october 22, 2009 1 to dramatically improve safe and secure patient and provider access to personal...
Post on 27-Dec-2015
October 22, 2009
California HHS - HIT Mission
To dramatically improve safe and secure patient and provider access to personal health information and decision-making processes, benefiting the health and wellbeing, safety, efficiency, and quality of care for all Californians.
Today’s CA eHealth Environment
• HIE has traditionally been poorly funded – only communities with uncommon commitment and a forceful champion have succeeded
• EHR adoption has required large investments from organizations capable of making them, and has created a “digital divide” for clinical sites not able to aggressively fund EHR adoption
• ARRA brings large dollars, and with it a large number of “experts” in HIE and EHR adoption
If it was easy to organize communities, it would have been done with CHINs – and most CHINs did not succeed
Leverage HIE and EHR adoption experiences and resources already present in the State (20 HIEs; 70 provider orgs with EHR adoption projects)
• ARRA implementation is moving quickly – it is our collective job to ensure that the related investments are made thoughtfully and can produce the desired health care outcomes
California’s Unique Challenges -- 1
Providers
• 90,000 Physicians
• 65,000 Active in Patient Care
• 400 Hospitals
• 1,200 Nursing Homes
Underserved Providers
• 7,500 – 11,000 “Medi-Cal oriented” physician practices
• 890 Community Clinic sites (~180 corporations)
• 28 Critical Access Hospitals
• 16 Public Hospitals
• 62 Public Health Departments & affiliated clinics
California’s Unique Challenges -- 2
States with Regional HIEs | State Population | # of HIEs | Equivalent California Counties | County Population
New York | 19,400,000 | 14 | Los Angeles + Orange + San Diego + Riverside + San Bernardino | 20,749,000
Massachusetts | 6,500,000 | 6 | Los Angeles | 10,364,000
Indiana | 6,300,000 | 3 | San Diego + Orange | 6,270,000
State HIE | State Population | Equivalent California County | County Population
Delaware | 873,000 | Fresno County | 931,000
Idaho | 1,500,000 | Alameda County | 1,543,000
Maine | 1,300,000 | Sacramento County | 1,424,000
Nebraska | 1,800,000 | Santa Clara County | 1,820,000
Utah | 2,700,000 | Orange County | 3,121,000
Vermont | 621,000 | San Joaquin County | 685,000
The CA Vision
• California has a unique opportunity to create a world-class health information highway for the benefit of all of its citizens
• The distinction between “HIE” and “EHR” should be merged into “eHealth” because they are facets of the larger subject
• California should have one entity that coordinates all organized eHealth activities in order to ensure maximizing value, leveraging scarce resources, and providing best return for Californians
– This entity will become the place where eHealth activity throughout the State is coordinated and tracked
– This organization will be charged with communicating best practices and acceleration methodologies
• Meaningful Use will ultimately be determined by the number of patients with improved outcomes, not the amount of incentive dollars received
CA HIT&E Objectives
1. To ensure patients have safe, secure access to their personal health information and the ability to share that information with others involved in their care
2. To engage in an open, inclusive, collaborative, public-private process that supports widespread EHR adoption and a robust, sustainable statewide health information exchange
3. To maximize California’s access to critical ARRA stimulus funds
4. To integrate and synchronize the planning and implementation of HIE, HIT, telehealth and provider incentive program components of the federal stimulus act
5. To improve health care outcomes and reduce costs
6. To ensure accountability in the expenditure of public funds
7. To improve public health through stronger public health program integration, bio-surveillance and emergency response capabilities
CA Timeline
• December 2007, Governor forms the Privacy & Security Advisory Board (PSAB) reporting to the Secretary of CHHS
• April, 2009: Jonah Frohlich appointed to position of Deputy Secretary, Health IT, California Health & Human Services Agency
• April 2009, CHHS convened the California Health Information Exchange Advisory Board, a 19 member board to provide oversight of HIE.
• May 2009, State Planning Workgroups organized
• May-June, 2009, 20 regional town hall meetings
• July, 2009, 3 statewide town hall meetings
• July 20, 2009, Statewide HIT&E Planning Summit
• August, 2009, CA State Plan for HIT&E released; RFI for SDGE released
• September, 2009, RFI proposals due; Oct, decision due on SDGE
• Nov-Dec, 2009, Ramp up SDGE process and coordination with REC designees, Broadband, Training, and other federal funded projects.
CA Governance Model
The CA Plan:
• Includes public and private sector joint oversight
• Expands existing HIOs and EHR networks
• Partners with communities to implement “shovel-ready” projects
• Avoids potential conflicts of interest in distribution of ARRA funds, by being open to participation by all HIOs and does not itself act as an HIO.
California PSAB Status
• California’s Privacy & Security Advisory Board and its 5 Committees creating P&S guidelines and implementation frameworks for ARRA HITECH funding
• Guideline process is collaborative and transparent and includes:
– Participation of All Committee Members & Stakeholders & Interested Parties
– Development of Draft Privacy & Security Guidelines
– Use of Survey Monkey to Compile All Comments
– Use of Open Teleconference to Respond to Comments
– Use of CalOHII Hosted Website to Post All Documents (with comments and responses)
– Vetted through Privacy, Security and HIE Committees
HIE Consent Recommendations from the HIO Committee
1. The HIE development in California does not have enough trust mechanisms in place to allow a less conservative consent approach to be adopted.
2. As more trust mechanisms are adopted by stakeholders involved in the exchange, the consent approach should be changed to reflect the level of security and privacy of the information.
3. Direct treatment relationships should not be hampered by the consent approach.
4. A safety net (break-the-glass) option in emergency circumstances should be adopted.
5. The consent approach should not impact the quality of care.
6. Details need to be worked out by the Committee.
PSAB Operational Plan Factors
Incorporates:
• ARRA
• HIPAA
• Alcohol and Drug Abuse Patient Records
• HHS Framework
• Potential Additional ONC Requirements
May also incorporate:
• NIST and portions of FIPS
• NHIN Core Services
• Department of Veterans Affairs
• Department of Defense
• Indian Health Services
Coordination with Federal Programs
• Medicare
• Epidemiology and Lab Capacity Coop. Agreement
• Assistance for Integrating Long Term care Population into State Grants to Promote HIT Implementation (CMS/ASPE)
• HIV Care Grant Program
• Maternal and Child Health State Systems
• State Offices of Rural Health Policy
• State Offices of Primary Care
• State Mental Health Data Infrastructure Grants
• State Medicaid/CHIP Programs
• IHS and Tribal Activities
• Emergency Medical Services for Children Program
Coordination with Other ARRA Programs
• Health Information Exchange
• Regional Extension Centers
• EHR Loan Fund
• Workforce Development Initiatives
• Broadband Mapping
• Broadband Access
• Research & New Technology
PSAB Key Implementation Focus
• Access Control
• NIST-2 & NIST-3 Authentication
• P/ABAC Authorization (attribute-based, policy enforced authorization, with preference to authorization arbitration at data requestor location (“ZBAC”))
• Collection Limitation & Other CA Law vs Federal Law
• Use and Disclosure
• Provision of health care services vs all other secondary uses
• Sensitive Information
• HIE consent
• Opt In/Out
• Consent options & usage
PSAB Access Control
• Authentication
• Single Entity can use AD, OID, or other secured directory services for identity assertion.
• Must adhere to NIST Level 2 requirement for establishment of identity
• May use single factor with strong passwords and strong password management controls
• Must use NIST-3 dual factor for any access that is from outside of the physical entity boundaries (will become a requirement for accessing data through an HIE)
• Authorization across entity domains may be accomplished using federated authentication, but must abide by CA OCIO standard for federated identity management.
CA OCIO Fed Auth Standard
• The solution must support OASIS WS-Security including a Secure Token Service (STS).
• The solution must support OASIS WS-SecurityPolicy which states the conditions of a given security policy.
• The solution must support WS-Trust which states the conditions of the trust relationship.
• If federation across security realms is required, then the solution must use WS-Federation as the framework.
• The solution must support OASIS Security Assertion Markup Language (SAML) as the token profile (profiles are defined in WS-Security) for NIST levels 2 and 3 assurance.
• If the solution requires encryption beyond SSL/TLS, then it must support W3C XML Encryption and IETF PKIX for Public Key Infrastructure (X.509).
• If proof of sender is required, then the solution must support W3C XML Digital Signature and IETF PKIX for Public Key Infrastructure (X.509).
PSAB Authorization
• Authorization
• P/ABAC Authorization (attribute-based, policy enforced authorization, with preference to authorization arbitration at data requestor location (“ZBAC”))
• Opt Out for provision of Health Care
• Opt In for all other uses of IHI (Individual Health Data)
• Must include consent attributes [NOTE: while we are only now just getting into the details of consent, we will most likely use the HITSP TP-30 Construct]
• Approved Attributes as of the 9/16/09 PSAB Board Mtg:
• Data Source;
• Role of Requestor;
• Sensitivity of Data;
• Consent Directives of the Data Subject
• Entity of Requestor;
• Use of Data;
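How the PSAB Access Control and PSAB Authorization slides combine into a single attribute-based decision, as an added example that is not PSAB or CalOHII code. The field names, the use-of-data labels, and the rule that break-the-glass overrides an opt-out (but never weak authentication) are assumptions made for illustration; the slides leave those details to the Committee.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

TREATMENT = "provision_of_health_care"  # label is an assumption

@dataclass(frozen=True)
class Request:
    # The six attributes approved at the 9/16/09 PSAB Board meeting
    data_source: str
    requestor_role: str
    requestor_entity: str
    data_sensitivity: str
    use_of_data: str
    # Consent directives of the data subject (field shapes are assumptions)
    opted_out_of_treatment_exchange: bool = False
    opted_in_uses: FrozenSet[str] = frozenset()
    # Authentication context (assumed to come from the verified SAML assertion)
    assurance_level: int = 2        # NIST level of the login
    outside_entity_boundary: bool = False
    emergency: bool = False         # break-the-glass invoked by the requestor

def decide(req: Request) -> Tuple[bool, str]:
    """Return (permit, reason); the reason string is what gets audit-logged."""
    # NIST-2 inside the entity, NIST-3 dual factor from outside its boundary.
    required = 3 if req.outside_entity_boundary else 2
    if req.assurance_level < required:
        return False, f"authentication below NIST level {required}"
    if req.use_of_data == TREATMENT:
        # Opt-out model: exchange is allowed unless the subject objected.
        if not req.opted_out_of_treatment_exchange:
            return True, "treatment use, no opt-out on file"
        # Assumption: break-the-glass overrides an opt-out, never weak authentication.
        if req.emergency:
            return True, "break-the-glass override, flag for review"
        return False, "subject opted out"
    # Opt-in model: every other use needs an explicit directive for that use.
    if req.use_of_data in req.opted_in_uses:
        return True, "secondary use with opt-in on file"
    return False, "secondary use without opt-in"

def sample_decisions():
    # Constructed requests; all values are illustrative.
    base = dict(data_source="hospital-a", requestor_role="physician",
                requestor_entity="clinic-b", data_sensitivity="normal")
    reqs = [
        Request(**base, use_of_data=TREATMENT),
        Request(**base, use_of_data=TREATMENT, outside_entity_boundary=True),
        Request(**base, use_of_data="research"),
        Request(**base, use_of_data=TREATMENT, emergency=True,
                opted_out_of_treatment_exchange=True),
    ]
    return [decide(r)[0] for r in reqs]
```

The role, entity, source and sensitivity attributes are carried on every request so that a fuller policy can condition on them; the slides do not state rules for them, so this sketch does not invent any.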