Download - HIT Standards Committee
HIT Standards CommitteeHIT Standards CommitteePrivacy and Security Workgroup: Privacy and Security Workgroup: Update
Dixie Baker, SAICSteve Findlay, Consumers Union
March 24, 2009
2
Privacy and Security Workgroup Members
• Dixie Baker, SAIC• Anne Castro, BlueCross BlueShield of South Carolina• Aneesh Chopra, Federal Chief Technology Officer• Ed Larsen, HITSP• David McCallie, Cerner Corporation• John Moehrke, HITSP• Steve Findlay, Consumers Union• Gina Perez, Delaware Health Information Network• Wes Rishel, Gartner • Walter Suarez, Kaiser Permanente• Sharon Terry, Genetic Alliance
3
Progress
• Updated IFR Review to incorporate comments from the HIT Standards Committee – submitted to HITSC Chairs
• Supporting HIT Policy Committee’s Privacy and Security Policy Workgroup, and aligning our standards efforts to their priorities– Consent management– Review of existing security policy inherent in HIPAA Security
Rule
• Launching educational sessions on standards activities around consent management
4
Consumer Health Permissions
• Privacy Consent (or Consent Directive) – Consumer’s written or verbal permission to collect, use, and/or disclose individually identifiable health information (IIHI)
• Privacy Authorization – A signed, written document that contains all of the elements required by the HIPAA Privacy Rule and that gives a covered entity permission to use or disclose specified IIHI for specified purposes
• Informed Consent – Consumer’s written permission to perform a specific medical procedure, or to participate in a specific research study or clinical trial, that is given only after the consumer has been fully informed of the purposes, risks, benefits, confidentiality protections, and other relevant aspects of the activity
Consent Management Today
Consumer permissions captured as manual signature on paper form
Paper forms filed in each organization who holds consumer’s private health information
5
Consent/AuthorizationConsent/Authorization
Consent Management Tomorrow
6
Rules inexorably tied to information exchanged – updates propagated to all data instances throughout life cycle
Permissions cross-validated & translated into consent rules enforced by security access control mechanisms
Consent Rule 1
Consent Rule 2
Consent Rule n
...Chris’ EHR
Permissions and updates captured as part of health record
Permissions interpretable by humans & computers
Consent/AuthorizationConsent/Authorization
Consumer digitally signs consent or authorization
Standards Needed Consent Rule 1
Consent Rule 2
Consent Rule n
...Chris’ EHR
Consent/AuthorizationConsent/Authorization
• Digital signatures
• Privacy policies• Data model & schema• Permission syntax & vocabulary
• Cross-validation of consumer permissions
• Maintaining and retrieving permissions
• Translating permissions into access-control rules
• Enforcement and auditing of permission-related activities
• Exchanging permissions & access rules
• Propagating permission revocations & modifications
7
Educational Sessions re Standardardization Efforts Relating to Consent Management
• April 1, 2:00-4:00pm ET: Organization for the Advancement of Structured Information Standards (OASIS) / International Security Trust and Privacy Alliance (ISTPA) Privacy Management Reference Model (PMRM); Speakers – John Sabo, Michael Willett
• April 23, 2:00-4:00pm ET: Integrating the Healthcare Enterprise (IHE) Basic Patient Privacy Consents (BPPC) Profile; Speaker – John Moehrke
• [Schedule TBD]: Health Level 7 (HL7) Version 3 Domain Analysis Model: Medical Records; Composite Privacy Consent Directive – Speaker (TBD)
• [Schedule TBD]: OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) and eXtensible Access Control Markup Language (XACML) – Speaker (TBD)
8