Veterans Health Administration Healthcare Information Governance

1. Veterans Health AdministrationHealthcare Information Governance Emerging Health Technologies Advancement Center (EHTAC) Virtual Demonstrations – Security Brown Bag May 24th , 2012 Healthcare Classification System for Security and Privacy May 24, 2012

2. Healthcare Classification System for Security and Privacy Overview: Existing classification standards and methodologies exist in the U.S. for handling of SENSITIVE information. Presentation focuses on how the use of a Healthcare Classification System could resolve some of the issues related to proposed ONC Standards and Interoperability Data Segmentation pilot projects. Uses standards based vocabulary for defining clinical documents confidentiality, sensitivity, obligation, and refrain policy attribute values, to protect the underlying clinical content. 

3. Healthcare Classification System for Security and Privacy Objectives: Data Segmentation Demonstration and Pilot projects will exercise defined aspects of the Implementation Guide in a real-world setting. The real-world pilots evaluate not only the technology and standards, but also provide a test bed to evaluate the interaction of technology, implementation support, and operational infrastructure required to meet Data Segmentation Use case objectives at the stakeholder or organization levels. Value Statement: The Data Segmentation for Privacy initiative enables the sharing of patient data in compliance with policy, regulation, and patient consent directives. Data Segmentation for privacy supports these policies which require the protection of certain types of personal health information (PHI). Data Segmentation also provides a platform for patient control over the use and disclosure of their health information. The goal is to build patient trust and participation in the health care system.

4. Healthcare Classification System for Security and Privacy Document Set Generation Requesting Organization Servicing Organization Document Set Delivered to Requesting Organization Policy Decision Determining Inclusion Organizational Policy Law Layered Security Service Clinical Knowledge Deny Deny Permit Permit Servicing Organization Policy Decision Clinicians Request Patient Record Document Assembly And Tagging Creation of Secured Inner Policy Wrapper Creation of Secured Outer Policy Wrapper Creation of Composite Document Set Local Authorization Decision Patient Consent Patient Consent Classification System Organizational Policy Organizational Policy

5. Healthcare Classification System for Security and Privacy Common Vocabulary HL7 Privacy and Security Policy Vocabulary C32 – Document Type Currently Exchanged on NwHIN

6. Healthcare Classification System for Security and Privacy Encrypted Clinical Payload

7. Healthcare Classification System for Security and Privacy Viewing Document Contents Delivery of Clinical Document Originating Service Organization Authorization Decision Based on Sensitivity and Confidentiality of Content (Permit/Deny) Payload is unencrypted And evaluated against Policy. Secure Key Management and Exchange Request to View (Permit/Deny) Assert Credentials And Purpose of Use Primary Access Authorization Decision Each document may be handled differently Outer Envelope Has No Knowledge Of Content Patient Consent Organizational Policy

8. Healthcare Classification System for Security and Privacy Questions ?

9. Healthcare Classification System for Security and Privacy Envelope Policy Controls Outer - Handling Information Inner - Document Type, Sensitivity, and Confidentiality Backup SLIDE