Empowering Patients and Enabling Providers

Transcription

1 Empowering Patients and Enabling Providers WITH HEALTH INFORMATION PRIVACY Terry Callahan - Managing Director

2 Agenda

3 About HIPAAT Provider of consent management and auditing for personal/protected health information (PHI) privacy Enables organizations to manage privacy both proactively and reactively Benchmarked best practices of multiple jurisdictions Committed to standards, their advancement and adoption Participant in HHS initiatives

4 Best Practices Canada Health Infoway: Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture EHRS Blueprint UK: The Tees Confidentiality Model: an Authorisation Model for Identities and Roles UK NHS: Sealed Envelopes Briefing Paper: Selective Alerting Approach

5 Standards/Profiles Initiatives HL7: Privacy, Access, and Security Services (PASS) project Community-Based Collaborative Care (CBCC) Audit Trail and Node Authentication (ATNA) Cross-Enterprise Document Sharing (XDS.b) extensible Access Control Markup Language (XACML) Cross-Enterprise Security and Privacy Authorization (XSPA)

6 Support of HHS Initiatives Policy HISPC III ( ) Intrastate and Interstate Consent Policy Options Collaborative Standards adoption HITSP ( ) Security, Privacy & Infrastructure Technical Committee Implementation NHIN II Forum 5 (2008) technology deployed in support of NCHICA Service Interface Specifications: Consumer Preferences

7 HHS NHIN II Forum 5 (Dec. 2008)

8 HHS NHIN II Forum 5 (Dec. 2008)

9 Service-oriented Architecture (SOA) Benefits of SOA to consent management consistent, interoperable privacy capabilities for all EMR/EHRs (large & small), with minimal overhead and integration moves the heavy lifting of evaluating a user s authorization to access PHI away from EMR/EHRs to web-based services privacy management with virtually no impact on workflow modifications to access control policies are made networkwide in real time

10 Evolution of Technology Version 1.0 ( ) Bundled - Clinical testing (consent & auditing) Version 2.0 ( ) SOA - Commercialized (IBM NHIN) Version 3.0 ( ) HITSP-recommended standards - TP20, TP30, T15, T16 Version 3.1 ( ) ARRA/HITECH Tools - Supports Accounting of Disclosures & breach alerting & reporting - IHE XDS.b / CDA R2 (dual documents)

11 HIPAAT Technology Highlights Standards-based interfaces enable application developers to incorporate consumer preferences without affecting app performance Accommodates individual, organizational and jurisdictional privacy policies IHE ATNA-compliant auditing with comprehensive reporting Server apps, web apps and database access are Java-based

12 Market Engagement Included as the consent management solution by major HIT vendor primed bids for: Four(4) multi-hospital Diagnostic Imaging Domain Repositories Two(2) Provincial Electronic Health Record (EHR) systems U.S. Health Information Exchanges (HIEs) Included in one(1) Beacon Initiative (as proposed)

13 Agenda

14 What is Consent Management? Consent Management is a process that: Enables individuals to establish privacy preferences to decide Who may collect, use or disclose their PHI (e.g. Dr. Jon Smith; primary care team) What PHI may be accessed (e.g. lab reports) For what purposes (e.g. treatment) Under what circumstances (e.g. emergency) Supports the creation, management and enforcement of individual, organizational and jurisdictional privacy policies through access control mechanisms

15 Balancing Patient Privacy & Safety Consent management supports patient care while respecting patient privacy: empowers consumers with privacy choices about the collection, use and disclosure of their PHI enables providers to override patient privacy restrictions in an emergency ( break the glass ), when permitted by patient and by law

16 Consent Directives "Consent directive" refers to the explicit granting or withholding of consent to the collection, use or disclosure of specified PHI One or more consent directives (rules) forms a policy whether it be individual, organizational, jurisdictional Examples of directives: Individual: only share my lab reports in an emergency Organizational: Allow all providers to collect, use or disclose all patient PHI (opt out/implied consent model) Jurisdictional: Only specifically-authorized individuals (e.g. groups, departments, providers) shall have access to mental health records

17 Consent Management: Extending RBAC Authenticating and assigning a role through role-based access control has proven to be inadequate for managing privacy policies. Consent management allows you to block access to PHI in accordance with privacy preferences, even when a user s role would typically permit access.

18 Consent Management: Extending RBAC An example: All physicians in the Mountain and District Health Information Exchange have access to Jim Robertson s PHI by virtue of their role. However, Dr. Tony Sanchez is Jim s colleague and Jim does not want Tony to have access. Consent management allows us to block Jim s PHI specifically from Tony.

19 Lifecycle of a Consent Directive

20 Consent Management High Level

21 Consent Management Components Administrator Patient/individual Patient/Provider/Privacy Officer Clinician Clinician

22 Agenda

23 HIPAAT Solution Components Administrator Patient/individual Patient/Provider/Privacy Officer Clinician

24 Our Products HIPAAT s consent management and auditing solution includes: myconsentminder Privacy esuite (SOA-based consent engine) Privacy Manager Universal Audit Repository Toolkits: JCVI and ATNA Auditlog Toolkit

25 Our Products HIPAAT s consent management and auditing solution includes: myconsentminder Policy administration point (PAP) Consumer-facing individuals electronically record their privacy policies using conventional, user-friendly forms (Web templates) Based on OASIS extensible Access Control Markup Language (XACML) and Health Level 7 (HL7) standards Privacy esuite (consent engine) Privacy Manager Universal Audit Repository Toolkits

26 Our Products HIPAAT s consent management and auditing solution includes: myconsentminder Privacy esuite (consent engine) Policy information point (PIP), Policy administration point (PAP) and Policy decision point (PDP) Based on Service-oriented Architecture (SOA) Supports XACML/XSPA and HL7 Appropriate for any environment involving health information exchange Privacy Manager Universal Audit Repository Toolkits

27 Our Products HIPAAT s consent management and auditing solution includes: myconsentminder Privacy esuite (consent engine) Privacy Manager Front-end software application appropriate at the point of service Supports XACML/XSPA and HL7 Policy enforcement point (PEP) Enforces existing directives/policies by allowing or denying access to PHI Provides break-the-glass (override) access, when permitted by individual and legislation Universal Audit Repository Toolkits

28 Our Products HIPAAT s consent management and auditing solution includes: myconsentminder Privacy esuite (consent engine) Privacy Manager Universal Audit Repository Stand-alone central repository of audit events Java-based and IHE-ATNA compliant (yr IV upgradeable) Logs all access and attempted access - to PHI and consent directives Provides automatic breach alerts, e.g. of break-the-glass access to PHI Offers simple search and report capabilities Toolkits

29 Our Products HIPAAT s consent management and auditing solution includes: myconsentminder Privacy esuite (consent engine) Privacy Manager Universal Audit Repository Toolkits Java Consent Validation Interface (JCVI) Allows EMR/EHR solutions to communicate with Consent Validation Services Based on XACML/XSPA/HL7 ATNA Auditlog Toolkit Enables non-compliant apps to generate and send ATNA audit messages to a central ATNA audit repository

30 Agenda

31 PO View of Template Policy Evelyn Woods

32 PO View of Details of Same Policy

33 Sample Manual Disclosure Report

34 BTG Privacy Officer Alert Potential Breach

35 Details of #281 BTG Alert

36 Agenda

37 Summary Enables providers, organizations and jurisdictions to both proactively and reactively manage privacy Design supports HITECH provisions for Accounting of Disclosures and Breach Alerts Architected to allow for a distributed consent management model where multi-state interaction is desired Benchmarked best practices from multiple jurisdictions Committed to standards and their adoption Participant in HHS initiatives

38 Contact Us

39 Agenda