Notes from Privacy and Security Panel
Date: August 17, 2010
Time: 1:00pm-1:45pm

  • Deven McGraw, Privacy and Security Tiger Team Chair; Center for Democracy and Technology
  • Joy Pritts, Chief Privacy Officer, ONC
  • David McCallie, Cerner Corporation
Participants: Brian Behlendorf, Jonathon Bartels, Tony Calice, Janet Campbell, Gary Christensen, Jason Colquitt, Ron Cordell, Tim Cromwell, Rich Elmore, Zachary Gillen, Mark Gingrich, Beau Grantham, Uvinie Hettiaratchy, Susan Johnston, Don Jorgenson, Dan Kazzaz, Chris Lomonico, Umesh Madan, Arien Malec, Alex Matsukevich, John Moehrke, Parag More, Sean Nolan, Kris Olberg, Vassil Petyachev, Will Ross, Caitlin Ryan, Claudio Sanchez, Jason Siegel, Jas Singh, Mark Stine, Aaron Stranahan, John Theisen, Paul Tuten, Chris Voigt

Current Action Items (Due Date: none listed)
  • Present Key Findings from Letter of Recommendation to the ONC/HHS (Deven McGraw)
  • Send a prioritized list of policy items being discussed to Joy Pritts for review by HITPC on an ongoing basis (Arien Malec)

Deven McGraw
  • Summarized the Tiger Team’s letter of recommendation submitted to HHS

    • Scope: Electronic exchange of patient identifiable health information (PIHI) among known entities to meet Stage 1 of Meaningful Use (MU)
        • Looked to framing of the fair information practices (FIPs) by the ONC

    • Core Recommendation: Participants in health information exchange should follow the full complement of their fair information practices (FIPs) when handling personally identifiable health information (PIHI)

    • Key Areas Covered:
      • Use of intermediaries or third party service organizations
        • They should not collect any further information than necessary based on their contractual requirement by that covered entity
        • In short: “No more, no less”
        • Information to only be held as long as reasonably necessary
        • Third party service organizations must disclose how information will be used
        • Information bound by HIPAA
      • Directed exchange between providers
        • The provider is responsible for the security of what gets exchanged in terms of disclosure
        • Patient-provider trust relationship is the backbone
          • Not suggesting the provider trumps the patient
          • Also not trying to override the patient–provider relationship/conversation
        • ONC should not create additional layers
      • Right of the patient or provider to consent to exchange of personally identifiable health information
        • Assuming the FIPs are followed, then further patient consent is not necessary in addition to existing requirements
        • If the provider is not handling the patient’s PIHI, then consent needs to be meaningful
          • Ex: Patient needs to consent if the provider advances disclosure to an HIO
        • The person who is directly treating the patient holds the responsibility to educate them in meaningful consent
      • Granular consent through the technology
        • Ex: “I only want these parts shared” or “I only want to share with these people”
        • Currently there is a lot of promising technology, but in early stages of development or adoption
        • The ONC has a role to stimulate innovation
        • Currently there is a limited role for technology – an example:
          • One can hide the field indicating they are HIV positive
          • However they cannot also hide doctors’ notes mentioning they are HIV positive or medicine prescriptions to control their HIV
David McCallie
  • Good news for NHIN Direct
    • Points out that since it is essentially directed exchange, it can go straight into implementation
      • No additional consent is required
      • No data segregation, logic, control, or further software is necessary
      • Allows HISPs to provide certain services on behalf of the provider (to encrypt messages)

  • Bad news for NHIN Direct
    • As Deven mentioned, granular consent is limited and presents issues
    • An opt-in/opt-out model is possible, but falls short of providing meaningful consent in certain cases
    • Raised concerns of possible “indirect exchange”
      • Believed this is an unanswered question
      • Noted that pilots will help discover and address such issues
      • “A lot more terrain to get through”
    • Believed NHIN Direct should move forward in an uncontroversial way
    • Raised some unresolved questions:
      • What does NHIN mean coming from the ONC?
      • What certificate signing authorities are valid?
      • Is it okay if “to” and “from” subject headers are not encrypted?
Joy Pritts
  • Asked how to prioritize these unresolved questions:
    • Do these questions need to be addressed by the ONC?
    • Even if they should be, are these key priority issues?
  • Referenced the former NHIN Governance work group
    • ONC was responsible for the “means for providing governance for NHIN”
Arien Malec
  • Identified two specific problems with the “NHIN Direct Project”
    • Name
    • Governance
      • Current work is piloting use of the specifications
      • Interim: local pilots running in compliance with existing state and federal laws
      • ONC cannot make formal rules regarding any project that is outside federal bounds or jurisdiction
      • Since NHIN Direct is a voluntary process for the organizations participating in the exchange, it falls outside of federal bounds
David McCallie
  • Noted the pilots give an opportunity to test the following:
    • Minimum credentialing
    • Minimum authenticating
  • Clarified that provider is a general reference to doctors/pharma, but not labs
  • Liked how the Tiger Team realizes there are different privacy and security concerns for the different use cases
Deven McGraw
  • Addressed the reuse and retention of PIHI:
    • The functions requiring such PIHI need to make clear what the PIHI is intended for
    • This way the PIHI is only used for what is necessary for that function
John Moehrke
  • Argued that directed exchange is only direct for an instance – only in one direction
Deven McGraw
  • Responded that you make the decision to whom to disclose and when to disclose
  • Noted the difference is that in indirect models one can get information from a repository
  • Asked group to distinguish between the “sender’s perspective” and the “receiver’s perspective”
  • Concluded that if the directed exchange doesn’t change at some point, then an additional layer of patient consent is not necessary
Arien Malec
  • Expressed his appreciation for the progress from the privacy and security committee a.k.a. Tiger Team