‘National Progress Report on eHealth’ Shows Significant Progress in Last 3 Years

eHealth Initiative Survey Identifies Challenges with Consumer Outreach and Understanding of Value
eHealth Initiative (eHI) issued the following press release on July 1, 2010.

WASHINGTON, DC – July 1, 2010 – Today, the eHealth Initiative (eHI) released the “National Progress Report on eHealth,” which tracks the progress of eHealth in the wake of the American Recovery and Reinvestment Act of 2009.

National Progress Report on eHealth 2010

The National Progress Report on eHealth includes a review of progress made over the last three years relative to strategies and actions proposed in a 2007 eHI report. Over one hundred individuals participated on committees charged with assessing progress in five focus areas: Aligning Incentives; Engaging Consumers; Improving Population Health; Managing Privacy, Security & Confidentiality; and, Transforming Care Delivery. The report highlights key trends, actions, and strategies that still need to be addressed.

The report reveals a number of high-level findings including:

  • Significant progress has been made over the last three years as a result of public and private sector initiatives. The American Recovery and Reinvestment Act (ARRA) was the key driver of progress.
  • Many providers are concerned about the lack of coordination across the government health and health information technology (HIT) initiatives.
  • More education and outreach to consumers about HIT and health information exchange (HIE) is required.
  • Knowledge and transparency of privacy and security policies will be the key to building consumer trust of HIT and HIE.

As part of the assessment process, eHI conducted an informal online survey to gauge perceptions of progress. The survey responses offer a snapshot about the eHealth landscape. Some findings include:

  • The majority of respondents believe significant progress has been made: 61 percent of respondents agree or strongly agree with the statement that significant progress has been made in the successful adoption and use of HIT since 2007.
  • The value of HIE is not clearly understood by the majority of respondents: 54.9 percent disagree or strongly disagree with the statement that the value of HIE is clearly understood.
  • The majority of respondents believe outreach to consumers about the value of EHRs and HIE is not effective: 66.6 percent disagree or strongly disagree with the statement that current outreach to consumers about the value of EHRs and HIE is effective.
  • The majority believe Regional Extension Centers and the National Health Information Technology Research Center (HITRC) will be vital to educating providers: 66.1 percent of respondents agree or strongly agree with the view that Regional Extension Centers and the HITRC will be vital to educating providers about adoption and meaningful use of HIT.

“Contributors to the report found that, while considerable progress has been made over the past three years, challenges remain,” noted Jennifer Covich Bordenick, eHealth Initiative’s Chief Executive Officer. “Coordinating public and private sector efforts, and communicating the true value of HIT and HIE to consumers will be critical as we move forward.”

As part of its work, the eHealth Initiative collected information on dozens of existing and new HIT initiatives occurring across the country. A list of these current activities is included in the report and is also available online.

The National Progress Report on eHealth was supported by the Commonwealth Fund, a private foundation supporting independent research on health policy reform and a high performance health system.

The report is available on the eHI website at: http://www.ehealthinitiative.org/

 ###

About eHealth Initiative
The eHealth Initiative (eHI) is an independent, non-profit, multi-stakeholder organization whose mission is to drive improvements in the quality, safety, and efficiency of healthcare through information and information technology (IT). eHI is the only organization that represents all of the stakeholders in the healthcare industry. eHI advocates for the use of HIT that is practical, sustainable and addresses stakeholder needs, particularly those of patients. For more information, visit http://www.ehealthinitiative.org/
###

Jennifer Lubell, HITS staff writer, reported on the National Progress Report in ModernHealthcare.com on July 2, 2010:
“Electronic healthcare initiatives have made headway over the last several years, but health information technology remains an undervalued tool, a new report concludes.”

Toward Enhanced Information Capacities for Health: Achieving the Promise: NCVHS

NCVHS Concept Paper Looks at How to Achieve the Promise of Health Reform and Electronic Health Records

The National Committee on Vital and Health Statistics (NCVHS) met June 16-17, 2010 in Washington, DC, and used the NCVHS concept paper “Toward Enhanced Information Capacities for Health” as the basis of discussions for the committee’s 60th Anniversary Symposium. The paper, issued May 26, 2010, focuses on policies HHS could establish to maximize the benefits that could be achieved through the appropriate use of the tremendous amount of health data that will be generated with Electronic Health Records.

The committee advises the Secretary of HHS on policies toward health data, statistics, privacy, national health information policy, and Administrative Simplification under HIPAA.

NCVHS Concept Paper: “Toward Enhanced Information Capacities for Health” (PDF format)
The text of the 11-page paper is reproduced in whole below.

EXECUTIVE SUMMARY

Health care reform and federal stimulus legislation have created an unprecedented opportunity to improve health and health care in the United States. The nation’s ability to seize this opportunity will depend greatly on the existence of robust health information capacities. The National Committee on Vital and Health Statistics (NCVHS) is the statutory advisory body on health information policy to the Department of Health and Human Services. On the occasion of the Committee’s 60th anniversary, this concept paper outlines its current thinking about the necessary information capacities and how NCVHS can help the Department guide their development.

We are entering a new chapter in the health and health care of Americans. The expansion of health care coverage, the infusion of new funds and adoption of standards for electronic health records (EHRs), and increased administrative simplification offer us the potential to use the enriched data generated to better address our country’s health and health care challenges. Having better information with which to measure and understand the processes, episodes, and outcomes of care as well as the determinants of health can bring considerable health benefits, not only to individuals but also to the population as a whole.

To be able to achieve the promise of these new developments, we need to be attentive to the underpinnings of the data, ensuring that they are easy to generate and use at the front lines as well as easy to reuse, manipulate, link, and learn from within a mantle of privacy and security. It is important to remember that the new data sources are not necessarily a replacement for traditional sources such as administrative and survey data, which play a key role in our infrastructure. Rather, the new sources present an opportunity to augment and enrich traditional sources. While efficiency may be gained by replacing some survey and administrative data with newer EHR data, we must continue to nourish and sustain the traditional data sources that offer unique and irreplaceable information for both clinical and population health purposes.

National health information capacities must enable not just better clinical care but also population health and the many synergies between the two. More specifically, health information policy should foster improved access to affordable, efficient, quality health care; enhanced clinical care delivery; greater patient safety; empowered and engaged patients and consumers; patient trust in the protection of their health information; continuous improvement in population health and the elimination of health disparities; and support of clinical and health services research. A major priority of health information policy should be to enable the multiple uses of data, drawn from the full range of sources, while minimizing burden. Most sources have primary uses for which they were designed; however, with adequate standardization, privacy protections, and technology, the data from many sources can be used for multiple purposes. Realizing the collective potential of all information sources is what will allow the U.S. to maximize the return on its investments in system reform and health IT for the benefit of all Americans.

As information capacities expand, it is critical that the information be comprehensive, timely, efficiently retrievable, and usable, with full individual privacy protections in place. “Comprehensive” refers to the inclusion not just of traditional health-related data, but also of data on the full array of determinants of health, including community attributes and cultural context. Usability of the data—whether for initial use or reuse—requires a well-coordinated effort to assure the accessibility and availability of information as well as its standardization.

NCVHS will continue to use its consultative and deliberative processes, working collaboratively with other HHS advisory committees, to help the Department meet these opportunities and challenges. Given the rapidity of the changes now under way, we cannot over-emphasize the urgency of this endeavor and the need to move ahead with deliberate speed.

INTRODUCTION

Health care reform and federal stimulus legislation have created an unprecedented opportunity to improve health and health care in the United States. The nation’s ability to seize this opportunity will depend greatly on the existence of robust health information capacities.[1] To maximize the return on these enormous investments and make it possible to evaluate their impact, health information capacities must be carefully developed with an eye to their uses for improving health care and health for all Americans. New investments in EHRs and health information exchanges are important contributors, especially for clinical care, but the benefits from these investments will be limited unless the synergies with other types of health information are recognized and used. Population-level data from vital statistics systems, surveys, and public health surveillance and health care administrative data are equally important information sources. Assuring that all these sources are adequately developed and supported and can be integrated appropriately is essential to developing the information capacities the nation needs.

The National Committee on Vital and Health Statistics, the Department’s statutory advisory body on health information policy, has long assisted the Department in the development of national health information policy, providing thought leadership and expert advice in the areas of population health, privacy, standards, the NHII/NHIN, health care quality, and more. Nearly ten years ago, NCVHS put forward a vision for a national health information infrastructure in its 2001 report, Information for Health,[2] followed in 2002 by a vision for 21st century health statistics.[3] Today, as data and communication capacities explode and health care coverage expands, new thinking and visioning are needed to clarify the information capacities that will make it possible to meet our national goals for better health and health care for all Americans. On the occasion of the Committee’s 60th anniversary, this concept paper outlines its current thinking about the required capacities and their development.

In 2009, as course-altering legislation was unfolding, NCVHS began to consider how it could assist the Department’s development of the necessary information capacities.[4] All four NCVHS subcommittees have contributed to the early thinking on this subject, and all plan further work in their respective domains, as described below.[5] The Committee has crafted a highly effective process for bringing multiple points of view and areas of expertise to bear as it develops recommendations to the Secretary, and this process is well suited to the work that lies ahead. NCVHS will continue to use its consultative process to create venues for dialog, eliciting input and perspectives from stakeholders and experts regarding critical challenges, potential opportunities, and next steps. It will use this external input and its own broad expertise to help the Department develop health information policies that are commensurate with new opportunities and needs. Given the rapidity of the changes now under way, we cannot over-emphasize the urgency of this endeavor and the need to move ahead with deliberate speed.

—————————————————————————-
[1] We use the term capacities in the sense of the ability to perform or produce. That is, information capacities are understood in relation to specific needs, purposes, and functions of information.
[2] NCVHS, Information for Health: A Strategy for Building the National Health Information Infrastructure, November 2001.
[3] NCVHS, Shaping a Health Statistics Vision for the 21st Century, November 2002.
[4] As part of this process, NCVHS in 2009 commissioned two authors of the 2002 health statistics vision report to help the Committee consolidate and update its recommendations. Their report to the Committee is posted on the NCVHS website. < http://www.ncvhs.hhs.gov/090922p3.pdf >
—————————————————————————-

INFORMATION CAPACITIES FOR HEALTH AND HEALTH CARE

Public sector involvement in health information has a long history. State, local, and federal agencies have gathered information through vital records, hospital and ambulatory data sets, public health surveillance, population surveys, and other sources to monitor health trends, identify threats, and guide interventions to protect and promote health. Congress initiated a new type of government involvement in 1996 when the Health Information Portability and Accountability Act (HIPAA) recognized the importance of protecting individuals’ health care information while improving the efficiency of health care delivery through standardized electronic administrative transactions. Most recently, the American Recovery and Reinvestment Act of 2009 (ARRA) began another type of intervention, providing financial incentives for health IT adoption in the nation’s hospitals and physician offices as well as funding for infrastructure support.

While much current attention is focused on the ARRA funding of health IT and critical associated tasks such as defining and implementing “meaningful use” of EHRs, a broader perspective is required to take full advantage of evolving opportunities. Widespread use of optimally configured, standardized EHRs will greatly expand the information available on health care services, users, and providers. However, promoting the health and wellness of the population also requires information about those who have not received health care services, among other things, as well as information on other determinants of health beyond traditional health care, including environmental, social, and economic factors.[6]

In short, national health information capacities must support a broad array of uses and purposes that include improving access to affordable and efficient quality health care, supporting clinicians in delivering care, empowering and engaging patients and consumers in their care, ensuring patient safety, promoting patient trust, eliminating health disparities, monitoring and improving population health, and supporting health services and clinical research. As these capacities are developed, it is critical that the information being collected be comprehensive, timely, efficiently retrievable, and usable, and that individual privacy be protected.

—————————————————————————-
[5] At present, NCVHS has subcommittees on population health, standards, quality, and privacy/confidentiality/security.
[6] See the NCVHS-developed graphic of the determinants of health on page 9 of its report on a vision for 21st century health statistics (see note 3).
—————————————————————————-

In the Committee’s view, this requires a well-coordinated effort that assures the following:

1.  Accessibility and availability of information. The availability of sufficient, timely information from relevant sources must be assured to meet the priority needs of diverse users (including clinicians, consumers, purchasers, payors, researchers, public health officials, regulators, and policymakers) for taking action and evaluating outcomes. To minimize burden, wherever possible data should be collected once, for multiple appropriate uses by authorized users. Where appropriate, the capacity to connect data from multiple sources should be provided.

2.  Standardization. Standardization is necessary to enable interoperability for the efficient collection and timely sharing of information among all types of users. Robust standards should be assured through the definition, application, and adoption of terminologies, codes, and messaging in the areas of reimbursement, public health, regulation, statistical use, clinical use, e-prescribing, and clinical documents.

3.  Privacy, confidentiality, and security protections. With the increasing adoption of interoperable electronic health records technology, along with the move toward global access to health data and emerging new uses of data, methods of access and information availability raise significant new and unique privacy and security concerns. Appropriate privacy, confidentiality, and security protections; data stewardship; governance; and an understanding of shared responsibility for the proper collection, management, sharing, and use of health data are critical to addressing these concerns.

Each is briefly discussed below.

1. ACCESSIBILITY AND AVAILABILITY OF INFORMATION

In today’s world, the boundaries between health care, population health, and even individual personal health management are permeable, and information exchange is increasingly multi-directional. The domains traditionally called “public health” and “health care” are increasingly intertwined, often sharing broad, common information sources and capacities. For example, promoting the health and wellness of individuals and the population requires attention to health determinants including not only the treatment and prevention of disease and the nature of community health resources but also environmental, housing, educational, nutritional, economic, and other influences. Continuously improving the quality, value, and safety of health care involves, among other things, research and knowledge management, meaningful performance measurement, education and workforce development, and support for personal and family health management. Finally, improving health and health care on a national scale requires monitoring and eliminating health disparities and assessing the health status of all Americans, including vulnerable sub-populations.

A major priority of health information policy should be to facilitate these interconnections and enable the multiple uses of information for current and emerging data needs. With health IT, complemented by the necessary privacy protections and data stewardship and facilitated by well designed standards, data can be combined to create richer information and used to address a broad array of current and emerging health and health care issues. Realizing the collective potential of all information sources is what will allow the U.S. to maximize the return on its investments in system reform and health IT for the benefit of all Americans.

At present, the major sources of data on health are:

  • Surveys (interview and examination) and censuses
  • Public health surveillance data (e.g., notifiable disease reporting, medical device reporting)
  • Health care data (EHRs, HIEs, registries, and others such as prescription history, labs, imaging)
  • Administrative data (claims, hospital discharge data, vital records)
  • Research data (community-based studies, clinical trials, research data repositories)

Another essential set of sources for understanding health is the information on influences on health (including transportation, housing, air and water quality, land use, education, and economic factors) managed by various public and private sector agencies. In addition to all these well-established sources, new ones such as personal health records and computerized personal health monitoring devices are emerging with the potential to contribute to understanding health at individual and population levels. Social networking content has the potential to provide yet another new and novel resource.

Most data sources have primary uses for which they were designed. However, given adequate standardization, privacy protections, and informatics technology, these sources have great potential to be used for multiple purposes. For example, EHR data elements are collected to document and manage clinical care, but also can be used for public health reporting (such as communicable diseases and medication safety) and to evaluate population health and conduct health services research. Surveys are principally for population-level analysis, but survey information also contributes to clinical care. Vital records not only provide information about births and deaths, but also serve as the “bookends” of population health data. Administrative data (ICD-9-CM disease codes and CPT-4/HCPCS procedure codes) were initially used for management and reimbursement, but today play a critical role in quality assessment and public health monitoring (e.g., quality and safety indicators and disease prevalence evaluation). As we look to the future, the goal is to leverage all these sources, when appropriate, and expand their utility for understanding personal and population health and their determinants while carefully protecting the confidentiality of the data they contain.

To bring about the needed improvements and efficiencies and draw all possible benefit from the large and growing investment in health IT, the emerging information capacities must enable both more effective and cost-effective clinical services and population health promotion, and their many synergies. This can be facilitated through multi-directional data sharing and linkages to generate information that is comprehensive and broadly representative. It will be critical to break down the silos that now make it difficult to share and connect data. This requires addressing the policy, institutional, technical, and other barriers that contribute to the existing silos. A workforce trained to take advantage of the broader data and informatics capacities is also essential. Detailed local data are needed to enable understanding of health and health care at local neighborhood, community, sub-population, and other levels of aggregation. Key decisions about health and health care are made at the local level, and we envision the potential to meet these needs in ways not previously possible. Finally, a critical use of population health data, especially with the advent of health care reform, is to assess the effectiveness, comparative effectiveness, and equity of health care.

Because resources are limited and burden must be minimized, information policy must set priorities regarding which data are most important in order to target investments in data collection. As noted, burden can be minimized by collecting data once for multiple uses. At least in the near term, provided that data can be put in the hands of trusted stewards, enhanced administrative data may be a powerful component that reduces the burden of multiple collections. As new capacities come on line, it may be possible to curtail or redirect some current collection activities.

An important criterion is that information, whatever its source, must be meaningful to users. Experience has demonstrated that having relevant data and information available does not ensure that it is accessible in a timely manner and useful form to the full range of potential users. Delays may be created by approval processes or regulatory requirements, as well as by the lack of data handling and analysis capacities that could enable a user to pose a question, identify relevant data sources, and request a report that is understandable and protects the privacy of data sources. Ensuring access to useful information is a critical part of the challenge. An overarching goal of all these endeavors is to assure that data can be converted into information and ultimately into knowledge that can answer the priority questions about personal and population health in the U.S. and enable effective decisions and actions to improve them.

2.  STANDARDS FOR INTEROPERABILITY, USABILITY, QUALITY, SAFETY, AND EFFICIENCY

The purposes of health information standards are to ensure the efficient, secure, safe, and effective delivery of high quality health care and population health services; to support the information exchange needs of health care, public health, and research; and to empower consumers to improve their health.

The impending implementation of the next generation of HIPAA standards, the enactment of The Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and the recent signing of health reform into law are creating an unprecedented convergence of driving forces, foundational components, technology advances and capabilities, and regulatory requirements. Together, these assets can help create a common national pathway toward achieving the vision and policy priorities of a 21st century health system that relies on a strong health information and health information technology foundation. The past five years have seen a remarkable transformation in the adoption and use of standards for electronic exchange of health information. The transformation encompasses privacy and security standards, standards for administrative and financial transactions, the establishment of unique identifiers, and more recently the adoption of standards for codifying, packaging, and transmitting clinical information between and across health care organizations. This rapidly evolving transformation is moving us closer to the ideal of a fully interoperable electronic health information collection and exchange environment that supports all functions and needs of the country’s health and health care ecosystem, as discussed in the previous pages.

Data standards provide a key architectural building block that supports the collection, use, and exchange of health information. Health information standards have been developed and are being adopted and implemented in many different areas. Capturing information in codified format through standard representations such as clinical vocabularies and terminologies, code sets, classification systems, and definitions is a key strategy for achieving semantic interoperability. The inclusion of standardized metadata, which describe characteristics of the data such as provenance, increases the potential for assessing the reliability and validity of the data for aggregation, research, and other uses. Organizing and packaging data through defined electronic message and document standards to be accessed and exchanged via standardized electronic transport mechanisms and protocols achieves access and exchange of health information. The availability and integrity of health information is protected and ensured through the deployment of security standards, thus guaranteeing confidentiality and privacy of protected health information. Finally, the certification of health information technology for Meaningful Use depends on the wise deployment and use of health information standards.

3. PRIVACY, CONFIDENTIALITY, SECURITY

With the move toward the management of health data in electronic form, there is a significant opportunity to enhance health data access, utility in patient care, and important secondary uses. The opportunity is further enhanced through the emergence of new methods to exchange health data, both on a regional and national basis. However, the ability to realize the potential of electronic health data depends greatly on ensuring that uses are appropriate and individuals’ reasonable privacy, confidentiality, and security expectations are met.

Individuals should have the right to understand how their health data may be used, and to provide consent where appropriate. Often, consent is difficult, as not all uses are known at the time the health data are collected. Further, standards do not yet exist to track an individual’s consent as data are exchanged. Although many of the population health uses described in this concept paper involve aggregated or de-identified health data, legitimate concerns exist about group harms and possible re-identification. In addition, the possibility of using health data from emerging information sources, such as personal health record systems, raises unique privacy concerns.

NCVHS has discussed many of these privacy challenges in numerous reports and letters to the Secretary. Most notably, NCVHS published two reports, a Primer on health data stewardship[7] and Recommendations on Privacy and Confidentiality, 2006-2008. Both are available on the NCVHS website.[8]

Further work is necessary to develop the privacy, confidentiality, and security standards that should apply as these data uses continue to evolve. In addition, work is needed to establish governance structures to provide the proper oversight of entities that exchange and use health data. In essence, governance is the accountability for ensuring that proper data stewardship (as described in the NCVHS Primer cited above) is practiced. To differentiate between governance and data stewardship, data stewardship is focused on the internal practices of the entity that uses health data, whereas governance is focused on the oversight of such entities to ensure that their data stewardship practices are adequate. Such oversight includes initially approving entities that have access to data, ensuring that such entities appropriately use and protect data, and ensuring that entities that misuse data are appropriately sanctioned.

THE WAY FORWARD

Taken together, today’s emerging policy opportunities and the nation’s longstanding health challenges create a situation of considerable urgency for the United States. The openness to bold new approaches offered by recent legislation will disappear quickly. Given that the U.S. lags behind most other industrialized countries in the health status of its citizens, we must seize the opportunities to maximize the health benefits and begin to assess whether the huge investments are indeed having the desired impact.

This paper has noted the critical federal role in devising health information policy to support national health goals. Federal leadership is more needed than ever to create the comprehensive approaches that will guide the development of information capacities and coordinate efforts by actors in the public and private sectors. Whatever progress is made in the critical transition to electronic health records, clinical data alone will not suffice; broad information capacities that draw on all the sources and serve all the purposes discussed in this paper will be necessary. This will require shoring up the data resources for public functions such as surveys, safety surveillance, and vital records, along with strategic thinking to determine what capacities will be needed in the future and how to guide their development. Many issues require research and demonstration as part of a prioritized, adequately funded research agenda. In addition, further investments in a trained workforce are needed, to ensure the availability of professionals and leaders who can properly use information resources for analysis and decision-making.

————————————————————
[7] An NCVHS Primer: Health Data Stewardship―What, Why, Who, How, December 2009.
[8] http://www.ncvhs.hhs.gov
————————————————————

As it develops policies and strategies, the Department has always invited input from experts and stakeholders; and NCVHS has long helped to facilitate this dialogue and distill the key messages and lessons. NCVHS will continue to use its consultative and deliberative processes, working collaboratively with other HHS advisory committees, to help the Department meet the current opportunities and challenges. As noted, all NCVHS subcommittees plan to be involved in this effort; this report is an early installment on subcommittee and full Committee work plans for the coming 18 months or more. NCVHS expects to develop recommendations on a research agenda, which may be the focus of one or more hearings. Each of the subcommittees is identifying the key issues in its domain, to be pursued through workshops, hearings, and internal deliberations as NCVHS develops recommendations for the Secretary. The subcommittees’ preliminary thinking is outlined below.

SUBCOMMITTEE ON QUALITY

Over the next two years, the NCVHS Subcommittee on Quality will focus on supporting the development of meaningful measures, leveraging both existing and emerging data sources (e.g., patient-generated data, remote monitoring, personal health records), and in particular identifying significant opportunities and gaps. Critical to meaningful measurement is the availability of relevant data elements that could be easily captured using certified EHR technology and functionality, among other tools. The Subcommittee on Quality will identify emerging health data needs for a health system where the individual engages in his or her health and health care. As a near-term priority, the Subcommittee will address the data needs of person-centered health and health care, emphasizing coordination and continuity of care across a continuum of services. A longer term goal is to develop a national strategy to leverage clinically rich health data to address important national questions about determinants of health and disease.

SUBCOMMITTEE ON PRIVACY, CONFIDENTIALITY AND SECURITY

The NCVHS Subcommittee on Privacy, Confidentiality and Security will focus its efforts on providing recommendations that support national priorities, in coordination with such groups as the ONC HIT Policy Committee’s Privacy and Security Workgroup. In the next year, the Subcommittee plans to develop recommendations regarding governance as well as a framework for the identification and appropriate management of sensitive data. The Subcommittee will also consider transparency and the role of patient consent. In addition, it will continue to review and make recommendations regarding new privacy, confidentiality, and security regulations; compliance with these regulations; and strategies for effective enforcement.

SUBCOMMITTEE ON STANDARDS

Health care reform legislation now provides a new opportunity to continue the administrative simplification that began under HIPAA―a process in which NCVHS will remain heavily involved. The NCVHS Subcommittee on Standards will continue to meet its responsibilities related to HIPAA; will implement the many administrative simplification responsibilities assigned by the Health Reform Act of 2010; and will meet new requests for recommendations on the use of standards to enhance interoperability of the transmission and semantics of health data as they arise. As we look to the future, several goals stand out with respect to standards. The Subcommittee will seek to ensure a comprehensive framework and roadmap for health information standards that support the national health IT strategic framework, vision and policy priorities; the public health policy agenda; the NCVHS proposed data stewardship framework; a national research agenda that includes comparative effectiveness; and the needs of all data users.

SUBCOMMITTEE ON POPULATION HEALTH

Understanding the population’s health and its determinants relies on multiple data sources, including population surveys, clinical data, administrative data (notably, birth and death records and billing data on use of health services), and public health and environmental reporting systems. At the national level, Federal agencies such as the National Center for Health Statistics are charged with developing methods, assessing validity, and reporting national population health information. As we envision building a comparable capacity for communities and states across America, the quality of information and its timeliness will be central to success. The Subcommittee on Population Health will focus on facilitators and barriers to data linkage at state and local levels as a critical part of health information infrastructure, specifically linking EHR data with existing administrative and local survey data. Fundamental to understanding population health is describing the underlying population, which also comprises those who have not seen a doctor recently or have refused to respond to a survey. The work of the Subcommittee will focus on methods to ensure that linked data sources provide valid health information, including methods to adjust for missing data and methods to protect privacy.

Privacy and Security Tiger Team: Jun 29 Consumer Choice Tech Hearing

Consumer Choice Technology Hearing June 29, 2010 
Plus Tiger Team Archives
Privacy and Security “Tiger Team” Announces Consumer Choice Technology Hearing
Friday, June 18th, 2010 | Posted Originally on FACA Blog by Deven McGraw and reposted by e-Healthcare Marketing in full.

The HIT Policy Committee (HITPC) invites you to attend the Privacy and Security Tiger Team’s upcoming hearing on consumer choice technology. The Tiger Team is a workgroup which has been assigned the task of analyzing and providing recommendations on privacy and security issues on an expedited basis to the HITPC, and ultimately to the Office of the National Coordinator for Health Information Technology. Many consumers and consumer groups have expressed concern about the ability of patients to control the disclosure of their health information as providers transition to electronic health records and electronic health information exchange. The protection of information related to “sensitive” health conditions such as substance abuse, mental health and sexually transmitted disease is of particular concern. Currently, some state and federal laws require patient consent to share this information. In paper-based exchange, control is maintained either by sharing the record only with patient consent or by redacting certain information from the record prior to sharing. Some experts have said there is no technology to support these consent requirements in an electronic environment. Others have stated that some technology supports these consent requirements.

The purpose of the hearing is to learn more about the capabilities of existing consumer choice technology and the potential for future development in this area. The morning session will focus on consumer choice technology in use today in health information exchange. A user of the technology will speak about their specific implementation of the technology, accompanied by a demonstration. The afternoon session will take a look at consumer choice technologies that are in the development stages for use within health information exchange. These developers have been invited to demonstrate either a prototype of the technology or its current use, and discuss its potential for further development within health information exchange.

After each session, a panel of discussants, along with the members of the Tiger Team, will pose questions to the users and developers about the technological approaches presented. The goal of the panel is to probe the presenters for further information regarding the implementation of the consumer choice solutions and potential for technological development. There will be an opportunity for public testimony both in the morning and the afternoon.

We look forward to learning from the users and developers of these technologies as well as the various stakeholders for electronic health information exchange.

Privacy and Security Tiger Team Hearing Details:
Tuesday, June 29, 2010
8:00 a.m. – 5:15 p.m.

Grand Hyatt Hotel
1000 H Street NW
Washington, DC 20001
Meeting Location: Constitution Ballroom, Constitution Level

Registration Information and Agenda (pdf)
  #                                                  #                                                 #

AGENDA (pdf)
8:15am Opening remarks by Tiger Team co-chairs
–Deven McGraw, Center for Democracy & Technology
–Paul Egerman, Software Entrepreneur
8:15am  Opening remarks by David Blumenthal, MD
National Coordinator for Health IT
8:30am Consumer Choice Technology in Use Today — Panel 1
–InterSystems HealthShare
–CMBHS
9:30am  Break
9:45am Consumer Choice Technology in Use Today–Panel 2
–E-MD E-Chart
–TBD
10:45am Consumer Choice Technology in Use Panel Discussion
–Deborah Peel, MD
–Melissa Goldstein, JD, MA
–Ioana Singureanu
–David Kibbe, MD
11:30am Tiger Team Discussion
12:15pm Lunch
1:15pm Cutting-edge Consumer Choice Technology–Panel 3
–Tolven Institute
–Private Access
2:15pm Break
2:30pm Cutting-edge Consumer Choice Technology–Panel 4
–DOD/VA VLER
–HIPAAT
3:30pm Cutting-edge Consumer Choice Technology Panel Discussion
–Deborah Peel, MD
–Melissa Goldstein, JD, MA
–Ioana Singureanu
–David Kibbe, MD
4:15pm Tiger Team Discussion
5:00pm Public Discussion
5:15pm Adjourn

Privacy and Security Tiger Team Section on ONC site

Tiger Team Meetings Archive
June 15, 2010 Meeting
Agenda [PDF - 36 KB]
Recommendations [PDF - 16 KB]
Meeting Audio [MP3 - 24 MB]

June 11, 2010 Meeting
Agenda [PDF - 13 KB]
Point to Point Exchange Risk Levels [PDF - 72 KB]
Meeting Audio [MP3 - 24 MB]

June 10, 2010
Agenda [PDF - 19 KB]
NHIN Policy and Technology Framework [PDF - 124 KB]
Meeting Audio [MP3 - 14 MB]

Privacy of Substance Abuse & Mental Health Info: New FAQs

New FAQs: Privacy of Individually Identifiable Health Information (Privacy Rule)
FAQs PDF Document
Emailed June 17, 2010 by Office of National Coordinator for Health IT
The Substance Abuse & Mental Health Services Administration (SAMHSA) and the Office of the National Coordinator (ONC) for Health Information Technology announced yesterday the release of the Frequently Asked Questions (FAQs) for Applying the Substance Abuse Confidentiality Regulations to the Health Information Exchange (HIE).

The Substance Abuse Confidentiality Regulations, 42 CFR Part 2, govern the use and disclosure of alcohol and drug abuse patient records that are maintained at federally funded substance abuse programs. Both SAMHSA and ONC want to ensure that our constituents receive every tool and resource possible to allow a more complete understanding of these Federal regulations, which were enacted in 1972 and 1975. The FAQs outline the general provisions of 42 CFR Part 2, provide guidance on its application to electronic health records, and identify methods for including substance abuse patient record information in health information exchange in a manner consistent with the Federal statute.

The FAQs will serve as a valuable resource to a variety of individuals, including specialty and medical providers, as well as HIE technical developers and policymakers. The FAQs are not meant to provide legal advice.

Both SAMHSA and ONC are committed to adhering to the Federal protections of 42 CFR Part 2 and recognize the importance of promoting behavioral health in electronic health records. A meeting is being planned for August 4, from 8:30 a.m. to 12:30 p.m. to provide those interested an opportunity to provide input on the utility of the FAQs.

Read More About Health Privacy
http://www.samhsa.gov/HealthPrivacy/
#                          #                         #

From ONC site on June 21, 2010:
Substance Abuse Confidentiality Regulations FAQs - “A Frequently Asked Questions (FAQs) document for applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges (HIEs) was released on 6/16/2010. This document is an educational tool that serves as a resource for practitioners in the field, as they are applying the Substance Abuse Confidentiality Regulations to Health Information Exchange activities, but does not provide legal advice to its user.”

From Substance Abuse & Mental Health Services Administration (SAMHSA)
Health Information Privacy
 June 21, 2010

Substance Abuse Confidentiality Regulations

Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE) (PDF, 81 KB) | Cover Page (PDF, 26 KB) | Posted on 06/16/2010

Privacy and e-Consent in Three Countries (PDF, 731 KB)
Feb 16, 2007

The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs (PDF, 192 KB)
June 2004

Confidentiality of Alcohol and Substance Abuse Patient Records regulation (42 CFR Part 2)
Electronic Code of Federal Regulations: e-CFR Data is current as of June 17, 2010

HHS, Office for Civil Rights – HIPAA

HHS, Office of National Coordinator (ONC)
#                            #                           #

Mary Mosquera of Government Health IT reported June 21, 2010 on the “guidelines on the conditions under which records pertaining to a patient’s alcohol and drug abuse can be shared via electronic health information exchange systems.”
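The hearing announcement above describes the two paper-world controls for sensitive information (share the record only with patient consent, or redact the protected portions before sharing), and the SAMHSA/ONC FAQs concern applying 42 CFR Part 2 to health information exchange. The following is an added example, not code from the Tiger Team, ONC, SAMHSA or any presenter at the hearing, showing how a sending organization can apply both controls to a tagged record before release: each entry carries a sensitivity category, consent directives are checked per category and per recipient, anything not covered is redacted and logged, and a redisclosure notice is attached whenever Part 2 data is released (42 CFR 2.32 requires such a notice to accompany a disclosure made with patient consent). The record layout, category names, consent structure, recipient identifiers, notice wording and sample entries are assumptions constructed for illustration, not any HIE’s actual format.

```python
"""Consent-gated release of sensitive record segments for health information exchange.

Added example; not code from ONC, SAMHSA or the Tiger Team. It models the two
paper-world controls (share only with patient consent; redact protected
sections before sharing) as a filter applied to a tagged record before it
leaves the sending organization. Record layout, category names, consent
structure, recipient ids and notice wording are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Sensitivity categories assumed for the example. PART2 marks records of a
# federally assisted substance abuse program (42 CFR Part 2).
PART2 = "part2_substance_abuse"
MENTAL_HEALTH = "mental_health"
STD = "std"
GENERAL = "general"

# Categories that never leave without an explicit, matching consent directive.
CONSENT_REQUIRED = {PART2, MENTAL_HEALTH, STD}

# 42 CFR 2.32 requires Part 2 data disclosed with patient consent to be
# accompanied by a written notice prohibiting redisclosure; the wording below
# is a paraphrase, not the regulatory text.
REDISCLOSURE_NOTICE = (
    "This information has been disclosed to you from records protected by "
    "federal confidentiality rules (42 CFR Part 2). Further disclosure without "
    "the specific written consent of the patient is prohibited."
)


@dataclass(frozen=True)
class Entry:
    entry_id: str
    category: str
    text: str


@dataclass(frozen=True)
class Consent:
    """Patient directive: release `category` to `recipient` (an organization id)."""
    category: str
    recipient: str


@dataclass
class Release:
    recipient: str
    entries: list = field(default_factory=list)
    redacted: list = field(default_factory=list)  # withheld entry ids, for the audit log
    notices: list = field(default_factory=list)


def release_for(record, consents, recipient):
    """Build the outbound record for `recipient`.

    General entries flow. Consent-required categories flow only when a directive
    for that category and that recipient exists; otherwise they are redacted and
    logged. If any Part 2 entry is released, the redisclosure notice is attached.
    """
    permitted = {c.category for c in consents if c.recipient == recipient}
    out = Release(recipient=recipient)
    for e in record:
        if e.category in CONSENT_REQUIRED and e.category not in permitted:
            out.redacted.append(e.entry_id)
            continue
        out.entries.append(e)
    if any(e.category == PART2 for e in out.entries):
        out.notices.append(REDISCLOSURE_NOTICE)
    return out


def audit_line(rel):
    """One structured line per release, suitable for the exchange's audit log."""
    return "release recipient=%s sent=%d redacted=%s part2_notice=%s" % (
        rel.recipient,
        len(rel.entries),
        ",".join(rel.redacted) or "-",
        "yes" if rel.notices else "no",
    )


# Constructed sample record and directives (not real patient data).
SAMPLE_RECORD = [
    Entry("e1", GENERAL, "Allergy: penicillin"),
    Entry("e2", PART2, "Enrolled in opioid treatment program, methadone 60 mg"),
    Entry("e3", MENTAL_HEALTH, "Major depressive disorder, sertraline 50 mg"),
    Entry("e4", STD, "Chlamydia, treated"),
]
SAMPLE_CONSENTS = [
    Consent(PART2, "primary-care-clinic"),  # patient consented: Part 2 data to the PCP only
    Consent(MENTAL_HEALTH, "primary-care-clinic"),
]

if __name__ == "__main__":
    for rcpt in ("primary-care-clinic", "emergency-dept"):
        rel = release_for(SAMPLE_RECORD, SAMPLE_CONSENTS, rcpt)
        print(audit_line(rel))
        for e in rel.entries:
            print("  ", e.entry_id, e.category, e.text)
        for n in rel.notices:
            print("   NOTICE:", n)
```

Running the script releases the Part 2 and mental health entries to the primary care clinic, with the notice attached, and only the general entry to the emergency department; the per-release audit line records the withheld entry ids, which is what a reviewer needs to verify that the directive was actually enforced at the point of exchange. Category-level consent is the simplest case; finer-grained choices (per data element, per purpose, time-limited) would extend the `Consent` record rather than the release logic.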

June 16 Webinar on HIE Multi-Party Legal Agreements/DURSA

Multi-Party Legal Agreements for Health Information Exchange
Produced by National eHealth Collaborative
June 16, 2010
       2:30 – 4:00 pm ET
Excerpted from National eHealth Collaborative site on June 16, 2010 
“NeHC is offering a Special National Health IT Week Stakeholder Forum on Multi-Party Legal Agreements for Health Information Exchange as an opportunity for all stakeholders, especially state decision makers, to understand how multi-party legal agreements can be effective for data-sharing at the state level.

Trust Framework

“This session is intended to provide decision makers and others with a foundational legal concept for understanding potential applications of multi-party data-sharing agreements. The Data Use and Reciprocal Services Agreement (DURSA) used by the NHIN Exchange will be presented as a case study in the development of multi-party agreements and participants will learn about those aspects of the DURSA that may be applicable to state level agreements.

“Experts from the ONC Office of Policy and Planning and the ONC Office of State and Community Programs, as well as the State-Level HIE Project led by the AHIMA Foundation (technical assistance provider to state HIE grantees), will be on hand to answer questions from stakeholders and participate in the discussion.

“LEARNING OBJECTIVES: By participating in this Stakeholder Forum, participants will:

  • Learn about the pros and cons of multi-party legal data-sharing agreements for health information exchange
  • Learn about aspects of the DURSA that may impact HIE development for states
  • Take away information that will inform state-level plans to consider participation in interstate HIE or the NHIN Exchange”

To register, please go to NeHC site.

ONC Forms New Privacy & Security Tiger Team

New Privacy & Security Tiger Team formed
Meets June 10-11, 2010:
Initial Focus on NHIN Direct Message Handling Process

Emailed notice from Office of Nat’l Coordinator for Health IT
June 9, 2010
“The Office of the National Coordinator for Health Information Technology (ONC) has organized a workgroup (subcommittee) under the auspices of the HIT Policy Committee to move forward on a range of privacy and security issues.”

“A new Privacy & Security Tiger Team (comprised of members from the HIT Policy Committee and the HIT Standards Committee as well as National Committee on Vital and Health Statistics) will work over the next few months to address the requirements of HITECH and the needs of many new organizations created under that law.”

“This workgroup is chaired” by Deven McGraw, Center for Democracy & Technology; and co-chaired by Paul Egerman. “We expect the work of the Tiger Team to be completed by late fall 2010.” (Chair names corrected per ONC site.)

“Please note the workgroup will meet tomorrow (6/10) and Friday (6/11). Visit the ONC website at http://healthit.hhs.gov/facas for a P&S Tiger Team Member List and dates/times for public participation info for the meetings. ”
#              #             #

Howard Anderson, Managing Editor of HealthcareInfoSecurity.com, reported on June 9, 2010, in a story headlined “New Advisory Group Will Focus on Data Exchange Policies,” that the initial plan is for the group to take a narrow focus and complete it by the end of the summer, unless its mission is extended. Anderson provides a good overview.

HIT Policy Committee
Privacy & Security Tiger Team Members

  • Deven McGraw, Center for Democracy & Technology, Co-Chair
  • Paul Egerman, Co-Chair
  • Dixie Baker, SAIC
  • Christine Bechtel, National Partnership for Women & Families
  • Rachel Block, NYS Department of Health
  • Neil Calman, The Institute for Family Health
  • Carol Diamond, Markle Foundation
  • Judy Faulkner, EPIC Systems Corp.
  • Gayle Harrell, Consumer Representative/Florida
  • John Houston, University of Pittsburgh Medical Center; NCVHS
  • David Lansky, Pacific Business Group on Health
  • David McCallie, Cerner Corp.
  • Wes Rishel, Gartner
  • Micky Tripathi, Massachusetts eHealth Collaborative
  • Latanya Sweeney, Carnegie Mellon University
Upcoming Meetings: June 10 and 11, 2010

June 10, 2010 – 2:00 p.m. to 4:00 p.m.
Agenda [PDF - 19 KB]
NHIN POLICY AND TECHNOLOGY FRAMEWORK [PDF - 124 KB]

2:00 p.m.
Call to Order – Judy Sparrow, ONC
2:05 p.m. Introductions & Overview of Agenda [Primary Issue: NHIN Direct Message Handling Policy]
Deven McGraw, Chair
–Paul Egerman, Co-Chair

2:15 p.m. Level of Policy Recommendations – Deven McGraw
2:30 p.m. Overarching Issues Raised by NHIN Direct – Paul Egerman
–Centralization/Decentralization Issue
–Degree of PHI Exposure
–Policies with Respect to HISPs
–Granularity of Responsibility—entity vs. individual clinician – Deven McGraw
3:30 p.m. Frameworks Discussion – Deven McGraw
3:45 p.m. Public Comment
4:00 p.m. Adjourn

NOTE: Link to NCVHS sensitive data hearing
http://www.ncvhs.hhs.gov/100615ag.htm

June 11, 2010 – 10:30 a.m. to 2:00 p.m./ET
Agenda [PDF - 13 KB]
Point to Point Exchange Risk Levels [PDF]
10:30 a.m. Call to Order – Judy Sparrow, ONC
10:35 a.m. Review of Agenda – Deven McGraw and Paul Egerman
10:45 a.m. Overview of NHIN Exchange – ONC
11:00 a.m. Continued Discussion of Message Handling Policy Issues, con’t Paul Egerman
1:00 p.m. Frameworks Discussion, con’t – Deven McGraw
1:45 p.m. Public Comment
2:00 p.m. Adjourn

NHIN POLICY AND TECHNOLOGY FRAMEWORK [PDF - 124 KB]
Policy Principles
1. Individual Access
2. Correction
3. Openness and Transparency
4. Individual choice
5. Collection, Use and Disclosure Limitation
6. Data Integrity and Quality
7. Safeguards
8. Accountability

Technology Principles
1. Keep it simple
2. Keep the implementation cost as low as possible
3. Donʼt let “perfect” be the enemy of “good enough”
4. Design for the little guy
5. Do not try to create a one-size-fits-all standard
6. Separate content and transmission standards.
7. Create publicly available vocabularies & code sets
8. Leverage the web for transport (“health internet”).
9. Position quality measures so they motivate standards adoption.
10. Support implementers

To participate:
Via Webcast
Audio:
You may listen in via computer or telephone.

  • US toll free:   1-877-705-2976
  • International Direct:  1-201-689-8798

Updates on ONC’s SHARP — Strategic Healthcare IT Advanced Research Projects

SHARP Awards for Health IT Establish Web Sites
Web sites have been launched for each of the four advanced research projects announced April 2, 2010 by the Office of the National Coordinator (ONC) for Health IT. The program, called Strategic Healthcare IT Advanced Research Projects (SHARP) and totaling $60 million over four years, taps into four consortia of leading research and academic institutions, each led by a major research institution. “The research projects supported by the SHARP program will focus on solving current and expected future challenges that represent barriers to adoption and meaningful use of health IT. These projects will focus on areas where ‘breakthrough’ advances are needed to realize the full potential of health IT.” This chart was taken from the Mayo Clinic College of Medicine Wiki site for its project.

SHARP Organization

1. Security of Health IT
http://sharps.org
University of Illinois at Urbana-Champaign
Strategic Healthcare IT Advanced Research Projects on Security (SHARPS)
SHARPS is associated with the Center for Health Information Privacy and Security in the Information Trust Institute at the University of Illinois at Urbana-Champaign.
In their research overview, SHARPS describes the structure of their project, “SHARPS is organized around three major environments: Electronic Health Records (EHRs), Health Information Exchanges (HIEs), and Telemedicine  (TEL), with Personal Health Records (PHRs) included as a major subtopic. SHARPS research projects in these strategic areas are interconnected through three cross-cutting themes: conceptual and policy foundations, service models, and open validation.”
People
Research
Jobs
Publications
Links

2. Patient-Centered Cognitive Support
http://sharpc.org
The University of Texas Health Science Center at Houston
National Center for Cognitive Informatics and Decision Making in Healthcare (NCCD)
Alternative URL: http://www.uthouston.edu/nccd
Mission: “The mission of the NCCD is to bring together a collaborative, interdisciplinary team of researchers from across the nation; with the highest level of expertise in patient-centered cognitive support research from biomedical and health informatics, cognitive science, clinical sciences, industrial and systems engineering, and health services research. Additionally, the NCCD will conduct short-term research that addresses the urgent usability, workflow, and cognitive support issues of Health Information Technology (HIT) as well as long-term, breakthrough research that can fundamentally remove the key cognitive barriers to HIT adoption and meaningful use. The center will translate research findings to the real world through a cooperative program involving researchers, patients, providers, HIT vendors, and other stakeholders.”

Projects

Project 1: Work-Centered Design of Care Process Improvements in HIT
Project 2A: Cognitive Foundations for Decision Making: Implications for Decision Support
Project 2B: Modeling of Setting-Specific Factors to Enhance Clinical Decision Support Adaptation
Project 3: Automated Model-based Clinical Summarization of Key Patient Data
Project 4: Cognitive Information Design and Visualization: Enhancing Accessibility and Understanding of Patient Data
Project 5: Improving Communication in Distributed Team Environment

3. Health Application and Network Platform Architectures
http://www.smartplatforms.org
Harvard University
Substitutable Medical Apps, reusable technologies (SMArt)

“A platform with substitutable apps constructed around core services is a promising approach to driving down healthcare costs, supporting standards evolution, accommodating differences in care workflow, fostering competition in the market, and accelerating innovation.”

In their March 26, 2009 New England Journal of Medicine essay, “No Small Change for the Health Information Economy,” Kenneth D. Mandl, MD, MPH, and Isaac S. Kohane, MD, PhD, wrote: “A health care system adapting to the effects of an aging population, growing expenditures, and a diminishing primary care workforce needs the support of a flexible information infrastructure that facilitates innovation in wellness, health care, and public health.” They point to the iPhone as a model of flexible applications built on a stable platform.

Ten principles were developed at a subsequent workshop, set up on May 13, 2009 by the Informatics Program at Children’s Hospital Boston (CHIP), which convened “leading experts in health, innovation and technology to define ten core principles of a platform that would support healthcare information technology.” See “Ten Principles for Fostering Development of an ‘iPhone-like’ Platform for Healthcare Information Technology.”

4. Secondary Use of EHR Data
http://sharpn.org
Mayo Clinic College of Medicine
Per Mayo Clinic College of Medicine Wiki: “We propose research that will generate a framework of open-source services that can be dynamically configured to transform EHR data into standards-conforming, comparable information suitable for large-scale analyses, inferencing, and integration of disparate health data. We will apply these services to phenotype recognition (disease, risk factor, eligibility, or adverse event) in medical centers and population-based settings. Finally, we will examine data quality and repair strategies with real-world evaluations of their behavior in Clinical and Translational Science Awards (CTSAs), health information exchanges (HIEs), and National Health Information Network (NHIN) connections.

“We have assembled a federated informatics research community committed to open-source resources that can industrially scale to address barriers to the broad-based, facile, and ethical use of EHR data for secondary purposes. We will collaborate to create, evaluate, and refine informatics artifacts that advance the capacity to efficiently leverage EHR data to improve care, generate new knowledge, and address population needs. Our goal is to make these artifacts available to the community of secondary EHR data users, manifest as open-source tools, services, and scalable software. In addition, we have partnered with industry developers who can make these resources available with commercial deployment. We propose to assemble modular services and agents from existing open-source software to improve the utilization of EHR data for a spectrum of use-cases and focus on three themes: Normalization, Phenotypes, and Data Quality/Evaluation. Our six projects span one or more of these themes, though together constitute a coherent ensemble of related research and development. Finally, these services will have open-source deployments as well as commercially supported implementations.

“There are six strongly intertwined, mutually dependent projects, including: 1) Semantic and Syntactic Normalization; 2) Natural Language Processing (NLP); 3) Phenotype Applications; 4) Performance Optimization; 5) Data Quality Metrics; and 6) Evaluation Frameworks. The first two projects align with our Data Normalization theme, while Phenotype Applications and Performance Optimization span themes 1 and 2 (Normalization and Phenotyping); while the last two projects correspond to our third theme.”

SHARP Program Organization
SHARP Area 4: Themes & Projects
Project Initiation Meeting Slides PDF

For more recent post about SHARP Program on e-Healthcare Marketing, click here.

ONC Plans new Privacy and Security Task Force

Chief Privacy Officer for Health IT Joy Pritts
announces new Privacy & Security Task Force
Per slide (ppt slide set) from May 26, 2010 Privacy and Security Workgroup of Health IT Standards Committee, ONC Chief Privacy Officer “Joy Pritts (had) talked to Workgroup about ONC’s plan to create a Privacy and Security Task Force, under HITPC (HIT Policy Committee), to work intensively over the summer to define privacy and security policy to be applied consistently across ONC projects and programs.”
“–Workgroup encouraged involvement of technical experts in Task Force and offered support.
“–Privacy and Security Workgroup efforts to consider and recommend standards, implementation specifications, and certification criteria will abate pending policy decisions from the new Task Force.”

Howard Anderson, Managing Editor of HealthcareInfoSecurity.com reported ” ‘it became quite apparent that a number of workgroups were working on little pieces of this at the same time, and the issues were overlapping, and we didn’t really want to proceed in that fashion very much longer,’ Pritts told a meeting of ONC’s Health Information Technology Policy Committee on May 26.”

Safeguarding Health Information: Building Assurance through HIPAA Security

2010 HIPAA Conference from NIST and OCR: 
Safeguarding Health Information: Building Assurance through HIPAA Security
May 11-12, 2010

PURPOSE:
“The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety; and, the Breach Notification regulations requiring HIPAA covered entities and their business associates to notify individuals when their health information is breached.

“NIST’s (National Institute of Standards and Technology) mission, as a non-regulatory federal agency within the U.S. Department of Commerce, is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

“This conference will provide a forum to discuss the current HIT security landscape, as well as practical strategies, tips, and techniques for implementing the requirements of the HIPAA Security Rule.”

AGENDA:
Click this link to view the final agenda with presentation summaries (updated May 7).

Presentations - 2010 HIPAA
Links below all open pdf versions of presentations.

Tuesday, May 11 (Day 1):

Welcoming Remarks from OCR
Susan McAndrew – Deputy Director for Privacy, HHS Office for Civil Rights

Welcoming Remarks from NIST
William Barker – Chief Cybersecurity Advisor, NIST Information Technology Laboratory

Tips and Techniques for Conducting Risk Assessments
Pat Toth – NIST
Marissa Gordon-Nguyen – HHS/OCR

Keynote Address
Georgina Verdugo—Director, HHS Office for Civil Rights
Howard Schmidt – White House Cybersecurity Coordinator

Standards and Certification Interim Final Rule
Steve Posnack – HHS/ONC
Lisa Carnahan – NIST

Panel: Breach Notification
Christina Heide – Health Information Privacy Division, HHS/OCR
Cora Tung Han – Division of Privacy and Identity Protection, Federal Trade Commission (FTC)

Security of Health Devices
Elliot Sloane – Drexel University

Security Considerations for New Media and Healthcare
Sharon Finney – Corporate Data Security Officer, Adventist Health System

Update on OCR Enforcement of the Privacy and Security Rules
Marilou King – Civil Rights Division, HHS Office of General Counsel
David Holtzman – Health Information Privacy Division, HHS/OCR

Wednesday, May 12 (Day 2):

FTC Information Security
Alain Sheer – Attorney, Division of Privacy and Identity Protection, FTC

Strategies for Developing and Implementing Contingency Plans
David Holtzman – Health Information Privacy Division, HHS/OCR
Marianne Swanson – NIST

Logging and Auditing in a Healthcare Environment
Mac McMillan – Cynergistek, Inc

Panel: HIPAA Security Compliance: An Industry Perspective
Panel Slides
Sue Miller – WEDI
Lisa Gallagher – HIMSS
Robert Tennant – MGMA
Dan Rode – AHIMA

HIE Security Architecture
John Kelly – Director, eBusiness Architecture, Harvard Pilgrim Healthcare

Security Implementation Considerations for Mobile and Wireless Technologies
Matt Sexton – Booz Allen

Encryption Standards
Matt Scholl – Group Manager, Security Management and Assurance, Computer Security Division, NIST

HIPAA Security Standards: Guidance on Risk Analysis Issued by Office of Civil Rights

HIPAA Security Standards: Guidance on Risk Analysis
DRAFT Posted 5/7/10
The Office for Civil Rights (OCR) in the Dept of Health and Human Services issued its first guidance in a series required by HITECH on the HIPAA Security Rule. An article by Dom Nicastro for HealthLeaders Media on May 12, 2010, summarizing the guidance, quotes Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ: “The guidance is an effective primer in that it summarizes basic information about the required risk analysis within the security rule that has existed since the early days of HIPAA,” while it’s not a “one-size-fits all blueprint.”

The document is available on the OCR site.
Guidance document reproduced below in html text. 
PDF Version.
Footnote references are numbered in bold italics within parentheses, such as (1) , and with references at the end of the document.
“OCR encourages the public to offer feedback on this guidance. OCR staff will carefully review all public comments to determine how to improve these materials. Comments can be provided via the following e-mail address: OCRPrivacy@hhs.gov.”

Introduction

The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. (1) (45 C.F.R. §§ 164.302 – 318.) This series of guidances will assist organizations (2) in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI). The guidance materials will be developed with input from stakeholders and the public, and will be updated as appropriate.

We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. (3) An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

We note that some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST). NIST, a federal agency, publishes freely available material in the public domain, including guidelines. (4) Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI. Therefore, non-federal organizations may find their content valuable when developing and performing compliance activities.

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.

Risk Analysis Requirements under the Security Rule

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

The following questions adapted from NIST Special Publication (SP) 800-66 (5) are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)

The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate.

Organizations should use the information gleaned from their risk analysis as they, for example:

  • Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
  • Identify what data to backup and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
  • Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
  • Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  • Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

Important Definitions

Unlike “availability”, “confidentiality” and “integrity”, the following terms are not expressly defined in the Security Rule. The definitions provided in this guidance, which are consistent with common industry definitions, are provided to put the risk analysis discussion in context. These terms do not modify or update the Security Rule and should not be interpreted inconsistently with the terms used in the Security Rule.

Vulnerability

Vulnerability is defined in NIST Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI. Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.

Threat

An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:

  • Natural threats such as floods, earthquakes, tornadoes, and landslides.

  • Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to e-PHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.

  • Environmental threats such as power failures, pollution, chemicals, and liquid leakage.

Risk

An adapted definition of risk, from NIST SP 800-30, is:

“The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to—

  1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  2. Unintentional errors and omissions
  3. IT disruptions due to natural or man-made disasters
  4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

Risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

Elements of a Risk Analysis

There are numerous methods of performing risk analysis and there is no single method or “best practice” that guarantees compliance with the Security Rule. Some examples of steps that might be applied in a risk analysis process are outlined in NIST SP 800-30. (6)

The remainder of this guidance document explains several elements a risk analysis must incorporate, regardless of the method employed.

Scope of the Analysis

The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.

Data Collection

An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

Identify and Document Potential Threats and Vulnerabilities

Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

Assess Current Security Measures

Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (i.e. fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e-PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations. (7)

Determine the Likelihood of Threat Occurrence

The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.”

The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization. (See 45 C.F.R. §§ 164.306(b)(2)(iv), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Potential Impact of Threat Occurrence

The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.

The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Level of Risk

Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.

The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

Finalize Documentation

The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.
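The steps above, from data collection through risk level and documentation, carried through in code as an added example (not part of the OCR guidance). It uses the guidance's own suggestion of averaging likelihood and impact to derive the risk level, rounding up so a half step never understates the risk; the asset names, threats, vulnerabilities and corrective-action labels are all constructed.

```python
"""Risk register for a Security Rule risk analysis (added example, not OCR's).
Inventory of where e-PHI lives, threat/vulnerability pairs with likelihood and
impact, a risk level derived as the guidance suggests (average of the two), and
the documented output with a corrective action per level. Data is constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskItem:
    asset: str            # where the e-PHI is created, received, maintained or transmitted
    threat: str
    threat_category: str  # "natural", "human" or "environmental", as in the guidance
    vulnerability: str    # a technical flaw or a policy/procedure gap
    likelihood: Level
    impact: Level

    def risk_level(self) -> Level:
        # Average of likelihood and impact, rounded up so that a half step
        # (e.g. MEDIUM likelihood with HIGH impact) never understates the risk.
        return Level((self.likelihood + self.impact + 1) // 2)


# Corrective action owed for each risk level (labels are constructed).
CORRECTIVE_ACTION = {
    Level.HIGH: "Mitigate now; track to closure in the risk management plan",
    Level.MEDIUM: "Plan and schedule mitigation; document the decision",
    Level.LOW: "Accept; document rationale and re-review at the next periodic analysis",
}


def build_register(items):
    """Documentation output: each pair with likelihood, impact, risk level and
    corrective action, highest risk first."""
    rows = []
    for it in sorted(items, key=lambda i: (-i.risk_level(), i.asset)):
        rows.append({
            "asset": it.asset,
            "threat": f"{it.threat} ({it.threat_category})",
            "vulnerability": it.vulnerability,
            "likelihood": it.likelihood.name,
            "impact": it.impact.name,
            "risk": it.risk_level().name,
            "action": CORRECTIVE_ACTION[it.risk_level()],
        })
    return rows


def scope_gaps(ephi_inventory, items):
    """Inventory assets with no documented pair: the analysis does not yet
    cover all e-PHI, which the Rule requires it to."""
    covered = {it.asset for it in items}
    return [a for a in ephi_inventory if a not in covered]


# Constructed sample inventory (data collection step) and risk items.
EPHI_INVENTORY = ["EHR server", "Billing workstation", "Clinician laptop",
                  "On-site backup server", "Claims clearinghouse (vendor)"]
SAMPLE_ITEMS = [
    RiskItem("Billing workstation", "Unauthorized access by former staff", "human",
             "Accounts not disabled at termination", Level.HIGH, Level.HIGH),
    RiskItem("Clinician laptop", "Laptop theft", "human",
             "Full-disk encryption not enabled", Level.MEDIUM, Level.HIGH),
    RiskItem("On-site backup server", "Flood", "natural",
             "Backups kept only on site", Level.LOW, Level.HIGH),
    RiskItem("EHR server", "Power failure", "environmental",
             "No uninterruptible power supply", Level.MEDIUM, Level.LOW),
]
```

Calling `scope_gaps(EPHI_INVENTORY, SAMPLE_ITEMS)` flags the vendor clearinghouse, an external source of e-PHI that the sample analysis has not yet covered.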

Periodic Review and Updates to the Risk Assessment

The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.

A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation. For example, if the covered entity has experienced a security incident, has had change in ownership, turnover in key staff or management, is planning to incorporate new technology to make operations more efficient, the potential risk should be analyzed to ensure the e-PHI is reasonably and appropriately protected. If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed. Performing the risk analysis and adjusting risk management processes to address risks in a timely manner will allow the covered entity to reduce the associated risks to reasonable and appropriate levels. (8)

In Summary

Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

Resources

The Security Series papers available on the Office for Civil Rights (OCR) website, http://www.hhs.gov/ocr/hipaa, contain a more detailed discussion of tools and methods available for risk analysis and risk management, as well as other Security Rule compliance requirements. Visit http://www.hhs.gov/ocr/hipaa for the latest guidance, FAQs and other information on the Security Rule.

Several other federal and non-federal organizations have developed materials that might be helpful to covered entities seeking to develop and implement risk analysis and risk management strategies. The Department of Health and Human Services does not endorse or recommend any particular risk analysis or risk management model. Neither these documents nor adherence to any or all of the standards contained in them proves substantial compliance with the risk analysis requirements of the Security Rule. Rather, the materials are presented as examples of frameworks and methodologies that some organizations use to guide their risk analysis efforts.

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, is responsible for developing information security standards for federal agencies. NIST has produced a series of Special Publications, available at http://csrc.nist.gov/publications/PubsSPs.html, which provide information that is relevant to information technology security. These papers include:

  • Guide to Technical Aspects of Performing Information Security Assessments (SP 800-115)

  • Information Security Handbook: A Guide for Managers (SP 800-100; Chapter 10 provides a Risk Management Framework and details steps in the risk management process)

  • An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66; Part 3 links the NIST Risk Management Framework to components of the Security Rule)

  • A draft publication, Managing Risk from Information Systems (SP 800-39)

The Office of the National Coordinator for Health Information Technology (ONC) has produced a risk assessment guide for small health care practices, called Reassessing Your Security Practices in a Health IT Environment, which is available at this link (pdf).

The Healthcare Information and Management Systems Society (HIMSS), a private consortium of health care information technology stakeholders, created an information technology security practices questionnaire, available at http://www.himss.org/content/files/ApplicationSecurityv2.3.pdf. The questionnaire was developed to collect information about the state of IT security in the health care sector, but could also be a helpful self-assessment tool during the risk analysis process.

The Health Information Trust Alliance (HITRUST) worked with industry to create the Common Security Framework (CSF), which is available at http://hitrustcentral.net/files. The risk management section of the document, Control Name: 03.0, explains the role of risk assessment and management in overall security program development and implementation. The paper describes methods for implementing a risk analysis program, including knowledge and process requirements, and it links various existing frameworks and standards to applicable points in an information security life cycle.

References

(1) Section 13401(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

(2) As used in this guidance the term “organizations” refers to covered entities and business associates. The guidance will be updated following implementation of the final HITECH regulations.

(3) The HIPAA Security Rule: Health Insurance Reform: Security Standards, February 20, 2003, 68 FR 8334.

(4) The 800 Series of Special Publications (SP) are available on the Office for Civil Rights’ website, specifically SP 800-30, Risk Management Guide for Information Technology Systems (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html).

(5) See NIST SP 800-66, Section #4 “Considerations When Applying the HIPAA Security Rule.” Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf

(6) Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf.

(7) For more information on methods smaller entities might employ to achieve compliance with the Security Rule, see #7 in the Center for Medicare and Medicaid Services’ (CMS) Security Series papers, titled “Implementation for the Small Provider.” Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/smallprovider.pdf.

(8) For more information on methods smaller entities might employ to achieve compliance with the Security Rule, see #6 in the Center for Medicare and Medicaid Services’ (CMS) Security Series papers, titled “Basics of Risk Analysis and Risk Management.” Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf.