HIMSIG20081017


Liberty Alliance Project
HIM SIG
Teleconference Minutes
October 17, 2008
11:00am-12:00pm EDT
Author: Kurt Kolok

Attendance:


Guest Speaker, William Yasnoff
MedNet, John Fraser
eHealth Ohio, Rick Moore
Wells Fargo, Pete Palmer

Liberty Staff, Brett McDowell
Liberty Staff, Britta Glade
Liberty Staff, Kurt Kolok

Agenda:

1) Review/discuss open action items from Oct. 3 & Sept. 19 Minutes
2) Presentation of Patient Privacy Certified by Dr. William Yasnoff
3) Discuss the status of the HIE and Financial Systems Symposiums:
4) AOB


1) Review/discuss open action items from Oct. 3 & Sept. 19 Minutes
Oct. 3:

  • Action 20081003-1: John F. and Rick M. will help with the HIE (Health Information Exchange) Symposium.
  • Action 20081003-2: John F. will speak with Pete Palmer re: representing the financial sector (speaking about the IAF and what that means for identity assurance).
  • Action 20081003-4: Once the agenda and speakers are confirmed Helen will send the details to the mail list.
  • Action 20081003-5: Helen will speak with Pam re: the financial services speakers, keeping in mind that Pete Palmer may be interested in speaking.

Sept. 19:

  • Action 20080919-1: Pete will find out the status of the Liberty Identity Assurance Assessors program.
  • Action 20080919-2: Pete will follow up with IAEG to see if they have already sent a letter to AHIC.
  • Action 20080919-3: Britta will speak with Mari Franks re: logistics related to HIMSS.
  • Action 20080919-4: Pete will get in touch with Jim Gross, Rick and Helen to discuss a proposal to IAEG.
  • Action 20080919-5: Helen will communicate an agreed upon HIM SIG proposal to IAEG.
  • Action 20080919-6: Britta will confirm whether or not meeting room use under a Financial Systems Symposium co-sponsorship would be for a single meeting or a full day.

2) Presentation of Patient Privacy Certified by Dr. William Yasnoff (http://www.digitalhcp.com/2008/09/03/privacy.html)

We will postpone this agenda item until Oct. 31 in order to build more participation; however, Dr. Yasnoff spent today’s call providing an introduction to his presentation.

Dr. Yasnoff: Technically there are some challenges. A universal iconic ID for anyone works well with Liberty but patients have different demands than other types of users. As a physician with a PhD in computer science Dr. Yasnoff has been working in health identity for a number of years. He was responsible for getting health ID on the national agenda. In 2006 he founded the Health Record Banking Alliance (its aim is to identify a complete medical records solution to the health information infrastructure problem).

Privacy is a critical concern in terms of electronic record availability. We have to do a better job protecting privacy and need to increase privacy and protection in the privacy domain. Patient Privacy Certified (currently the CEO) is a non-profit of Dr. Deborah Peel’s focused on patient privacy rights. It takes the highest standards and creates audit criteria and certifies whether or not they comply. The group is currently certifying Microsoft’s Health Wall. Privacy certification is different than other types of certification because it is more of a policy exercise. We need to have security before we can have privacy.

LAP adopted work from the EAP (Electronic Authentication Partnership) and published the IAF (Identity Assurance Framework). IAF, in essence, is a rule for issuing types of IDs of varying strengths. There will then be an accreditation process for auditors.

Dr. Yasnoff: We require security authentication as a prerequisite as well as HIPAA certification, etc… The application and internal documents will be looked at for verification. Example: Privacy policy—anyone who has one needs to post it publicly. We have a large number of requirements for privacy policy. Privacy policy does not have any passive voice (such as ‘this will happen…’ without saying to whom). We do not want an ambiguous privacy policy. Getting rid of ambiguity has helped clarify what is being said.

We are committed to doing web page monitoring. Very few consumers read privacy policy. If a certified privacy entity changes their policy without notifying the organization then they lose their certification. We are planning to certify EHR vendors but we cannot certify something ‘in the box’—an application has to be running somewhere. We cannot certify security except in an operational environment. There is interest in certifying larger healthcare institutions, etc… We will not take money from anyone except for certification—all expenses have to be paid through certifications (still working on the pricing model). Typical fee may be $25,000-50,000+.

In order to maintain privacy every person should be able to set their own privacy settings. Consent needs to be explicit and voluntary.


Action 20081017-1: Pete will send information on IGF to Bill.

Dr. Yasnoff: Machine readable technology will enforce one’s privacy practices. An audit trail will be required; it is possible to implement automatic policies that test to make sure the audit trail exists.

IGF has the ability to enforce privacy practices in the protocol on the wire to bind policies with the data. It is for auditing one’s compliance with the various regimes. We need to connect IGF with HITSP work. The real solution is to let everyone set their own privacy policy with consent that is granular, time limited and entity limited, so everyone can apply their own sensitivities to the data. At last year’s HITSP meeting they were presenting their work on a privacy framework. We cannot make sense of all of the privacy practices unless the government states what is required.

Dr. Yasnoff: Everyone has to be given their own control. Berkman Center for Internet & Society: VRM (Vendor Relationship Management—put the person in control of the information). This connects to health record banking idea (repository under patient control).

Resources:

  • www.healthbanking.org
  • www.yasnoff.com


HITSP is in the driver’s seat. Those in the private sector need to help the government identify what they should do to support this work.

What are the criteria around trust (they are much more vague than the criteria for privacy)? Trust is more granular than every kind of trust you could imagine.
What if we took privacy policies and put them into levels? Not everyone has to have the same privacy policy.

Action 20081017-2: Brett will get Bill connected to the ID Governance Expert Group (Paul Madsen).

3) Discuss the status of the HIE and Financial Systems Symposiums:

Whatever we do for an education session, Pete and John will both help staff the booth and support the sessions.

4) AOB
None.

Meeting Adjourned
