
North Carolina Health Information Exchange
Legal/Policy Workgroup: Security Subcommittee Meeting

Date: June 8, 2010
Time: 11:30 am – 1:30 pm
Location: NC Institute of Medicine (http://www.nciom.org/about/Directions.shtml)
Dial in: 1-866-922-3257, Participant Code: 654 032 36#

Agenda

Topic | Leads | Time
Roll Call and Objectives | Co-Chairs | 11:30 – 11:45
Update on NC Legal Analysis Process | Jill Moore | 11:45 – 12:00
Discussion of Threshold Issues for Security Subcommittee (Goal: Agreement on Scope of Key Issues) | Co-Chairs & Manatt | 12:00 – 1:30

Select HHS Privacy and Security Framework Principles [1][2]

• Openness and Transparency - There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.

• Individual Choice - Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.

• Collection, Use and Disclosure Limitation - Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.

• Individual Access - Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.

• Correction - Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.

[1] In creating the HHS Privacy and Security Framework Principles, ONC relied on the Markle Foundation’s core principles for a networked environment, among other available privacy and security principles. See “The Architecture for Privacy in a Networked Environment.” Markle Connecting for Health Common Framework.

[2] “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.” U.S. Department of Health and Human Services. December 15, 2008.


Markle Foundation Connecting for Health Common Framework: Resources for Implementing Private and Secure HIE


Authorization, Authentication, Access, Audit, & Breach

• Authorization: The process of determining whether a particular individual has the right to access PHI through an HIE. Authorization is usually based on role-based access standards that take into account an individual’s job function and the information needed to successfully carry out a role. Authorization policies generally set forth minimum requirements that HIE participants should follow when establishing role-based access standards and authorizing individuals to access information through the HIE.

• Authentication: The process of verifying that an individual who has been authorized and is seeking to access information via an HIE is who he or she claims to be. Authentication policies represent an important technical security safeguard for protecting a patient’s information from various internal and external risks, including unauthorized access. Authentication policies generally set forth minimum requirements that HIE participants should follow when authenticating individuals prior to allowing them to access information through the HIE.

• Access: Access controls govern when and how a patient’s information may be accessed by HIE participants. Access policies generally set forth minimum behavioral controls HIE participants should implement to ensure that: 1.) only Authorized Users access information; and 2.) they do so only in accordance with patient consent and with other requirements that limit their access to specified information (e.g., that which is relevant to a patient’s treatment).

• Audits: Audits are oversight tools for recording and examining access to information (e.g., who accessed what data and when) and are necessary for verifying compliance with access controls developed to prevent/limit inappropriate access to information. Audit policies generally set forth minimum requirements that HIE participants should follow when logging and auditing access to health information through the HIE.

• Breach: Breach policies are designed to hold HIE participants accountable to certain behavioral standards when privacy violations occur. Breach policies generally set forth minimum standards that HIE participants should follow in the event of a breach of PHI through the HIE, assure patients of the HIE’s commitment to privacy, and mitigate any harm that privacy violations may cause.

Issues to Consider

Key Decision Points: Authorization

• Should the policies & procedures require the use of role-based access standards by local or community HIEs and/or participants?

  • Who should set these standards? HIEs or participants?

  • What should they be?

  • How often should they be updated?

Key Decision Points: Access

• Should the policies & procedures established through a statewide North Carolina HIE specify who (local or community HIE or participant) should assign unique IDs and/or how often they should be updated? If so, how?

• Should the policies & procedures specify who should maintain them? If so, how?

• Should the policies & procedures require training for Authorized Users?

  • What should it entail?

  • Who should perform it?

• Should the policies & procedures established through a statewide HIE in North Carolina require that authorized users sign acknowledgements of local or community HIE policies and procedures related to access?

Key Decision Points: Access, Cont’d

• Should the policies & procedures establish minimum standards for disabling authorized users’ access to health information after inappropriate access?

  • What should they be?

• Should the policies & procedures establish common policies and procedures for terminating a logged-in authorized user’s session due to inactivity?

  • What should they be?

Key Decision Points: Authentication

• What should the policies & procedures established through a statewide HIE in North Carolina require as the minimum authentication assurance level?

• Should the policies & procedures mandate use of minimum technologies to support those assurance levels?

  • See federal authentication assurance levels

• Should the policies & procedures established through a statewide HIE in North Carolina require/allow use of more stringent authentication policies and procedures for sensitive information?

Key Decision Points: Audits

• Should the policies & procedures established through a statewide HIE in North Carolina require audits, and by whom should they be conducted?

• Should the policies & procedures specify what should be tracked?

  • How often?

• Should the policies and procedures require audit findings be made publicly available?

• Should the policies and procedures require a minimum level of audit log (e.g. immutable logs?) or minimum time periods for producing audit logs?

• Should the policies and procedures require minimum procedures related to consumer access?

  • What should they be?

Key Decision Points: Breach

• What should the minimum standards be for:

  • Alerting participant organizations of situations where patients’ information may have been inappropriately accessed?

  • Alerting patients of situations where their information may have been inappropriately accessed?

  • Mitigating the impact of inappropriate access of patient information? If so, how?

  • Jointly investigating situations where patients’ health information may have been inappropriately accessed?

• Who should have responsibility for the above? Local or community HIEs? Participants?

• Should the policies & procedures establish common sanction policies to address situations when individuals violate the policies and procedures for accessing patient information through a local or community HIE?

  • What should they be?


Levels of Risk According to the Feds – Authentication Services Needed to Balance Risk & Cost

Non-Healthcare Identity Proofing Examples

Annual Credit Report

• Initial Set of Identity Information Collected: Legal Name; SSN; Date of Birth; Mailing Address; Residency More than 2 Years?

• Additional Set of Identity Information Collected (Personal Questions*): Mortgage provider? Mortgage amount? Car loan provider? Car loan amount?

• Method Used to Verify Identity Information: Third Party Source Verification and Knowledge Based Authentication

• Account Activation Method: Immediate

• Authentication Credential: Credit report number provided by credit agency, along with State, Zip Code and SSN

Capital One

• Initial Set of Identity Information Collected: Legal Name; Citizenship; SSN; Date of Birth; Driver’s License/State ID #; Email Address; Mailing Address; Phone Number; Residency More than 2 Years?

• Additional Set of Identity Information Collected (Personal Questions*): Car loan provider? Car loan term? Personal loan provider? Personal loan amount? Credit card provider?

• Method Used to Verify Identity Information: Third Party Source Verification and Knowledge Based Authentication

• Account Activation Method: Log back in with account information, SSN and email address to establish on-line account access; also required to provide 3 security answers for customer support.

• Authentication Credential: Username/password

HSBC Direct

• Initial Set of Identity Information Collected: Legal Name; Citizenship; SSN; Date of Birth; Driver’s License/State ID #; Email Address; Mailing Address; Phone Number; Residency More than 2 Years?

• Additional Set of Identity Information Collected (Personal Questions*): Student loan provider? Student loan amount? Car loan provider? Car loan amount? Credit card provider?

• Method Used to Verify Identity Information: Third Party Source Verification and Knowledge Based Authentication

• Account Activation Method: Log back in with account information and SSN to establish on-line account access.

• Authentication Credential: Username/password

* Personal questions are geared toward the applicant based on their verified credit information. Verified credit information is determined from the initial set of identity information collected from the applicant.

New HITECH Breach Notification Requirements

• Effective September 23, 2009, a CE must, following the discovery of a breach of protected health information, notify each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach. [1]

• Only unauthorized acquisition, use or disclosure that poses a significant risk for financial, reputational, or other harm to the individual is considered a breach.

• A BA must, following the discovery of a breach of PHI, notify the CE of such breach and provide required information to the CE.

What counts as a breach (the slide’s diagram, in list form):

Breach: Unauthorized acquisition, access, use or disclosure of PHI that compromises privacy or security

But not:

• Unintentional access by an authorized person, if in good faith and not re-disclosed in a manner not permitted under the Privacy Rule

• Inadvertent disclosure from one authorized individual to another at the same CE, BA or arrangement

And not if:

• There is a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI

[1] Only breaches of “unsecured” PHI (e.g. PHI that is not encrypted or has not been destroyed in accordance with guidance issued by HHS at 74 Fed. Reg. 19006-19010) trigger the breach notification requirement.

HITECH Breach Notification Requirements

Timeliness of Notification

When must CEs provide notice of a breach? Without unreasonable delay, but in no case later than 60 calendar days from the time the CE discovered the breach or should have discovered the breach using reasonable diligence.

Breaches are treated as discovered by a CE or BA as of the first day on which such breach is known to the CE or BA, respectively (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of the entity or associate), or should reasonably have been known to the CE or BA to have occurred.

Content of Notification

What must CEs include in the notification? A description of what happened; the type of unsecured PHI involved; the steps the CE recommends the individual take to protect himself or herself; a description of what the CE is doing to investigate, mitigate and protect against future similar breaches; contact information for the individual to communicate with the CE; and any sanctions imposed on workforce members involved.

Recipients of Notification

Who must be notified? Requires that notice be provided to each individual whose unsecured PHI has been, or is reasonably believed by the CE (or BA as applicable) to have been, accessed, acquired, used or disclosed as a result of a breach.

Requires that notice be provided to media outlets and the Secretary of HHS when breaches are suspected to involve more than 500 residents of a particular state or jurisdiction. Also requires annual notice to the Secretary of HHS of breaches with fewer than 500 subjects.

Directs the Secretary to post a list of CEs involved in breaches involving more than 500 individuals on the HHS website.

Method of Notification

How must CEs provide notification? Via first-class mail, or email if the individual has agreed to email, to the individual's last known address. Substitute notice may be provided in certain circumstances.
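The breach definition, its exceptions and the notification rows above, encoded as an added Python example (not part of the presentation): an incident responder records the facts of an incident, and the functions return whether the slides' rule treats it as a reportable breach of unsecured PHI, who must be notified and the 60-day deadline. The Incident schema and the sample incidents are constructed for illustration and simplify the rule to what the slides state.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Tuple

# Thresholds exactly as the slides state them.
NOTIFY_WITHIN_DAYS = 60       # "in no case later than 60 calendar days" after discovery
LARGE_BREACH_THRESHOLD = 500  # "more than 500 residents of a particular state"


@dataclass
class Incident:
    """Facts recorded about a suspected PHI incident (constructed schema, not from the slides)."""
    discovered: date                 # first day the breach was known or should have been known
    discovered_by: str               # "CE" (covered entity) or "BA" (business associate)
    phi_unsecured: bool              # True unless encrypted/destroyed per HHS guidance
    unauthorized: bool               # acquisition, access, use or disclosure was not permitted
    significant_risk_of_harm: bool   # financial, reputational or other harm to the individual
    # Exceptions from the slide's diagram; all default to "does not apply".
    unintentional_good_faith_by_authorized: bool = False
    redisclosed_impermissibly: bool = False
    inadvertent_within_same_entity: bool = False
    recipient_could_not_retain: bool = False
    residents_by_state: Dict[str, int] = field(default_factory=dict)


def classify(inc: Incident) -> Tuple[bool, str]:
    """Apply the slide's breach definition and its three exceptions, in order."""
    if not inc.phi_unsecured:
        return False, "PHI was secured (encrypted or destroyed): notification rule not triggered"
    if not inc.unauthorized:
        return False, "no unauthorized acquisition, access, use or disclosure"
    if not inc.significant_risk_of_harm:
        return False, "no significant risk of financial, reputational or other harm"
    if inc.unintentional_good_faith_by_authorized and not inc.redisclosed_impermissibly:
        return False, "exception: unintentional good-faith access by an authorized person"
    if inc.inadvertent_within_same_entity:
        return False, "exception: inadvertent disclosure between authorized individuals at the same CE/BA"
    if inc.recipient_could_not_retain:
        return False, "exception: good-faith belief the recipient could not reasonably retain the PHI"
    return True, "reportable breach of unsecured PHI"


def notification_plan(inc: Incident) -> dict:
    """Recipients and deadline per the Timeliness and Recipients rows of the slide."""
    reportable, reason = classify(inc)
    plan = {"reportable": reportable, "reason": reason, "recipients": [], "deadline": None}
    if not reportable:
        return plan
    plan["deadline"] = inc.discovered + timedelta(days=NOTIFY_WITHIN_DAYS)
    if inc.discovered_by == "BA":
        plan["recipients"].append("the covered entity (a BA must notify the CE)")
    plan["recipients"].append("each affected individual (first-class mail, or email if agreed)")
    # Media notice is per state/jurisdiction with more than 500 affected residents.
    large = sorted(s for s, n in inc.residents_by_state.items() if n > LARGE_BREACH_THRESHOLD)
    if large:
        plan["recipients"].append("media outlets in: " + ", ".join(large))
        plan["recipients"].append("Secretary of HHS (CE is posted on the HHS website)")
    else:
        plan["recipients"].append("Secretary of HHS (annual notice of breaches under 500)")
    return plan


def sample_incidents() -> Dict[str, Incident]:
    """Constructed incidents for illustration; none describes a real event."""
    return {
        "stolen_unencrypted_laptop": Incident(date(2010, 6, 1), "CE", True, True, True,
                                              residents_by_state={"NC": 620, "SC": 12}),
        "stolen_encrypted_laptop": Incident(date(2010, 6, 1), "CE", False, True, True,
                                            residents_by_state={"NC": 620}),
        "clinician_opens_wrong_chart": Incident(date(2010, 6, 1), "CE", True, True, True,
                                                unintentional_good_faith_by_authorized=True),
        "vendor_misdirected_fax": Incident(date(2010, 6, 1), "BA", True, True, True,
                                           residents_by_state={"NC": 40}),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        plan = notification_plan(inc)
        print(name, plan["reportable"], plan["deadline"], plan["reason"])
        for recipient in plan["recipients"]:
            print("   notify:", recipient)
```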

Meaningful Use and Security: ONC Interim Final Rule with Comment (Jan 2010)

MU Outcome: Ensure adequate privacy and security protections for personal health information

MU Stage 1 Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities

MU Stage 1 Measure: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary

MU Stage 1 Reporting: Attestation that a risk analysis was conducted or reviewed

Certification Criteria to Support the Achievement of MU Stage 1 for EHRs Adopted by EPs or EHs:

1. Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

2. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.

3. Terminate an electronic session after a predetermined time of inactivity.

4. Encrypt and decrypt electronic health information according to user-defined preferences (e.g., backups, removable media, at log-on/off) in accordance with specified standards.

5. Encrypt and decrypt electronic health information when exchanged in accordance with the specified standards.

6. Record actions (e.g., deletion) related to electronic health information in accordance with specified standards (i.e., audit log), provide alerts based on user-defined events, and electronically display and print all or a specified set of recorded information upon request or at a set period of time.

7. Verify that electronic health information has not been altered in transit and detect the alteration and deletion of electronic health information and audit logs in accordance with the specified standards.

8. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.

9. Verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information in accordance with specified standards.

10. Record disclosures made for treatment, payment, and health care operations in accordance with specified standards.

Possible Subcommittee Next Steps for Discussion

• Triage issues to move toward consensus recommendations with respect to the framework by August 2010, versus those for which to establish a process to address in the next 12 months?

• Identify barriers to be addressed?

• Analysis of how various NC HIEs approach security?

• Scan of data security laws (slated for Legal Subcommittee in late June 2010)?

Security Subcommittee Threshold Issues

Threshold Issue | Consensus Recommendations | Unresolved Questions
Authorization | |
Authentication | |
Access | |
Audit | |
Breach | |

Appendix

Privacy & Security – Threshold Issues Must Be Agreed Upon to Develop Statewide Privacy and Security Policies

Issue 1: Statewide Collaboration

Background: Privacy & security policies must be informed by the viewpoints and experiences of all of those who will be subject to their regulation.

Threshold Decision: Agreement that a collaborative governance process involving broad stakeholder representation is required to resolve these threshold issues and other, less foundational, though no less important issues.

Implication: Without a statewide, collaborative process in place that includes the right stakeholders and is funded appropriately, it may not be possible to develop statewide privacy & security policies.

Issue 2: Scope

Background: While HIPAA does not require consent for treatment and other specific uses of health information, it is important to remember that HIPAA was written in the context of a one-to-one health information exchange environment. An interoperable health system facilitates a many-to-many information exchange relationship that, some believe, may demand new approaches for protecting privacy and security. Many-to-many exchange allows health care providers to reach out to large networks of clinicians and providers to obtain health information and use it in patient care.

Threshold Decision: Agreement as to whether or not any new statewide privacy and security policies should be applied only to HIE occurring through a statewide health information network and not to existing one-to-one exchanges.

Implication: Decisions about the level of protection afforded to health information exchanged in NC should only be contemplated after this threshold decision is made.

Threshold Privacy & Security Issues (Continued)

Issue 3: Policy Interoperability

Background: Statewide policies are necessary to obtain patient trust and ensure interoperability. To protect privacy & security, policies must be enforced at the state level and cannot be set locally by different HIE projects.

Threshold Decision: Agreement as to whether or not all participants in statewide HIE will be required to abide by the privacy & security policies under development and whether a statewide enforcement mechanism will be in place to ensure compliance.

Implication: Statewide policies related to privacy & security that must be followed by all providers exchanging information in NC will have a significant impact on any technical specifications imposed to ensure interoperability throughout the state.

Issue 4: Compliance with Existing Law

Background: Federal and state laws may, for instance, require special protections be granted to certain classes of information (e.g. laws requiring consent for disclosure of records of federally-assisted substance abuse centers).

Threshold Decision: Agreement as to whether or not statewide privacy and security policies will be adopted in compliance with existing law or whether changes in existing law will be sought. Further agreement that NC state government will bless any statewide policies developed as compliant with existing law so as to ensure HIE participants are not subject to liability as a result of following policy.

Implication: A decision to adopt policies in compliance with existing law will impose certain limitations that must be accepted.

Threshold Privacy & Security Issues (Continued)

Issue 5: Baseline Access Principle(s)

Background: Owing to sensitivity related to certain types of Protected Health Information (e.g. information related to minors, HIV/AIDS status, mental health, substance abuse and genetic testing), some HIEs may choose to filter, or treat specially, such information from exchange.

Threshold Decision: Agreement as to whether those involved in health information exchange will be required/allowed to filter certain types of sensitive health information.

Implication: A decision to require/allow for filtering of certain types of Protected Health Information will necessitate development of specialized policies and technical capabilities.

Issue 6: Baseline Consent Principle(s)

Background: In order to ensure that Protected Health Information is available and ready for sharing when a provider seeks to access it through a health information exchange, information may be uploaded to an HIE or otherwise be made available in advance of the provider request.

Threshold Decision: Agreement as to whether consent will be required in order to ready information for exchange by uploading it to an HIE.

Implication: How this decision is addressed will impact the availability of data and the general utility of the exchange.

Analytic Framework: RHIO – Core Components

Core Component | RHIO
Nature of participants | Multi-stakeholder & All Consumers
Purpose of exchange/Mission | Improve quality, safety, efficiency of care
Type of information exchanged | Clinical data
How information is exchanged | Protocols, standards and services
Scope of services | Privacy, security, authentication, authorization, access, and auditing policies
Governance | Transparent policy framework, inclusive decision making process
Consumer Access | Provisions for ensuring consumer access to and control of data

For What Purposes May Information Available through NC’s Statewide HIE Be Used?

Candidate uses shown on the slide: Treatment; Provider-based quality improvement; Payer-based care management; Public health; Research; Marketing; Law enforcement; Others?

Open questions from the slide: Level 1 Uses? Level 2 Uses? Additional Levels?

Potential Definitions of Uses of Information

Treatment

• The provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party. A third party is an entity with whom a health care provider has a contractual relationship related to the provision, coordination or management of health care and related services for a consumer. Under this contractual relationship, the health care provider must ensure that the contracted entity adheres to new consent policies and procedures;

• Consultation between health care providers regarding a patient; and

• The referral of a patient from one health care provider to another.

Provider-based quality improvement

Activities by a provider and/or its contracted entities that include:

• Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination; and

• Disease management, which can include a range of activities that involve the provider-controlled exchange of consumer health information with third parties with whom the provider has a contractual relationship related to the provision, coordination or management of health care and related services for a consumer.

• Third party entities may include health plans.

(Source: Modified from HIPAA)

Potential Definitions of Uses of Information

Research

• A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

(Source: HIPAA)

Marketing

• Any communication about a product or service that encourages recipients to purchase or use the product or service. [1]

• An arrangement whereby an RHIO participant and another entity discloses consumer health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services. [2]

(Source: Modified from HIPAA)

Payer-based care management

Activities by a health plan that include:

• Conducting case management and care coordination; and

• Disease management, which can include a range of activities through which the health plan has direct access to patient-identifiable clinical data without the provider serving as an intermediary.

(Source: Modified from HIPAA)

[1][2] The HIPAA Privacy Rule contains a number of exceptions to marketing that do not require patient authorization. HITECH Section 13406 amended HIPAA such that if a Covered Entity is paid by an outside entity to send a communication to a patient, the communication is deemed to be marketing and requires prior authorization from the patient – even if that communication falls into one of the current exceptions to the definition in the Privacy Rule.

Potential Definitions of Uses of Information

Law enforcement

• Consistent with applicable provisions of HIPAA:

  – Disclosure to a law enforcement official as required by law, including laws that require the reporting of certain types of wounds or other physical injuries.

  – Disclosure in response to a law enforcement official’s request for PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.

  – Disclosure in response to a law enforcement official’s request for PHI about an individual who is or is suspected to be a victim of a crime.

• Other types of disclosures as allowed under HIPAA and state law.

(Source: HIPAA)

Public health

• Disclosure to a public health authority authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. (Source: Modified from HIPAA)

• Other types of public health disclosures as allowed under HIPAA and state law.