns Confidentiality Codes

(Diagram; the recoverable labels are listed here.)

• Access Control System drives the Sender disclosure process
• Sender assigns Confidentiality Codes to comply with obligations to protect information
• CDA Header: Confidentiality Code + URL to referenced License
• Inner Envelope with Confidentiality Code
• Licenses at each level: Envelope License, Header License, Section Licenses, Entry Licenses
• Sections, each with its own Confidentiality Code (CC): Encounter Section, Medication Section, Lab Section, Problem Section; Lab Result Entries
• Encrypted Transmission Wrapper
• License conveys Receiver obligations to protect the information
• Receiver complies with obligations through ACS enforcement of Licenses, which may apply at the CDA Header, Section, or Entry

Page 9: ActPrivacyPolicyType

(Figure; no text was extracted.)

Page 10: Vocabulary Changes to Support Use Cases

Adds an attribute to Privacy Policy that designates which Privacy Policy applies; this may leverage the existing HL7 vocabulary Act.code concept domain "ActPrivacyPolicyType".

Proposed vocabulary includes:
• ActPrivacyLaw, with example codes, e.g., 42 CFR Part 2 and HIPAA
• Sensitivity, defined as policies shared by a policy domain relating to the sensitivity of information
  • Leverages ISO 7498-2:1989 definitions for Confidentiality and Sensitivity
  • Example codes from ConfidentialityModifiers and ConfidentialityByInfoType, plus proposed codes for gaps discovered in use cases, such as Sensitive Service Provider and Employee

Page 11: Relocated Sensitive Information Codes

• Relocates Sensitive Information Codes from ConfidentialityByInfoType and ConfidentialityModifiers to the ActPrivacyPolicyType value set
• No impact on earlier models, which will continue to reference the current Confidentiality Code System
• No impact on CDA, which only uses Normal, Restricted, and Very Restricted
• Future models that use ActPrivacyPolicyType codes can target classes with a Comply relationship to an ActClassPolicy

Page 12: Refactored Confidentiality Codes

Lvl-Typ: 0-A (head code with a code-defined value set)
Concept Code: _Confidentiality

Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO 7498-2:1989]

Description: The codes in the Confidentiality code system are values that prevent the unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.

A confidentiality code is assigned by an information sender (per policies intended by the custodian) and conveys the receiver's obligation to ensure that the information is not made available or redisclosed to unauthorized individuals, entities, or processes (security principals). The receiver may only grant authorized principals access to the minimum necessary information for the purpose of use intended by the sender, and must limit principals' permissions to the approved operations on the information object.

Page 13: Refactored Confidentiality Codes

All six codes are leaf codes (Lvl 1-L) under the _Confidentiality head code. Concept code, print name and definition:

U (unrestricted): Metadata indicating that there are no receiver responsibilities to comply with the sender's information policy.

L (low): Metadata indicating the receiver's responsibility to comply with the sender's de-identified information policy, which specifies authorized principals, permissions, and purpose of use.

M (moderate): Metadata indicating the receiver's responsibility to comply with an information subject's authorization-to-disclose agreement, which specifies authorized principals, permissions, and purpose of use.

N (normal): Metadata indicating the receiver's responsibility to comply with the sender's applicable jurisdictional privacy policy, which specifies authorized principals, permissions, and purpose of use.

R (restricted): Metadata indicating the receiver's responsibility to access and comply with the information subject's consent directives, default consent rules, or a sender's organizational privacy policies that are more stringent than jurisdictional privacy policies, which specify restrictions on authorized principals, permissions, and purpose of use. May be preempted by jurisdictional law, e.g., for public health reporting or emergency treatment.

V (very restricted): Metadata indicating the receiver's responsibility to comply with the sender's or another authority's policy for highly sensitive information, which specifies restrictions on authorized principals, permissions, and purpose of use.
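The table above defines each code by the policy a receiver must consult, and page 8 shows codes and licenses applied at header, section and entry level. The Python below is an added example, not part of this deck or of any HL7 artifact, of a receiver-side decision point built on those two ideas: it resolves the effective code of each section and entry, asks a Policy Information Point for the one policy that code designates (page 4), and returns the minimum-necessary set of paths a principal may receive. Assumptions, none of them stated by the deck as such: the codes are ranked U < L < M < N < R < V, following the deck's own placement of a disclosure authorization (M) below the jurisdictional default (N) and a consent directive (R) above it; a section or entry inherits the code above it and may only tighten it; and the policy contents in `PIP`, the `Request` fields and `SAMPLE_DOCUMENT` are constructed toy data.

```python
from dataclasses import dataclass

# Codes ranked least to most restrictive (assumption derived from pages 4 and 13:
# M is a subject's authorization, less restrictive than the jurisdictional default N;
# R is a consent directive or organizational policy stricter than N; V is highly sensitive).
ORDER = ["U", "L", "M", "N", "R", "V"]
RANK = {code: i for i, code in enumerate(ORDER)}

# The policy the receiver's PIP must hand to its PDP for each code (page 13 definitions).
POLICY_SOURCE = {
    "U": "none",
    "L": "sender's de-identified information policy",
    "M": "information subject's authorization to disclose",
    "N": "sender's jurisdictional privacy policy",
    "R": "consent directive or organizational policy stricter than jurisdiction",
    "V": "sender's or other authority's highly-sensitive-information policy",
}

# Purposes for which jurisdictional law preempts a consent directive (page 13, code R).
PREEMPTING_PURPOSES = {"public-health-reporting", "emergency-treatment"}
TPO = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class Request:
    role: str
    purpose: str
    current_care_relationship: bool = False
    named_in_authorization: bool = False   # principal listed in the subject's authorization
    privacy_officer_grant: bool = False    # explicit grant by the record holder's privacy officer


# Constructed PIP: toy policy content keyed by code. The point is that the PDP consults
# only the policy the code designates; real policy content is far richer than this.
PIP = {
    "U": lambda r: True,
    "L": lambda r: r.purpose in {"research", "quality-measurement"},
    "M": lambda r: r.named_in_authorization,
    "N": lambda r: r.purpose in PREEMPTING_PURPOSES
                   or (r.role in {"physician", "nurse", "billing"} and r.purpose in TPO),
    "R": lambda r: r.purpose in PREEMPTING_PURPOSES
                   or (r.role in {"physician", "nurse"} and r.current_care_relationship
                       and r.purpose == "treatment"),
    "V": lambda r: r.privacy_officer_grant and r.role == "physician"
                   and r.current_care_relationship,
}

# Constructed sample document: a header code plus optional codes on sections and entries.
SAMPLE_DOCUMENT = {
    "header": "N",
    "sections": [
        {"title": "Encounter"},                       # inherits N from the header
        {"title": "Medication", "code": "N"},
        {"title": "Problem", "code": "R"},            # a consent directive applies here
        {"title": "Lab", "code": "N", "entries": [
            {"id": "result-1"},                       # inherits N
            {"id": "result-2", "code": "V"},          # highly sensitive entry
        ]},
    ],
}


def effective(inherited, own):
    """A section or entry inherits the code above it and may only tighten it (assumption)."""
    if own is None or RANK[own] <= RANK[inherited]:
        return inherited
    return own


def _verdict(code, request):
    permitted = PIP[code](request)
    return (code, POLICY_SOURCE[code], "permit" if permitted else "deny")


def decide(document, request):
    """Map each section and entry path to (effective code, policy consulted, verdict)."""
    decisions = {}
    for sec in document["sections"]:
        sec_code = effective(document["header"], sec.get("code"))
        decisions[sec["title"]] = _verdict(sec_code, request)
        for entry in sec.get("entries", []):
            entry_code = effective(sec_code, entry.get("code"))
            decisions[f"{sec['title']}/{entry['id']}"] = _verdict(entry_code, request)
    return decisions


def released(document, request):
    """Minimum-necessary view: the paths this principal may actually receive."""
    return [path for path, (_, _, verdict) in decide(document, request).items()
            if verdict == "permit"]


if __name__ == "__main__":
    for who in (Request("physician", "treatment", current_care_relationship=True),
                Request("billing", "payment"),
                Request("epidemiologist", "public-health-reporting"),
                Request("researcher", "research")):
        print(f"{who.role:>13} / {who.purpose:<23} -> {released(SAMPLE_DOCUMENT, who)}")
```

Two behaviours are worth noticing when running it. A billing clerk with a payment purpose clears the N sections but is stopped at the R section, because the consent directive, not the jurisdictional policy, is what the R code tells the receiver to consult. A public health reporter with no role in any policy is admitted to the R section anyway, since the R definition says jurisdictional law may preempt the directive; nothing in the deck extends that preemption to V, so the very-restricted entry stays closed unless the privacy officer grant is present.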

Page 14: Proposed Refactoring

(Figure; no text was extracted.)

Page 15: Next Steps – Prepare Harmonization Proposal

Upcoming harmonization meetings:
• Harmonization Conference Call: Nov 15, 2011 to Nov 18, 2011
• Initial Proposals: submissions due 10/16/2011, midnight Eastern
• Final Proposals: submissions due 11/06/2011, midnight Eastern

Templates and examples: download the Harmonization Proposal Template/Example; view/upload proposals.

Policy and procedural excerpts: Harmonization Process Overview
<http://www.hl7.org/events/harmonization/index.cfm>

Page 16: (no text was extracted)

Page 17: Annex

• Compares Current and Proposed Vocabulary
• Provides Glossary of Terms

Page 18: Confidentiality Code System Definition

Current Definition of Confidentiality

Description: Values that control disclosure of information.
Example: Normal, restricted, substance abuse related.

New Definition of Confidentiality

Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [ISO 7498-2:1989]

Description: The codes in the Confidentiality code system are values that prevent the unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. A confidentiality code is assigned by an information sender (per policies intended by the custodian) and conveys the receiver's obligation to ensure that the information is not made available or redisclosed to unauthorized individuals, entities, or processes (security principals). The receiver may only grant authorized principals access to the minimum necessary information for the purpose of use intended by the sender, and must limit principals' permissions to the approved operations on the information object.

Page 19: Proposed & Current Confidentiality Code Definitions

All codes are leaf codes (Lvl 1-L). For each code: print name, proposed definition, current definition.

U (unrestricted)
Proposed: Metadata indicating that there are no receiver responsibilities to comply with the sender's information policy.
Current: N/A - new code

L (low)
Proposed: Metadata indicating the receiver's responsibility to comply with the sender's de-identified information policy, which specifies authorized principals, permissions, and purpose of use.
Current: No patient record item can be of low confidentiality. However, some service objects are not patient related and therefore may have low confidentiality.

M (moderate)
Proposed: Metadata indicating the receiver's responsibility to comply with an information subject's authorization-to-disclose agreement, which specifies authorized principals, permissions, and purpose of use.
Current: Normal confidentiality rules (according to good health care practice) apply; that is, only authorized individuals with a legitimate medical or business need may access this item.

N (normal)
Proposed: Metadata indicating the receiver's responsibility to comply with the sender's applicable jurisdictional privacy policy, which specifies authorized principals, permissions, and purpose of use.
Current: N/A - new code

R (restricted)
Proposed: Metadata indicating the receiver's responsibility to access and comply with the information subject's consent directives, default consent rules, or a sender's organizational privacy policies that are more stringent than jurisdictional privacy policies, which specify restrictions on authorized principals, permissions, and purpose of use. May be preempted by jurisdictional law, e.g., for public health reporting or emergency treatment.
Current: Restricted access, e.g., only to providers having a current care relationship to the patient.

V (very restricted)
Proposed: Metadata indicating the receiver's responsibility to comply with the sender's or another authority's policy for highly sensitive information, which specifies restrictions on authorized principals, permissions, and purpose of use.
Current: Very restricted access as declared by the Privacy Officer of the record holder.

Page 20: Glossary

Access Control: A system that enables an authority to control access to resources based on criteria related to role, user identification, or context.

Confidentiality: ISO 7498-2:1989 - Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Disclosure Authorization: An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization. [US government definition at HHS]

DURSA: A Data Use and Reciprocal Support Agreement (DURSA) is a multiparty legal agreement (contract) designed for lawful and secure information exchange using a set of interoperability standards and specifications within a policy domain.

Jurisdictional Law: Includes statutes, regulations, case law, and judicial authority.

Metadata: Data about data content. Does not include data about how data is stored.

Obligations: The rules for Custodians that collect, access, use, or disclose protected information, which may be conveyed by a License such as an encoded privacy law, organizational privacy policy, DURSA, privacy consent directive, or disclosure authorization.

Page 21: Glossary (continued)

Privacy: The state of being something that belongs to, concerns, or is accessible only to an individual person or a specific group.

Privacy Consent Directive: A consent directive is a record of a healthcare consumer's privacy policy, in accordance with governing jurisdictional and organizational privacy policies, that grants or withholds consent:
• To one or more identified entities in a defined role
• To perform one or more operations (e.g., collect, access, use, disclose, amend, or delete)
• On an instance or type of IIHI
• For a purpose such as treatment, payment, operations, research, public health, quality measures, health status evaluation by third parties, or marketing
• Under certain conditions, e.g., when unconscious
• For a specified time period, e.g., effective and expiration dates
• In a certain context, e.g., in an emergency
A consent directive is an instance of governing jurisdictional and organizational privacy policies, which may or may not be backed up by a signed document (paper or electronic). [HITSP TP 30]

Privacy Policy: The set of policies that an organization or party uses to collect or hide information about an end user or customer of the organization, particularly where it concerns private information.

Responsibilities: The information handling rules for Senders and Receivers for the transmission of protected information, as conveyed by Confidentiality Codes.

Sensitivity: ISO 7498-2:1989 - Sensitivity is the characteristic of a resource which implies its value or importance and may include its vulnerability.

Trust Agreements: There are two categories of trust agreements: point-to-point agreements and the multi-party Data Use and Reciprocal Support Agreement (DURSA).