HIT Policy Committee
HIT Standards Committee Privacy and Security Workgroup: Status Report
Dixie Baker, SAIC
July 16, 2009
EHR Adoption Reimbursement Requirements
• In order to get reimbursed for adopting EHR, an eligible provider must meet two requirements:
1. Acquire a certified EHR product or service
2. Demonstrate that he/she is using that product/service “meaningfully”
• The Standards Committee needs to recommend both:
1. Criteria for certifying products
2. Criteria for demonstrating that an applicant is using that product meaningfully
EHR Adoption Reimbursement Requirements
• For privacy and security, certification that a defined function or service has been implemented in a product is not sufficient to demonstrate “meaningful use” (or even “use”) of that function or service
• The Privacy and Security Working Group has adopted an approach that addresses both the certification of products and the demonstration that a user is using the certified product “meaningfully”
“ARRA 8” Mapping Approach
[Diagram: the ARRA Priority Areas of Focus (1 … 8) are mapped to Privacy & Security Services (1, 2, 3 …), which are in turn mapped to CCHIT Certification Criteria, HITSP Constructs and Referenced Standards; the mapping identifies Gaps and Adoption Readiness. Product Certification table columns: P&S Services, Cert Criteria, Standards, Meets?]
“ARRA 8” Mapping Approach
[Diagram: the same mapping of ARRA Priority Areas of Focus (1 … 8) to Privacy & Security Services, CCHIT Certification Criteria, HITSP Constructs and Referenced Standards, with Gaps and Adoption Readiness identified. Product Certification table columns: P&S Services, Cert Criteria, Standards, Meets?, Required to Use?]
“Meaningful Use” Demonstration
• Required Services are Configured
• Secure IT Infrastructure
• Secure Operations
• Current Risk Assessment
• Current Contingency Plan
• Other TBD
“ARRA 8” Derived Product Requirements (DRAFT)
ARRA Priority Areas of Focus / Derived Privacy & Security Services
1. Technologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information
• Identity management
• User/entity authentication
• Access control (identity- and/or role-based for 2011; sensitivity-label based for 2015)
• Consent management (2015?)
• Encryption for transmission
2. NHIN
• [Request meeting with Policy Committee’s HIE Workgroup]
3. EHR Certification
• (all)
4. Technologies that as a part of a qualified electronic health record allow for an accounting of disclosures made by a covered entity
• Auditing
• Consistent time
• Inter-enterprise traceability (2013 or later)
• Non-repudiation
“ARRA 8” Derived Product Requirements (DRAFT)
ARRA Priority Areas of Focus / Derived Privacy & Security Services
5. The use of certified electronic health records to improve the quality of health care
• Document integrity protection
• Transmission integrity protection
• Non-repudiation
• Service reliability
6. Technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals
• Encryption
• Anonymization
• Pseudonymization
• Limited data set
7. Demographic Data
• N/A
8. Special populations
• N/A
Concerns re Draft “Meaningful Use” Goals, Objectives, & Measures (provided to Policy Committee)
• Focused exclusively on privacy and confidentiality – need to include security protections essential for safe, quality care
– Data integrity protection
– Availability of required services and information
• Question “HIPAA compliance” as objective and measure for “meaningful use” – when in fact it is required by law
– Excluding entities “under investigation” for HIPAA violations presumes guilt
• Need to address public health
• Need to accommodate small practices as well as large hospitals and integrated delivery networks