ONC: Building Trust in HIE, Changes to HIPAA Privacy/Security Proposed

Blumenthal, ONC; and Verdugo, HHS Office of Civil Rights Release
“Statement on Privacy and Security”
 
Plus New Web site, FAQs, HHS Press Release, Blog Post

Joint ONC/OCR Statement on Privacy and Security
David Blumenthal, M.D., M.P.P., National Coordinator for Health Information Technology, U.S. Department of Health and Human Services (HHS); and
Georgina Verdugo, Director, Office for Civil Rights, HHS

As the Department of Health and Human Services (HHS or The Department) continues its efforts to improve the health and care of all Americans by promoting the advancement of health information technology (IT), one of the Department’s guiding principles is that the benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure. HHS’s goal, as directed by the 2009 Health Information Technology for Clinical and Economic Health (HITECH) Act, is to improve the nation’s health care system by enabling health information to follow the patient wherever and whenever it is needed. The HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) are working jointly on a number of projects to ensure that this electronic exchange of health information is built on a foundation of privacy and security.

On July 8, 2010, HHS announced proposed regulations under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that would expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without patient authorization. In addition, the proposed rule is designed to strengthen and expand OCR’s ability to enforce HIPAA’s Privacy and Security provisions. This rulemaking will strengthen the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in health care today. We urge consumers, providers, and other stakeholders to read these proposals and offer comments during the 60-day comment period, which will officially open on July 14, 2010. Information about posting comments will be available at http://www.regulations.gov.

Additionally, over the past few months, ONC and OCR have embarked on a number of other initiatives that serve to integrate privacy and security into the nation’s health IT efforts. As directed by HITECH, ONC established a new Chief Privacy Officer (CPO) position to provide critical advice to the National Coordinator in developing and implementing ONC’s privacy and security programs. The new CPO, Joy Pritts, JD, will play a key role in helping ONC design new policies to address privacy and security issues in every phase of health IT development and implementation.

On August 24, 2009, OCR issued an interim final breach notification regulation, which improves transparency and acts as an incentive to the health care industry to improve privacy and security by requiring HIPAA covered entities to promptly notify affected individuals, the HHS Secretary and, in some cases, the media of a breach. This new federal law holds covered entities and business associates accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care.

ONC is coordinating with the Centers for Medicare & Medicaid Services (CMS) on CMS’s development of a final regulation on the Medicare and Medicaid Electronic Health Record Incentives Programs. The incentives programs promote critical privacy and security measures and business practices. ONC also is developing a final regulation on standards and certification criteria to ensure that electronic health records (EHRs) contain the capabilities to support needed privacy and security requirements.

With respect to security, the Department also embarked on a number of initiatives. OCR coordinated with the National Institute of Standards and Technology to host a conference focused on the HIPAA Security Rule. OCR also issued draft guidance on conducting a HIPAA Security Risk Analysis to assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. Additionally, an advisory committee on HIT standards held hearings to better understand security priorities, the effectiveness of security procedures, and vulnerabilities.

All these activities only serve as a prelude to our ongoing efforts to ensure that electronic health information is private and secure. In addition:

  • ONC and OCR are working together with representatives of consumer and industry groups to promote the adoption of privacy and security safeguards as essential components of implementing health information technology.
  • ONC is ensuring that the technical and policy foundations of the nationwide health information network will demonstrate methods for achieving trust among entities exchanging information while integrating best practices for privacy and security. A privacy and security workgroup (known as a “Tiger Team”) of the Health Information Technology Policy Committee (HITPC) was convened with strong consumer representation to hold public deliberations and make recommendations related to patient choice in how health information is exchanged; consumer access to health information; personal health records (PHRs); segmentation of health information; and transparency about information sharing and protections.
  • ONC staff is working with the President’s cybersecurity initiative and other Federal partners to solicit input from the best security minds in the federal government. Based on these activities, ONC will provide direction on security best practices and standards to technical and policy decision makers for inclusion in health information exchange programs.
  • Finally, the Department is working to provide the private sector with greater resources for improving privacy and security. Regional Extension Centers will educate providers about necessary privacy and security measures. Curriculum Development Centers Programs will incorporate necessary information into standard curricula for Community College Consortia, where a new cadre of HIT professionals will be trained, and for University-Based Training Programs, where health professionals will learn about HIT. State Health Information Exchange Cooperative Agreements and Beacon Communities grants will provide living examples of how privacy and security are successfully implemented and brought to scale.
Our Nation is poised to harness the power of information technology to improve health care. Transforming our health care system into a 21st century model is a bold agenda. As we enter into a new age of electronic health information exchange, it is more important than ever to ensure consumer trust in the privacy and security of their health information and in the industry’s use of new technology.
#                                 #                                  #

Excerpted from ONC Health IT Buzz Blog on July 8, 2010:
Privacy and Security

Thursday, July 8th, 2010 | Posted by: Joy Pritts, Chief Privacy Officer on Health IT Buzz Blog and republished here by e-Healthcare Marketing.
Privacy and security are the bedrock of building trust in health information exchange. The proposed modifications to the HIPAA Privacy & Security Rules, announced today, are a significant step forward in HHS’s efforts to protect patient privacy rights while encouraging the adoption of electronic health information exchange. The next phase of this process is just as important—obtaining public feedback and suggestions concerning the proposed rules. The comment period will begin once the rule is published in the Federal Register on July 14. You can submit your comments electronically through http://www.regulations.gov/ or via mail (original and 2 copies) to the Office for Civil Rights at: Office for Civil Rights, Attention: HITECH Privacy Rule Modifications, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, S.W., Washington, D.C. 20201. HHS is looking forward to receiving your input.
#                                 #                                  #

HHS Press Release on July 8, 2010:
HHS Strengthens Health Information Privacy and Security through New Rules
New health privacy website launched

HHS Secretary Kathleen Sebelius today announced important new rules and resources to strengthen the privacy of health information and to help all Americans understand their rights and the resources available to safeguard their personal health data.  Led by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR), HHS is working with public and private partners to ensure that, as we expand the use of health information technology to drive improvements in the quality and effectiveness of our nation’s health care system, Americans can trust that their health information is protected and secure.

“To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers,” said HHS Secretary Kathleen Sebelius. “While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, current health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information.

The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:

  • expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans;
  • requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
  • setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • prohibiting the sale of protected health information without patient authorization.

“The benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure at all times,” said Georgina Verdugo, OCR director at HHS. “This proposed rule strengthens the privacy and security of health information, and is an integral piece of the administration’s efforts to broaden the use of health information technology in health care today.”

HHS is also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.

“Giving more Americans the ability to access their health information wherever, whenever and in whatever form is a critical first step toward improving our health care system,” said HHS’ national coordinator for health information technology, David Blumenthal, M.D., M.P.P. “Empowering Americans with real-time and secure access to the information they need to live healthier lives is paramount.”

HHS also launched today a privacy website at http://www.hhs.gov/healthprivacy/index.html to help visitors easily access information about existing HHS privacy efforts and the policies supporting them. The site emphasizes HHS’ deep commitment to privacy in the collection, use, and exchange of personally identifiable information. This new resource provides Americans with confidence that their personal information is secure and underscores HHS’ goal of greater openness and transparency in government.

The HITECH Act established the position of Chief Privacy Officer in ONC. Joy Pritts recently assumed the new position and is leading HHS efforts to develop and implement privacy and security programs and policies related to electronic health information.

“HHS strongly believes that an individual’s personal information is to be kept private and confidential and used appropriately by the right people, for the right reasons,” said Pritts. “Without such assurances, an individual may be hesitant to share relevant health information.”

For more information about the proposed rule announced today visit http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf

For other HHS Recovery Act programs, see
http://www.hhs.gov/recovery/programs/index.html#Health.

#                      #                               #
New HHS Web Site:
Health Data Privacy and Security Resources
http://www.hhs.gov/healthprivacy
The contents of the Health Data Privacy and Security Resources section have been excerpted below on July 8, 2010.
HHS respects the privacy of your personal information, and this page will help you find privacy resources throughout HHS.

This page provides key messages and access to resources emphasizing HHS’ commitment to privacy as a fundamental consideration in its collection, use, and exchange of personally identifiable information. This central resource helps visitors easily access information about existing HHS privacy efforts and the policies supporting them.

In support of HHS’ vision for Open Government and Transparency, this resource is to provide further confidence in the expectations Americans have for the privacy of their personal information and is to inspire added trust in HHS’ efforts to improve our nation’s health through safe and secure health information exchanges. HHS strongly believes that an individual’s personal information is to be kept private, confidential and used appropriately by the right people, for the right reasons. Without such assurances, an individual may be hesitant to share relevant health information.

More information about HHS’ commitment to health data privacy can be found in the notice of proposed rulemaking (NPRM) issued July 8, 2010; in the Frequently Asked Questions (FAQs); and the OCR/ ONC Joint statement on the NPRM.

You can access more information on health data privacy through the links provided below.

Privacy Policies
  • HHS Privacy Impact Assessments
  • The Privacy Act
  • Your Right to Federal Records: Questions and answers on the Freedom of Information Act and Privacy Act.

Health Information Portability and Accountability Act
  • Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules

Electronic Health Information Exchange Privacy and Security
  • Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information

Department Privacy Resources
  • Privacy Protection for Research Subjects: Certificates of Confidentiality
  • National Center for Health Statistics
  • HHS Privacy Committee

#                                #                               #
Frequently Asked Questions (FAQs):

1.  What is the role of the Chief Privacy Officer in the Office of the National Coordinator for Health Information Technology (ONC)?
Section 13101 of the HITECH Act (2009) required that a new Chief Privacy Officer (CPO) position be established in ONC. The CPO will advise the National Coordinator on critical privacy and security policies and will play a key role in the design of new policies to assure that privacy and security are addressed in every phase of health IT development and implementation. The Chief Privacy Officer will also coordinate with other federal agencies, states and regions, and international efforts.
2.  What are the respective roles of ONC and OCR regarding privacy and security?
The Office for Civil Rights (OCR) within the Department of Health and Human Services has the regulatory authority for the HIPAA Privacy and Security rules. OCR also issues guidance and interpretations on HIPAA Privacy and Security rules, including how these rules apply to electronic health records, personal health records, and health information technology. OCR has enforcement authority to ensure compliance with the HIPAA Privacy and Security Rules through investigation and the ability to impose civil monetary penalties. The HITECH Act of 2009 enhanced many of the Privacy Rule provisions, including extending certain requirements to business associates; limiting uses and disclosures of protected health information for marketing; prohibiting the sale of protected health information (PHI) without patient authorization; expanding individuals’ rights to access their information and restrict certain PHI disclosures to health plans; and providing greater enforcement authority to OCR. The Office of the National Coordinator (ONC) for Health Information Technology is charged with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of health information. This includes examining and recommending policy, technology, and practices that protect privacy and promote security. In addition, ONC develops regulations for the certification of electronic medical records, engages public input, and implements grant programs, such as those to initiate state health information exchanges, the Regional Extension Centers that provide technical assistance to providers to reach meaningful use of EHRs, and Beacon Communities grants that will establish and demonstrate best practices for middle and later adopters of HIT.

3.  What are the roles of the HITPC and HITSC in privacy and security?
HITECH (Section 13101) required the establishment of a Health Information Technology Policy Committee (HITPC) to make recommendations on the policies needed to enable the electronic exchange and use of health information. The HITPC recently formed a privacy and security work group (called a “Tiger Team”) with strong consumer representation to make recommendations on patient choice in health information exchange; consumer access to their health information; personal health records; segmentation of health information; and transparency about information sharing practices. The Health Information Technology Standards Committee (HITSC) deliberates on the technical HIT standards required for electronic exchange. HITSC held hearings to better understand security priorities, the effectiveness of security procedures, and vulnerabilities, and is currently soliciting information related to data segmentation and privacy. The Committees submit their recommendations to the National Coordinator. The National Coordinator evaluates the Committees’ recommendations and advises the Secretary of Health and Human Services.

4.  What is ONC doing to promote privacy in health information exchange (HIE)?
ONC is working with the federal Health Information Technology Policy Committee (HITPC) and HIT Standards Committee (HITSC) to explore policy and technical methods for enabling patient choice in health information exchange, including a one-day conference on available technical capabilities to support patient consent. White papers on patient consent models and state consent laws were issued and a paper on data segmentation is underway. A study of the privacy and security practices of entities not subject to HIPAA will support a report to Congress in which ONC will, in consultation with the Federal Trade Commission, make recommendations on the privacy and security requirements for non-covered entities, with an emphasis on personal health records. A Request for Information on the same topic is being released to solicit information from the public. ONC is organizing a series of listening sessions to engage the public in a national dialogue about health information exchange. The Office of the Chief Privacy Officer is working with ONC divisions to assure the integration of privacy into all facets of ONC activities and projects. In addition, ONC is working to ensure that the technical and policy foundations of the nationwide health information network will demonstrate methods for achieving trust among entities exchanging information while integrating best practices for privacy and security.

5.  What ONC activities are targeted to assure sufficient security capabilities in HIE?
ONC federal advisory committees have been active in collecting information, deliberating on key issues, and making recommendations to the National Coordinator on measures related to security of health information exchange. In addition to the activities of the Health Information Technology Policy Committee (HITPC), the Health Information Technology Standards Committee held hearings to better understand security priorities, the effectiveness of security procedures, and vulnerabilities. ONC also embarked on a multi-phase cybersecurity program that includes an assessment of HIT risks and threats and the development of a multi-pronged approach to combating them. ONC also is collaborating with the President’s cybersecurity initiative along with other federal partners to solicit input from the best security minds in the government on security best practices and standards. Meaningful use requirements for Medicare and Medicaid incentive payments include measures to protect security and privacy, and ONC’s interim final rule certification standards for EHRs include the technical capabilities required to assure that information is adequately protected.
