interoperability roadmap comments privacy and security workgroup march 16, 2015

Interoperability Roadmap Comments

Privacy and Security Workgroup

March 16, 2015

2

Agenda

• Discussion of Draft Interoperability Roadmap comments for Sections G and H

3

Privacy and SecurityDraft Workplan

Meetings Task December 5, 2015 • Virtual hearing – big data and privacy

December 8, 2014 • Virtual hearing – big data and privacy

January 12, 2015 • Big data and privacy in health care

January 26, 2015 • Big data and privacy in health care

February 9, 2015 • Big data and privacy in health care

HITPC Meeting February 10, 2015 • Charged with commenting on the Interoperability Roadmap V.1

✓ February 23, 2015 • Transition to comment on Interoperability Roadmap

March 16, 2015 • Comment on the Interoperability Roadmap

HITPC Meeting April 7, 2015 • Interoperability Roadmap comments to the HITPC

4

Section Headings

Section H – Consistent representation of authorization to access health information When coupled with identity verification, this allows consistent decisions to be made by systems about access to information.

Section G – Consistent representation of permission to collect, share and use identifiable health information Though legal requirements differ across the states, nationwide interoperability requires a consistent way to represent an individual's permission to collect, share and use their individually identifiable health information, including with whom and for what purpose(s).

5

Straw Overarching Comments (for discussion)

1. Clarify language regarding the relationship between “basic choice” and existing health or medical privacy laws that permit sharing of health information for some purposes (such as among health care providers for treatment and care coordination) without the requirement to first obtain consent.

• For many readers, the draft Roadmap was unclear on what was intended in the discussion of basic choice, with some people interpreting the discussion as requiring basic choice even in circumstances where the law permits data to be shared without first requiring an individual’s express permission (for example, the draft Roadmap describes the laws that permit sharing as being the default when an individual has not expressed basic choice, which could lead to an interpretation that some level of basic choice is either required or preferred).

• ONC should make sure the final Roadmap clearly and unambiguously articulates the following national near-term goals (which were presented to the PSWG by ONC during one of our public sessions on the Roadmap):• Exchange is permitted for certain purposes without an individual’s permission;• Basic choice, if offered to individuals, is offered in a technically standard way and

individuals can more easily make choices electronically and online; and• Harmonize categories/conditions legislatively defined under federal and state law

(e.g., mental health).

6

Straw Overarching Comments (for discussion)

Straw overarching recommendations (for discussion)2. With respect to exchange among providers, the

Interoperability Roadmap should focus on clarifying existing law and policies to enable exchange; it is not a vehicle for considering policy change on consent. – Policy debates about the degree of control that patients should

have over personal health information continue and will continue into the future, particularly as technology and cultural norms around privacy evolve.

– ONC should use the Roadmap not as a vehicle for policy change, but as a vehicle for promoting/assuring interoperability in the face of the existing policy framework, enabling existing laws and practices around patient choice to be honored

7

Workgroup Discussion – Section HConsistent representation of authorization to access health informationWhen coupled with identity verification, this allows consistent decisions to be made by systems about access to information.

8

Interoperability Roadmap Section HConsistent representation of authorization to access health information

Charged Questions for Section H:1. Who should ONC convene to develop policy recommendations and a

framework to enable consistent decisions about authorized access to health information?

2. Original question from Section G - Is there agreement that the issue of “rules confusion” should be addressed from a policy perspective at the state level to advance the goals of a learning health system? If no, why not? If yes, what would be three priority areas for additional clarification?

3. For role-based access, how should role categorization proceed across the healthcare system?

4. Is there a basic set of defined roles that can be agreed upon and built on? 5. Are existing standards to support authorization in healthcare sufficient to

meet the needs of an evolving nationwide learning health system?6. What are the reasons for the relatively low uptake of existing standards?

9


1. Who should ONC convene to develop policy recommendations and a framework to enable consistent decisions about authorized access to health information?

Straw Response (for discussion):1. ONC should gather information from a broad array of

stakeholders trying to exchange, or facilitate the exchange of, health information (providers, patients, HIEs, federal and state entities, etc.) to determine what are common obstacles with respect to demonstrating legal authority to access a record, particularly for treatment and care coordination purposes, and even in circumstances where consent is not required.

10


2. Original question from Section G - Is there agreement that the issue of “rules confusion” should be addressed from a policy perspective at the state level to advance the goals of a learning health system? If no, why not? If yes, what would be three priority areas for additional clarification?

Straw Response (for discussion):1. Clarification from regulators (ideally with specific examples) about what is

acceptable for demonstrating legal authority to access information would be enormously helpful. – For example, the HITPC approved recommendations from the Tiger Team that included

best practices for demonstrating legal authority to access a record in an environment governed by HIPAA. These and other approaches deemed acceptable should be broadly disseminated.

– There is also confusion with respect to other federal laws (42 C.F.R. Part 2) as well as state laws, where even providers operating within states do not fully understand their own state laws with respect to authorized sharing of identifiable health information.

– Areas for clarification: existence of a direct or indirect treatment relationship; as noted further above, the consent or authorization of the patient to share information in circumstances where it is required.

11


3. For role-based access, how should role categorization proceed across the healthcare system?

4. Is there a basic set of defined roles that can be agreed upon and built on?

12


Straw Response (for discussion)1. ONC should focus on facilitating entity-to-entity exchange; who is permitted

to access that information within the entity – role-based access – should be left to internal policies.– The working group is not clear why role-based access – which is typically determined

within an organization or institution – has a bearing on whether exchange can occur between organizations or institutions. We are trying to make sure exchange takes place between disparate entities; once the information is shared with another organization, how it is “triaged” within that organization to make sure it (1) is delivered to the person to whom it is specifically addressed/directed, in circumstances where a particular person is designated as the recipient, and (2) is accessed only by persons who have legal authority to access that record and have the properly assigned role within their organization or institution. These latter two decisions are made at the organization/institution level and the working group sees no clear reason why achieving interoperability requires standardization of these decisions.

2. Re: the issue of accounting for disclosures and investigating inappropriate access, the Policy Committee has already issued recommendations on those topics.

13


5. Are existing standards to support authorization in healthcare sufficient to meet the needs of an evolving nationwide learning health system?

6. What are the reasons for the relatively low uptake of existing standards?

14


Straw Response (for discussion)1. These are questions more appropriate for the

Standards Committee to resolve.

15

Workgroup Discussion – Section GConsistent representation of permission to collect, share and use identifiable health informationThough legal requirements differ across the states, nationwide interoperability requires a consistent way to represent an individual's permission to collect, share and use their individually identifiable health information, including with whom and for what purpose(s).

16

Interoperability Roadmap Section GConsistent representation of permission to collect, share and use identifiable health information

Charged Questions for Section G:1. Are states ready to collaborate on the issue of

permission? Why or why not? 2. What other methodologies, including technical

solutions, should also be considered to address this concern?

3. The Draft Interoperability Roadmap assumes that consent should persist with patient information; is this a valid assumption? What would be the impact of non-persistence on the interoperable movement of data?

17


Charged Questions for Section G:4. Is there agreement on approaching consent through

basic choice as it relates to TPO followed by granular choice supported by a set of nationwide harmonized rules?

5. What are the alternatives we should be considering? 6. What areas of health information should be

addressed first for granular choice?7. What are realistic timeframes?8. How should success be measured when addressing

the complexity of the rules environment?

18


1. Are states ready to collaborate on the issue of permission? Why or why not?

Straw Response (for discussion)1. We do not know the answer to the question. We agree collaboration would be

helpful and hope there is a willingness on the part of the states to come to the table. Harmonization of state law on consent – if the states were willing to address this – could help improve compliance with those laws, as well as enable the development of standards for communicating consents. • As the imperatives to exchange grow stronger, the distress levels felt by providers

who are unable to exchange due to lack of understanding of legal requirements and lack of technical mechanisms for achieving compliance will increase. This may help bring people to the table.

• States could consider whether the framework recommended by the National Committee on Vital and Health Statistics (NCVHS) – which established specific, defined categories for granular consent – would help them achieve some consensus on how to harmonize. Consider also whether the Uniform Law Commissioners could help in drafting harmonized approaches.

19


2. What other methodologies, including technical solutions, should also be considered to address this concern?

Straw Response (for discussion)1. Although this is not a “technical” solution, ONC should

evaluate the work done by the Social Security Administration (SSA) in formulating a universal authorization to share data that has enabled them to access data across states for consideration in disability determinations.

20


3. The Draft Interoperability Roadmap assumes that consent should persist with patient information; is this a valid assumption? What would be the impact of non-persistence on the interoperable movement of data?

Straw Response (for discussion)1. Achieving technical ability to “persist” consent or authorization is desirable – but

likely only in those circumstances where there is either a legal obligation for consent to be persisted and honored across settings, or in the circumstance of data shared directly by the patient.

• For some circumstances, having consent persist with the information is either legally required (e.g., pursuant to 42 C.F.R. Part 2 or other more granular consent laws) or would be desirable. At a minimum, consents need to be clearly communicated in circumstances where law or policy requires consent for sharing. In our work on query for patient records, as well as on granular consent and data segmentation, we have repeatedly recommended having a standard way of communicating consent to share where such consent is required. But there is concern that in the absence of a legal obligation to obtain the consent of the patient, it may not be possible for that consent to be honored downstream – and individuals providing that consent need to understand this. Does persistence of a consent trigger an obligation (either in reality or perception) that the consent must be honored? In addition, if require consent to be persisted, do we risk creating an environment where consent becomes a de facto requirement because the absence of consent communicates that such sharing is not permitted?

21


4. Is there agreement on approaching consent through basic choice as it relates to TPO followed by granular choice supported by a set of nationwide harmonized rules?

5. What are the alternatives we should be considering?

6. What areas of health information should be addressed first for granular choice?

7. What are realistic timeframes?

22


Straw Response (for discussion)1. ONC should make sure it also focuses on assuring that exchange can occur in

circumstances governed by HIPAA (where choice is not necessarily articulated), in addition to focusing on choice circumstances.

2. Basic choice has been implemented in one form or another by a number of HIEs and other exchange settings – and achieving exchange among HIEs is a desirable near-term goal, which argues for some early focus on basic choice.

3. Because granular choice harmonization requires some significant work on the policy front, and work with multiple states, efforts to bring states together to begin the dialogue could be launched even while the standards focus is on enabling basic choice.

4. Consider whether there are intermediate options between basic and granular, because granular is typically defined as applying to types of data. Consider enabling choice at the level of provider or provider organization, and enabling patients to make more global choices (for example, all treating providers vs. being required to specifically name them) should they choose to do so.

23


8. How should success be measured when addressing the complexity of the rules environment?

Straw Response (for comment):

These are success metrics for the first 1-5 years of implementing the Roadmap.1. Issuance of more guidance on acceptable mechanisms for assuring legal

authorization to share information. (within 1-2 years)2. Greater exchange of information for treatment and care coordination,

particularly in circumstances where HIPAA governs (or there are no state laws that restrict sharing of information for those purposes). (1-5 years)

3. Achievement of consensus on definitions for basic choice would be itself a big milestone. (within 1-2 years)

4. Dialogue among states with respect to harmonization has commenced. (1-3 years)

24

Backup

25

HITPC - Privacy and Security

Workgroup Privacy and SecurityONC FACA WG Lead(s) Helen Caton-Peters, Kathryn MarchesiniONC SME Lucia Savage

Chair / Co-Chairs • Deven McGraw, Chair, Manatt, Phelps & Phillips, LLP• Stanley Crosley, Co-Chair, Drinker Biddle & Reath LLP

General Questions(as they apply to the assigned Roadmap section)

• Are the actions proposed in the draft interoperability Roadmap the right actions to improve interoperability nationwide in the near term while working toward a learning health system in the long term?

• What, if any, gaps need to be addressed? • Is the timing of specific actions appropriate? • Are the right actors/stakeholders associated with critical actions?

Roadmap Section • G. Consistent representation of permission to collect, share and use identifiable health information

• H. Consistent representation of authorization to access health information

Resources: Choice, Accounting of Disclosures, and Audit

• Choice– HITPC: 9/1/2010– HITPC: 2/8/2011– HITPC: 8/16/2011– HITPC: 10/18/2011– HITPC: 6/29/2012– NCVHS: 2/20/2008 – NCVHS: 11/10/2010– NCVHS: 8/29/2011

26

• Audit– HITPC: 2/8/2011– HITPC: 3/5/2010– HITPC: 4/18/2011– HITPC: 10/29/2013

• Accounting of Disclosures– HITPC: 1/22/2014

Source: http://www.healthit.gov/facas/health-it-policy-committee/health-it-policy-committee-recommendations-national-coordinator-health-it

Source: http://www.ncvhs.hhs.gov/recommendations-reports-presentations/

http://www.healthit.gov/sites/faca/files/hitpc_transmittal_p_s_tt_9_1_10_0.pdf

http://www.healthit.gov/sites/faca/files/hitpc-transmittal-letter-priv-sectigerteam-020211.pdf

http://www.healthit.gov/sites/faca/files/HITPC_PSTT_Transmit_8162011.pdf

http://www.healthit.gov/sites/faca/files/HITPC_Privacy_and_Security_Transmittal_Letter_10_18_11.pdf

http://www.healthit.gov/sites/faca/files/HITPC-Transmittal-Letter-Gov-RFI-FINAL.docx

http://www.ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf



http://www.healthit.gov/sites/faca/files/hitpc-transmittal-letter-priv-sectigerteam-020211.pdf

http://www.healthit.gov/sites/faca/files/pswg_recommendation_letter_regs_finalmarch_2010.pdf

http://www.healthit.gov/sites/faca/files/pswg_recommendation_letter_regs_finalmarch_2010.pdf

http://www.healthit.gov/sites/default/files/hitpc-transmit_privsectigerteam_apr11-signed.pdf

http://www.healthit.gov/sites/faca/files/Tiger%20Team%20Recommendation%20Transmittal_MU3RFC_FINALv3.docx

http://www.healthit.gov/sites/faca/files/PSTT_Transmittal010914.pdf

http://www.healthit.gov/sites/faca/files/PSTT_Transmittal010914.pdf

http://www.healthit.gov/facas/health-it-policy-committee/health-it-policy-committee-recommendations-national-coordinator-health-it

http://www.healthit.gov/facas/health-it-policy-committee/health-it-policy-committee-recommendations-national-coordinator-health-it

http://www.ncvhs.hhs.gov/recommendations-reports-presentations/

http://www.ncvhs.hhs.gov/recommendations-reports-presentations/

27

Core Values

• The relationship between the patient and his or her health care provider is the foundation for trust in health information exchange, particularly with respect to protecting the confidentiality of personal health information

• As key agents of trust for patients, providers are responsible for maintaining the privacy and security of their patients’ records

• We must consider patient needs and expectations. Patients should not be surprised about or harmed by collections, uses, or disclosures of their information

• Ultimately, to be successful in the use of health information exchange to improve health and health care, we need to earn the trust of both consumers and physicians

Core Tiger Team Recommendation – September 1, 2010All entities involved in health information exchange – including providersthird party service providers like Health Information Organizations (HIOs) and other intermediaries – should follow the full complement of fair information practices when handling personally identifiable health information.

Section G: Consistent Representation of Permission to Collect, Share and Use Identifiable Health Information: Critical Actions

28

Category 2015-2017 2018-2020 / 2021-2024Improve Health IT stakeholders’ understanding of existing HIPAA rules and how they support Interoperable exchange through permitted access, use and disclosure for TPO

1. Through education and outreach, federal government/Office for Civil Rights (OCR) will consider where additional guidance may be needed to help stakeholders understand how the HIPAA Privacy Rule permits health information to be exchanged (use and disclosure) for TPO without consent. 2. Federal and state governments, in coordination with organizational health information privacy policymakers, conduct outreach and disseminate educational materials and OCR guidance to LHS participants about Permitted Uses and Disclosure of health information and Individual Choice. 3. ONC will brief key stakeholders, possibly including NCSL, NGA, privacy advocates and Congress on findings regarding the complexity of the rules environment, especially the diversity among more restrictive state laws that seek to regulate the same concept, impedes computational privacy. 4. ONC, in collaboration with states, national and local associations, and other federal agencies will convene a Policy Academy on Interoperability with a particular focus on privacy as an enabler of interoperability.

Stakeholder input requested

Source: Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap, DRAFT v 1.0, p. 68.

http://healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf



29

Category 2015-2017 2018-2020 2021-2024

Align stakeholder adopted policies with existing HIPAA regulations for health info that is regulated only by HIPAA

For information that is regulated by HIPAA only, ONC will: 1. adopt at a policy level a standard definition of what is “Basic Choice” 2. adopt technical standards regarding how to ensure individuals are offered Basic Choice in a manner that can be captured electronically and in a manner in which the individual’s choice persists over time and in downstream environments, unless the individual makes a different choice.

3. A majority of state governments and stewards of health information (health care organizations, HIEs, etc.) revise regulations and policies to align with the federal definitions of permitted uses for data regulated solely by HIPAA and also aligning with the ONC standard on what constitutes Basic Choice and how it should be implemented, with the result being an established consensus background rules for the nation.

4. All of state governments and stewards of health information (health care organizations, HIEs, etc.) revise regulations and policies to align with the consensus on non- sensitive information that is permissible to exchange—or access, use and disclose—for TPO without an individual’s written consent establishing consensus background rules for the nation.





30

Category 2015-2017 2018-2020 2021-2024Align regulations and policies for electronic health info that is protected by laws in addition to HIPAA

1. State governments standardize existing laws pertaining to "sensitive" health information, particularly those regarding clinically sensitive and age-based rules, so that those laws mean the same things in all U.S. jurisdictions, without undermining privacy protections individuals have today. 2. Federal government, a majority of state governments and stewards of health information (health care organizations, HIEs, etc.) begin revising regulations, policies and programs for granular choice to align with the consensus categories of sensitive health information and rules for granular choice that establish consensus background rules for the nation.

3. Federal government, all state governments and stewards of health information (health care organizations, HIEs, etc.) revise regulations, policies and programs for granular choice to align with the consensus categories of sensitive health information and rules for granular choice that establish consensus background rules for the nation.





31

Category 2015-2017 2018-2020 2021-2024

Technical standards for basic choice

1. ONC, standards development organizations, health IT developers and appropriate stakeholders harmonize technical standards and implementation guidance for consistently capturing, communicating and processing basic choice across the ecosystem. 2. Technology developers begin implementing harmonized standards that document and communicate an individual’s basic choice.

3. Technology developers implement technical standards and implementation guidance for consistently capturing, communicating and processing individual choice. Adoption has begun, with 5% of exchangers using the standards regularly.

4. Technology developers implement technical standards and implementation guidance for consistently capturing, communicating and processing individual basic choice. Adoption continues, with a majority of exchangers using the standards regularly. 5. Basic choice standards are used widely to electronically capture individuals’ desire to have their health information included in research.





32

Category 2015-2017 2018-2020 2021-2024

Associate individual choice with data provenance

1. ONC, standards development organizations, health IT developers, health care providers and appropriate stakeholdersharmonize technical standards and develop implementation guidance for associating individual choice with data provenance to support choice 2. Technology developers begin to implement technical standards for associating individual choice with data provenance to support choice.

3. Technology developers implement harmonized technical standards for associating individuals’ choice with data provenance; adoption has begun, with 5% of exchangers using the harmonized standards regularly.

4. Technology developers implement harmonized technical standards for associating individuals’ choice with data provenance; adoption has begun, with a majority of exchangers using the harmonized standards regularly.




Section H: Consistent representation of authorization to access health information

33Source: Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap, DRAFT v 1.0, p. 73.

Category 2015-2017 2018-2020 2021-2024Develop New Policies and Regulations

1. ONC will convene workshops or listening sessions on the types of data sharing that may be required, by role, to support value-based purchasing. A major goal of the workshops will be to evaluate how close the nation can come to achieving its goals of the three-part aim using existing privacy rules.

2. Stakeholder input requested




Section H: Consistent representation of authorization to access health information

34Source: Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap, DRAFT v 1.0, p. 73.

Category 2015-2017 2018-2020 2021-2014Clarify Existing HIPAA Requirements

1. The HHS Office for Civil Rights will consider where additional guidance may be needed to help stakeholders understand how HIPAA Privacy and Security Rules apply in an environment where ACOs and other multi-stakeholder entities permeate the landscape in support of value-based purchasing.





interoperability roadmap comments privacy and security workgroup march 16, 2015

Documents