
Date: June 28, 2010 Time: 11:00 am – 1:00 pm Location: NC Hospital Association


wade-hooper




Presentation Transcript


  1. Date: June 28, 2010 Time: 11:00 am – 1:00 pm Location: NC Hospital Association, 2400 Weston Parkway, Cary, NC 27513 Dial-in #: 1-866-922-3257 Participant Code: 654 032 36#

  2. Agenda

  3. Meeting Objectives
     • Develop recommendation on set of principles related to breach policy development
     • Develop recommendation on set of principles related to role-based access standards

  4. NC HIE Operational Plan Calendar
     • Governance, Clinical/Technical Ops, Finance WG Meetings
     • Legal/Policy WG Meetings
     • Legal/Policy Subcommittee Meetings
     • NC HIE Board Meetings
     • Operational Plan version releases
     • Operational Plan due to ONC
     • WG conference calls as needed

  5. Clinical/Technical Operations Workgroup Guiding Principles

  6. Principles for Statewide HIE: Clinical

  7. Principles for Statewide HIE: Clinical (continued)

  8. Principles for Statewide HIE: Clinical (continued)

  9. Principles for Statewide HIE: Technical

  10. Principles for Statewide HIE: Technical (continued)

  11. Core Privacy Principles

  12. Guiding Principles Outlined by NC HIT Task Force
     The HIT Task Force agreed on the following fundamental guiding principles:
     • The system must be consumer-centered.
     • Better health, not just better healthcare, must be the goal.
     • Appropriate privacy and security must be guaranteed.
     • Strong ethical standards must be adhered to.
     • Automating what we already do is not enough – we must work smarter.
     • HIT investments must support improved individual health as well as population health.
     • The system must be inclusive and comprehensive – encompassing all types of citizens and healthcare providers in all settings of care.
     • The system must be collaborative to achieve coordinated and integrated care.
     • Effectiveness and continuous quality improvement is fundamental.
     • Innovation will be required.
     • Sustainability is the key to long term success.
     • This is a marathon not a sprint.

  13. Guiding Principles Outlined by NC HIT Task Force
     Appropriate privacy and security must be guaranteed.
     • Individual personal health information must be protected. Consumers will accept sharing sensitive personal information if it is done on their behalf to assure that the right information is shared at the right time and for the right reasons. At times this means immediate and secure access to certain critical information from any location in the system.

  14. Core Privacy Principles Outlined by NC HIT Task Force
     Core Privacy Principles
     • The system must be transparent. Individuals must clearly understand how their information will be used.
     • Accurate, complete, and current health information is essential to improving the quality of delivery and results.
     • Individuals must have appropriate access rights to see their records and amend them as appropriate to ensure accuracy, completeness, and timeliness.
     • There should be a clear statement of the purposes and uses of information collected and used.
     • Only necessary information shall be collected and shared.
     • Consent release procedures shall be developed and followed for the use of information that goes beyond specified purposes.
     • Technical and administrative safeguards shall be built into the system.
     • Accountability and enforcement of compliance with security processes are essential to maintain confidence and widest possible use of HIT.

  15. Recap of Security Subcommittee Key Decisions

  16. Security Subcommittee – Key Decisions

  17. Security Subcommittee – Key Decisions

  18. Follow Up to June 18, 2010 Meeting: State Approaches to Filtering; PHR/Health Record Bank Patient Consent

  19. State HIE Filtering Policies
     • Different states have taken different approaches when it comes to “filtering” (e.g. excluding certain types of health records from exchange).
     ¹ currentcare currently includes only lab and pharmacy data.

  20. Inland Northwest Health Services
     • Beacon Community Grantee
     • 1HealthRecord is a secure, Internet-based service that allows patients to connect their medical record to their Google Health account. A collaboration of Spokane, Washington-based Inland Northwest Health Services (INHS), Heart Clinics Northwest, Physicians Clinic of Spokane and Rockwood Clinic. In partnership with Google Health, 1HealthRecord allows patients to securely import portions of their electronic medical record into a Google Health Account. Patients can:
       - Build online health profiles for themselves and their families
       - Import medical records from connected doctors, hospitals and pharmacies
       - Share information securely with a family member, doctors or caregivers
     • Patients must fill out an “Authorization for Release of Information” form.

  21. Working Draft for Discussion – Breach Principles for Statewide HIE

  22. Working Draft for Discussion - Breach Notification Principles for Statewide HIE

  23. Working Draft for Discussion

  24. Working Draft for Discussion

  25. Working Draft for Discussion

  26. Working Draft for Discussion

  27. Working Draft for Discussion – Role-Based Permissions Principles for Statewide HIE

  28. Working Draft for Discussion – Role-Based Permissions Principles for Statewide HIE

  29. Working Draft for Discussion

  30. Working Draft for Discussion

  31. ATTACHMENTS

  32. Key Decision Points: Breach
     • What should the minimum standards be for:
       - Alerting participant organizations of situations where patients’ information may have been inappropriately accessed?
       - Alerting patients of situations where their information may have been inappropriately accessed?
       - Mitigating the impact of inappropriate access of patient information? If so, how?
       - Jointly investigating situations where patients’ health information may have been inappropriately accessed?
     • Who should have responsibility for the above? Local or community HIEs? Participants?
     • Should the policies & procedures establish common sanction policies to address situations when individuals violate the policies and procedures for accessing patient information through a local or community HIE? What should they be?

  33. New HITECH Breach Notification Requirements
     • Effective September 23, 2009, a CE must, following the discovery of a breach of protected health information, notify each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach.¹ Only unauthorized acquisition, use or disclosure that poses a significant risk for financial, reputational, or other harm to the individual is considered a breach.
     • A BA must, following the discovery of a breach of PHI, notify the CE of such breach and provide required information to the CE.
     • Breach: unauthorized acquisition, access, use or disclosure of PHI that compromises privacy or security
       BUT NOT if there is a good-faith belief that the unauthorized person would not reasonably have been able to retain the PHI,
       AND NOT:
       - Unintentional access by an authorized person, if in good faith and not re-disclosed in a manner not permitted under the Privacy Rule
       - Inadvertent disclosure from one authorized individual to another at the same CE, BA or arrangement
     ¹ Only breaches of “unsecured” PHI (e.g. PHI that is not encrypted or has not been destroyed in accordance with guidance issued by HHS at 74 Fed. Reg. 19006-19010) trigger the breach notification requirement.
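
The decision flow on this slide (only unsecured PHI; an unauthorized acquisition, access, use or disclosure; the three exceptions; the significant-risk-of-harm test) is the checklist an incident responder has to walk through for every PHI incident, and the order of the checks matters. The Python below is an added example, not part of the presentation or of any NC HIE tool: it encodes the flow exactly as the slide summarises it, with constructed names (`PhiEvent`, `triage`, `required_action`) and constructed sample incidents, and it defaults every unknown fact to the conservative answer so that an incomplete record stays on the notification path.

```python
"""Breach-determination triage encoding the HITECH decision flow as the slide
summarises it. Added example: field names, sample incidents and the Outcome
labels are constructed for illustration and mirror the slide's wording."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Outcome(Enum):
    SECURED_PHI = "PHI encrypted/destroyed per HHS guidance: rule not triggered"
    PERMITTED = "permitted acquisition/access/use/disclosure: no breach"
    EXC_CANNOT_RETAIN = "exception: good-faith belief recipient could not retain the PHI"
    EXC_GOOD_FAITH_ACCESS = "exception: unintentional good-faith access by authorized person"
    EXC_SAME_ENTITY = "exception: inadvertent disclosure between authorized persons, same CE/BA/arrangement"
    NO_SIGNIFICANT_HARM = "no significant risk of financial, reputational or other harm"
    BREACH = "breach: notification required"


@dataclass
class PhiEvent:
    """One PHI incident. Defaults are deliberately the conservative answer, so an
    incident with unknown facts stays on the notification path."""
    event_type: str                        # "acquisition" | "access" | "use" | "disclosure"
    secured: bool = False                  # encrypted or destroyed per HHS guidance (74 Fed. Reg. 19006)
    permitted: bool = False                # the action was permitted under the Privacy Rule
    recipient_authorized: bool = False     # person who accessed/received the PHI is authorized at the CE/BA
    unintentional: bool = False            # the access/disclosure was unintentional or inadvertent
    good_faith: bool = False
    redisclosed_improperly: bool = True    # PHI went on to a non-permitted use or disclosure
    recipient_same_entity: bool = False    # recipient is at the same CE, BA or arrangement as the discloser
    recipient_could_retain: bool = True    # an unauthorized recipient could reasonably have kept the PHI
    significant_risk_of_harm: bool = True  # conclusion of the risk assessment
    reported_by: str = "CE"                # "CE" (covered entity) or "BA" (business associate)


def triage(e: PhiEvent) -> Outcome:
    """Walk the slide's flow in order; the first matching branch decides."""
    # Footnote 1: only unsecured PHI triggers the notification requirement.
    if e.secured:
        return Outcome.SECURED_PHI
    # A permitted action is not an unauthorized one, so it is never a breach.
    if e.permitted:
        return Outcome.PERMITTED
    # Exception: good-faith belief the unauthorized recipient could not retain the PHI.
    if not e.recipient_authorized and e.good_faith and not e.recipient_could_retain:
        return Outcome.EXC_CANNOT_RETAIN
    # Exception: unintentional, good-faith access by an authorized person, not re-disclosed improperly.
    if (e.recipient_authorized and e.event_type == "access" and e.unintentional
            and e.good_faith and not e.redisclosed_improperly):
        return Outcome.EXC_GOOD_FAITH_ACCESS
    # Exception: inadvertent disclosure from one authorized individual to another at the same entity.
    if (e.recipient_authorized and e.event_type == "disclosure" and e.unintentional
            and e.recipient_same_entity):
        return Outcome.EXC_SAME_ENTITY
    # The slide's harm threshold: only a significant risk of harm counts as a breach.
    if not e.significant_risk_of_harm:
        return Outcome.NO_SIGNIFICANT_HARM
    return Outcome.BREACH


def required_action(e: PhiEvent) -> str:
    """Who carries the notification duty once the event is a breach."""
    if triage(e) is not Outcome.BREACH:
        return "document the assessment; no notification duty under this flow"
    if e.reported_by == "BA":
        return "BA notifies the CE and provides the required information"
    return "CE notifies each individual whose PHI was, or is reasonably believed to have been, compromised"


# Constructed sample incidents, not real cases.
SAMPLE_EVENTS: Dict[str, PhiEvent] = {
    "lost_encrypted_laptop": PhiEvent("acquisition", secured=True, unintentional=True),
    "nurse_opens_wrong_chart": PhiEvent("access", recipient_authorized=True, unintentional=True,
                                        good_faith=True, redisclosed_improperly=False,
                                        significant_risk_of_harm=False),
    "fax_to_wrong_clinic_shredded": PhiEvent("disclosure", unintentional=True, good_faith=True,
                                             recipient_could_retain=False),
    "unencrypted_usb_lost_by_vendor": PhiEvent("acquisition", unintentional=True, reported_by="BA"),
}


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name}: {triage(event).value} -> {required_action(event)}")
```

The evaluation order is the point: the secured-PHI safe harbor comes first because encryption in line with the HHS guidance takes the incident out of the rule entirely, the exceptions come before the harm assessment so that a documented exception never rests on a subjective risk judgement, and anything that clears none of the branches is treated as a breach. If the harm threshold is later redefined, it is a single branch in `triage`.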

  34. HITECH Breach Notification Requirements

  35. Role-Based Access Standards
     • Role-Based Access Standards can be a useful tool in the authorization process, establishing whether a particular user has the right, based on job function or responsibilities, to access protected health information.¹
     Relevant HIPAA Security Standards include Workforce Security (45 CFR § 164.308(a)(3)) and Information Access Management (45 CFR § 164.308(a)(4)).
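
As an added illustration (not code from the presentation or from any NC HIE participant), the Python below shows what a role-based access standard looks like once it is enforced at an HIE gateway: each role carries only the record categories and actions its job function needs, every decision is written to an audit trail whether allowed or denied, and the denied entries are screened for the "possible inappropriate access" situations raised under the breach key decision points. The roles, record categories, users, requests, and the extra treatment-relationship rule for clinical data are all constructed assumptions.

```python
"""Role-based access check at an HIE gateway with an audit trail. Added
example with constructed roles, users and requests; it illustrates the slide,
not any NC HIE participant's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy: each job function gets only the record categories and
# actions it needs (the "only necessary information" privacy principle).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "treating_physician": {("demographics", "read"), ("labs", "read"), ("pharmacy", "read"),
                           ("notes", "read"), ("notes", "write")},
    "nurse": {("demographics", "read"), ("labs", "read"), ("pharmacy", "read")},
    "billing_clerk": {("demographics", "read"), ("claims", "read"), ("claims", "write")},
}
# Categories that additionally require a treatment relationship (assumed HIE rule).
CLINICAL_CATEGORIES = {"labs", "pharmacy", "notes"}


@dataclass
class User:
    user_id: str
    org: str
    roles: Set[str]


@dataclass
class AccessRequest:
    user: User
    patient_id: str
    category: str
    action: str
    treatment_relationship: bool = False  # asserted by the participant's EHR; assumed attribute


@dataclass
class AuditEntry:
    user_id: str
    org: str
    patient_id: str
    category: str
    action: str
    allowed: bool
    reason: str


def effective_permissions(user: User) -> Set[Tuple[str, str]]:
    """Union of the permissions of every role the user holds; unknown roles grant nothing."""
    perms: Set[Tuple[str, str]] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(req: AccessRequest, audit: List[AuditEntry]) -> bool:
    """Decide the request by role, then by relationship; record every decision."""
    if (req.category, req.action) not in effective_permissions(req.user):
        allowed, reason = False, f"no role grants {req.category}:{req.action}"
    elif req.category in CLINICAL_CATEGORIES and not req.treatment_relationship:
        allowed, reason = False, "clinical data requires a treatment relationship"
    else:
        allowed, reason = True, "permitted by role"
    audit.append(AuditEntry(req.user.user_id, req.user.org, req.patient_id,
                            req.category, req.action, allowed, reason))
    return allowed


def repeated_denials(audit: List[AuditEntry], threshold: int = 2) -> Dict[str, int]:
    """Users with at least `threshold` denied requests: the first thing a participant
    organization would want to be alerted on as possible inappropriate access."""
    counts: Dict[str, int] = {}
    for entry in audit:
        if not entry.allowed:
            counts[entry.user_id] = counts.get(entry.user_id, 0) + 1
    return {uid: n for uid, n in counts.items() if n >= threshold}


def run_demo() -> Tuple[List[AuditEntry], Dict[str, int]]:
    """Constructed users and requests; returns the audit trail and the flagged users."""
    physician = User("u-1001", "Hospital A", {"treating_physician"})
    clerk = User("u-2002", "Hospital A", {"billing_clerk"})
    audit: List[AuditEntry] = []
    for req in [
        AccessRequest(physician, "p-1", "labs", "read", treatment_relationship=True),
        AccessRequest(clerk, "p-1", "labs", "read"),        # outside the billing role
        AccessRequest(clerk, "p-1", "claims", "read"),
        AccessRequest(clerk, "p-2", "notes", "read"),       # outside the billing role again
        AccessRequest(physician, "p-3", "notes", "read"),   # right role, no relationship
    ]:
        authorize(req, audit)
    return audit, repeated_denials(audit)


if __name__ == "__main__":
    trail, flagged = run_demo()
    for entry in trail:
        print(f"{entry.user_id} {entry.category}:{entry.action} patient={entry.patient_id} "
              f"allowed={entry.allowed} ({entry.reason})")
    print("flag for review:", flagged)
```

Two design choices carry the slide's point. The role check runs before any finer-grained rule, so a user whose job function never covers a category is refused regardless of context, which is what ties the decision to Workforce Security and Information Access Management rather than to individual judgement. And the audit entry is written on the denied path as well as the allowed one; a record of refused requests is what lets a participant organization notice a pattern of attempted access outside a role, which is the situation the breach key decision points ask how to alert on.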
