Privacy and Security Workgroup, October 14, 2014: Deven McGraw, chair; Stan Crosley, co-chair


Post on 18-Dec-2015


Privacy and Security Workgroup

October 14, 2014

Deven McGraw, chair
Stan Crosley, co-chair


Agenda

• Member Introductions
• Charge
• Overview
– Structure
– Core Values
• Workplan Items
• High-level Workplan
• PSWG 2014 Schedule
• Outcomes & Impact


PSWG Overview: Membership

First Name | Last Name | Organization
Deven | McGraw | Manatt, Phelps & Phillips, LLP
Stanley | Crosley | Drinker Biddle & Reath LLP / Director, Indiana University Center for Law, Ethics and Applied Research in Health Information (CLEAR)
Deb | Bass | Nebraska Health Information Initiative
Donna | Cryer | CryerHealth
Linda | Kloss | Kloss Strategic Advisors, Ltd
David | Kotz | Dartmouth College
Gilad | Kuperman | New York-Presbyterian Hospital
Manuj | Lal | PatientPoint Enterprise
David | McCallie, Jr. | Cerner Corporation
Mark | Sugrue | Lahey Hospital & Medical Center
Micky | Tripathi | Massachusetts eHealth Collaborative
John | Wilbanks | Sage Bionetworks
Gayle | Harrell | Florida House of Representatives
Stephania | Griffin | Veterans Health Administration (VHA)
Linda | Sanches | Department of Health and Human Services Office for Civil Rights (HHS / OCR)
Kitt | Winter | Social Security Administration (SSA)
Julia | Cassidy | Office of the National Coordinator Staff Lead (ONC)
Helen | Caton-Peters | Office of the National Coordinator Staff Lead (ONC)
Kathryn | Marchesini | Office of the National Coordinator Staff Lead (ONC)


Charge

• The Privacy and Security Workgroup will provide input and make recommendations on policy issues and opportunities to ensure that information captured and exchanged electronically is protected and shared consistent with consumer needs and expectations.

• The Workgroup will proactively identify topics for recommendations and be responsive to other workgroups to address privacy and security issues that are critical to workgroup deliberations.

• Examples of issues to be considered include, but are not limited to:
– Topics to address interoperability goals/challenges
– Big Data and privacy in healthcare


PSWG Overview: Structure

The PSWG was formed in 2010

• Formerly called the Privacy and Security Tiger Team

• Objective: enable quick progress in advising ONC on critical privacy and security issues regarding the adoption of electronic health records (EHR) and health information exchange (HIE).

• See additional information on the Workgroup at: http://www.healthit.gov/facas/health-it-policy-committee/hitpc-workgroups/privacy-and-security-workgroup

• Structure (public/private membership):
– Chair / Co-Chair
– PSWG Members
– ONC (with MITRE support)


PSWG Overview: Core Values

• The relationship between the patient and his or her health care provider is the foundation for trust in health information exchange, particularly with respect to protecting the confidentiality of personal health information.

• As key agents of trust for patients, providers are responsible for maintaining the privacy and security of their patients’ records.

• We must consider patient needs and expectations. Patients should not be surprised about or harmed by collections, uses, or disclosures of their information.

• Ultimately, for health information exchange to successfully improve patient health and health care, we need to earn the trust of both consumers and physicians.


Workplan Items

• Workgroup Kick-Off
• Big Data and Privacy in Health Care
– Legal and technical challenges related to the privacy and security of big data in healthcare
– Create recommendations for a legal and technical framework that would help protect and secure data
• Federal HIT Strategic Plan
• MU3 NPRM
• Published version of Interoperability Roadmap
• Minors/Adolescents/Young Adults and Consent


High-level Workplan

Tasks | Start Date | Due Date
Workgroup Kick-Off | 10/14/2014 | 10/14/2014
Big Data and Privacy | 10/27/14 | 3/31/2015
Comment on Federal HIT Strategic Plan TBD | TBD-Q4/Q1 | TBD-Q4/Q1
Comment on MU3 NPRM TBD | TBD - Q1 | TBD - Q1
Comment on published version of Interoperability Roadmap TBD | TBD - Q1 | TBD - Q1
Minors/Adolescents/Young Adults and Consent | 4/1/2015 | 6/30/2015

[Timeline chart columns: Oct-14, Nov-14, Dec-14, Jan-15, Feb-15, Mar-15, Apr-15, May-15, Jun-15]


Privacy and Security Workgroup 2014 Schedule

Meetings and tasks:

October 14, 2014
• Review charge, introduce members
• Workplan review

October 15, 2014 (Joint HITPC/HITSC Meeting)
• Discussion of the interoperability roadmap

October 27, 2014
• Summary of interoperability roadmap briefing from 10/15/14
• Introduce topic: big data and privacy in health care

November 10, 2014
• Big data and privacy in health care

November 24, 2014
• Big data and privacy in health care

December 2, 2014 (HITPC Meeting)
• Interoperability roadmap recommendations to HITPC

December 8, 2014
• Big data and privacy in health care
• Transition to comment on Federal HIT Strategic Plan TBD

December 15, 2014
• Big data and privacy in health care
• Comment on Federal HIT Strategic Plan TBD


Outcomes & Impact: Sample Implementation in Policy and Technical Assistance

HITPC recommendation: Include in MU Stage 1 requirement that eligible professionals and hospitals conduct a security risk assessment under HIPAA. ONC should provide appropriate guidance.

ONC releases Security Risk Assessment Tool to Regional Extension Centers (RECs) providing technical assistance to professionals.

July 2010

HHS releases final MU Stage 1 Rule requiring professionals and hospitals to attest to conducting or reviewing security risk assessment in order to receive payment.


Outcomes & Impact: Influence ONC Program Guidance

• Program Guidance examples include:
– State Health Information Exchange (HIE) – Program Information Notice (PIN) - 002: Requirements and Recommendations
– HIE – PIN – 003: Privacy and Security Framework Requirements


Outcomes & Impact: ONC Projects Influenced by Recommendations

• Data Segmentation for Privacy (DS4P)*
• eConsent Trial Project*
• Mobile Device Provider Education
• Notice of Privacy Practices (NPP) Project*
• Provider and Staff Security Video Games*
• mHealth Consumer/Patient Research
• Exemplar Health Information Exchange Governance Entities Program (Program) Funding Opportunity
• The Query Health Initiative
• The Direct Project
• Blue Button FAQS*
• Data Provenance

*Indicates project was initiated in direct response to PSWG recommendations.