Toward Enhanced Information Capacities for Health: Achieving the Promise: NCVHS

NCVHS Concept Paper Looks at How to Achieve the Promise of Health Reform and Electronic Health Records
The National Committee on Vital and Health Statistics (NCVHS) met June 16-17, 2010 in Washington, DC, and used the NCVHS concept paper “Toward Enhanced Information Capacities for Health” as the basis of discussions for the committee’s 60th Anniversary Symposium. The paper, issued May 26, 2010, focuses on policies HHS could establish to maximize the benefits that could be achieved through the appropriate use of the tremendous amount of health data that will be generated with Electronic Health Records.

The committee advises the Secretary of HHS on policies toward health data, statistics, privacy, national health information policy, and Administrative Simplification under HIPAA.

NCVHS Concept Paper
“Toward Enhanced Information Capacities for Health”
The text of the 11-page paper is reproduced in whole below.

EXECUTIVE SUMMARY

Health care reform and federal stimulus legislation have created an unprecedented opportunity to improve health and health care in the United States. The nation’s ability to seize this opportunity will depend greatly on the existence of robust health information capacities. The National Committee on Vital and Health Statistics (NCVHS) is the statutory advisory body on health information policy to the Department of Health and Human Services. On the occasion of the Committee’s 60th anniversary, this concept paper outlines its current thinking about the necessary information capacities and how NCVHS can help the Department guide their development.

We are entering a new chapter in the health and health care of Americans. The expansion of health care coverage, the infusion of new funds and adoption of standards for electronic health records (EHRs), and increased administrative simplification offer us the potential to use the enriched data generated to better address our country’s health and health care challenges. Having better information with which to measure and understand the processes, episodes, and outcomes of care as well as the determinants of health can bring considerable health benefits, not only to individuals but also to the population as a whole.

To be able to achieve the promise of these new developments, we need to be attentive to the underpinnings of the data, ensuring that they are easy to generate and use at the front lines as well as easy to reuse, manipulate, link, and learn from within a mantle of privacy and security. It is important to remember that the new data sources are not necessarily a replacement for traditional sources such as administrative and survey data, which play a key role in our infrastructure. Rather, the new sources present an opportunity to augment and enrich traditional sources. While efficiency may be gained by replacing some survey and administrative data with newer EHR data, we must continue to nourish and sustain the traditional data sources that offer unique and irreplaceable information for both clinical and population health purposes.

National health information capacities must enable not just better clinical care but also population health and the many synergies between the two. More specifically, health information policy should foster improved access to affordable, efficient, quality health care; enhanced clinical care delivery; greater patient safety; empowered and engaged patients and consumers; patient trust in the protection of their health information; continuous improvement in population health and the elimination of health disparities; and support of clinical and health services research. A major priority of health information policy should be to enable the multiple uses of data, drawn from the full range of sources, while minimizing burden. Most sources have primary uses for which they were designed; however, with adequate standardization, privacy protections, and technology, the data from many sources can be used for multiple purposes. Realizing the collective potential of all information sources is what will allow the U.S. to maximize the return on its investments in system reform and health IT for the benefit of all Americans.

As information capacities expand, it is critical that the information be comprehensive, timely, efficiently retrievable, and usable, with full individual privacy protections in place. “Comprehensive” refers to the inclusion not just of traditional health-related data, but also of data on the full array of determinants of health, including community attributes and cultural context. Usability of the data, whether for initial use or reuse, requires a well-coordinated effort to assure the accessibility and availability of information as well as its standardization.

NCVHS will continue to use its consultative and deliberative processes, working collaboratively with other HHS advisory committees, to help the Department meet these opportunities and challenges. Given the rapidity of the changes now under way, we cannot over-emphasize the urgency of this endeavor and the need to move ahead with deliberate speed.


Health care reform and federal stimulus legislation have created an unprecedented opportunity to improve health and health care in the United States. The nation’s ability to seize this opportunity will depend greatly on the existence of robust health information capacities.1 To maximize the return on these enormous investments and make it possible to evaluate their impact, health information capacities must be carefully developed with an eye to their uses for improving health care and health for all Americans. New investments in EHRs and health information exchanges are important contributors, especially for clinical care, but the benefits from these investments will be limited unless the synergies with other types of health information are recognized and used. Population-level data from vital statistics systems, surveys, and public health surveillance and health care administrative data are equally important information sources. Assuring that all these sources are adequately developed and supported and can be integrated appropriately is essential to developing the information capacities the nation needs.

The National Committee on Vital and Health Statistics, the Department’s statutory advisory body on health information policy, has long assisted the Department in the development of national health information policy, providing thought leadership and expert advice in the areas of population health, privacy, standards, the NHII/NHIN, health care quality, and more. Nearly ten years ago, NCVHS put forward a vision for a national health information infrastructure in its 2001 report, Information for Health,2 followed in 2002 by a vision for 21st century health statistics.3 Today, as data and communication capacities explode and health care coverage expands, new thinking and visioning are needed to clarify the information capacities that will make it possible to meet our national goals for better health and health care for all Americans. On the occasion of the Committee’s 60th anniversary, this concept paper outlines its current thinking about the required capacities and their development.

In 2009, as course-altering legislation was unfolding, NCVHS began to consider how it could assist the Department’s development of the necessary information capacities.4 All four NCVHS subcommittees have contributed to the early thinking on this subject, and all plan further work in their respective domains, as described below.5 The Committee has crafted a highly effective process for bringing multiple points of view and areas of expertise to bear as it develops recommendations to the Secretary, and this process is well suited to the work that lies ahead. NCVHS will continue to use its consultative process to create venues for dialog, eliciting input and perspectives from stakeholders and experts regarding critical challenges, potential opportunities, and next steps. It will use this external input and its own broad expertise to help the Department develop health information policies that are commensurate with new opportunities and needs. Given the rapidity of the changes now under way, we cannot over-emphasize the urgency of this endeavor and the need to move ahead with deliberate speed.

1 We use the term capacities in the sense of the ability to perform or produce. That is, information capacities are understood in relation to specific needs, purposes, and functions of information.
2 NCVHS, Information for Health: A Strategy for Building the National Health Information Infrastructure, November 2001.
3 NCVHS, Shaping a Health Statistics Vision for the 21st Century, November 2002.
4 As part of this process, NCVHS in 2009 commissioned two authors of the 2002 health statistics vision report to help the Committee consolidate and update its recommendations. Their report to the Committee is posted on the NCVHS website. < >

INFORMATION CAPACITIES FOR HEALTH AND HEALTH CARE

Public sector involvement in health information has a long history. State, local, and federal agencies have gathered information through vital records, hospital and ambulatory data sets, public health surveillance, population surveys, and other sources to monitor health trends, identify threats, and guide interventions to protect and promote health. Congress initiated a new type of government involvement in 1996 when the Health Information Portability and Accountability Act (HIPAA) recognized the importance of protecting individuals’ health care information while improving the efficiency of health care delivery through standardized electronic administrative transactions. Most recently, the American Recovery and Reinvestment Act of 2009 (ARRA) began another type of intervention, providing financial incentives for health IT adoption in the nation’s hospitals and physician offices as well as funding for infrastructure support.

While much current attention is focused on the ARRA funding of health IT and critical associated tasks such as defining and implementing “meaningful use” of EHRs, a broader perspective is required to take full advantage of evolving opportunities. Widespread use of optimally configured, standardized EHRs will greatly expand the information available on health care services, users, and providers. However, promoting the health and wellness of the population also requires information about those who have not received health care services, among other things, as well as information on other determinants of health beyond traditional health care, including environmental, social, and economic factors.6

In short, national health information capacities must support a broad array of uses and purposes that include improving access to affordable and efficient quality health care, supporting clinicians in delivering care, empowering and engaging patients and consumers in their care, ensuring patient safety, promoting patient trust, eliminating health disparities, monitoring and improving population health, and supporting health services and clinical research. As these capacities are developed, it is critical that the information being collected be comprehensive, timely, efficiently retrievable, and usable, and that individual privacy be protected.

5 At present, NCVHS has subcommittees on population health, standards, quality, and privacy/confidentiality/security.
6 See the NCVHS-developed graphic of the determinants of health on page 9 of its report on a vision for 21st century health statistics (see note 3).

In the Committee’s view, this requires a well-coordinated effort that assures the following:

1.  Accessibility and availability of information. The availability of sufficient, timely information from relevant sources must be assured to meet the priority needs of diverse users (including clinicians, consumers, purchasers, payors, researchers, public health officials, regulators, and policymakers) for taking action and evaluating outcomes. To minimize burden, wherever possible data should be collected once, for multiple appropriate uses by authorized users. Where appropriate, the capacity to connect data from multiple sources should be provided.

2.  Standardization. Standardization is necessary to enable interoperability for the efficient collection and timely sharing of information among all types of users. Robust standards should be assured through the definition, application, and adoption of terminologies, codes, and messaging in the areas of reimbursement, public health, regulation, statistical use, clinical use, e-prescribing, and clinical documents.

3.  Privacy, confidentiality, and security protections. With the increasing adoption of interoperable electronic health records technology, along with the move toward global access to health data and emerging new uses of data, methods of access and information availability raise significant new and unique privacy and security concerns. Appropriate privacy, confidentiality, and security protections; data stewardship; governance; and an understanding of shared responsibility for the proper collection, management, sharing, and use of health data are critical to addressing these concerns.

Each is briefly discussed below.


In today’s world, the boundaries between health care, population health, and even individual personal health management are permeable, and information exchange is increasingly multi-directional. The domains traditionally called “public health” and “health care” are increasingly intertwined, often sharing broad, common information sources and capacities. For example, promoting the health and wellness of individuals and the population requires attention to health determinants including not only the treatment and prevention of disease and the nature of community health resources but also environmental, housing, educational, nutritional, economic, and other influences. Continuously improving the quality, value, and safety of health care involves, among other things, research and knowledge management, meaningful performance measurement, education and workforce development, and support for personal and family health management. Finally, improving health and health care on a national scale requires monitoring and eliminating health disparities and assessing the health status of all Americans, including vulnerable sub-populations.

A major priority of health information policy should be to facilitate these interconnections and enable the multiple uses of information for current and emerging data needs. With health IT, complemented by the necessary privacy protections and data stewardship and facilitated by well designed standards, data can be combined to create richer information and used to address a broad array of current and emerging health and health care issues. Realizing the collective potential of all information sources is what will allow the U.S. to maximize the return on its investments in system reform and health IT for the benefit of all Americans.

At present, the major sources of data on health are:

- Surveys (interview and examination) and censuses
- Public health surveillance data (e.g., notifiable disease reporting, medical device reporting)
- Health care data (EHRs, HIEs, registries, and others such as prescription history, labs, imaging)
- Administrative data (claims, hospital discharge data, vital records)
- Research data (community-based studies, clinical trials, research data repositories)

Another essential set of sources for understanding health is the information on influences on health (including transportation, housing, air and water quality, land use, education, and economic factors) managed by various public and private sector agencies. In addition to all these well-established sources, new ones such as personal health records and computerized personal health monitoring devices are emerging with the potential to contribute to understanding health at individual and population levels. Social networking content has the potential to provide yet another new and novel resource.

Most data sources have primary uses for which they were designed. However, given adequate standardization, privacy protections, and informatics technology, these sources have great potential to be used for multiple purposes. For example, EHR data elements are collected to document and manage clinical care, but also can be used for public health reporting (such as communicable diseases and medication safety) and to evaluate population health and conduct health services research. Surveys are principally for population-level analysis, but survey information also contributes to clinical care. Vital records not only provide information about births and deaths, but also serve as the “bookends” of population health data. Administrative data (ICD-9-CM disease codes and CPT-4/HCPCS procedure codes) were initially used for management and reimbursement, but today play a critical role in quality assessment and public health monitoring (e.g., quality and safety indicators and disease prevalence evaluation). As we look to the future, the goal is to leverage all these sources, when appropriate, and expand their utility for understanding personal and population health and their determinants while carefully protecting the confidentiality of the data they contain.

To bring about the needed improvements and efficiencies and draw all possible benefit from the large and growing investment in health IT, the emerging information capacities must enable both more effective and cost-effective clinical services and population health promotion, and their many synergies. This can be facilitated through multi-directional data sharing and linkages to generate information that is comprehensive and broadly representative. It will be critical to break down the silos that now make it difficult to share and connect data. This requires addressing the policy, institutional, technical, and other barriers that contribute to the existing silos. A workforce trained to take advantage of the broader data and informatics capacities is also essential. Detailed local data are needed to enable understanding of health and health care at local neighborhood, community, sub-population, and other levels of aggregation. Key decisions about health and health care are made at the local level, and we envision the potential to meet these needs in ways not previously possible. Finally, a critical use of population health data, especially with the advent of health care reform, is to assess the effectiveness, comparative effectiveness, and equity of health care.

Because resources are limited and burden must be minimized, information policy must set priorities regarding which data are most important in order to target investments in data collection. As noted, burden can be minimized by collecting data once for multiple uses. At least in the near term, provided that data can be put in the hands of trusted stewards, enhanced administrative data may be a powerful component that reduces the burden of multiple collections. As new capacities come on line, it may be possible to curtail or redirect some current collection activities.

An important criterion is that information, whatever its source, must be meaningful to users. Experience has demonstrated that having relevant data and information available does not ensure that it is accessible in a timely manner and useful form to the full range of potential users. Delays may be created by approval processes or regulatory requirements, as well as by the lack of data handling and analysis capacities that could enable a user to pose a question, identify relevant data sources, and request a report that is understandable and protects the privacy of data sources. Ensuring access to useful information is a critical part of the challenge. An overarching goal of all these endeavors is to assure that data can be converted into information and ultimately into knowledge that can answer the priority questions about personal and population health in the U.S. and enable effective decisions and actions to improve them.


The purposes of health information standards are to ensure the efficient, secure, safe, and effective delivery of high quality health care and population health services; to support the information exchange needs of health care, public health, and research; and to empower consumers to improve their health.

The impending implementation of the next generation of HIPAA standards, the enactment of The Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and the recent signing of health reform into law are creating an unprecedented convergence of driving forces, foundational components, technology advances and capabilities, and regulatory requirements. Together, these assets can help create a common national pathway toward achieving the vision and policy priorities of a 21st century health system that relies on a strong health information and health information technology foundation. The past five years have seen a remarkable transformation in the adoption and use of standards for electronic exchange of health information. The transformation encompasses privacy and security standards, standards for administrative and financial transactions, the establishment of unique identifiers, and more recently the adoption of standards for codifying, packaging, and transmitting clinical information between and across health care organizations. This rapidly evolving transformation is moving us closer to the ideal of a fully interoperable electronic health information collection and exchange environment that supports all functions and needs of the country’s health and health care ecosystem, as discussed in the previous pages.

Data standards provide a key architectural building block that supports the collection, use, and exchange of health information. Health information standards have been developed and are being adopted and implemented in many different areas. Capturing information in codified format through standard representations such as clinical vocabularies and terminologies, code sets, classification systems, and definitions is a key strategy for achieving semantic interoperability. The inclusion of standardized metadata, which describe characteristics of the data such as provenance, increases the potential for assessing the reliability and validity of the data for aggregation, research, and other uses. Organizing and packaging data through defined electronic message and document standards to be accessed and exchanged via standardized electronic transport mechanisms and protocols achieves access and exchange of health information. The availability and integrity of health information is protected and ensured through the deployment of security standards, thus guaranteeing confidentiality and privacy of protected health information. Finally, the certification of health information technology for Meaningful Use depends on the wise deployment and use of health information standards.


With the move toward the management of health data in electronic form, there is a significant opportunity to enhance health data access, utility in patient care, and important secondary uses. The opportunity is further enhanced through the emergence of new methods to exchange health data, both on a regional and national basis. However, the ability to realize the potential of electronic health data depends greatly on ensuring that uses are appropriate and individuals’ reasonable privacy, confidentiality, and security expectations are met.

Individuals should have the right to understand how their health data may be used, and to provide consent where appropriate. Often, consent is difficult, as not all uses are known at the time the health data are collected. Further, standards do not yet exist to track an individual’s consent as data are exchanged. Although many of the population health uses described in this concept paper involve aggregated or de-identified health data, legitimate concerns exist about group harms and possible re-identification. In addition, the possibility of using health data from emerging information sources, such as personal health record systems, raises unique privacy concerns.

NCVHS has discussed many of these privacy challenges in numerous reports and letters to the Secretary. Most notably, NCVHS published two reports, a Primer on health data stewardship7 and Recommendations on Privacy and Confidentiality, 2006-2008. Both are available on the NCVHS website.8

Further work is necessary to develop the privacy, confidentiality, and security standards that should apply as these data uses continue to evolve. In addition, work is needed to establish governance structures to provide the proper oversight of entities that exchange and use health data. In essence, governance is the accountability for ensuring that proper data stewardship (as described in the NCVHS Primer cited above) is practiced. To differentiate between governance and data stewardship, data stewardship is focused on the internal practices of the entity that uses health data, whereas governance is focused on the oversight of such entities to ensure that their data stewardship practices are adequate. Such oversight includes initially approving entities that have access to data, ensuring that such entities appropriately use and protect data, and ensuring that entities that misuse data are appropriately sanctioned.

THE WAY FORWARD

Taken together, today’s emerging policy opportunities and the nation’s longstanding health challenges create a situation of considerable urgency for the United States. The openness to bold new approaches offered by recent legislation will disappear quickly. Given that the U.S. lags behind most other industrialized countries in the health status of its citizens, we must seize the opportunities to maximize the health benefits and begin to assess whether the huge investments are indeed having the desired impact.

This paper has noted the critical federal role in devising health information policy to support national health goals. Federal leadership is more needed than ever to create the comprehensive approaches that will guide the development of information capacities and coordinate efforts by actors in the public and private sectors. Whatever progress is made in the critical transition to electronic health records, clinical data alone will not suffice; broad information capacities that draw on all the sources and serve all the purposes discussed in this paper will be necessary. This will require shoring up the data resources for public functions such as surveys, safety surveillance, and vital records, along with strategic thinking to determine what capacities will be needed in the future and how to guide their development. Many issues require research and demonstration as part of a prioritized, adequately funded research agenda. In addition, further investments in a trained workforce are needed, to ensure the availability of professionals and leaders who can properly use information resources for analysis and decision-making.

7 An NCVHS Primer: Health Data Stewardship―What, Why, Who, How, December 2009.

As it develops policies and strategies, the Department has always invited input from experts and stakeholders; and NCVHS has long helped to facilitate this dialogue and distill the key messages and lessons. NCVHS will continue to use its consultative and deliberative processes, working collaboratively with other HHS advisory committees, to help the Department meet the current opportunities and challenges. As noted, all NCVHS subcommittees plan to be involved in this effort; this report is an early installment on subcommittee and full Committee work plans for the coming 18 months or more. NCVHS expects to develop recommendations on a research agenda, which may be the focus of one or more hearings. Each of the subcommittees is identifying the key issues in its domain, to be pursued through workshops, hearings, and internal deliberations as NCVHS develops recommendations for the Secretary. The subcommittees’ preliminary thinking is outlined below.


Over the next two years, the NCVHS Subcommittee on Quality will focus on supporting the development of meaningful measures, leveraging both existing and emerging data sources (e.g., patient-generated data, remote monitoring, personal health records), and in particular identifying significant opportunities and gaps. Critical to meaningful measurement is the availability of relevant data elements that could be easily captured using certified EHR technology and functionality, among other tools. The Subcommittee on Quality will identify emerging health data needs for a health system where the individual engages in his or her health and health care. As a near-term priority, the Subcommittee will address the data needs of person-centered health and health care, emphasizing coordination and continuity of care across a continuum of services. A longer term goal is to develop a national strategy to leverage clinically rich health data to address important national questions about determinants of health and disease.


The NCVHS Subcommittee on Privacy, Confidentiality and Security will focus its efforts on providing recommendations that support national priorities, in coordination with such groups as the ONC HIT Policy Committee’s Privacy and Security Workgroup. In the next year, the Subcommittee plans to develop recommendations regarding governance as well as a framework for the identification and appropriate management of sensitive data. The Subcommittee will also consider transparency and the role of patient consent. In addition, it will continue to review and make recommendations regarding new privacy, confidentiality, and security regulations; compliance with these regulations; and strategies for effective enforcement.


Health care reform legislation now provides a new opportunity to continue the administrative simplification that began under HIPAA, a process in which NCVHS will remain heavily involved. The NCVHS Subcommittee on Standards will continue to meet its responsibilities related to HIPAA; will implement the many administrative simplification responsibilities assigned by the Health Reform Act of 2010; and will meet new requests for recommendations on the use of standards to enhance interoperability of the transmission and semantics of health data as they arise. As we look to the future, several goals stand out with respect to standards. The Subcommittee will seek to ensure a comprehensive framework and roadmap for health information standards that support the national health IT strategic framework, vision and policy priorities; the public health policy agenda; the NCVHS proposed data stewardship framework; a national research agenda that includes comparative effectiveness; and the needs of all data users.


Understanding the population’s health and its determinants relies on multiple data sources, including population surveys, clinical data, administrative data (notably, birth and death records and billing data on use of health services), and public health and environmental reporting systems. At the national level, Federal agencies such as the National Center for Health Statistics are charged with developing methods, assessing validity, and reporting national population health information. As we envision building a comparable capacity for communities and states across America, the quality of information and its timeliness will be central to success. The Subcommittee on Population Health will focus on facilitators and barriers to data linkage at state and local levels as a critical part of health information infrastructure, specifically linking EHR data with existing administrative and local survey data. Fundamental to understanding population health is describing the underlying population, which also comprises those who have not seen a doctor recently or have refused to respond to a survey. The work of the Subcommittee will focus on methods to ensure that linked data sources provide valid health information, including methods to adjust for missing data and methods to protect privacy.

ONC Plans new Privacy and Security Task Force

Chief Privacy Officer for Health IT Joy Pritts
announces new Privacy & Security Task Force
According to a slide in the May 26, 2010 slide set of the Health IT Standards Committee’s Privacy and Security Workgroup, ONC Chief Privacy Officer “Joy Pritts (had) talked to Workgroup about ONC’s plan to create a Privacy and Security Task Force, under HITPC (HIT Policy Committee), to work intensively over the summer to define privacy and security policy to be applied consistently across ONC projects and programs.”
“–Workgroup encouraged involvement of technical experts in Task Force and offered support.
“–Privacy and Security Workgroup efforts to consider and recommend standards, implementation specifications, and certification criteria will abate pending policy decisions from the new Task Force.”

Howard Anderson, Managing Editor of , reported: “‘it became quite apparent that a number of workgroups were working on little pieces of this at the same time, and the issues were overlapping, and we didn’t really want to proceed in that fashion very much longer,’ Pritts told a meeting of ONC’s Health Information Technology Policy Committee on May 26.”

Safeguarding Health Information: Building Assurance through HIPAA Security

2010 HIPAA Conference from NIST and OCR: 
Safeguarding Health Information: Building Assurance through HIPAA Security
May 11-12, 2010

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety; and, the Breach Notification regulations requiring HIPAA covered entities and their business associates to notify individuals when their health information is breached.

“NIST’s (National Institute of Standards and Technology) mission, as a non-regulatory federal agency within the U.S. Department of Commerce, is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

“This conference will provide a forum to discuss the current HIT security landscape, as well as practical strategies, tips, and techniques for implementing the requirements of the HIPAA Security Rule.”

Click this link to view the final agenda with presentation summaries (updated May 7).

Presentations - 2010 HIPAA
Links below all open pdf versions of presentations.

Tuesday, May 11 (Day 1):

Welcoming Remarks from OCR
Susan McAndrew – Deputy Director for Privacy, HHS Office for Civil Rights

Welcoming Remarks from NIST
William Barker – Chief Cybersecurity Advisor, NIST Information Technology Laboratory

Tips and Techniques for Conducting Risk Assessments
Pat Toth – NIST
Marissa Gordon-Nguyen – HHS/OCR

Keynote Address
Georgina Verdugo—Director, HHS Office for Civil Rights
Howard Schmidt – White House Cybersecurity Coordinator

Standards and Certification Interim Final Rule
Steve Posnack – HHS/ONC
Lisa Carnahan – NIST

Panel: Breach Notification
Christina Heide – Health Information Privacy Division, HHS/OCR
Cora Tung Han – Division of Privacy and Identity Protection, Federal Trade Commission (FTC)

Security of Health Devices
Elliot Sloane – Drexel University

Security Considerations for New Media and Healthcare
Sharon Finney – Corporate Data Security Officer, Adventist Health System

Update on OCR Enforcement of the Privacy and Security Rules
Marilou King – Civil Rights Division, HHS Office of General Counsel
David Holtzman – Health Information Privacy Division, HHS/OCR

Wednesday, May 12 (Day 2):

FTC Information Security
Alain Sheer – Attorney, Division of Privacy and Identity Protection, FTC

Strategies for Developing and Implementing Contingency Plans
David Holtzman – Health Information Privacy Division, HHS/OCR
Marianne Swanson – NIST

Logging and Auditing in a Healthcare Environment
Mac McMillan – CynergisTek, Inc.

Panel: HIPAA Security Compliance: An Industry Perspective
Panel Slides
Sue Miller – WEDI
Lisa Gallagher – HIMSS
Robert Tennant – MGMA
Dan Rode – AHIMA

HIE Security Architecture
John Kelly – Director, eBusiness Architecture, Harvard Pilgrim Healthcare

Security Implementation Considerations for Mobile and Wireless Technologies
Matt Sexton – Booz Allen

Encryption Standards
Matt Scholl – Group Manager, Security Management and Assurance, Computer Security Division, NIST

HIPAA Security Standards: Guidance on Risk Analysis Issued by Office of Civil Rights

HIPAA Security Standards: Guidance on Risk Analysis
DRAFT Posted 5/7/10
The Office for Civil Rights (OCR) in the Department of Health and Human Services has issued the first guidance in a series on the HIPAA Security Rule required by HITECH. An article by Dom Nicastro for HealthLeaders Media on May 12, 2010 summarizes the guidance and quotes Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ: “The guidance is an effective primer in that it summarizes basic information about the required risk analysis within the security rule that has existed since the early days of HIPAA,” while it is not a “one-size-fits all blueprint.”

The document is available on the OCR site.
Guidance document reproduced below in html text. 
PDF Version.
Footnote references are numbered in parentheses, such as (1), with the references listed at the end of the document.
“OCR encourages the public to offer feedback on this guidance. OCR staff will carefully review all public comments to determine how to improve these materials. Comments can be provided via the following e-mail address:”


The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. (1) (45 C.F.R. §§ 164.302 – 318.) This series of guidances will assist organizations (2) in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI). The guidance materials will be developed with input from stakeholders and the public, and will be updated as appropriate.

We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. (3) An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

We note that some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST). NIST, a federal agency, publishes freely available material in the public domain, including guidelines. (4) Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI. Therefore, non-federal organizations may find their content valuable when developing and performing compliance activities.

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.

Risk Analysis Requirements under the Security Rule

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

The following questions adapted from NIST Special Publication (SP) 800-66 (5) are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

• Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
• What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
• What are the human, natural, and environmental threats to information systems that contain e-PHI?

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)

The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate.

Organizations should use the information gleaned from their risk analysis as they, for example:

• Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
• Identify what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
• Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
• Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
• Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

Important Definitions

Unlike “availability”, “confidentiality” and “integrity”, the following terms are not expressly defined in the Security Rule. The definitions provided in this guidance, which are consistent with common industry definitions, are provided to put the risk analysis discussion in context. These terms do not modify or update the Security Rule and should not be interpreted inconsistently with the terms used in the Security Rule.


Vulnerability is defined in NIST Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI. Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.


An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:

• Natural threats such as floods, earthquakes, tornadoes, and landslides.
• Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to e-PHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
• Environmental threats such as power failures, pollution, chemicals, and liquid leakage.


An adapted definition of risk, from NIST SP 800-30, is:

“The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to—

1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

Risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

Elements of a Risk Analysis

There are numerous methods of performing risk analysis and there is no single method or “best practice” that guarantees compliance with the Security Rule. Some examples of steps that might be applied in a risk analysis process are outlined in NIST SP 800-30. (6)

The remainder of this guidance document explains several elements a risk analysis must incorporate, regardless of the method employed.

Scope of the Analysis

The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.

Data Collection

An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

Identify and Document Potential Threats and Vulnerabilities

Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

Assess Current Security Measures

Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (i.e. fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e-PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations. (7)

Determine the Likelihood of Threat Occurrence

The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.”

The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization. (See 45 C.F.R. §§ 164.306(b)(2)(iv), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Potential Impact of Threat Occurrence

The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.

The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Level of Risk

Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.

The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

Finalize Documentation

The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.
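As an added illustration, not part of the OCR guidance, the following Python sketch shows the shape of the register the steps above call for: every threat/vulnerability combination carries a likelihood and an impact rating, the two are combined into a risk level (the averaging method the guidance mentions, with the likelihood-times-impact matrix common in NIST SP 800-30 style analyses as an alternative), and the output is the documented, highest-risk-first list together with the corrective actions still to be assigned. The three-point scale, the level thresholds, the class and function names, and the sample entries are all assumptions made for the example.

```python
"""Toy risk register in the shape the OCR risk-analysis guidance describes.

Added example, not OCR or NIST code. The three-point rating scale, the level
thresholds, the names used here and the sample entries are assumptions; a real
analysis uses the organization's own scales and its documented e-PHI inventory.
"""
from dataclasses import dataclass, field

# Qualitative ratings mapped to numbers so likelihood and impact can be combined.
RATING = {"low": 1, "medium": 2, "high": 3}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class ThreatVulnPair:
    asset: str                   # system or medium holding e-PHI (from data collection)
    threat: str                  # natural, human or environmental threat
    vulnerability: str           # weakness the threat could trigger or exploit
    likelihood: str              # "low" | "medium" | "high"
    impact: str                  # "low" | "medium" | "high"
    current_measures: list[str] = field(default_factory=list)
    corrective_action: str = ""  # empty until risk management assigns one


def risk_score(pair: ThreatVulnPair, method: str = "average") -> float:
    """Combine likelihood and impact into one number.

    "average" is the method the guidance mentions; "product" is the
    likelihood-times-impact matrix common in NIST SP 800-30 style analyses.
    """
    likelihood = RATING[pair.likelihood.lower()]
    impact = RATING[pair.impact.lower()]
    if method == "average":
        return (likelihood + impact) / 2
    if method == "product":
        return float(likelihood * impact)
    raise ValueError(f"unknown scoring method: {method!r}")


def risk_level(score: float, method: str = "average") -> str:
    """Bucket a score into Low/Medium/High. The thresholds are assumptions."""
    if method == "average":          # possible scores: 1, 1.5, 2, 2.5, 3
        bands = ((2.0, "Low"), (2.5, "Medium"))
    else:                            # possible scores: 1, 2, 3, 4, 6, 9
        bands = ((3.0, "Low"), (6.0, "Medium"))
    for upper, label in bands:
        if score < upper:
            return label
    return "High"


def build_register(pairs, method: str = "average"):
    """Documentation the guidance expects: every threat/vulnerability combination
    with its likelihood, impact, risk level and corrective action, highest risk first."""
    rows = []
    for p in pairs:
        score = risk_score(p, method)
        rows.append({
            "asset": p.asset,
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "likelihood": p.likelihood,
            "impact": p.impact,
            "score": score,
            "level": risk_level(score, method),
            "current_measures": list(p.current_measures),
            "corrective_action": p.corrective_action,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def unaddressed(register, minimum: str = "Medium"):
    """Rows at or above `minimum` that have no corrective action recorded yet."""
    return [r for r in register
            if LEVEL_ORDER[r["level"]] >= LEVEL_ORDER[minimum]
            and not r["corrective_action"]]


# Constructed sample inventory; none of these entries describe a real organization.
SAMPLE = [
    ThreatVulnPair("clinician laptop", "theft (human, intentional)",
                   "no full-disk encryption", "high", "high",
                   ["cable lock"], "deploy full-disk encryption; verify by policy audit"),
    ThreatVulnPair("EHR database server", "power failure (environmental)",
                   "no UPS; backups never test-restored", "medium", "high"),
    ThreatVulnPair("billing workstation", "inaccurate data entry (human, unintentional)",
                   "no validation of patient identifiers", "medium", "low",
                   ["double-entry check"]),
    ThreatVulnPair("on-site backup tapes", "flood (natural)",
                   "single copy stored in basement", "low", "high"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE)
    for row in register:
        print(f'{row["level"]:<6} {row["score"]:.1f}  {row["asset"]}: '
              f'{row["threat"]} / {row["vulnerability"]}')
    print("needs corrective action:", [r["asset"] for r in unaddressed(register)])
```

The scoring method and the thresholds are a policy choice, and the guidance accepts either qualitative or quantitative scales; what the Rule requires is that every combination is documented with its likelihood, impact, level and resulting action, and that the register is revisited when the environment changes rather than produced once.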

Periodic Review and Updates to the Risk Assessment

The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.

A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation. For example, if the covered entity has experienced a security incident, has had a change in ownership or turnover in key staff or management, or is planning to incorporate new technology to make operations more efficient, the potential risk should be analyzed to ensure the e-PHI is reasonably and appropriately protected. If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed. Performing the risk analysis and adjusting risk management processes to address risks in a timely manner will allow the covered entity to reduce the associated risks to reasonable and appropriate levels. (8)

In Summary

Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.


The Security Series papers available on the Office for Civil Rights (OCR) website contain a more detailed discussion of tools and methods available for risk analysis and risk management, as well as other Security Rule compliance requirements. Visit the OCR website for the latest guidance, FAQs and other information on the Security Rule.

Several other federal and non-federal organizations have developed materials that might be helpful to covered entities seeking to develop and implement risk analysis and risk management strategies. The Department of Health and Human Services does not endorse or recommend any particular risk analysis or risk management model, and adherence to any or all of the standards contained in these materials does not by itself prove substantial compliance with the risk analysis requirements of the Security Rule. Rather, the materials are presented as examples of frameworks and methodologies that some organizations use to guide their risk analysis efforts.

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, is responsible for developing information security standards for federal agencies. NIST has produced a series of Special Publications that provide information relevant to information technology security. These papers include:

• Guide to Technical Aspects of Performing Information Security Assessments (SP 800-115)
• Information Security Handbook: A Guide for Managers (SP 800-100; Chapter 10 provides a Risk Management Framework and details steps in the risk management process)
• An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66; Part 3 links the NIST Risk Management Framework to components of the Security Rule)
• A draft publication, Managing Risk from Information Systems (SP 800-39)

The Office of the National Coordinator for Health Information Technology (ONC) has produced a risk assessment guide for small health care practices, called Reassessing Your Security Practices in a Health IT Environment, which is available from ONC as a PDF.

The Healthcare Information and Management Systems Society (HIMSS), a private consortium of health care information technology stakeholders, created an information technology security practices questionnaire, available from HIMSS. The questionnaire was developed to collect information about the state of IT security in the health care sector, but could also be a helpful self-assessment tool during the risk analysis process.

The Health Information Trust Alliance (HITRUST) worked with industry to create the Common Security Framework (CSF), available from HITRUST. The risk management section of the document, Control Name: 03.0, explains the role of risk assessment and management in overall security program development and implementation. The paper describes methods for implementing a risk analysis program, including knowledge and process requirements, and it links various existing frameworks and standards to applicable points in an information security life cycle.


(1) Section 13401(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

(2) As used in this guidance the term “organizations” refers to covered entities and business associates. The guidance will be updated following implementation of the final HITECH regulations.

(3) The HIPAA Security Rule: Health Insurance Reform: Security Standards, February 20, 2003, 68 FR 8334.

(4) The 800 Series of Special Publications (SP) are available on the Office for Civil Rights’ website; specifically, SP 800-30, Risk Management Guide for Information Technology Systems.

(5) See NIST SP 800-66, Section 4, “Considerations When Applying the HIPAA Security Rule.”

(6) See NIST SP 800-30.

(7) For more information on methods smaller entities might employ to achieve compliance with the Security Rule, see #7 in the Centers for Medicare & Medicaid Services (CMS) Security Series papers, titled “Implementation for the Small Provider.”

(8) For more information on risk analysis and risk management, see #6 in the Centers for Medicare & Medicaid Services (CMS) Security Series papers, titled “Basics of Risk Analysis and Risk Management.”

HIT Policy Committee May 19 Meeting: Workgroup Updates

Updates on Meaningful Use, NHIN, Health IT Strategic Plan,
Information Exchange, Privacy & Security Plus
Opening Remarks from Blumenthal and ONC Update from Daniel

May 19, 2010        
10:00 a.m. to 2:45 p.m. [Eastern Time]
Washington, DC
See documents and how to participate below:
AGENDA  (PDF Version)
10:00 a.m. CALL TO ORDER – Judy Sparrow
Office of the National Coordinator for Health Information Technology
10:05 a.m. Opening Remarks – David Blumenthal, MD, MPP
National Coordinator for Health Information Technology
10:15 a.m. Review of the Agenda
– Paul Tang, Vice Chair of the Committee
10:30 a.m. Strategic Plan Workgroup: Health IT Strategic Framework
–Paul Tang, Chair
–Jodi Daniel, Co-Chair
11:15 a.m. Information Exchange Workgroup Update
–Deven McGraw, Chair
–Micky Tripathi, Co-Chair
11:45 a.m. LUNCH BREAK
12:45 p.m. Meaningful Use Workgroup Update
–Paul Tang, Chair
–George Hripcsak, Co-Chair
1:15 p.m. Privacy & Security Policy Workgroup Update
–Deven McGraw, Chair
–Rachel Block, Co-Chair
2:00 p.m. NHIN Workgroup Update
–David Lansky, Chair
–Farzad Mostashari, Co-Chair
2:15 p.m. ONC Update
–Jodi Daniel, Office of the National Coordinator
2:30 p.m. Public Comment
2:45 p.m. Adjourn

Meeting Documents

  • Agenda [PDF - 304 KB]
  • Strategic Plan Workgroup: Health IT Strategic Framework [PPT - 1.78 MB]
  • Information Exchange Workgroup [PPT - 427 KB]
  • Meaningful Use Workgroup [PPT - 664 KB]
  • Privacy & Security Policy [PPT - 1.18 MB]
  • How to Participate

    • At least 10 minutes prior to the meeting start time, open the Web conference link (if the link does not work, copy and paste the URL into your browser’s address bar), select “enter as a guest”, type your first and last name into the field and click “enter room”.
    • Test your system: you will need an up-to-date version of Flash Player to view the Web conference, so test your system prior to the meeting. When running the system test, you do not need to install the Adobe Connect Add-in (step 4 of the test), as it is not relevant to this meeting.
    • Please note: space in the Web conference is limited. If for any reason you are unable to log in, you can still dial in by phone to listen to the audio (numbers below).

    • You may listen in via computer or telephone.
      • US toll free: 1-877-705-6006
      • International Direct: 1-201-689-8557
      • Confirmation Code: HIT Committee Meeting

    • You can also watch and listen via your iPhone or iPod Touch (requires Wi-Fi): search the App Store on the device (or iTunes > Applications on a computer) for the “Adobe Connect Pro” app, follow the App Store steps to install it, then follow the Web conference link and instructions above.

HIPAA Privacy Rule Accounting: Nine Questions from HHS Focusing on PHI Disclosures

Nine Questions About HIPAA Privacy Rule Accounting
for PHI Disclosures; Asked by HHS Office for Civil Rights
Excerpted from the Proposed Rules section of the Federal Register for Monday, May 3, 2010 (Vol. 75, No. 84, page 23214). These are selections from the Request for Information about accounting for disclosures of protected health information (PHI). See the PDF for the full text and for how to submit written comments, which were requested by May 18, 2010.

HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Request for Information
AGENCY: Office for Civil Rights, Department of Health and Human Services.

45 CFR Parts 160 and 164
RIN 0991–AB62

ACTION: Request for information.

SUMMARY: Section 13405(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act expands an individual’s right under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to receive an accounting of disclosures of protected health information made by HIPAA covered entities and their business associates. In particular, section 13405(c) of the HITECH Act requires the Department of Health and Human Services (“Department” or “HHS”) to revise the HIPAA Privacy Rule to require covered entities to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record. This document is a request for information (RFI) to help us better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform the Department’s rulemaking in this area.

DATES: Submit comments on or before May 18, 2010.

    II. Questions
    1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?

    2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?

    3. If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?

    4. For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking? Are you aware of how individuals use this information once obtained?

    5. With respect to treatment, payment, and health care operations disclosures, 45 CFR 170.210(e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure. Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why? How important is it to individuals to know the specific purpose of a disclosure, i.e., would it be sufficient to describe the purpose generally (e.g., “for treatment,” “for payment,” or “for health care operations purposes”), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the different activities that may constitute “health care operations?” On what do you base this assessment?

    6. For existing electronic health record systems:
    (a) Is the system able to distinguish between “uses” and “disclosures” as those terms are defined under the HIPAA Privacy Rule? Note that the term “disclosure” includes the sharing of information between a hospital and physicians who are on the hospital’s medical staff but who are not members of its workforce.
    (b) If the system is limited to only recording access to information without regard to whether it is a use or disclosure, such as certain audit logs, what information is recorded? How long is such information retained? What would be the burden to retain the information for three years?
    (c) If the system is able to distinguish between uses and disclosures of information, what data elements are automatically collected by the system for disclosures (i.e., collected without requiring any additional manual input by the person making the disclosure)? What information, if any, is manually entered by the person making the disclosure?
    (d) If the system is able to distinguish between uses and disclosures of information, does it record a description of disclosures in a standardized manner (for example, does the system offer or require a user to select from a limited list of types of disclosures)? If yes, is such a feature being utilized and what are its benefits and drawbacks?
    (e) Is there a single, centralized electronic health record system? Or is it a decentralized system (e.g., different departments maintain different electronic health record systems and an accounting of disclosures for treatment, payment, and health care operations would need to be tracked for each system)?
    (f) Does the system automatically generate an accounting for disclosures under the current HIPAA Privacy Rule (i.e., does the system account for disclosures other than to carry out treatment, payment, and health care operations)?
               i. If yes, what would be the additional burden to also account for disclosures to carry out treatment, payment, and health care operations? Would there be additional hardware requirements (e.g., to store such accounting information)? Would such an accounting feature impact system performance?
               ii. If not, is there a different automated system for accounting for disclosures, and does it interface with the electronic health record system?
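    The following is an added illustration, not part of the RFI text: a small Python model of an EHR access log that carries the 45 CFR 170.210(e) elements named in question 5 plus the proposed recipient and purpose, classifies each record as a “use” or a “disclosure” along the workforce boundary described in question 6(a), and produces a per-patient accounting of treatment, payment, and health care operations disclosures over the three-year window raised in question 6(b). The workforce list, recipients, patient ids and log entries are constructed sample values; the use/disclosure test (recipient outside the workforce) is a simplification of the Privacy Rule definitions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: user ids that belong to the covered entity's workforce.
WORKFORCE = {"dr.lee", "nurse.kim", "billing.ops"}
# Constructed reference date for the accounting (the RFI comment deadline).
AS_OF = datetime(2010, 5, 18)

@dataclass(frozen=True)
class AccessEvent:
    """One EHR access record: the 45 CFR 170.210(e) elements (date/time,
    patient id, user id, description) plus recipient and purpose."""
    timestamp: datetime
    patient_id: str
    user_id: str
    recipient: str   # person or organization that received the PHI
    purpose: str     # "treatment", "payment" or "health care operations"
    description: str

def is_disclosure(event: AccessEvent, workforce=WORKFORCE) -> bool:
    """A 'use' stays inside the covered entity's workforce; PHI that reaches
    anyone outside it (including medical staff who are not workforce members)
    is treated here as a 'disclosure'. Simplified rule for illustration."""
    return event.recipient not in workforce

def accounting_of_disclosures(events, patient_id, as_of=AS_OF, lookback_years=3):
    """Return one patient's disclosures within the lookback window
    (three years here, approximated as 365-day years), oldest first."""
    start = as_of - timedelta(days=365 * lookback_years)
    rows = [e for e in events
            if e.patient_id == patient_id
            and start <= e.timestamp <= as_of
            and is_disclosure(e)]
    return sorted(rows, key=lambda e: e.timestamp)

# Constructed sample log; no real patients, users or recipients.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2010, 3, 1, 9, 0), "P-001", "dr.lee", "dr.lee", "treatment", "Viewed problem list"),
    AccessEvent(datetime(2010, 3, 2, 14, 30), "P-001", "billing.ops", "Acme Health Plan", "payment", "Claim sent"),
    AccessEvent(datetime(2010, 3, 5, 11, 15), "P-001", "nurse.kim", "Dr. Patel (medical staff, not workforce)", "treatment", "Consult summary sent"),
    AccessEvent(datetime(2006, 1, 10, 8, 0), "P-001", "billing.ops", "Acme Health Plan", "payment", "Old claim, outside window"),
    AccessEvent(datetime(2010, 3, 6, 10, 0), "P-002", "billing.ops", "Acme Health Plan", "payment", "Claim sent"),
]

if __name__ == "__main__":
    # The in-workforce view, the other patient and the 2006 claim are excluded.
    for e in accounting_of_disclosures(SAMPLE_EVENTS, "P-001"):
        print(e.timestamp.isoformat(), e.recipient, e.purpose, e.description)
```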

    7. The HITECH Act provides that a covered entity that has acquired an electronic health record after January 1, 2009 must comply with the new accounting requirement beginning January 1, 2011 (or anytime after that date when it acquires an electronic health record), unless we extend this compliance deadline to no later than 2013. Will covered entities be able to begin accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations by January 1, 2011? If not, how much time would it take vendors of electronic health record systems to design and implement such a feature? Once such a feature is available, how much time would it take for a covered entity to install an updated electronic health record system with this feature?

    8. What is the feasibility of an electronic health record module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and health care operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?

    9. Is there any other information that would be helpful to the Department regarding accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations?

    Dated: April 26, 2010.
    Georgina Verdugo,
    Director, Office for Civil Rights.

    Related articles
    Mary Mosquera reported on May 3, 2010 in Government HealthIT, “To help guide the Health and Human Services Department in tightening rules for health information privacy, HHS has asked providers, payers and consumers to comment on the benefits and burdens of accounting for the disclosure of protected health information, even if the data is intended for treatment and billing purposes.”
    Dom Nicastro wrote a background piece and review of the questions on May 3, 2010, for HealthLeaders Media.
    Joseph Goedert wrote a brief report in HealthData Management on May 3, 2010.

    Health IT Listening Session Apr 6 Agenda Set: Strategic Framework

    Listening Agenda set for Health IT Strategic Framework Session
    HIT Policy Committee Strategic Plan Workgroup
    Tuesday, April 6, 2010

    Per the Office of the National Coordinator (ONC) for Health IT, “The objective of the listening session is to obtain feedback from the healthcare community regarding the Health IT Strategic Framework, which will become the foundation for the updates to the Federal Health IT Strategic Plan. The Health IT Strategic Plan will focus on the 2011 through 2015 time period as well as lay the groundwork for the period beyond 2015 to create a learning health system through the effective use of HIT.”

    Presentation [PPT - 1.60 MB]

    AGENDA (pdf version)
    12:00 Welcome
         –Jodi Daniel, JD, MPH, Co-Chair, Strategic Plan Workgroup
    12:10 Overview of the Health IT Strategic Framework Paper: Development & Vision
         –Paul Tang, MD, Vice Chair, HIT Policy Committee, Chair, Strategic Plan Workgroup
    12:25 Learning Health System
         –Presenter / Moderator: Patricia Brennan – 10 min
         –Public Comments – 25 min
    1:00 Meaningful Use of Health Information Technology
         –Presenter / Moderator: Paul Tang – 10 min
         –Public Comments – 25 min
    1:35 Policy and Technical Infrastructure
         –Presenter / Moderator: Paul Egerman – 10 min
         –Public Comments – 25 min
    2:10 Privacy and Security
         –Presenter / Moderator: Deven McGraw – 10 min
         –Public Comments – 25 min
    2:45 Open Discussion, Closing Remarks & Next Steps
         –Paul Tang

    Registration required:
    Visit to register to attend the session.  Meeting materials will be posted at as they become available.

    For more details about the strategic framework, please see the earlier post on e-Healthcare Marketing.

    ONC Releases Whitepaper on Consumer Consent Options for Electronic HIE

    ONC Releases Whitepaper on Consumer Consent Options for Electronic Health Information Exchange
    Emailed from ONC on March 24, 2010
    “The whitepaper examines issues regarding whether, to what extent, and how individuals should have the ability to exercise control over their health information in an electronic health information exchange environment.  It looks at existing approaches and details policy options, considerations, and analysis.  This whitepaper will serve as input to, and be reviewed by, the HIT Policy Committee’s Privacy and Security Workgroup as it prepares to make recommendations related to consumer consent in an electronic health information exchange environment.  The whitepaper is the first in a series of privacy and security reports developed by George Washington University under contract with ONC.”

    Privacy and Security Whitepaper Series
    Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis

  • Cover Page and Executive Summary [PDF - 40 KB]
  • Consumer Consent Options — Complete Whitepaper [PDF - 735 KB]
  • Appendix A: State Model Table [PDF - 73 KB]
  • Appendix B: State Law Table [PDF - 62 KB]
  • Appendix C: Other Countries [PDF - 60 KB]
    Privacy and Security and Health Information Technology
    Excerpted from ONC on March 24, 2010.
    “Electronic health information exchange promises an array of potential benefits for individuals and the U.S. health care system through improved clinical care and reduced cost. At the same time, this environment also poses new challenges and opportunities for protecting individually identifiable health information. In health care, accurate and complete information about individuals is critical to providing high quality, coordinated care. If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to individually identifiable health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences. Coordinated attention at the Federal and State levels is needed both to develop and implement appropriate privacy and security policies. Only by engaging all stakeholders, particularly consumers, can health information be protected and electronically exchanged in a manner that respects variations in individuals’ views on privacy and access.”

    (The section above labelled “Privacy and Security Whitepaper Series” contains the links to the first White Paper. ONC shared additional resources shown below.)

    Other Resources

    “Safeguarding Health Information: Building Assurance through HIPAA Security”– Conference Sponsored by HHS/OCR and NIST

    “Safeguarding Health Information: Building Assurance through HIPAA Security”– Conference Sponsored by HHS/OCR and NIST
    May 11-12, 2010
    Excerpts from NIST site on March 22, 2010

    Sponsors: Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and National Institute of Standards and Technology (NIST).

    Audience: “CIOs & Information Security Officers of HIPAA covered entities & business associates; others responsible for the security of electronic health info; HIT consultants & attorneys.”

    Purpose: “The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety; and, the Breach Notification regulations requiring HIPAA covered entities and their business associates to notify individuals when their health information is breached.”

    “NIST’s mission, as a non-regulatory federal agency within the U.S. Department of Commerce, is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

    “This conference will provide a forum to discuss the current HIT security landscape, as well as practical strategies, tips, and techniques for implementing the requirements of the HIPAA Security Rule.”

    Topics: “Plenary sessions will discuss a variety of current and important HIT and HIPAA Security Rule topics, including updates on OCR’s administration and enforcement of the HIPAA Security Rule, risk assessments and contingency planning, logging and auditing in a healthcare context, security of health devices, and security considerations for mobile/wireless technologies and new media in healthcare, industry panels discussing breach notification rules and the state of compliance with the Security Rule and much more.”

    Voice of America
    Wilbur Cohen Building, Auditorium
    330 Independence Avenue, SW
    Washington, DC 20237
    (Public Entrance on C Street, SW)

    Agenda Draft
    On-Line Registration
    Registration Fee: $75
    Registration closes on 05/04/2010
    Refund requests must be submitted in writing by 05/04/2010 

    Joseph Goedert, HealthDataManagement, broke the story on March 19, 2010.