HIT Policy Committee
HIT Standards Committee Privacy and Security Workgroup: Status Report
Dixie Baker, SAIC
July 16, 2009

Page 1: Title slide (title, presenter, and date as given above)

Page 2: EHR Adoption Reimbursement Requirements

• In order to get reimbursed for adopting EHR, an eligible provider must meet two requirements:
  1. Acquire a certified EHR product or service
  2. Demonstrate that he/she is using that product/service “meaningfully”

• The Standards Committee needs to recommend both:
  1. Criteria for certifying products
  2. Criteria for demonstrating that an applicant is using that product meaningfully

Page 3: EHR Adoption Reimbursement Requirements

• For privacy and security, certification that a defined function or service has been implemented in a product is not sufficient to demonstrate “meaningful use” (or even “use”) of that function or service

• The Privacy and Security Working Group has adopted an approach that addresses both the certification of products and the demonstration that a user is using the certified product “meaningfully”

Page 4: “ARRA 8” Mapping Approach

[Diagram: mapping flow. The eight ARRA Priority Areas of Focus (1 … 8) are mapped to a list of Privacy & Security Services (1, 2, 3, …); these services are in turn mapped to the CCHIT Certification Criteria and to the HITSP Constructs, each of which references standards. The outputs of the mapping are a view of Gaps / Adoption Readiness and a Product Certification table with one row per service and the columns “P&S Services”, “Cert Criteria”, “Standards” and “Meets?”.]

Page 5: “ARRA 8” Mapping Approach

[Diagram: the same mapping flow as on Page 4 (ARRA Priority Areas of Focus → Privacy & Security Services → CCHIT Certification Criteria and HITSP Constructs with their Referenced Standards → Gaps / Adoption Readiness and the Product Certification table of P&S Services, Cert Criteria, Standards, Meets?), extended with a second question per row, “Required to Use?”, which feeds a “Meaningful Use” Demonstration box containing:]

• Required Services are Configured
• Secure IT Infrastructure
• Secure Operations
• Current Risk Assessment
• Current Contingency Plan
• Other TBD

Page 6: “ARRA 8” Derived Product Requirements (DRAFT)

ARRA Priority Areas of Focus → Derived Privacy & Security Services

1. Technologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information
   • Identity management
   • User/entity authentication
   • Access control (identity- and/or role-based for 2011; sensitivity-label based for 2015)
   • Consent management (2015?)
   • Encryption for transmission

2. NHIN
   • [Request meeting with Policy Committee’s HIE Workgroup]

3. EHR Certification
   • (all)

4. Technologies that as a part of a qualified electronic health record allow for an accounting of disclosures made by a covered entity
   • Auditing
   • Consistent time
   • Inter-enterprise traceability (2013 or later)
   • Non-repudiation

Page 7: “ARRA 8” Derived Product Requirements (DRAFT)

ARRA Priority Areas of Focus → Derived Privacy & Security Services

5. The use of certified electronic health records to improve the quality of health care
   • Document integrity protection
   • Transmission integrity protection
   • Non-repudiation
   • Service reliability

6. Technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals
   • Encryption
   • Anonymization
   • Pseudonymization
   • Limited data set

7. Demographic Data
   • N/A

8. Special populations
   • N/A

Page 8: Concerns re Draft “Meaningful Use” Goals, Objectives, & Measures (provided to Policy Committee)

• Focused exclusively on privacy and confidentiality – need to include security protections essential for safe, quality care
  – Data integrity protection
  – Availability of required services and information

• Question “HIPAA compliance” as objective and measure for “meaningful use” – when in fact it is required by law
  – Excluding entities “under investigation” for HIPAA violations presumes guilt

• Need to address public health

• Need to accommodate small practices as well as large hospitals and integrated delivery networks