Office of the Chief Privacy Officer
National Committee for Vital & Health Statistics
June 15, 2016
Lucia Savage, J.D., ONC Chief Privacy Officer

ONC OCPO Update
• Consumer Education on Right of Access
• HIPAA Basics
• API Task Force Draft Recommendations
• Cybersecurity

HIPAA Right of Access
• HIPAA requires disclosure of PHI when requested by an individual
  » Gives patients the right to access their health information electronically if stored electronically
  » Provides patients with the right to send a copy of their information to a third party
  » That copy can be required to be in an electronic format if the disclosing provider has that capability.
    – “Further, as technology evolves and PHI becomes more readily available via easy-to-use digital technologies, the ability to provide very prompt or almost instantaneous access to individuals will increase. The Department [OCR] will continue to monitor these developments.”
  » The third party can be an app, a competing provider, a friend or a family member
  » It is ok for the person to request unencrypted email as the transmit method

To Educate Consumers, We Made Some . . . Movies
» Infographic
» More materials coming
Captioned in Spanish and English

Other Patient Access Resources
• OCR Patient Access Guidance
  – guidance/access/index.html
• OCR Patient Access Blog Post
  – ndividualsright-under-hipaa-access-their.html#
• ONC Patient Access Blog Post
  – r-health-information/

HIPAA Basics: The Real HIPAA Supports Interoperability -- OCPO Blog Series
• OCPO launched a 4-part blog series entitled the “Real HIPAA Supports Interoperability” on February 4
  » Blog 1: The Real HIPAA Supports Interoperability
  » Blog 2: Background on HIPAA’s PU&D
  » Blog 3: Examples of Care Coordination, Care Planning, Case Management
  » Blog 4: Examples of Quality Assurance and Population-Based Activities
• OCPO/OCR co-branded educational fact sheets that provide practical, plain-language examples with illustrations to supplement the blog
  – Permitted Uses and Disclosures: Exchange for Health Care Operations [PDF - 1.3 MB] *
  – Permitted Uses and Disclosures: Exchange for Treatment [PDF - 1.1 MB] *

What are Permitted Uses and Disclosures -- Treatment
Permitted Uses and Disclosures (PU&D) are situations in which a covered entity is permitted, but not required, to use and disclose PHI without first having to obtain a written authorization from the patient.
[Figure: Basic Illustration of Permitted Uses. Exchange of patient’s PHI between the patient’s PHI at the physician’s office (Physician) and the patient’s PHI at the hospital (Surgeon).]

Permitted Uses Fact Sheets
• Conducting quality assessment and improvement activities
• Conducting case management and care coordination (including care planning)
• Conducting population-based activities relating to improving health or reducing health care cost
• Developing protocols
• Evaluating performance of health care providers and/or
Fact sheets:
  – Permitted Uses and Disclosures: Exchange for Health Care Operations [PDF - 1.3 MB] *
  – Permitted Uses and Disclosures: Exchange for Treatment [PDF - 1.1 MB] *

HIPAA Permitted Uses Allow Exchange of MH and BH Information
[Figure: Exchange of patient’s MH PHI among the Primary Care Provider (Physician’s Office), the Licensed Professional Counselor, and the Behavioral Health Clinic, for a patient with Behavioral Health PHI.]

Basic Choice: When is Opting required by law and what are the implications of such a requirement?
• Our Final Interoperability Roadmap states:
  By the end of CY 2016 ONC will identify a definition of “Basic Choice” and provide policy guidance regarding if/when Basic Choice should be offered, even when not required by law, based on recommendations from the HITPC by the end of CY 2016.
• ONC can
  » Clarify the interoperability and health implications of offering choices about electronic exchange that are not offered about other media
• ONC will refer to Basic Choice as a policy decision to offer opt-in or opt-out of electronic exchange as a general concept.
• Part of a larger campaign to make privacy compliance automated and computable: new computable privacy web pages

NGA Project – Developing a State Interoperability Roadmap
Timeline and Objectives: Sept 2015 to May 2017
[Timeline figure: Phases I–IV – Learning & Dialogue; Expert Roundtable; State Interoperability Roadmap; Technical Assistance & Implementation. Milestones: thru Jan 2016, Apr 2016, Jul 2016, May 2017.]

API Joint Task Force charge:
• Identify perceived security concerns and real security risks that are barriers to the widespread adoption of open APIs in healthcare.
  » For risks identified as real, identify those that are not already planned to be addressed in the Interoperability Roadmap (for example, identity proofing and authentication are not unique to APIs);
• Identify perceived privacy concerns and real privacy risks that are barriers to the widespread adoption of open APIs in healthcare.
  » For risks identified as real, identify those that are not already planned to be addressed in the Interoperability Roadmap (for example, harmonizing state law and misunderstanding of HIPAA);
• Identify priority recommendations for ONC that will help enable consumers to leverage API technology to access patient data, while ensuring the appropriate level of privacy and security protection.

Out of Scope for API TF
MOTIVATION FOR LIMITED SCOPE
• Ultimately, the Task Force focused on needs specific to MU3 requirements and 2015 CHIT. Specifically, our recommendations focus on read-only access to a single patient’s record for disclosure to an app selected by that patient, and used to access all or some data elements defined in the Common Clinical Data Set.
• Other “out of scope” issues include:
  » Terms of Use
  » Licensing Requirements
  » Policy Formation
  » Fee Structures
  » Certifying Authorities
  » Formulation of Standards
  » Electronic documentation of consents required by law or policy
  » Issues unique to writing new data into the EHR
  » Issues unique to annotating data in the EHR
  » Health efficacy of the apps themselves

APIs in the 2015 Edition Certification Rule
• Three API criteria
  » Lookup a patient
  » Retrieve part of a patient record
  » Retrieve an entire patient record
• Required security criteria
  » Authentication, authorization, & access control
  » Auditing
  » Encryption

Timeline
• Task Force Meetings November 2015 through May 2016
• Final recommendations submitted to Joint Federal Advisory Committee May 17, 2016
• Audio file available: /17/joint-hit-committeemeeting

Some of the API TF Recommendations
• It is ok to require apps to register themselves, but that should not cause undue burdens to patients pursuing their right of access
• Voluntary, private sector led app accreditation programs should be encouraged and physicians should continue to counsel and collaborate with their patients about using apps
• While providers releasing data to an app via an API must continue to protect the security of their own system, it was also recognized that how a patient-chosen app uses data downstream is not within scope for the protection of the provider’s system
• ONC should continue to collaborate with FTC, OCR and other agencies to improve patients’ health and privacy literacy
• ONC should expand CEHRT criteria to ensure that an API’s audit trail is available to an individual under the HIPAA Accounting for Disclosure rule.
• ONC should clarify the applicability of identity proofing and authentication standards for use of patient-chosen apps requesting data from an API

Security – detailed agenda
• Security Topics
  » Identity proofing
  » Cyber Information Sharing Act of 2015
  » Ethical Hacking

Identity Proofing
D3. Commitments
1. ONC, in consultation with stakeholders, will establish and adopt best practices for provider and individual/consumer identity proofing and authentication, including specific levels of assurance, and will consult with OCR to ensure they are consistent with the HIPAA Security Rule and best practices already adopted for other comparable industries.

Cyber Information Sharing Act of 2015
Internal Analysis and Reporting | Threat Sharing Task Force | Security Standards Task Force
(b)(1) Report.— (1) IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the preparedness of the Department of Health and Human Services and health care industry stakeholders in responding to cybersecurity threats.
(c) Health Care Industry Cybersecurity Task Force.—(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary, in consultation with the Director of the National Institute of Standards and Technology and the Secretary of Homeland Security, shall convene health care industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary determines appropriate to establish a task force to—
(d) Aligning Health Care Industry Security Approaches.—(1) IN GENERAL.—The Secretary shall establish, through a collaborative process with the Secretary of Homeland Security, health care industry stakeholders, the Director of the National Institute of Standards and Technology, and any Federal entity or non-Federal entity the Secretary determines appropriate, a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that

Ethical Hacking
• According to Politico Cybersecurity, May 12, 2016:
  » Defense Secretary Ash Carter said he was impressed by the "Hack the Pentagon" program, the first phase of which ends today. More than 1,400 hackers signed up for the bug bounty pilot initiative targeting Pentagon websites, with more than 80 bugs discovered that qualified for payouts so far. "All of this is helping us be more secure, at a fraction of the cost that exhaustively diagnosing ourselves would take," he said. "And we believe this approach, effectively crowd-sourcing cybersecurity, has great potential for us, as it does for a number of you around the table."
• If ethically hacking the Pentagon is helpful, how could this help security in the healthcare sector?