Tugboat Captains & Clinicians Both are in Harm's Way

Presentation Transcript


  1. Tugboat Captains & Clinicians: Both are in Harm's Way Presented to: Internet2 Conference Atlanta, GA - October 31, 2000 W. Holt Anderson, Executive Director NC Healthcare Information & Communications Alliance, Inc. (NCHICA)

  2. Structure of Presentation • Implementing a Vision • HIPAA • HealthKey • NC Projects • Federal PKI Bridge • The Tugboat Captain

  3. Implementing a Vision • “Paperless, person-centered health records by 2010.” • Adopted by the following organizations in NC: • Medical Society • Nurses Association • Hospital Assn. • Health Information Management Assn. • Assn.of Local Health Directors • Assn. of Pharmacists • Health Care Facilities Assn. • Assn. For Health Care Quality • Assn. For Hospice & End of Life Care

  4. Definition - Health Record • A virtual digital record of an individual’s health information and all episodes of care • This record is maintained by multiple providers and shared when necessary for care of that individual (as allowed by patient consent and/or law) • NOT a central “master file”of information

  5. Enhancing the Quality of Care • Preventing medical mishaps related to drug interactions, handwriting, allergies, transmissible diseases, etc. (Automated delivery of information) • Enhancing quality control through access to information

  6. Death by Handwriting • Texas cardiologist • Prescribed 20mg Isordil 4X / day • Pharmacist • Filled 20mg Plendil 4X / day = 80mg / day • Normally Plendil taken max 10mg / day • 42-year-old patient died of heart attack • Jury found MD and Pharmacist responsible and awarded $450K to widow and three small children (USA Today, 10-21-99)

  7. Controlling and Reducing Costs Cost of paper records is said to be at least 25% of total health care costs. • Minimize space requirements • Reduce resources for filing, storage and retrieval of information • Improve access time • Less duplication

  8. HIPAA Health Insurance Portability & Accountability Act of 1996 [PL 104-191] • Administrative Simplification • Electronic Transactions & Codes • National Identifiers • Security & Electronic Signatures • Privacy • Generally expected to be implemented by end of 2002 • Civil Monetary & Criminal Penalties

  9. Federal Mandate under HIPAA (in effect since 8/21/96) • Section 1173(d)(2) of the Act stipulates that healthcare organizations (that maintain or transmit electronic patient information) shall maintain reasonable and appropriate administrative, technical, and physical safeguards to: • Ensure the integrity and confidentiality of patient information • Protect against any reasonably anticipated threats or hazards to the security or integrity of the information • Protect against unauthorized uses or disclosures of the information • And ensure the compliance of the officers and employees of the organization with this provision.

  10. Proposed Privacy Regulation • Covers electronic information (and products of and contributors to electronic information) • Providers, Health Plans & Clearinghouses • Requires contracts with trading partners to assure continuity of privacy (also in Security regs) • Permits sharing for care, claims, & certain operations (QA, utilization review, credentialing) without patient consent • Limited sharing for “national priority” activities • Requires written “fair information practices”

  11. Penalties for Non-Compliance • Violation of transaction or security standards • Not more than $100 per violation, maximum of $25,000/year • No aggregate maximum • Wrongful disclosures (privacy) • Not more than $50,000 per violation • Imprisonment for not more than one year

  12. Penalties for Non-Compliance (cont) • False Pretenses (privacy) • Not more than $100,000 per violation • Imprisonment not more than five years • Intent to sell, transfer, or use (privacy) • Not more than $250,000 per violation • Imprisonment for not more than ten years

  13. Scope of Compliance • More than just technology • Policies • Operational Procedures • Physical Security • Business Partner Agreements • Personnel • Management & Supervision • Training

  14. Security Standard • Defined: • Set of requirements with implementation features that providers, health plans, and clearinghouses must include in their operations to assure that individual health information remains secure. • Scalable: applies to all size organizations; larger organizations may be held to a higher standard.

  15. Security Requirements by Category (implementation features under each requirement) • Administrative: Certification; Chain of Trust Agreements; Contingency Plan; Formal Mechanisms: Records; Info Access Control; Internal Audit; Personnel Security; Security Configuration; Security Incident Procedures; Security Mgmt. Process; Termination Procedures; Training • Physical Safeguards: Assigned Security Responsibility; Media Controls; Physical Access Controls; Policy - Workstation Use; Secure Workstation Location; Security Awareness Training • Technical Security Services: Access Controls; Audit Controls; Authorization Controls; Data Authentication (corruption); Entity Authentication • Technical Security Mechanisms: Communications/Network Controls; Integrity Controls; Message Authentication • Electronic Signature: Digital Signature

  16. Technical Security Mechanisms Objective: Ensure processes are in place to guard against unauthorized access to data that is transmitted over a communications network (intercept and interpret), and to protect systems from external access.

  17. Communications--Open Network • Where the network is open (e.g., shared data line, Internet, switched WAN), then the following must be in place: • Alarm (sense abnormal conditions) • Audit Trail • Entity Authentication • Event Reporting • Encryption is stated as “should be employed”

  18. If You Use Electronic Signatures • Must have: • message integrity • non-repudiation • user authentication • May have: • ability to add attributes • continuity of signature capability • countersignature capability • independent verifiability • interoperability • multiple signatures • transportability

  19. HealthKey HealthKey Secure E-Health Solutions A Program funded by The Robert Wood Johnson Foundation

  20. HealthKey Origins • Funded by $2.5 million Robert Wood Johnson Foundation grant - Fall 1999 • Collaboration to advance the development of health information infrastructure • Market-driven, community-based approach • Coordinated pilot efforts in 5 states

  21. HealthKey Participants • Massachusetts Health Data Consortium (MHDC) • Minnesota Health Data Institute (MHDI) • North Carolina Healthcare Information and Communications Alliance (NCHICA) • Utah Health Information Network (UHIN) • Community Health Information Technology Alliance (CHITA) -- WA

  22. HealthKey Strategy • Identify interoperable, standards-based solutions to real business problems • Showcase pilot participants as leaders in testing evolving health information infrastructure • Identify approaches to achieve HIPAA compliance

  23. $64,000 Question Is PKI a valid infrastructure for the health industry? If so, what is the likely architectural model?

  24. MN & NC to pilot Bridge CA • Developed by Mitretek for the Federal Dept of Treasury/GSA • Allows validation of digital certificates from multiple CAs • Aggressive timeframe - demo by Spring 2000 • Additional states/projects can tie in after pilot phase

  25. NCHICA PKI Projects • Remote access to immunization registry • Shared access to clinical info for Medicaid high-maintenance patients • Remote primary care provider access to neonatal/perinatal patient info • Remote primary care provider access to patient info for children with special needs • Access to emergency dept. database • Possible pharmacy application

  26. MHDI PKI Projects • Access to Immunization data • Transmit newborn screening results from MN Dept of Health • Provide secure access to Central Query Service for eligibility inquiries • Other States • Additional projects underway

  27. Provider Access to Immunization Registry Securely PAiRS

  28. What is PAiRS? • Combines immunization records from both public and private sources in a common database • Widely accessible, inexpensive and secure inquiry only access to immunization records via the Internet • Reliably identifies relevant records for an individual in the absence of a unique identifier

  29. Current Project Status • Approximately 1.5 million children (0-18) and an associated 12 million vaccine doses • 28 pilot sites, 172 users • Over $1 million in in-kind contributions

  30. Challenges to Successful Implementation of PAiRS: • Initiation of use • Recognition of PAiRS value • Accessibility of computers • Computer skills of nurses and physicians • Busy practices with established service delivery methods • Security & Interoperability

  31. Where do we go from here? • PAiRS participation expansion • PKI for user authentication and security • Regional PAiRS project - demonstration project to facilitate inter-state exchange of immunization information

  32. NCEDD Project Description • 3 goals (putting down a railroad track) • select a standard data format (DEEDS) • demonstrate secure data exchange • statewide ED database for injury surveillance, EMS outcomes, best practice (NCEDD)

  33. Use of NCEDD Data • Public Health Surveillance • Disasters, bioterrorism, reportable conditions • Research using hospital discharge dataset • Injury surveillance, Trends/impact of new facilities, HMO penetration, substance abuse indicators • Linkages- outcomes, episode of care • EMS • Trauma Registry • Hospital Database • Aggregate format • Oversight Committee of participating hospitals

  34. NCEDD Security

  35. Security/Access Concerns • Confidential data over Internet • Patient • Facility • Provider • Authentication of users - multiple organizations • Public health staff - SCHS, Epidemiology • STEER staff - Chapel Hill, Wilmington • Participant hospitals ?

  36. Federal PKI Approach (with thanks to Richard A. Guida, Chair, Federal PKI Steering Committee) • Establish Federal PKI Policy Authority • Develop/deploy Bridge CA using COTS • Four levels of assurance (emulate Canada) • Prototype early 2000, production mid 2000 • Deal with directory issues in parallel • Border directory concept; “White Pages” • Use ACES (Access Certs for Electronic Services) for public transactions

  37. FBCA Overview • Non-hierarchical hub for interagency interoperability • Ability to map levels of assurance in disparate certificate policies • Ultimate “bridge” to CAs external to Federal government • Directory contains only FBCA-issued certificates

  38. FBCA PKI Architecture US Federal

  39. Potential Architectures • Multiple CAs within membrane, with single signing key • Single CA • Multiple CAs within membrane, cross-certified among themselves

  40. Multiple CAs, Cross-certified • In essence, the “quark” model • Certificate path length may be +1 • Adding CAs within membrane should be straightforward albeit not necessarily easy • Requires solving inter-product interoperability issues within membrane rather than outside - which is good

  41. Current Status • Decision: cross-certified CAs within membrane • Multiple vendor products: Initially Entrust and GTE for “prototype” FBCA • Migration from prototype to production FBCA will entail adding other CAs inside the membrane • GSA/FTS has responsibility to execute
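Slides 18 and 37-41 describe two pieces of mechanism without showing them: an electronic signature that must provide message integrity, non-repudiation and user authentication, and a non-hierarchical bridge CA that lets a relying party in one domain validate a certificate issued in another by walking through cross-certificates. The Go program below is an added illustration, not code from the presentation, NCHICA or the FBCA project. It uses only the Go standard library; every CA name, the clinician's name and the prescription text are constructed for the example. It builds a "Domain A" principal CA, a bridge CA cross-certified by Domain A, a "Domain B" principal CA cross-certified by the bridge, and one end-entity certificate in Domain B; then it validates that certificate as a Domain A relying party (trusting only Root A) with and without the cross-certificates, and verifies a signed message over the resulting chain. Mapping of certificate policies across assurance levels, which the slides also mention, is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BridgePKI holds a constructed two-domain PKI joined by a bridge CA (all names made up).
type BridgePKI struct {
	RootA       *x509.Certificate // self-signed principal CA of domain A: the relying party's only trust anchor
	BridgeByA   *x509.Certificate // cross-certificate issued by Root A to the Bridge CA's key
	RootBByBrdg *x509.Certificate // cross-certificate issued by the Bridge CA to Root B's key
	Leaf        *x509.Certificate // end-entity (clinician) certificate issued by Root B
	LeafKey     *ecdsa.PrivateKey // the clinician's signing key, held only by the signer
}

var serial int64

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for subjKey signed by parentKey; with parent == nil it is self-signed.
func issue(cn string, isCA bool, subjKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, subjKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjKey.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildBridgePKI cross-certifies domain A -> bridge -> domain B and issues one clinician certificate in B.
func BuildBridgePKI() *BridgePKI {
	rootAKey, bridgeKey, rootBKey, leafKey := newKey(), newKey(), newKey(), newKey()
	rootA := issue("Domain A Principal CA", true, rootAKey, nil, nil)
	bridgeByA := issue("Bridge CA", true, bridgeKey, rootA, rootAKey)
	rootBByBridge := issue("Domain B Principal CA", true, rootBKey, bridgeByA, bridgeKey)
	leaf := issue("Dr. Example (Domain B)", false, leafKey, rootBByBridge, rootBKey)
	return &BridgePKI{RootA: rootA, BridgeByA: bridgeByA, RootBByBrdg: rootBByBridge, Leaf: leaf, LeafKey: leafKey}
}

// VerifyAcrossBridge validates the domain-B leaf as a domain-A relying party would: trust anchor
// Root A only, with the two cross-certificates supplied as intermediates. Returns the chain length.
func VerifyAcrossBridge(p *BridgePKI) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.RootA)
	inters := x509.NewCertPool()
	inters.AddCert(p.BridgeByA)
	inters.AddCert(p.RootBByBrdg)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// VerifyWithoutBridge repeats the check with no cross-certificates; the domain-A relying party must reject.
func VerifyWithoutBridge(p *BridgePKI) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.RootA)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// SignMessage produces the signer's ECDSA signature over SHA-256(msg).
func SignMessage(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifySignedMessage checks the three "must have" properties together: the certificate chains to the
// relying party's anchor (user authentication), the signature matches the bytes (message integrity),
// and only the holder of LeafKey could have produced it (non-repudiation).
func VerifySignedMessage(p *BridgePKI, msg, sig []byte) bool {
	if _, err := VerifyAcrossBridge(p); err != nil {
		return false
	}
	return p.Leaf.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil
}

func main() {
	p := BuildBridgePKI()
	n, err := VerifyAcrossBridge(p)
	fmt.Println("chain length via bridge:", n, "err:", err)
	fmt.Println("without bridge cross-certs:", VerifyWithoutBridge(p))
	msg := []byte("Rx: Isordil 20 mg four times daily") // constructed message
	sig := SignMessage(p.LeafKey, msg)
	fmt.Println("signature verifies:", VerifySignedMessage(p, msg, sig))
	fmt.Println("altered message verifies:", VerifySignedMessage(p, []byte("Rx: Plendil 20 mg four times daily"), sig))
}
```

The chain found through the bridge has four certificates (leaf, Root B's cross-certificate, the bridge's cross-certificate, Root A), which is the longer path slide 40 refers to; dropping the two cross-certificates leaves the relying party with no path and the leaf is rejected. The altered-message check is the "Death by Handwriting" problem in signature terms: a signature over one prescription text does not verify over another.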

  42. PKI Use and Implementation Issues • Misunderstanding what it can and can’t do • Requiring legacy fixes to implement • Waiting for standards to stabilize • High cost - a yellow herring • Interoperability woes - a red herring • Legal trepidation - the brightest red herring

  43. The Tugboat Captain TJ Hooper v. Northern Barge Company, 60 F.2d 737 (2d Cir. 1932) • Long Island Sound - storm comes up and tug loses barge • Plaintiff was barge owner • Plaintiff found negligent because Captain had no weather radio • Rationale: to avoid negligence, keep up with technological innovations - they set the standard of care in the industry

  44. The price of good navigation is eternal vigilance W. Holt Anderson, Executive Director NC Healthcare Information & Communications Alliance, Inc. www.nchica.org

  45. Thank you ! www.nchica.org
