
HIT Standards Committee

Privacy and Security Workgroup: Update. Dixie Baker (SAIC) and Steve Findlay (Consumers Union), March 24, 2009.


Presentation Transcript


  1. HIT Standards Committee
     Privacy and Security Workgroup: Update
     Dixie Baker, SAIC
     Steve Findlay, Consumers Union
     March 24, 2009

  2. Privacy and Security Workgroup Members
     • Dixie Baker, SAIC
     • Anne Castro, BlueCross BlueShield of South Carolina
     • Aneesh Chopra, Federal Chief Technology Officer
     • Ed Larsen, HITSP
     • David McCallie, Cerner Corporation
     • John Moehrke, HITSP
     • Steve Findlay, Consumers Union
     • Gina Perez, Delaware Health Information Network
     • Wes Rishel, Gartner
     • Walter Suarez, Kaiser Permanente
     • Sharon Terry, Genetic Alliance

  3. Progress
     • Updated IFR Review to incorporate comments from the HIT Standards Committee – submitted to HITSC Chairs
     • Supporting HIT Policy Committee’s Privacy and Security Policy Workgroup, and aligning our standards efforts to their priorities
       - Consent management
       - Review of existing security policy inherent in HIPAA Security Rule
     • Launching educational sessions on standards activities around consent management

  4. Consumer Health Permissions
     • Privacy Consent (or Consent Directive) – Consumer’s written or verbal permission to collect, use, and/or disclose individually identifiable health information (IIHI)
     • Privacy Authorization – A signed, written document that contains all of the elements required by the HIPAA Privacy Rule and that gives a covered entity permission to use or disclose specified IIHI for specified purposes
     • Informed Consent – Consumer’s written permission to perform a specific medical procedure, or to participate in a specific research study or clinical trial, that is given only after the consumer has been fully informed of the purposes, risks, benefits, confidentiality protections, and other relevant aspects of the activity

  5. Consent Management Today
     • Consumer permissions captured as a manual signature on a paper form
     • Paper forms filed in each organization that holds the consumer’s private health information
     [Figure: paper Consent/Authorization form]

  6. Consent Management Tomorrow
     • Permissions and updates captured as part of the health record
     • Permissions interpretable by humans & computers
     • Consumer digitally signs consent or authorization
     • Permissions cross-validated & translated into consent rules enforced by security access control mechanisms
     • Rules inexorably tied to information exchanged – updates propagated to all data instances throughout the life cycle
     [Figure: signed Consent/Authorization feeding Chris’ EHR, which carries Consent Rule 1, Consent Rule 2, . . . Consent Rule n]

  7. Standards Needed
     • Privacy policies
     • Data model & schema
     • Permission syntax & vocabulary
     • Digital signatures
     • Cross-validation of consumer permissions
     • Maintaining and retrieving permissions
     • Translating permissions into access-control rules
     • Enforcement and auditing of permission-related activities
     • Exchanging permissions & access rules
     • Propagating permission revocations & modifications
     [Figure: same diagram as slide 6 – Consent/Authorization feeding Chris’ EHR with Consent Rule 1 . . . Consent Rule n]
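The flow sketched in slides 6 and 7 (a consumer-signed consent directive that is cross-validated, translated into a machine-enforceable consent rule, enforced at access time, and revoked once for every data instance that references it) as an added toy model in Python. This is illustration code, not part of the presentation or any of the standards it names; the directive schema, the class and field names, and the use of HMAC as a stand-in for the consumer's digital signature are all assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass

@dataclass(frozen=True)
class ConsentDirective:
    directive_id: str
    consumer: str
    grantee: str            # organization permitted to use/disclose the data
    purposes: frozenset     # e.g. frozenset({"treatment"})
    data_classes: frozenset # e.g. frozenset({"labs", "medications"})

    def canonical(self) -> bytes:
        # fixed serialization so signer and verifier hash identical bytes
        return json.dumps({"id": self.directive_id, "consumer": self.consumer,
                           "grantee": self.grantee, "purposes": sorted(self.purposes),
                           "data_classes": sorted(self.data_classes)}, sort_keys=True).encode()

def sign(directive: ConsentDirective, consumer_key: bytes) -> bytes:
    # HMAC over the canonical form stands in for the consumer's digital signature (assumption)
    return hmac.new(consumer_key, directive.canonical(), hashlib.sha256).digest()

@dataclass
class DataInstance:
    consumer: str
    data_class: str
    rule_ids: list          # consent rules travel with the data as references, not copies

class ConsentRuleStore:
    def __init__(self):
        self.rules = {}     # directive_id -> verified ConsentDirective
        self.revoked = set()

    def register(self, d: ConsentDirective, sig: bytes, consumer_keys: dict) -> bool:
        # cross-validate: the signature must verify under the named consumer's key
        expected = sign(d, consumer_keys.get(d.consumer, b""))
        if not hmac.compare_digest(sig, expected):
            return False
        self.rules[d.directive_id] = d
        return True

    def revoke(self, directive_id: str) -> None:
        # one revocation reaches every instance that references the rule id
        self.revoked.add(directive_id)

    def decide(self, rec: DataInstance, requester: str, purpose: str) -> str:
        for rid in rec.rule_ids:
            r = self.rules.get(rid)
            if r is None or rid in self.revoked or r.consumer != rec.consumer:
                continue
            if requester == r.grantee and purpose in r.purposes and rec.data_class in r.data_classes:
                return "PERMIT"
        return "DENY"       # default deny: no valid, unrevoked rule applies
```

Because records hold rule ids rather than rule copies, a single `revoke` call changes the decision for every instance at once, which is the propagation property slide 6 asks for.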

  8. Educational Sessions re Standardization Efforts Relating to Consent Management
     • April 1, 2:00-4:00pm ET: Organization for the Advancement of Structured Information Standards (OASIS) / International Security Trust and Privacy Alliance (ISTPA) Privacy Management Reference Model (PMRM); Speakers – John Sabo, Michael Willett
     • April 23, 2:00-4:00pm ET: Integrating the Healthcare Enterprise (IHE) Basic Patient Privacy Consents (BPPC) Profile; Speaker – John Moehrke
     • [Schedule TBD]: Health Level 7 (HL7) Version 3 Domain Analysis Model: Medical Records; Composite Privacy Consent Directive – Speaker (TBD)
     • [Schedule TBD]: OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) and eXtensible Access Control Markup Language (XACML) – Speaker (TBD)
