Transcript Document 7145491

Tugboat Captains &
Clinicians
Both are in Harms Way
Presented to:
Internet2 Conference
Atlanta, GA - October 31, 2000
W. Holt Anderson, Executive Director
NC Healthcare Information & Communications Alliance, Inc. (NCHICA)
Structure of Presentation
•
•
•
•
•
•
Implementing a Vision
HIPAA
HealthKey
NC Projects
Federal PKI Bridge
The Tugboat Captain
2
Implementing a Vision
• “Paperless, person-centered health records by
2010.”
• Adopted by the following organizations in NC:
–
–
–
–
–
–
–
–
–
Medical Society
Nurses Association
Hospital Assn.
Health Information Management Assn.
Assn.of Local Health Directors
Assn. of Pharmacists
Health Care Facilities Assn.
Assn. For Health Care Quality
Assn. For Hospice & End of Life Care
3
4
Definition - Health Record
• A virtual digital record of an individual’s
health information and all episodes of care
• This record is maintained by multiple
providers and shared when necessary for
care of that individual
(as allowed by patient consent and/or law)
• NOT a central “master file”of information
5
Enhancing the Quality of Care
• Preventing medical mishaps related to
drug interactions, handwriting, allergies,
transmissible diseases, etc.
(Automated delivery of information)
• Enhancing quality control through access
to information
6
Death by Handwriting
• Texas cardiologist
– Prescribed 20mg Isordil 4X / day
• Pharmacist
– Filled 20mg Plendil 4X / hday = 80mg / day
– Normally Plendil taken max 10mg / day
• 42-year old patient died of heart attack
• Jury found MD and Pharmacist
responsible and awarded $450K to
widow and three small children
USA Today 10-21-99
7
Controlling and Reducing Costs
Cost of paper records is said to be at
least 25% of total health care costs.
• Minimize space requirements
• Reduce resources for filing, storage and
retrieval of information
• Improve access time
• Less duplication
8
HIPAA
Health Insurance Portability & Accountability Act of
1996 [PL 104-191]
• Administrative Simplification
–
–
–
–
Electronic Transactions & Codes
National Identifiers
Security & Electronic Signatures
Privacy
• Generally expected to be implemented by end of
2002
• Civil Monetary & Criminal Penalties
9
Federal Mandate under HIPAA
(in effect since 8/21/96)
• Section 1173(d)(2) of the Act stipulates that healthcare
organizations (that maintain or transmit electronic patient
information) shall maintain reasonable and appropriate
administrative, technical, and physical safeguards to:
– Ensure the integrity and confidentiality of patient
information
– Protect against any reasonably anticipated threats or
hazards to the security or integrity of the information
– Protect against unauthorized uses or disclosures of the
information
– And, ensure the compliance of the officers and
employees of the organization with this provision.
10
Proposed Privacy Regulation
• Covers electronic information (and products of and
contributors to electronic information)
• Providers, Health Plans & Clearinghouses
• Requires contracts with trading partners to assure
continuity of privacy (also in Security regs)
• Permits sharing for care, claims, & certain
operations (QA, utilization review, credentialing)
without patient consent
• Limited sharing for “national priority” activities
• Requires written “fair information practices”
11
Penalties for Non-Compliance
• Violation of transaction or security standards
– Not more than $100 per violation, maximum of
$25,000/year
– No aggregate maximum
• Wrongful disclosures (privacy)
– Not more than $50,000 per violation
– Imprisonment for not more than one year
12
Penalties for Non-Compliance
(cont)
• False Pretenses (privacy)
– Not more than $100,000 per violation
– Imprisonment not more than five years
• Intent to sell, transfer, or use (privacy)
– Not more than $250,000 per violation
– Imprisonment for not more than ten years
13
Scope of Compliance
• More than just technology
– Policies
– Operational Procedures
– Physical Security
– Business Partner Agreements
– Personnel
– Management & Supervision
– Training
14
Security Standard
• Defined:
– Set of requirements with implementation
features that providers, health plans, and
clearinghouses must include in their operations
to assure that individual health information
remains secure.
• Scalable: applies to all size organizations; larger
organizations may be held to a higher standard.
15
Security Requirements by Category
Administrative
Certification
Chain of Trust
Agreements
Contingency Plan
Formal Mechanisms:
Records
Info Access Control
Internal Audit
Personnel Security
Security Configuration
Security Incident
Procedures
Security Mgmt.
Process
Termination
Procedures
Training
Physical
Safeguards
Assigned Security
Responsibility
Media Controls
Physical Access Controls
Policy - Workstation Use
Secure Workstation
Location
Security Awareness
Training
Electronic
Signature
Digital Signature
Technical Security
Mechanisms
Communications/Network
Controls
Integrity Controls
Message Authentication
Technical Security
Services
Access Controls
Audit Controls
Authorization Controls
Data Authentication
(corruption)
Entity Authentication
Implementation Features Under Each Requirement
16
Technical Security Mechanisms
Objective:
Ensure processes are in place to guard
against unauthorized access to data that is
transmitted over a communications network
(intercept and interpret), and to protect
systems from external access.
17
Communications--Open Network
• Where the network is open (e.g., shared
data line, Internet, switched WAN), then
the following must be in place:
– Alarm (sense abnormal conditions)
– Audit Trail
– Entity Authentication
– Event Reporting
– Encryption is stated as “should be employed”
18
If You Use Electronic Signatures
• Must have:
– message integrity
– non-repudiation
– user authentication
• May have:
– ability to add attributes
– continuity of signature capability
– countersignature capability
– independent verifiability
– interoperability
– multiple signatures
– transportability
19
HealthKey
Secure E-Health Solutions
A Program funded by
The Robert Wood Johnson Foundation
HealthKey Origins

Funded by $2.5 million Robert Wood Johnson
Foundation grant - Fall 1999

Collaboration to advance the development of
health information infrastructure

Market-driven, community-based approach

Coordinated pilot efforts in 5 states
21
HealthKey Participants
Massachusetts Health Data Consortium
(MHDC)
 Minnesota Health Data Institute (MHDI)
 North Carolina Healthcare Information
and Communications Alliance (NCHICA)
 Utah Health Information Network (UHIN)
 Community Health Information
Technology Alliance (CHITA) -- WA

22
HealthKey Strategy
 Identify
interoperable, standards-based
solutions to real business problems

Showcase pilot participants as leaders in
testing evolving health information
infrastructure

Identify approaches to achieve HIPAA
compliance
23
$64,000 Question
Is PKI a valid
infrastructure for the
health industry?
If so, what is the likely
architectural model?
24
MN & NC to pilot Bridge CA
 Developed
by Mitretek for the Federal
Dept of Treasury/GSA
 Allows
validation of digital certificates
from multiple CAs
 Aggressive
timeframe - demo by
Spring 2000
 Additional
states/projects can tie in
after pilot phase
25

NCHICA PKI Projects
– Rekmote access to immunization registry
– Shared access to clinical info for Medicaid
high-maintenance patients
– Remote primary care provider access to
neonatal/perinatal patient info
– Remote primary care provider access to
patient info for children with special needs
– Access to emergency dept. database
– Possible pharmacy application
26

MHDI PKI Projects
– Access to Immunization data
– Transmit newborn screening results
from MN Dept of Health
– Provide secure access to Central Query
Service for eligibility inquiries

Other States
– Additional projects underway
27
Provider Access to
Immunization Registry
Securely
PAiRS
What is PAiRS?
• Combines immunization records from both
public and private sources in a common
database
• Widely accessible, inexpensive and secure
inquiry only access to immunization records
via the Internet
• Reliably identifies relevant records for an
individual in the absence of a unique identifier
29
Current Project Status
• Approximately 1.5 million children (0-18)
and an associated 12 million vaccine
doses
• 28 pilot sites, 172 users
• Over $1 million in in-kind contributions
30
Challenges to Successful
Implementation of PAiRS:
•
•
•
•
•
Initiation of use
Recognition of PAiRS value
Accessibility of computers
Computer skills of nurses and physicians
Busy practices with established service
delivery methods
• Security & Interoperability
32
Where do we go from here?
• PAiRS participation expansion
• PKI for user authentication and security
• Regional PAiRS project - demonstration
project to facilitate inter-state exchange of
immunization information
33
NCEDD Project Description
• 3 goals (putting down a
railroad track)
– select a standard data format
(DEEDS)
– demonstrate secure data
exchange
– statewide ED database for
injury surveillance, EMS
outcomes, best practice
(NCEDD)
35
Use of NCEDD Data
• Public Health Surveillance
– Disasters, bioterrorism, reportable conditions
• Research using hospital discharge dataset
– Injury surveillance, Trends/impact of new facilities,
HMO penetration, substance abuse indicators
• Linkages- outcomes, episode of care
– EMS
– Trauma Registry
– Hospital Database
• Aggregate format
– Oversight Committee of participating hospitals
36
NCEDD Security
Security/Access Concerns
• Confidential data over Internet
– Patient
– Facility
– Provider
• Authentication of users - multiple organizations
– Public health staff - SCHS, Epidemiology
– STEER staff - Chapel Hill, Wilmington
– Participant hospitals ?
38
Federal PKI Approach
(with thanks to Richard A. Guida, Chair, Federal PKI Steering Committee)
• Establish Federal PKI Policy Authority
• Develop/deploy Bridge CA using COTS
– Four levels of assurance (emulate Canada)
– Prototype early 2000, production mid 2000
• Deal with directory issues in parallel
– Border directory concept; “White Pages”
• Use ACES (Access Certs for Electronic
Services) for public transactions
39
FBCA Overview
• Non-hierarchical hub for interagency
interoperability
• Ability to map levels of assurance in
disparate certificate policies
• Ultimate “bridge” to CAs external to
Federal government
• Directory contains only FBCA-issued
certificates
40
FBCA PKI Architecture
US Federal
41
Potential Architectures
• Multiple CAs within membrane, with
single signing key
• Single CA
• Multiple CAs within membrane, crosscertified among themselves
42
Multiple CAs, Cross-certified
• In essence, the “quark” model
• Certificate path length may be +1
• Adding CAs within membrane should be
straightforward albeit not necessarily
easy
• Requires solving inter-product
interoperability issues within membrane
rather than outside - which is good
43
Current Status
• Decision: cross-certified CAs within
membrane
• Multiple vendor products: Initially
Entrust and GTE for “prototype” FBCA
• Migration from prototype to production
FBCA will entail adding other CAs
inside the membrane
• GSA/FTS has responsibility to execute
44
PKI Use and Implementation
Issues
• Misunderstanding what it can and can’t do
• Requiring legacy fixes to implement
• Waiting for standards to stabilize
• High cost - a yellow herring
• Interoperability woes - a red herring
• Legal trepidation - the brightest red herring
45
The Tugboat Captain
TJ Hooper v. Northern Barge
Company 60 F.2d 737 (2d Cir. 1932)
• Long Island Sound - storm comes up and
tug loses barge
• Plaintiff was barge owner
• Plaintiff found negligent because Captain
had no weather radio
Rationale: to avoid negligence, keep up with
technological innovations - they set the
standard of care in the industry
46
The price of good navigation is
eternal vigilance
W. Holt Anderson, Executive Director
NC Healthcare Information & Communications Alliance, Inc.
www.nchica.org
Thank you !
www.nchica.org