American Health Information Community

Confidentiality, Privacy, and Security Workgroup

Summary of the Tenth Web Conference of This Workgroup

Thursday, May 17, 2007

KEY TOPICS

1. Call to Order and Welcome

Judy Sparrow, AHIC Director, opened the Web conference and reminded those present that the Workgroup meetings are designed to meet the requirements of the Federal Advisory Committee Act. Workgroup members then introduced themselves.

2. Approval of Prior Meeting Summary/Opening Remarks

Kirk Nahra, Chair of the Confidentiality, Privacy, and Security (CPS) Workgroup, welcomed participants. Workgroup members were asked to approve the summary from the Workgroup’s April meeting; any questions or comments on this summary were to be submitted to Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) staff so that it can be finalized. This summary and other meeting materials are available at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.

3. April American Health Information Community (AHIC) Meeting Summary

Steven Posnack, ONC, provided an update from the April 4 AHIC meeting:

• It was announced that there will be funding available for 7 to 10 pilot projects for the Nationwide Health Information Network trial implementations. The contract will be available in the coming months and awards will be made later this summer.

• There was discussion about the transition to the AHIC successor, which will be fully operational in 2009. This Workgroup will continue its activities as long as Secretary Leavitt chairs the AHIC. After his tenure, it is not yet clear which of the AHIC Workgroups will remain as part of a Federal Advisory Committee for the HHSand which will continue as a public-private partnership.

• The next round of use cases were released for comments. These use cases address consumer access to clinical information, quality, and medication management. More information is available at www.hhs.gov/healthit/usecases. Comments were accepted by ONC through Friday, May 25.

4. Consumer Empowerment (CE)/CPS Subgroup Update

Mr. Posnack reported that this subgroup has met several times and is reviewing the Consumer Empowerment Workgroup’s list of prioritized components of a personal health record (PHR) privacy policy. The subgroup is compiling a table of these categories, attributes, and definitions. The goal is to provide this work to the Certification Commission for Healthcare Information Technologyfor the certification of PHRs. A draft of this table will be ready for the June meetings of the CE and CPS Workgroups so that a discussion can begin regarding recommendations to AHIC from one or both Workgroups.

5. Patient Identity Proofing Presentation

Mr. Nahra commented that this presentation returned to an issue previously discussed by the Workgroup. Yuriy Dzambasow of A&N Associates, Inc. presented follow-up research on identity proofing for providers offering additional services beyond traditional journal services, such as interactions between a consumer and a third party. This presentation is available at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.

Mr. Nahra stated that an earlier concern of the Workgroup was that identity proofing recommendations might stifle the market. Based on these findings, he stated that he is no longer concerned about recommendations having a significant negative effect on providers. Other members commented that the threshold for identity proofing recommendations should be based on interconnectivity and that the Workgroup is not addressing journal services.

There was additional discussion about pursuing the recommendations formulated in January regarding identity proofing that is not conducted in person. At this point, the Workgroup supports in-person identity proofing as the “gold standard” and has not developed acceptable alternatives in the absence of a prior relationship. Previously discussed alternatives included knowledge-based authentication and using a trusted third party such as a notary public. Mr. Nahra closed this discussion by stating that he and the ONC staff will make a determination about whether the Workgroup will continue to discuss identity proofing. Workgroup members will send additional comments to ONC staff.

Action Item #1: Workgroup members will send additional comments to ONC on whether the Workgroup should pursue additional identity proofing recommendations.

6. Working Hypothesis Discussion

Mr. Nahra stated that the purpose of the working hypothesis model is to focus the discussion on a topic to build consensus. Once consensus has been reached, the working hypothesis will be formulated into a recommendation to forward to the AHIC. The goal for this meeting is to determine whether consensus can be reached and, if not, to determine what factual information needs to be obtained from testimony or other sources.

Mr. Nahra summarized that the working hypothesis represents the “level playing field” idea: that all entities engaged in health information exchange (HIE) should be required to meet privacy and security standards at least equivalent to the Health Insurance Portability and Accountability Act (HIPAA). He added that whether that standard should be “higher than HIPAA” will be the topic of the next working hypothesis.

Workgroup members had the following comments on the working hypothesis:

• The new language of “excluding consumers” should be set off in commas, so as not to imply “entities that exclude consumers.”

• There was much discussion regarding the need to add or modify the list of activities in HIE. The intention was that other activities could be subsumed in those listed. For example, “disposing” of data would require first storing it. It was agreed that “modify” should be added.

• There was discussion regarding whether the intention is to exclude consumers in all cases. HIPAA is the standard under discussion, and most of the HIPAA checklist would not be relevant to the consumer. The issue of family history information, in particular genetic testing of relatives, listed in consumer PHRs was offered as an example in which the consumer would be revealing individually identifiable information about someone other than himself. Workgroup members determined that this example does not fall under the principle of a “level playing field” but would be an important issue to raise at a later date.

• Regarding the list of geographic modifiers of the HIE network, there was much discussion on whether “international” should be added. Mr. Nahra stated that there is a difference between directly interacting with the network and downstream users of the data who are not interacting directly with the network. The main hypothesis is intended to cover direct participants, while Subhypothesis 3 discusses the “downstream” uses of data. Workgroup members offered examples, such as medical tourism or an international consultation on test results, in which the participant would be accessing the network directly. For international direct participants, enforceability might become an issue. An additional issue raised by the geographic modifiers is that Internet-based systems do not “reside” in any physical geographic location. For example, the Department of Defense (DoD) and American companies with employees worldwide would access the network both here and abroad. The Workgroup decided to delete the geographic modifiers.

• To distinguish between participants of the network and downstream users of data from the network, Workgroup members decided to use “participate directly” in the hypothesis instead of “interact” or “connect.” The term “participate” would cover paper outputs of the electronic network as well.

• The “level playing field” principle does not suggest that entities already above the HIPAA standard be brought down to this level. Indeed, if there is a higher standard, such as an applicable state law, the entity must follow the higher standard. Additionally, this principle is not suggesting that a single universal standard should be developed. These points could be clarified in the background discussion that accompanies recommendations submitted to AHIC.

Consensus #1: Based on the discussion, the working hypothesis will now read:

All persons and entities, excluding consumers, that participate directly in or comprise an electronic health information exchange network through which individually identifiable health information is stored, compiled, transmitted, modified, or accessed should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements.

Mr. Nahra then asked the Workgroup if this working hypothesis could become a recommendation. The Workgroup members agreed that, with a cover letter, the working hypothesis will be forwarded to the AHIC as a recommendation.

Consensus #2: The working hypothesis will be forwarded to the AHIC as a recommendation.

Mr. Nahra then led the discussion for Subhypothesis #1. The principle for this statement is that although the working hypothesis must have a mechanism to enforce it, the Workgroup does not want to be prescriptive about the type of enforcement mechanism. After discussion, the Workgroup members decided to add “enforceable” to the working hypothesis and delete Subhypothesis #1.

Consensus #3: “Enforceable” will be added to the working hypothesis and Subhypothesis #1 will not be a separate recommendation.

Mr. Nahra then moved the discussion to Subhypothesis #2, which expands on the relevancy concept in the main hypothesis. This is similar to the treatment of clearinghouses under HIPAA, which do not have to provide privacy notices. Mr. Nahra clarified that during the June meeting, the Workgroup will further define which “relevant” requirements should be “carved out” for certain entities and that this subhypothesis is serving as a placeholder for this discussion. Workgroup members decided that this subhypothesis does not need to be a recommendation and could be added to the background section of the cover letter.

Consensus #4: Subhypothesis #2 will not be a separate recommendation, and will instead be addressed in the background section of the cover letter.

Mr. Nahra then led a discussion of Subhypothesis #3. He stated that the principle of this subhypothesis is that the contractual standard is not as strong as an enforcement mechanism. He clarified that the intention is not to dismantle the HIPAA business associate model for downstream users of data but to have any direct participant covered by the standard directly. The possibility of a HIPAA-covered entity receiving a criminal penalty while a business associate only has its contract terminated is not a level playing field.

Workgroup members had the following comments on Subhypothesis #3:

• The language of the subhypothesis will be modified to make it consistent with the main hypothesis.

• The definition of “direct participant” was discussed in terms of scoping the recommendation. It was decided that the cover letter for the recommendations will include a definition of “direct participant.”

• Several members agreed that this subhypothesis allows the Workgroup to make a strong statement.

• One Workgroup member disagreed, stating that contracts could be an appropriate enforceable mechanism for direct participants.

Mr. Nahra reviewed that the consensus process does not need to be unanimous and the group had three options to discuss with regards to dealing with a dissenting opinion: to have no mention of the dissenting vote, to note in the cover letter that there was an objection, or to include a minority opinion letter written by the dissenting party. The dissenting member was comfortable with having his objection noted in the cover letter. Mr. Nahra stated that the goal is to forward these recommendations to the AHIC for the June meeting.

Consensus #5: Subhypothesis #3 will be forwarded with the main hypothesis as a recommendation to AHIC.

Action Item #2: The ONC staff will draft a cover letter to accompany the recommendations. Workgroup members will review this letter before it is submitted to the AHIC.

7. Planning for Next Meeting

Mr. Nahra summarized the two main topics for the June meeting:

1. The “relevance” idea that is, what parts of HIPAA might not be applicable to different entities

2. Whether the new electronic HIE environment requires a standard “more than HIPAA”

A Federal Register notice has been published, asking for comments on differences in the health care environment. These comments are due on June 4. Mr. Nahra stated that panel members for the next meeting on June 22 may be drawn from submitted comments. Workgroup members can also suggest panel participants.

Action Item #3: Workgroup members will submit to ONC a list of possible participants for the panel discussions on June 22.

Mr. Nahra then asked Workgroup members to review a chart disseminated for Workgroup members’ consideration, entitled “Privacy Rule Relevancy Sample Comparison”. This chart provides a method for examining the relevancy issue by listing specific privacy rules and whether they apply to types of participants. The principle is that all participants must follow all the rules unless there is a carve-out.

8. Public Comment

None.

9. Adjourn

Mr. Nahra thanked the participants, and the meeting was adjourned.

SUMMARY OF ACTION ITEMS AND CONSENSUS

Action Item #1: Workgroup members will send additional comments to ONC on whether the Workgroup should pursue additional identity proofing recommendations.

Consensus #1: Based on the discussion, the working hypothesis will now read:

All persons and entities, excluding consumers, that participate directly in or comprise an electronic health information exchange network through which individually identifiable health information is stored, compiled, transmitted, modified, or accessed should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements.

Consensus #2: The working hypothesis will be forwarded to the AHIC as a recommendation.

Consensus #3: “Enforceable” will be added to the working hypothesis and Subhypothesis #1 will not be a separate recommendation.

Consensus #4: Subhypothesis #2 will not be a separate recommendation, and will instead be addressed in the background section of the cover letter.

Consensus #5: Subhypothesis #3 will be forwarded with the main hypothesis as a recommendation to AHIC.

Action Item #2: The ONC staff will draft a cover letter to accompany the recommendations. Workgroup members will review this letter before it is submitted to the AHIC.

Action Item #3: Workgroup members will submit to ONC a list of possible participants for the panel discussions on June 22.

MEETING MATERIALS

Agenda

Updated Working Hypothesis

Dzambasow - Personal Health Records: Overview of Patient Identity Proofing Practices

Dzambasow - Personal Health Records: Follow-Up Research for Patient Identity Proofing Practices

Privacy Rule Relevancy Sample Comparison

Confidentiality, Privacy, and Security Workgroup

Members and Designees Participating in the Web Conference

Thursday, May 17, 2007

Members
Sylvia Au	Hawaii Department of Health
Steven Davis	Oklahoma Department of Mental Health and Substance Abuse Services
Jill Callahan Dennis	American Health Information Management Association
Don Detmer	American Medical Informatics Association
Lorraine Doo and Elizabeth Holland (for Tony Trenkle)	DHHS/Centers for Medicare & Medicaid Services
David McDaniel	Department of Veterans Affairs/Veterans Health Administration
Deven McGraw	National Partnership for Women and Families
Kirk Nahra	Wiley Rein, LLP
Steven Posnack (for Jodi Daniel)	DHHS/Office of the National Coordinator
Paul Uhrig	SureScripts, LLC
Thomas Wilder	America’s Health Insurance Plans
Mazen Yacoub (for Sam Jenkins)	Department of Defense/TRICARE Management Activity

Disclaimer: The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.