
Privacy and Security Tiger Team Meeting

Privacy and Security Tiger Team Meeting. Discussion Materials. Topics: Patient Authentication Hearing; Questions for RFC on Meaningful Use Stage 3. October 1, 2012. Overview: Provide an update and obtain input on plans for the Oct. 29 hearing on Patient Authentication.


Presentation Transcript


  1. Privacy and Security Tiger Team Meeting
     Discussion Materials
     Topics:
     • Patient Authentication Hearing
     • Questions for RFC on Meaningful Use Stage 3
     October 1, 2012

  2. Overview
     • Provide an update and obtain input on plans for the Oct. 29 hearing on Patient Authentication
     • Obtain input from the Tiger Team on questions to include in the Request for Comment (RFC) on Meaningful Use (MU) Stage 3
     • Strawman questions are on slides 7 through 9
     • Tiger Team suggestions will be presented at the HITPC meeting on Wednesday Oct. 3

  3. Patient Authentication Hearing Overview
     • October 29, 2012; 12pm – 4pm
     • Virtual hearing
     • Identify and explore issues related to patient authentication, including
        • Misuse/Fraud
        • ID Proofing issues (attributes, in-person, delegated, etc.)
        • Authentication issues (two-factor, credentialing, third-party, etc.)
        • Usability (complexity for patients, etc.)
     • Broad variety of panelists representing both health care sector and other industries
     • Using the FACA blog to get patient stories and potentially locate a good patient witness

  4. Hearing Panel Descriptions
     • Introduction
        • Frame issues, including implications for MU Stage 3
     • Panel One – “About patient authentication”
        • Address why authentication is important
        • Explore patient/consumer perspectives as well as lay out the key issues
     • Panel Two – “Patient authentication now”
        • Learn what holders of patient health information are doing now w/r/t authentication
     • Panel Three – “Authentication solutions on the horizon”
        • Explore what solutions are being developed, for patients (Blue Button) as well as in other industries

  5. Proposed Hearing Panelists
     • Panel One – “About patient authentication”
        • LiveStrong - confirmed
        • Patient
        • Immunization Registry
        • NIST migrant project
        • Kantara - confirmed
        • Direct Trust - confirmed
     • Panel Two – “Patient authentication now”
        • HealthVault - confirmed
        • ProHealth MD
        • VA, MyHealtheVet
        • Intuit Health - confirmed
        • Small provider
        • Quest diagnostics - confirmed
     • Panel Three – “Authentication solutions on the horizon”
        • Automate Blue Button / Rhex - confirmed
        • Enroll UX 2014 / CMS
        • PayPal
        • Wells Fargo
        • DAON
        • USPS - confirmed

  6. Proposed Hearing Agenda
     • 12:00 p.m. Welcome and Roll Call - Mackenzie Robertson, ONC
     • 12:02 p.m. Opening Remarks/Framing Hearing - Farzad Mostashari
     • 12:15 p.m. Panel One – “About Patient Authentication”: 5 panelists (5 – 7 minutes each, 30 minute Q&A – 60 minutes total)
     • 1:15 p.m. Panel Two – “Patient Authentication Now”: 5 panelists (5 – 7 minutes each, 30 minute Q&A – 60 minutes total)
     • 2:15 p.m. Break
     • 2:30 p.m. Panel Three – “Authentication Solutions on the Horizon”: 5 panelists (5 – 7 minutes each, 30 minute Q&A – 60 minutes total)
     • 3:30 p.m. Discussion: 25 minutes for discussion of issues raised during panels
     • 3:55 p.m. Public Comment
     • 4:00 p.m. Adjourn

  7. Straw Questions: RFC on MU Stage 3 (1 of 3)
     • Should the next phase of certification criteria include capabilities to authenticate provider users at LoA 3 for remote access?
     • If so, how would the criterion/criteria be described, given the optionality permitted under NIST 800-63.1 for authenticating at LoA 3?
     • What impact (if any) would certification of EHRs for this functionality have on national efforts (through NSTIC) to establish portable, high level credentials that clinicians and other EHR users can use in multiple settings?

  8. Straw Questions: RFC on MU Stage 3 (2 of 3)
     • The requirement in Stage 1 that EPs/EHs/CAHs attest to completing a HIPAA security risk assessment has been successful in getting health care providers covered by HIPAA (and participating in the MU program) to make this a priority.
     • The expectation is that the additional requirement in Stage 2 to attest to addressing encryption of data at rest in CEHRT will have a similar positive impact.
     • The Tiger Team is considering whether to make other HIPAA security rule provisions subject to specific attestation as part of Meaningful Use.
     • Which provisions are candidates for prioritizing as part of Meaningful Use?

  9. Straw Questions: RFC on MU Stage 3 (3 of 3)
     • For example, the requirement to make staff aware of the HIPAA Security Rule and to train staff on Security Rule provisions is one of the top 5 areas of noncompliance identified by the Office of Civil Rights over the past 5 years.
     • The Tiger Team initially proposes to require providers to attest to having conducted the required education and training of staff as part of Meaningful Use Stage 3.
     • We request your comments on this proposal.
