Purpose of HIPAA Administrative Simplification
“to improve ... the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” –from the statute
Security/Privacy Services
A group of related services that, together, facilitate the integrity, confidentiality, interoperability and automation of healthcare information exchange in a SOA-based healthcare IT environment.
They address issues of entity authentication, authorization, access control and accountability.
Owned by the Security TC, but with a cross-discipline, cross-domain approach.
Scope and Purpose
Security-as-a-Service within an SOA-oriented architecture implies the decomposition and decoupling of complex security processes that are typically integrated across infrastructure and applications into a set of encapsulated, loosely-coupled security/privacy services.
Why do we care?
Encourages the deployment of interoperable services and applications
Reduces the cost of application development
Facilitates the automation of certain healthcare business processes
Scenario: Clinician Needs Patient Data
From viewpoint of Requestor/Recipient (requesting): Where is the patient data? Who’s the custodian? In what format can the data be sent? What courier services are available? How do I submit a request?
From viewpoint of Healthcare Information Custodian: Who is requesting the data? Why should I let them see it? Do the Requestor’s privileges match my policy?
Courier Service: Deliver to the intended recipient. Don’t allow tampering. Maintain confidentiality.
From viewpoint of Requestor/Recipient (receiving): Who sent it? Do I trust them? Has it been tampered with? Can I understand what the Author intended to say?
Functional Capabilities
To include security/privacy functionality essential to enable or facilitate interoperability and automation including identity management, trust management, privilege and access management, auditing, etc. These would be as constrained as possible while still providing a complementary set of security services.
The identity and credentials of a resource requestor, once authenticated, must be transported to a resource access decision point, where the appropriate authorization policy is applied, an access control decision is enforced and all required audit events are recorded. Confidentiality of PHI is maintained at all times.
The xHIN technology represents both an architecture and a set of functional specifications that exhibits two essential attributes:
the ability to facilitate automation of clinical and business processes, and
high extensibility—the ease with which xHIN-based health information networks can be deployed, expanded and enhanced.
Security/Privacy Services
May include:
Integrity
Confidentiality
Identity Management
Access Control/Privilege Management: Access Decision Service, Access Policy Provisioning Service
Audit
Privacy
Security
Entity Registry Service: facilitates the location of an entity’s PKI information and other information required to accomplish the exchange of healthcare information.
Credential Authentication Service
Credential Binding Service: credentials may be bound to an identity
Trust Correlation Service: de-identification, re-identification, pseudonymization
Entity Registry Service
PKI identity services for entities are likely to be provided by many different parties: private, commercial and government. The Entity Registry Service facilitates the location of an entity’s PKI information and other information required to accomplish the exchange of healthcare information. The entity data may be maintained by an Identity Provider. This service may leverage the EIS.
Access Control/Privilege Management
Access Decision Service: taking into account the asserted identity/credentials, the target resource and other factors, returns a decision allowing or denying access to the target resource. May leverage the Identity Authentication and Credential Authentication Services.
Access Policy Provisioning
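The Functional Capabilities slide and the Access Decision Service slide describe one flow: an authenticated credential travels to a decision point, policy is applied, the decision is enforced and an audit event is recorded, with PHI never leaving the enforcement point unless the decision is Permit. The following is an added example, not code from the slides or from any xHIN or Security TC deliverable, showing that flow end to end. The credential format (a JSON payload with an HMAC-SHA256 tag), the policy rules, the resource records, the purpose-of-use check and every name in it are assumptions chosen for illustration; a real deployment would use PKI credentials located via the Entity Registry Service rather than a shared issuer key.

```python
# Added example (not from the original slides): a minimal end-to-end flow of the
# kind the Functional Capabilities and Access Decision Service slides describe.
# Token format, policy shape, resource records and all names below are assumptions.
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample key for the (assumed) credential issuer. A real deployment
# would use PKI-based credentials located via the Entity Registry Service.
ISSUER_KEY = b"demo-issuer-key"


def issue_credential(subject: str, role: str, org: str) -> str:
    """Issue a credential as '<json payload>.<hmac-sha256 tag>' (assumed format)."""
    payload = json.dumps({"sub": subject, "role": role, "org": org}, sort_keys=True)
    tag = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def authenticate_credential(token: str):
    """Credential Authentication Service: return the claims if the tag verifies, else None."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or forged credential
    return json.loads(payload)


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    resource_type: str
    purposes: frozenset  # purposes of use for which the rule applies


# Constructed policy: which roles may do what, and for which purpose of use.
POLICY = [
    Rule("clinician", "read", "lab-result", frozenset({"treatment"})),
    Rule("clinician", "read", "demographics", frozenset({"treatment", "billing"})),
    Rule("billing-clerk", "read", "demographics", frozenset({"billing"})),
]

# Constructed resources held by one custodian; 'content' stands in for PHI.
RESOURCES = {
    "lab/1001": {"type": "lab-result", "custodian": "GeneralHospital", "content": "HbA1c 6.1%"},
    "demo/42": {"type": "demographics", "custodian": "GeneralHospital", "content": "Jane Q, 1970-01-01"},
}

# Audit records carry identifiers and reasons only, never the PHI itself.
AUDIT_LOG = []


def decide(claims: dict, resource: dict, action: str, purpose: str):
    """Access Decision Service: (permitted, reason) from identity, target and other factors."""
    if claims["org"] != resource["custodian"]:
        return False, "requestor organization is not the custodian"
    for rule in POLICY:
        if (rule.role, rule.action, rule.resource_type) == (claims["role"], action, resource["type"]):
            if purpose in rule.purposes:
                return True, "rule matched"
            return False, f"purpose '{purpose}' not permitted for {resource['type']}"
    return False, "no matching rule"


def request_resource(token: str, resource_id: str, action: str, purpose: str):
    """Enforcement point: authenticate, decide, enforce, audit. Returns content or None."""
    claims = authenticate_credential(token)
    if claims is None:
        AUDIT_LOG.append({"event": "auth-failure", "resource": resource_id, "action": action})
        return None
    resource = RESOURCES.get(resource_id)
    if resource is None:
        AUDIT_LOG.append({"event": "deny", "subject": claims["sub"], "resource": resource_id,
                          "action": action, "reason": "unknown resource"})
        return None
    permitted, reason = decide(claims, resource, action, purpose)
    AUDIT_LOG.append({"event": "permit" if permitted else "deny", "subject": claims["sub"],
                      "resource": resource_id, "action": action, "purpose": purpose, "reason": reason})
    return resource["content"] if permitted else None


if __name__ == "__main__":
    clinician = issue_credential("dr.smith", "clinician", "GeneralHospital")
    print(request_resource(clinician, "lab/1001", "read", "treatment"))  # content released
    print(request_resource(clinician, "lab/1001", "read", "research"))   # None: wrong purpose
    for entry in AUDIT_LOG:
        print(entry)
```

Two points the slides make are visible in the code: the decision point returns only Permit/Deny and a reason, so PHI is released solely by the enforcement point after a Permit; and every path, including a credential that fails authentication, writes an audit record that identifies the subject and resource without copying the PHI into the log.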
Next Steps
Reference/Resource Compilation
Mailing List
Telecon Schedule
Sub-service Prioritization
Initial Drafts