Skip to Main Content


  1. Governor

Privacy and Security Work Group Minutes - June 28 2011 

June 28, 2011

Attendees (phone and in-person):

  • Chair: Ira Thompson, Infinite Systems Support
  • Joseph Duffy, Office of Health Information Technology (OHIT)
  • Ivan Handler, OHIT
  • Krysta Heaney, OHIT
  • Mark Chudzinski, OHIT
  • Thomas Daeng, Illinois Health Exchange Partners (IHEP)
  • Carl Gunter, University of Illinois SHARPS
  • Sabrina Hardenbergh, Community Health & Emergency Services, Inc.
  • Vince Keenan, Illinois Academy of Family Physicians
  • Steve Lawrence, IHEP
  • Jay McCutcheon, Lincoln Land HIE (LL HIE)
  • Crystal VanDeventer, LL HIE
  • Ron Warren, Infinite Systems Support


Chairman Ira Thompson opened the meeting at 2 p.m. The meeting was hosted by OHIT at the James R. Thompson Center, with a telephone conference call-in number provided for participants unable to attend in person. Roll call was taken.

Minutes Review:

Mark Chudzinski noted a correction to the minutes regarding consent management and audit trails, as well as a typo; pending corrections, the minutes from May 26, 2011, were unanimously approved.

ILHIE Update:

Mark Chudzinski provided the Work Group with one federal-level update and four state updates.

  1. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) at the end of May that would modify the HIPAA Privacy Rule's standard for accounting of disclosures of Protected Health Information (PHI). Currently, the Health Information Technology for Economic and Clinical Health (HITECH) Act, provides an exemption to the HIPAA Privacy Rule, for disclosures to carry out treatment, payment, and health care operations through an Electronic Health Record (EHR). The proposed modifications would remove this provision, requiring covered entities and business associates to account for disclosures of PHI to carry out treatment, payment, and health care operations if such disclosures occur through an EHR. The NPRM also proposes expanding the accounting provision to: 1) provide patients with the right to receive access reports indicating who has accessed electronic PHI in a designated record set, and 2) proposes changes to the existing accounting requirements to improve workability and effectiveness.

Mark Chudzinski noted that the requirements under the NPRM are not aligned with the EHR certification requirements under the Office of the National Coordinator (ONC).

  1. OHIT has launched an initiative to review the need for Health Information Exchange (HIE) standards at the state level. The current national status of health information standards is complex and challenging. The enabling legislation of the Illinois HIE Authority (the "Authority") imposes upon the Authority a duty to assume an active role in the development and adoption of health information exchange standards as applied to EHR systems and HIE systems in operation in the State of Illinois. OHIT welcomes the input of the Privacy & Security Work Group on the development of this initiative, and the involvement of Privacy & Security Work Group members in the substantive review and discussion of information technology standards.
  2. OHIT is continuing to explore with the University of Illinois Strategic Healthcare Information Technology (IT) Advanced Research Projects on Security initiative the prospect of collaboration in the creation of a pilot project involving the consent management services layer of the state-level Illinois HIE.
  3. The Authority, on June 22, 2011, appointed a 32-member Advisory Committee, which will be initially co-chaired by Stan Krok (CIO, Childrens Memorial Hospital) and Bill Odman (VP and Regional CIO, St. Mary's Good Samaritan). As part of the creation of the Advisory Committee, OHIT will be reviewing the role of existing Work Groups and their relation to, and possible absorption into, the new Advisory Committee.
  4. OHIT has issued its Request for Proposal (RFP) for the acquisition of the core elements of the Illinois HIE. Approximately fifty (50) vendors attended the vendor conference on June 13, 2011, and/or have expressed an interest in responding to the RFP. The RFP can be accessed on the State of Illinois Procurement Bulletin (Illinois BID reference 22021860) or through the Office of Health Information Technology Web site.

General HIE Project Updates:

Ivan Handler provided a summary analysis of the recent National Association of State Chief Information Officers (NASCIO) conference. One emerging theme from the conference was the challenge of provider authentication and the corresponding responsibility placed on HIEs to validate providers, including multifactor authentication. Ron Warren suggested the Provider Identification Number (NPI) be used as a baseline and incorporating biometrics to increase security. Ira Thompson suggested the use of passwords that expire on a periodic basis. Carl Gunter suggested using the authentication system of the Illinois Prescription Monitoring Program, the State program allowing physicians access to information regarding controlled substances, as a starting place to examine provider authentication. Ivan Handler noted that OHIT welcome the continued input of the Privacy & Security Work Group.

Audit Sub-Committee Update:

Ira Thompson stated there was nothing new to report.

Next Steps: The next meeting of the ILHIE Privacy & Security Work Group, was scheduled for July 26, 2011, at 2:00 pm.

Meeting Adjourned: 2:30 pm.