ILHIE Privacy and Security Work Group Minutes - January 13 2011 

January 13, 2011

Attendees (phone and in-person):

  • Ira Thompson, Infinite Systems Support
  • Dr. Arnold Widen, Office of the Attorney General
  • John Burge, BMC Group
  • Jay McCutcheon, Southern Illinois University
  • Marilyn Thomas, Healthcare and Family Services
  • Crystal VanDaventer, Lincoln Land HIE

Office of Health Information Technology (OHIT)

  • Mark Chudzinski
  • Joseph Duffy
  • Krysta Heaney

Ira Thompson opened the meeting at 2 p.m., hosted by OHIT. The minutes from December 7, 2010, were approved.

Federal and State Update: Mark Chudzinski shared with the group three federal and four state updates.

  1. ONC All-Grantee Meeting. OHIT representatives attended a three-day HHS/ONC conference in Washington, D.C., in mid-December. The first two days had simultaneous meetings, arranged by 12 topics, including a track devoted to "Privacy and Security." The final day was an open forum, which allowed participants to form ad-hoc discussion groups. The conference's Privacy and Security track was apparently organized under the direction of ONC's Chief Privacy Officer, Joy Pritts. The first session of the Privacy and Security track was devoted to a presentation by Joy Pritts, which was Webcast ("Update on Privacy Regulations and Activities in the Office of the Chief Privacy Officer"); the five subsequent Privacy and Security sessions were not Webcast.
  2. ONC Privacy and Security Developments. As reported at prior meetings, the "Tiger Team," an advisory body to ONC, has made recommendations regarding the privacy and security of Protected Health Information (PHI). Two other official federal advisory bodies have now published their own sets of recommendations regarding PHI privacy and security, which are different from, and arguably divergent from, those of the Tiger Team. As reported at the last meeting, the National Committee on Vital Health Statistics (NCVHS), a federal advisory committee created by Congress, sent to the Secretary of HHS its "Recommendations Regarding Sensitive Health Information" on November 10, 2010. The President's Council of Advisors on Science and Technology (PCAST) in December published its "Report to the President, Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward."
    • Tiger Team. As reported at prior meetings, the Tiger Team recommendations would call for a significant departure from current federal PHI privacy law as embodied in HIPAA. The recommendations appear to have emerged from a process in which little consideration appears to have been given to practical clinical workflow implications and costs, and the resulting practical burdens on the development and implementation of HIEs. In her public presentation, Joy Pritts characterized the Tiger Team's mandate as being focused on technical topics.
    • NCVHS. The NCVHS report focuses attention on seven categories of PHI, which benefit from special protection under state laws, but which are not currently addressed by HIPAA. The NCVHS report urges additional investment in projects to fully appreciate the implications of potential new federal regulation, and expressly calls for the process to include consideration of "the feasibility, need for technical standards, effects on patient care, efficacy for privacy protection, benefits and costs, and other possible consequences of segmenting these categories and implementing granular patient consent for their use in particular contexts."
    • PCAST. The PCAST report laments the lack of interoperability between EHR systems, and advises that if urgent attention is not devoted to the development of "a universal exchange language for healthcare information and a digital infrastructure for locating patient records," the U.S. will not realize the benefits it is hoping to obtain from its investment in EHR and HIE technologies. The PCAST report also addresses PHI privacy and security considerations. The PCAST report finds fault with the current HIPAA law as not providing patients fully informed choices regarding the control of their PHI, but also finds that an unintended consequence of the current regime of federal and state law is to equate PHI protection with data sequestration, freezing its exchangeability, which is detrimental to medical research and, potentially, patient care. The recent modifications to HIPAA, "in particular those that require covered entities to track all disclosures to associates – will further stifle innovation in the health IT field while offering little additional real-world privacy protection." PCAST recommends that HIPAA be "reformulated," as its policies "need a major overhaul to enter the electronic age." The PCAST report concludes that a "tagged data element approach" is necessary for the identification and protection of PHI data elements that require special protection.
    • NPRM. In response to direct audience questions following her presentation, Joy Pritts would not speculate what next steps HHS/ONC would take with respect to the Tiger Team recommendations. Joy Pritts expressly declined to opine whether HHS/ONC will be seeking to make changes in current federal regulations and policies regarding PHI privacy and security through a formal rule-making process (e.g., NPRM).
    • State Objections. Representatives from several states publicly expressed their concerns, and to some extent opposition, to the process and direction of potential changes in current federal regulations and policies regarding PHI privacy and security being pursued by the Tiger Team.
  3. NHIN and NHIN Direct. The conceptual architecture of the proposed national HIE, NHIN, originally reflected a federated hierarchy, similar to our federal/state/local governmental structure, with local and regional HIEs linking into state-level HIEs, which in turn linked into NHIN. In 2009, ONC disclosed the NHIN Direct project, originally characterized as a corollary to NHIN, which would allow health delivery organizations to have direct access to the NHIN message routing system, without the need of passing through intermediate local, regional or state-level HIEs. Since its issuance on July 6, 2010, of a Program Information Notice (PIN), the ONC's evident focus on NHIN Direct appears to confirm the observations of industry analysts that HHS/ONC is not an enthusiastic advocate for a truly hierarchical federated national HIE architecture, fearing that proposed intermediate level HIEs will not succeed or will not be effective in the time frame needed to support the increasingly robust information exchange. In a September 2010 industry research report, Gartner notes that "The NHIN Direct approach leverages established Internet security protocols to the maximum and enables point-to-point communications without the overhead associated with HIEs, including organizational vetting, consumer identification services and consumer permission management. . . The policy simplifications associated with push use cases offer numerous opportunities to meet ad hoc requirements for information exchange much faster than the development and rollout of community model HIEs."
     In the absence of strong federal leadership, funding and statutory preemption to organize a consistent and efficient national infrastructure to facilitate national exchange of PHI across entity and political boundaries, we face a formidable challenge in having multiple potential HIE organizations and participants, with varying levels of financial viability, entrepreneurial business skill and political support, coordinating their efforts.
  4. OHIT Strategic Plan. OHIT resubmitted its Strategic and Operational Plan to HHS/ONC on December 10, 2010. The Plan was approved on December 21, 2010, allowing for the release of $17.7 million in HIE implementation funding to OHIT. OHIT understands that approximately 36 State Plans (of 56) were still awaiting HHS/ONC approval at the end of 2010.
  5. OHIT Business Plan. OHIT's business plan for the use of the ONC grant funds is due February 11, 2011, but OHIT understands that ONC will postpone the deadline. The new deadline date is presently unknown, but OHIT anticipates a March 30 or April 30, 2011 deadline date. OHIT intends to use most of the federal grant funds for funding the development and implementation of the state-level HIE core services, e.g., the Master Patient Index, Record Locator Service, Provider Directory. The OHIT business plan is being prepared with the assistance of an external consultant, Navigant.
  6. OHIT RFPs. Illinois' approved Strategic and Operational Plan reflects a change to OHIT's originally proposed implementation schedule. OHIT has agreed to immediately develop and implement an RFP for the acquisition by OHIT of the services of a Health Information Service Provider (HISP), to enable the creation of a directory of Illinois healthcare providers that would be capable of routing health information through the Direct Project. As a consequence, the preparation and issuance by OHIT of the ILHIE procurement RFP has been, regrettably, postponed.
  7. ILHIE Authority. Governor Quinn has not yet appointed the Board members of the ILHIE Authority. We are hopeful that will occur this month, and that the new Authority will begin functioning by March 15, 2011.

Audit Group Update: Ira Thompson provided the group with an update on recent activity related to audit and authentication services for the ILHIE. Ira and Ron Warren are currently working on developing an e-health forensic audit framework that will include, among others, HIPAA audit procedures, individual audit procedures, and NHIN specifications. The collection of audit documentation is ongoing.

General Updates and Next Steps: The next meeting of the Privacy and Security Work Group will be scheduled after the initial meetings with Patricia Cunningham, OHIT Chief Technology Officer, to discuss the new focus of the Privacy and Security Work Group on audit and authentication services.

Meeting adjourned at 3 p.m.