
Tugboat Captains & Clinicians: Both are in Harm's Way. Presented to: Internet2 Conference, Atlanta, GA - October 31, 2000. W. Holt Anderson, Executive Director.


Tugboat Captains & Clinicians

Both are in Harm's Way

Presented to:

Internet2 Conference

Atlanta, GA - October 31, 2000

W. Holt Anderson, Executive Director

NC Healthcare Information & Communications Alliance, Inc. (NCHICA)

Structure of Presentation

• Implementing a Vision

• HIPAA

• HealthKey

• NC Projects

• Federal PKI Bridge

• The Tugboat Captain

Implementing a Vision

• “Paperless, person-centered health records by 2010.”

• Adopted by the following organizations in NC:

– Medical Society

– Nurses Association

– Hospital Assn.

– Health Information Management Assn.

– Assn. of Local Health Directors

– Assn. of Pharmacists

– Health Care Facilities Assn.

– Assn. For Health Care Quality

– Assn. For Hospice & End of Life Care

Definition - Health Record

• A virtual digital record of an individual’s health information and all episodes of care

• This record is maintained by multiple providers and shared when necessary for care of that individual

(as allowed by patient consent and/or law)

• NOT a central “master file” of information

Enhancing the Quality of Care

• Preventing medical mishaps related to drug interactions, handwriting, allergies, transmissible diseases, etc. (Automated delivery of information)

• Enhancing quality control through access to information

Death by Handwriting

• Texas cardiologist

– Prescribed 20mg Isordil 4X / day

• Pharmacist

– Filled 20mg Plendil 4X / day = 80mg / day

– Normally Plendil taken max 10mg / day

• 42-year old patient died of heart attack

• Jury found MD and Pharmacist responsible and awarded $450K to widow and three small children

USA Today 10-21-99

Controlling and Reducing Costs

Cost of paper records is said to be at least 25% of total health care costs.

• Minimize space requirements

• Reduce resources for filing, storage and retrieval of information

• Improve access time

• Less duplication

HIPAA

Health Insurance Portability & Accountability Act of 1996 [PL 104-191]

• Administrative Simplification

– Electronic Transactions & Codes

– National Identifiers

– Security & Electronic Signatures

– Privacy

• Generally expected to be implemented by end of 2002

• Civil Monetary & Criminal Penalties

Federal Mandate under HIPAA (in effect since 8/21/96)

• Section 1173(d)(2) of the Act stipulates that healthcare organizations (that maintain or transmit electronic patient information) shall maintain reasonable and appropriate administrative, technical, and physical safeguards to:

– Ensure the integrity and confidentiality of patient information

– Protect against any reasonably anticipated threats or hazards to the security or integrity of the information

– Protect against unauthorized uses or disclosures of the information

– And, ensure the compliance of the officers and employees of the organization with this provision.

Proposed Privacy Regulation

• Covers electronic information (and products of and contributors to electronic information)

• Providers, Health Plans & Clearinghouses

• Requires contracts with trading partners to assure continuity of privacy (also in Security regs)

• Permits sharing for care, claims, & certain operations (QA, utilization review, credentialing) without patient consent

• Limited sharing for “national priority” activities

• Requires written “fair information practices”

Penalties for Non-Compliance

• Violation of transaction or security standards

– Not more than $100 per violation, maximum of $25,000/year

– No aggregate maximum

• Wrongful disclosures (privacy)

– Not more than $50,000 per violation

– Imprisonment for not more than one year

Penalties for Non-Compliance (cont)

• False Pretenses (privacy)

– Not more than $100,000 per violation

– Imprisonment not more than five years

• Intent to sell, transfer, or use (privacy)

– Not more than $250,000 per violation

– Imprisonment for not more than ten years

Scope of Compliance

• More than just technology

– Policies

– Operational Procedures

– Physical Security

– Business Partner Agreements

– Personnel

– Management & Supervision

– Training

Security Standard

• Defined:

– Set of requirements with implementation features that providers, health plans, and clearinghouses must include in their operations to assure that individual health information remains secure.

• Scalable: applies to all size organizations; larger organizations may be held to a higher standard.

Security Requirements by Category

Administrative

– Certification
– Chain of Trust Agreements
– Contingency Plan
– Formal Mechanisms: Records
– Info Access Control
– Internal Audit
– Personnel Security
– Security Configuration
– Security Incident Procedures
– Security Mgmt. Process
– Termination Procedures
– Training

Physical Safeguards

– Assigned Security Responsibility
– Media Controls
– Physical Access Controls
– Policy - Workstation Use
– Secure Workstation Location
– Security Awareness Training

Technical Security Services

– Access Controls
– Audit Controls
– Authorization Controls
– Data Authentication (corruption)
– Entity Authentication

Electronic Signature

– Digital Signature

Technical Security Mechanisms

– Communications/Network Controls
– Integrity Controls
– Message Authentication

Implementation Features Under Each Requirement

Technical Security Mechanisms

Objective:

Ensure processes are in place to guard against unauthorized access to data that is transmitted over a communications network (intercept and interpret), and to protect systems from external access.

Communications--Open Network

• Where the network is open (e.g., shared data line, Internet, switched WAN), then the following must be in place:

– Alarm (sense abnormal conditions)

– Audit Trail

– Entity Authentication

– Event Reporting

– Encryption is stated as “should be employed”

If You Use Electronic Signatures

• Must have:

– message integrity

– non-repudiation

– user authentication

• May have:

– ability to add attributes

– continuity of signature capability

– countersignature capability

– independent verifiability

– interoperability

– multiple signatures

– transportability

HealthKey

Secure E-Health Solutions

A Program funded by The Robert Wood Johnson Foundation

HealthKey Origins

Funded by $2.5 million Robert Wood Johnson Foundation grant - Fall 1999

Collaboration to advance the development of health information infrastructure

Market-driven, community-based approach

Coordinated pilot efforts in 5 states

HealthKey Participants

Massachusetts Health Data Consortium (MHDC)

Minnesota Health Data Institute (MHDI)

North Carolina Healthcare Information and Communications Alliance (NCHICA)

Utah Health Information Network (UHIN)

Community Health Information Technology Alliance (CHITA) -- WA

HealthKey Strategy

Identify interoperable, standards-based solutions to real business problems

Showcase pilot participants as leaders in testing evolving health information infrastructure

Identify approaches to achieve HIPAA compliance

$64,000 Question

Is PKI a valid infrastructure for the health industry?

If so, what is the likely architectural model?

MN & NC to pilot Bridge CA

Developed by Mitretek for the Federal Dept of Treasury/GSA

Allows validation of digital certificates from multiple CAs

Aggressive timeframe - demo by Spring 2000

Additional states/projects can tie in after pilot phase

NCHICA PKI Projects

– Remote access to immunization registry

– Shared access to clinical info for Medicaid high-maintenance patients

– Remote primary care provider access to neonatal/perinatal patient info

– Remote primary care provider access to patient info for children with special needs

– Access to emergency dept. database

– Possible pharmacy application

MHDI PKI Projects

– Access to Immunization data

– Transmit newborn screening results from MN Dept of Health

– Provide secure access to Central Query Service for eligibility inquiries

Other States

– Additional projects underway

Provider Access to Immunization Registry Securely

PAiRS

What is PAiRS?

• Combines immunization records from both public and private sources in a common database

• Widely accessible, inexpensive and secure inquiry only access to immunization records via the Internet

• Reliably identifies relevant records for an individual in the absence of a unique identifier

Current Project Status

• Approximately 1.5 million children (0-18) and an associated 12 million vaccine doses

• 28 pilot sites, 172 users

• Over $1 million in in-kind contributions

Challenges to Successful Implementation of PAiRS:

• Initiation of use

• Recognition of PAiRS value

• Accessibility of computers

• Computer skills of nurses and physicians

• Busy practices with established service delivery methods

• Security & Interoperability

Where do we go from here?

• PAiRS participation expansion

• PKI for user authentication and security

• Regional PAiRS project - demonstration project to facilitate inter-state exchange of immunization information

NCEDD Project Description

• 3 goals (putting down a railroad track)

– select a standard data format (DEEDS)

– demonstrate secure data exchange

– statewide ED database for injury surveillance, EMS outcomes, best practice (NCEDD)

Use of NCEDD Data

• Public Health Surveillance

– Disasters, bioterrorism, reportable conditions

• Research using hospital discharge dataset

– Injury surveillance, Trends/impact of new facilities, HMO penetration, substance abuse indicators

• Linkages - outcomes, episode of care

– EMS

– Trauma Registry

– Hospital Database

• Aggregate format

– Oversight Committee of participating hospitals

NCEDD Security

Security/Access Concerns

• Confidential data over Internet

– Patient

– Facility

– Provider

• Authentication of users - multiple organizations

– Public health staff - SCHS, Epidemiology

– STEER staff - Chapel Hill, Wilmington

– Participant hospitals ?

Federal PKI Approach

(with thanks to Richard A. Guida, Chair, Federal PKI Steering Committee)

• Establish Federal PKI Policy Authority

• Develop/deploy Bridge CA using COTS

– Four levels of assurance (emulate Canada)

– Prototype early 2000, production mid 2000

• Deal with directory issues in parallel

– Border directory concept; “White Pages”

• Use ACES (Access Certs for Electronic Services) for public transactions

FBCA Overview

• Non-hierarchical hub for interagency interoperability

• Ability to map levels of assurance in disparate certificate policies

• Ultimate “bridge” to CAs external to Federal government

• Directory contains only FBCA-issued certificates

FBCA PKI Architecture

[Figure: FBCA PKI architecture diagram; surviving label: US Federal]

Potential Architectures

• Multiple CAs within membrane, with single signing key

• Single CA

• Multiple CAs within membrane, cross-certified among themselves

Multiple CAs, Cross-certified

• In essence, the “quark” model

• Certificate path length may be +1

• Adding CAs within membrane should be straightforward albeit not necessarily easy

• Requires solving inter-product interoperability issues within membrane rather than outside - which is good

Current Status

• Decision: cross-certified CAs within membrane

• Multiple vendor products: Initially Entrust and GTE for “prototype” FBCA

• Migration from prototype to production FBCA will entail adding other CAs inside the membrane

• GSA/FTS has responsibility to execute

PKI Use and Implementation Issues

• Misunderstanding what it can and can’t do

• Requiring legacy fixes to implement

• Waiting for standards to stabilize

• High cost - a yellow herring

• Interoperability woes - a red herring

• Legal trepidation - the brightest red herring

The Tugboat Captain

TJ Hooper v. Northern Barge Company 60 F.2d 737 (2d Cir. 1932)

• Long Island Sound - storm comes up and tug loses barge

• Plaintiff was barge owner

• Plaintiff found negligent because Captain had no weather radio

Rationale: to avoid negligence, keep up with technological innovations - they set the standard of care in the industry

The price of good navigation is eternal vigilance

W. Holt Anderson, Executive Director

NC Healthcare Information & Communications Alliance, Inc. www.nchica.org

Thank you!

www.nchica.org