1. Comments/Recommendations on Meaningful Use Proposed Rule; Future Policy/Standards Priorities
Health IT Policy Committee
Privacy & Security Workgroup
DRAFT - 2/2/10 1
2. Purpose of Meeting – 2/3/2010
Agree on recommendations/comments to present to the Policy Committee on the privacy and security section of the meaningful use (MU) notice of proposed rulemaking
Agree on recommendations that are not specific to the proposed rule but instead signal the workgroup’s intent to focus on candidates for priorities for further standards development and stage 2 meaningful use criteria.
3. MU Privacy & Security Proposed Objective & Measure
Stage 1 Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
Stage 1 Measure: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary
4. Recommendations to Strengthen Existing Criteria
Make clear that for EPs and Hospitals that have never conducted a security assessment, the requirement is to conduct such an assessment (not merely review one). The option to review an existing assessment should be available only to entities that have recently conducted a security assessment [within XX years?]
-Thus, for new adopters, the security assessment should take place in the first payment year; year 2 should be a review to assess any new threats
-Entities significantly upgrading technology to meet MU criteria should be required to do a new security assessment in the first payment year, with reviews satisfying the criteria in subsequent years [all years?]
-Ask ONC/OCR/Standards Committee [others?] to come up with criteria that should trigger a security review
5. Recommendations to Strengthen Existing Criteria (2)
Provide guidance to EPs and Hospitals on how to conduct an appropriate security assessment
Guidance on HIPAA security audits issued by OCR would be of most help in focusing entities on critical issues.
Materials from CMS, ONC, OCR, and NIST should be made available through multiple channels, including state HIEs, Medicaid offices, CMS regional offices, regional extension centers, and others.
Entities using external security auditors should be able to submit the external audit (and evidence of implementation of any recommended improvements) as proof of meeting the measure [or just have it on hand in the event of an audit?]
6. Recommendations to Strengthen Existing Criteria (3)
Clarify what is meant by “implement security updates as necessary.”
This should involve more than merely installing security updates from the EHR technology vendor; decisions to install those updates should be based on needs identified in the security assessment.
Implementing “necessary updates” should include addressing any deficiencies identified in the security assessment, including determining whether the entity is making appropriate and effective use of the new security technical functionalities that are present in Certified EHR Technology (see more below).
7. Recommendations re: MU Criteria Originally Approved by the Policy Committee
Restore the requirement to comply with the HIPAA Privacy and Security Rules as a Stage 1 Objective, per recommendations 2-4 (next slide). Rationale:
It’s not clear that meaningful users ought to be held to a higher standard for privacy and security protections than others who access, use and disclose electronic protected health information.
Compliance with the HIPAA Privacy and Security Rules should be the baseline standard, and entities applying for federal funds for health IT should not be eligible if they are under investigation for a significant HIPAA violation.
In the future, if [when?] we adopt additional privacy and security recommendations, we can determine whether they ought to be imposed through modifications to (or guidance under) the HIPAA rules or through the MU criteria.
Complying with state privacy laws is also critical – but difficult to police/operationalize as part of meaningful use.
8. Recommendations re: MU Criteria Originally Approved by the Policy Committee (2)
Establish that EPs and Hospitals have not met the MU privacy and security objectives if they have received a notice of determination of OCR’s intent to impose a civil monetary penalty due to willful neglect of the privacy and security rules.
Doesn’t apply to State AG actions, although states could ask to impose this as a state-level Medicaid MU criterion.
These criteria are satisfied when OCR issues a letter closing the investigation [or when the final appeal has been adjudicated?]
With respect to a criminal HIPAA investigation, this applies only in the event of an investigation of the entire entity (not one individual). The criteria are not satisfied if a criminal case is filed by federal authorities.
9. Rationale for HIPAA MU Payment “Suspension”
Not a full bar – just a suspension of payments until this MU criterion is satisfied [or permanent in the year that any fines or civil monetary penalties are paid?].
Note: need to determine whether failure to resolve within a payment year acts as a permanent bar to the MU payment under ARRA. [Is the Workgroup concerned about a permanent bar in a payment year, and would it prefer for funding to be held in escrow until the matter is resolved?]
Limited to criminal actions at the enterprise level and the most egregious level of civil offense – willful neglect is defined as “conscious, intentional failure or reckless indifference to the obligation to comply with the …provision violated.”
10. Additional MU Recommendations
[For further Workgroup discussion: Recommendation regarding requirements to actually use the security functionality in Certified EHR Technology:
The requirement to implement security updates includes implementing the required elements of the HIPAA Security Rule using the certified EHR functionalities.
For addressable requirements that implicate use of the technical functionalities in Certified EHR Technology, entities should be required to document why they declined to use/operationalize a security functionality that was present in the EHR. [Alternative: make them requirements and not just addressable under MU.]
Urge OCR to consider revisions to the Security Rule regarding “addressable” implementation specifications that could easily be operationalized by entities using certified technology.
With respect to the Accounting of Disclosures requirements, the implementation of that functionality should be addressed in OCR’s implementing regulations, which are due in mid-2010.]
11. Additional MU Recommendations (2)
Make clear that MU criteria regarding uses of health information do not override existing state or federal law setting parameters around access, use and disclosure of health information.
12. Additional Concerns & Future Policy & Standards Priorities
Access control (consent management)
Patient consent or authorization is required by state or federal law to access, use or disclose health data in certain contexts. In addition, entities can voluntarily adopt stronger consumer choice requirements than those in law. It is critical that EHR technology be able to manage these choices/preferences.
Table 1 of the IFR states that a “complete EHR or EHR module must include the capability to…verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information…”
Table 2B, row 5, speaks to an ability for the technology to enable receivers of identity information to make “access control decisions.”
However, the standard in the interim final rule – 170.210(d) – notes only that the Secretary has adopted as a standard that cross-enterprise transactions contain “sufficient identity information that the receiver can make access control decisions…”
It’s not clear to the Privacy and Security Workgroup that this identity information is sufficient for access control, as it establishes who the person is but does not indicate whether the person is authorized to access the information.
13. Additional Concerns & Future Policy & Standards Priorities (2)
It is critical that Certified EHR Technology include a standard or technical functionality to verify that a person or entity seeking access to health data is authorized to receive it. If it cannot be included in the standards final rule, we ask the Standards Privacy and Security Workgroup to make this a priority for its work in 2010.
Also a priority should be a standard or technical functionality related to data segmentation consistent with future Policy Committee recommendations.
14. Additional Concerns & Future Policy & Standards Priorities (3)
We note that the NHIN Workgroup will be drilling down into more detail on issues such as authentication and identity across a network, and a trust framework.
We look forward to working closely with the NHIN Workgroup to come up with recommendations that establish a strong and accountable trust framework for the secure exchange of data across networks.