The Privacy and Security Aspects of e-Prescribing
Jodi Daniel, J.D., M.P.H.
10/7/2008
Slide: 1
Let me give you first Jodi Daniel from the Office of the National Coordinator. Thank you very much. Good afternoon, everybody. It is great to be here, and to see such a great crowd, and such a great audience like this in this conference entirely. I am the Director of Policy and Research at the Office of the National Coordinator for Health IT at HHS, and I work on a lot of different policy issues; privacy and security are the two key policy issues that we face, although you have heard some folks talk about other issues like licensure and liability and things like that, and these are all within my purview. I work closely with other federal agencies, divisions within HHS and with the private sector to try to identify the best policies for Health Information Technology generally. I am going to talk a little bit about the Federal Government perspective on privacy and security policy for Health IT and e-Prescribing specifically; why privacy and security is so important in this area; what some of the activities of the Feds are in this area; and then I end with not a comprehensive list but a sampling of some issues that folks should consider from the implementation standpoint when you are considering the privacy and security risks and challenges that you may face in implementing e-Prescribing systems.
Slide: 2
Our office was formed in 2004 by an executive order that established the office, the National Coordinator for Health IT, and set a vision for developing a nationwide interoperable Health IT infrastructure. In that executive order there were key provisions about protecting the information and doing this in a way that was secure, and that was one of the key requirements that we have in doing all of our work.
Slide: 3
Secretary Leavitt, I hope most of you got to hear him this morning. He is a phenomenal speaker and he is a phenomenal champion for Health IT. It is one of his top 10 priorities at HHS, and he made a statement about robust privacy and security protections being the underpinning of a successful network for Health Information Exchange, and he is taking this seriously and is working very hard with ONC and with us to try to identify some privacy and security policies this year.
Slide: 4
What is so important is that when we are looking at privacy and Health IT, there is really a balance. There are no absolutes here. When you are trying to make sure that the information is protected and secure, the more restrictions you have in place to do that, the less accessible the information is to providers who are trying to treat patients. So, there is a real balance here that we are struggling with all the time. I actually was involved in drafting the HIPAA privacy rules…no comments? You can keep your thoughts about that to yourself. I have been in rooms where I have had some rotten tomatoes thrown at me and others where people think that is the greatest thing that has ever been put forth in the healthcare area. But when people ask why it is so complicated, it is because the healthcare system is so complicated. We come up with a very simple rule that protects information really well and makes sure that it is private. We could say you cannot release any information that you receive from a patient without their explicit authorization. And you say that and everybody says, well, that can't work. You would basically shut the healthcare system down and prevent providers from treating patients and getting reimbursed for care, and the administrative burden of doing that would be incredibly difficult. So there is a balance here and it is something… the tension is something that we deal with regularly in trying to address these issues.
Slide: 5
I am not going to go into… we have had lots of speakers talking about the benefits of Health IT and e-Prescribing. But it is the counter, the other side that we have to keep in mind when we work on privacy. We are trying to promote Health IT and e-Prescribing because of the benefits. We are addressing the privacy concerns because they are real concerns that people have as we are trying to mobilize the data to improve care.
Slide: 6
Nationwide health information network throughout the country via the internet.
I want to give the kind of big picture context just for one minute. What we are striving for at HHS is to promote a nationwide health information network, so to mobilize data from wherever the data resides, to whomever is sitting there in front of the patient trying to treat them. So this could be a community health center, this can be the VA health system; this can be your local doctor, or hospital. It could be a health information exchange organization and it could be any of these organizations. It can even be the consumer who has a personal health record and is trying to access the information through a network. The vision we have for this nationwide health information network is an internet-based exchange that was established with standard specifications, agreements and secure connections for that information sharing from the different points of care and from those different networks.
Slide: 7
When we are developing policies for Health IT generally, e-Prescribing specifically and privacy specifically, we have a couple of advisory committees that have been giving us input, and there are a whole host of recommendations, and folks who are interested can just stop on our web site. The American Health Information Community, which you have heard a couple of speakers talk about, is the only one of about 350 advisory committees at HHS that is personally chaired by the Secretary, which shows the importance of these issues in the healthcare sector, from the Secretary's viewpoint. There is a confidentiality, privacy and security work group that provides advice to HHS on issues related to privacy and security and Health IT. There is also a National Committee on Vital and Health Statistics, which has regular hearings on privacy and security as well and has had a longstanding interest in Health IT. So there is a place, let's say, if you are interested in what is going on and what are some of the new recommendations coming down the pipe. They are the ones who are providing us some input on a regular basis.
Slide: 8
The AHIC is moving into the private sector. We are trying to transition it from the federal advisory committee, which only advises HHS, to a public-private partnership that can advise the federal government as well as the private sector and have sort of a more robust model for providing more detailed specifications on how electronic health information exchange can work.
Slide: 9
Recently, with respect to this transition to the private sector entity, this public and private partnership, I just wanted to make it clear that we have heard concerns about privacy and security policy being transitioned over to this group because it would be in the private sector and that the federal government really has a role to play in consumer protection. So, what we've stated and Secretary Leavitt has stated is that Health IT privacy and security policy leadership will remain with the Federal Government. We will be working on these issues. We will continue to work on these issues. But what we expect is that this AHIC successor organization, which is providing guidance both to the public and private sector on health information exchange, will be implementing the government policy and will be leading the development of organizational policies that the different participants would be expected to follow for purposes of exchanging health information.
Slide: 10
We also have been working very closely with the states because so much of the privacy law is at the state level, not at the federal level. The HIPAA privacy rule is a foundation and it is such a floor, and then the states can adopt more stringent privacy laws, and many, many, many of them have, and they are across the board, all different variations and forms on that theme. The variation makes it hard to exchange information across jurisdictional lines, and the states have a role to play in making sure that their policies are consistent with Health IT and health information exchange. So we have been working with state leadership, a governor-led body the NGA organized, to identify and assess consensus solutions and ways to resolve state-level health IT issues including privacy and security issues and adoption issues. Two things that I would like to highlight are that they have recently put out a report with recommendations and they also put out a “Call to Action” to states to encourage adoption of e-Prescribing. So you may hear more from your individual states about either incentives or other kinds of ways that they are going to try to encourage e-Prescribing to be adopted.
Slide: 11
Graphic showing the circular nature of standards development.
We have standards processes in place to identify standards. The thing I want to highlight is that the Certification Commission for Healthcare Information Technology is a public-private organization that certifies Health IT products and incorporates security provisions in those products: functionality, interoperability standards, and security.
Slide: 12
One of the speakers just said at the lunch presentation that CCHIT has stated that they will certify stand-alone e-Prescribing systems next summer. So that is something that folks can look to. The benefit of a CCHIT certified product is that there is a minimum set of security requirements that must be built in and a minimum set of interoperability standards, so that if a physician were to adopt an e-Prescribing standard stand-alone system, and later wants to migrate to a full EHR, they can do that, and it will be the same standards, the same security requirement, etc.
Slide: 13
Quickly, on HIPAA and e-Prescribing, a couple of things I want to highlight here. The first question folks should ask is whether or not they are covered entities/business associates, and most people would know that at this point. I am a lawyer so, I have probably ... everywhere because there are some limitations on who is a covered entity and which providers are covered entities. If you are a covered entity, some of the things you might want to consider, and this is not an exhaustive list, are looking at your privacy rule responsibilities, particularly some in the administrative and safeguarding requirements, and under the security rule conducting a new or updated risk assessment to figure out if adopting e-Prescribing might raise different questions or issues that you need to consider in protecting that information.
Slide: 14
If you are not a covered entity, and the reason I say this is that there are certain prescribers that may not engage in standard electronic transactions and therefore not be covered entities, you need to evaluate whether e-Prescribing will make you a covered entity, and that has a lot of implications. An e-Prescribing stand-alone product may still do formulary checks and benefit checks and other kinds of standard transactions that may make an entity, a healthcare provider that is not currently a covered entity, a covered entity.
Slide: 15
Some questions to consider, again not an exhaustive list, just to get people to start thinking about these issues, are: who might have access to an e-Prescribing system, and what types of restrictions should there be on their access? This raises questions about authentication: whether or not you know how somebody is authenticated to the network, and what rights they have once they have access to the e-Prescribing system. What types of security aspects should the organization that is adopting e-Prescribing be aware of? Audits, from a technical standpoint, but also some of the more administrative things: you need to retrain your employees about the security requirements with respect to this new system. And then also talking with any network that you might be connected to, to make sure that the information would be protected as it is being shared across the network.
Slide: 16
This was already addressed by Kerry Weems in the lunch sessions, about the e-Prescribing controlled substances proposed regulation that is out there now. Currently e-Prescribing of controlled substances is not permitted. They do have a proposed rule on the street. The security requirements are beyond those required by CCHIT in that proposed rule, and we are working with them on the specific provisions for the final rule. We have raised some concerns about how the criteria they proposed may have a negative impact on adoption. So, still to be determined.
Slide: 17
And, I just want to close with some upcoming federal activities. We are doing a state law analysis of e-Prescribing laws and we should have that out, I think, sometime maybe late summer, so it is something that we have available on our website, and I want to close with what I think is really exciting. We are working on a privacy and security framework which we have promised will be out sometime this year, and this year is getting shorter and shorter, so very soon. People use the word framework to mean lots of different things. You will hear, Tina mentioned a security framework they are working on. This is really a fairly high-level foundation that we would expect all participants in electronic health information exchange to follow. This is the baseline. It would not get into specific details of you must, you know, particular types of technologies or standards, so this is more of a policy baseline as opposed to a specific standards-based framework, but it is something that we are going to be putting out to make sure that there is a general framework for all participants in electronic health information exchange.
Slide: 18
And, with that I leave our web site for you to get more information and look forward to questions at the end. Thank you.