HIMSIG20081031
Liberty Alliance Project
HIM SIG
Teleconference Meeting Notes
October 31, 2008
11am - 12pm EDT
Author: Kurt Kolok
Attendance:
Pete Palmer, Wells Fargo
Rick Moore Ehealth Ohio
John Fraser MedNet
Bob Pinheiro IC
Mick Talley SEMHIE
Dave Weitzel Mitre
Gail Reynolds Aetna
Lisa Gallagher HIMSS
Kal Ayyar Yash LLC
Adrian Gropper Medcommons
William Yasnoff Guest Speaker
Brett McDowell Liberty Staff
Kurt Kolok Liberty Staff
Pete will get back to Britta re: the Tues. a.m. session.
Following is a link to a brief bio of Dr. Yasnoff:
http://wiki.projectliberty.org/index.php/Guest_Speaker_Bio
Issue of privacy certification:
Essentially, as we make information more available for good purposes, it is clear that it automatically becomes more available for nefarious purposes. It is more important now to protect privacy than at any time before. Patients have to be in control of their own information, so each individual should be able to set their own privacy policy.
It is important for consumers to have third party verification that policies are good and that they are being followed. Patient Privacy Certified is a service organization to encourage and reward health IT systems that follow privacy practices and policies.
Privacy practices/policies should:
Serve public interest
Be independent (health professionals, privacy experts, etc.)
Be transparent
Require compliance & confidentiality.
Certification process: Security & privacy are related but not the same. We have to assure that the ‘locks on the doors’ are good before checking policy. Certification would require a security audit (a HIPAA security audit, for one example).
--Pre-certification phase:
We audit against our criteria but we do not physically inspect a system.
We give candidates the opportunity to address anything that comes up.
Staff submits audit information to the ‘jury’ of experts (the staff needs to convince the jury of compliance).
Requires annual re-certification.
The basics of privacy policy include:
--patients controlling all access to their information
--policy needs to be easily found & understood
--patients have to volunteer
--patients cannot be profiled or targeted without their consent
--there are audit trails
--patients are notified of breaches
--anyone who misuses the information is punished.
Certification is supported by multiple audit criteria. Examples of audit criteria include:
1) Policy cannot be written in the passive voice. When privacy policies are in the passive voice, no one knows who is doing what to whom. Even the organization that wrote the policy does not understand what it means or how things are getting done.
2) Control over who accesses each data item.
3) There have to be audit trails for all accesses.
The cost of certification is $25,000 and up; re-certification costs are lower. Certification is not guaranteed.
Metrics are developed to reflect policies or a set of beliefs. Are you providing some set of metrics?
--Audit criteria are what the organization checks; they will not dig into applications and code. We are interested in your policy and how you articulate it. We review and monitor privacy policy. One of the services we provide is to check the policy continuously to make sure it has not changed. No one can guarantee privacy.
Have you set the boundaries related to where/how the patient controls their data?
--You have to define the boundaries of the application. For example, within a PHR you could follow these policies. After review we would certify the PHR, not the entire organization. Our criteria are much stricter than HIPAA's. We can only change how patient information is handled one application at a time. Once information is deposited in a PHR, the patient would have control over what is in the PHR, not over the original information. Information can get deposited into Microsoft HealthVault. Once the information is in HealthVault the patient controls the data. We do not want to interfere with sharing information; we just want to make sure that the patient consents to all sharing. Privacy certification has positive business value because you are assuring consumers that what you are telling them is what you are doing (through 3rd party review). Trust without verification is not very powerful.
Do you plan to remain an independent entity? Yes. We will not take government funding; we are funded 100% by certification fees. That is the only way we can maintain independence and integrity (as a stand-alone seal organization).
Why no relationship with other seal organizations? We have assembled a group of experts with specific knowledge of Health IT. As long as it is consistent with our principles we would be open to working with other organizations.
From the ANSI/HITSP point of view: we would appreciate any endorsements/blessings, positive comments. Would you consider adapting your protocols to those of ANSI or HITSP? Our intention is to have the highest criteria of privacy policy. We do intend to publish our criteria on the web, but we may not necessarily apply for ANSI certification.
Essentially our view is that CCHIT has an important role to play in terms of functional certification. Privacy certification is different: having the functions to protect policy does not automatically mean it is protected. That is more of a policy verification in a working system (something CCHIT has not done). Consumers would be uncomfortable trusting government or vendors with their personal information.
Is the certification you are going to issue issued to the product or the organization? CCHIT verifies that a product has certain functions. You could verify things such as ‘product can produce audit trails’, but the product may allow that to be turned off. In that case, the organization needs to pass a security audit before certification is awarded.
Would the consumer know what the results of the audit were? Is that transparent? Typically the evidence submitted for certification would not be made available to the consumer, but we would not rule that out.
The intent is that you have to demonstrate that your security is sufficient and that you can enforce the privacy policy you present to us. An ISO 27002 audit would reflect good security. We are also willing to accept HIPAA security audits (HIPAA does not require encryption of data in transit, so you would have to explain how you were transporting it securely). Feedback/comments are welcome.
Are you exploring a data-centric approach to security? There are methodologies where you could maintain control of your data but share it in a way that you could process some sort of application.
Are you thinking about a data-centric approach where security is attached to the data? No. If the consumer decides not to share their info then it is protected. Dr. Peel’s privacy coalition put together 13 principles spanning the political spectrum. We took those principles and developed the audit criteria we felt were necessary to demonstrate compliance (PPRO organized the privacy coalition). We intend to turn those 13 principles into auditable criteria.
Have you had non-US input? Yes. Privacy and data protection elsewhere is much stronger than in the US.
Is the intent to be US-domestic only or international? We are focused on the US, but would not mind if it became international. Data has to be stored someplace where there are appropriate data protection laws, or in the U.S. Other countries are ahead of the US re: providing protection. The principles and audit criteria could easily be applied in other countries.
Action: Kurt will circulate the URL showing the PPEG summaries of LAP’s privacy summits with industry leaders (we are having another one in Tokyo the week of Nov. 3).
The only feasible way to deal with privacy is to let everyone set up their own privacy rules.
If you are completely funded by certification fees, how are you going to engage in research activities? It has to be based on real requirements. For privacy-related research we would want to accept funding for it as long as it does not create a conflict.
Re: delegation of duties, indemnity, etc.: if certification is removed, do you bear any liability? Our intent is to deal with disputes through a reasonable arbitration process. We will accept responsibility for our own negligence and will be insured appropriately. Once you have certification, we would not remove it unless there was clear evidence of breaking the certification requirements. Our intent is solely to reward those who are submitting themselves to 3rd party certification: certify and re-certify organizations that follow the policies.
Would you have some kind of review before certification is turned off? Yes. We would exhaust every option to resolve the situation.
Why not create a web service so that the removal of certification/logo is detected and communicated? That is a good idea. The expectation is that people who want to be certified are going to follow the rules.
Do you have a requirements document for vendor certification such as that provided to Microsoft? Yes, Dr. Yasnoff will send a presentation to Pete for distribution to the mail list and wiki.
Meeting Adjourned