
HIT Policy Committee Meeting September 18, 2009


Presentation Transcript


  1. Health IT Privacy and Security Policy. Jodi Daniel, J.D., M.P.H., Director, Office of Policy and Research, Office of the National Coordinator for Health IT, HHS. HIT Policy Committee Meeting, September 18, 2009

  2. Health IT Privacy and Security
     • Success of health information technology and exchange rests on consumer and provider confidence in privacy and security protections
     • Privacy and security are fundamental building blocks for Meaningful Use
     • Leverage technology to improve protections
     HITPC

  3. ARRA Builds On Privacy and Security Foundation
     • Federal Privacy Laws
     • State Privacy Laws
     • Guidance
     • Policy Development Efforts

  4. ARRA Changes the Game

  5. ARRA Privacy and Security Related Provisions
     • Business Associates (OCR)
       • Certain HIPAA Privacy & Security Rule requirements apply to business associates (BAs)
       • Entity that provides data transmission of personal health information (PHI) to a covered entity (CE) or BA, and requires routine access, and vendor that provides PHR as part of an EHR, must have a BA agreement
     • New breach notification requirements
       • For covered entities and business associates (OCR)
       • For vendors of PHRs and other non-covered entities (FTC)
       • Guidance on technologies/methodologies for rendering PHI unusable, unreadable, or indecipherable (ONC/OCR)

  6. ARRA Privacy and Security Related Provisions
     • Provides individual right to restrict disclosures to a health plan for payment or health operations or for items and services paid “out of pocket”
     • Requires CE to limit use, disclosure and requests for PHI to limited data sets, as possible, or minimum necessary
     • Guidance on minimum necessary
     • CEs and BAs to provide accounting of disclosures through EHRs for treatment, payment, operations
     • CE must provide copy of PHI in electronic format to individual or other designees if CE has an EHR

  7. ARRA Privacy and Security Related Provisions
     • Prohibits CE/BA from remuneration for PHI without authorization (with some exceptions for exchanges)
     • Limits other CE/BA communication about products or services when entity received remuneration
     • Regulations to require clear opt-out for CE fundraising communication with individual
     • Study and recommendations to Congress for privacy and security (P&S) requirements for non-CE PHR vendors (ONC/FTC)

  8. ARRA Privacy and Security Related Provisions
     • Enforcement:
       • Extends HIPAA civil and criminal penalties to BAs
       • Changes civil penalty structure
       • Provides State Attorneys General (AGs) with authority to enforce HIPAA
       • Provides that employees/individuals can be criminally liable
       • Requires periodic audits to ensure compliance

  9. ARRA Privacy and Security Related Provisions
     • Studies and reports:
       • Annual report on compliance with HIPAA Rules (OCR)
       • Report on protections for non-HIPAA CEs (ONC)
       • Report on best practices related to the disclosure among health care providers of PHI for treatment (Comptroller General)
       • Guidance on implementation of de-identification provisions (OCR/ONC)
       • Study definition of “psychotherapy notes” (SAMHSA)
     • Education
       • Regional privacy advisors to provide education (OCR)
       • National outreach and education (OCR/ONC)

  10. HHS Regulations to Implement ARRA Privacy Provisions
     • Breach Notification
       • RFI in April 2009
       • IFR published in August 2009
       • Effective September 23, 2009
       • Comment period ends October 23, 2009
     • Enforcement
     • HIPAA Modifications
     • Effective Dates vary:
       • February 2010 for most provisions
       • Enforcement February 2009

  11. ARRA P&S Topics for HITPC
     • Technologies that protect the privacy of health information and promote security in an EHR, including:
       • Segmentation and protection from disclosure of specific and sensitive IIHI with the goal of minimizing the reluctance of patients to seek care
       • Use and disclosure of limited data sets
       • Infrastructure that allows for accurate exchange
       • Technologies for an accounting of TPO disclosures
       • Technologies that allow IIHI to be rendered unusable, unreadable, or indecipherable to unauthorized individuals
       • Methods to facilitate security access to PHI by an individual or person assisting in care

  12. Role of Privacy and Security Standards
     • Enablers to protect information
     • Must be part of a comprehensive approach

  13. HIT Standards Committee: Privacy and Security Recommendations
     • Product Standards – domains
       • Access control
       • Encryption and decryption
       • Accounting and audit
       • Authentication
       • Consent management
       • Consumer EHR HIPAA de-identification
       • Data integrity
       • Transmission security
     • Infrastructure Standards – areas
       • Consistent time
       • Document exchange
       • Service access
       • Domain name service
       • Directory access

  14. P&S Policy Input and Guidance Beyond ARRA
     • Reports on State laws
     • Privacy white papers
     • Further development of Nationwide Privacy and Security Framework

  15. Today’s Hearing
