Testimony by Gary Dickinson for March 19, 2001 NCVHS Subcommittee on Standards and Security Hearings

NCVHS Testimony - Gaps in Interchange Standards
Objective: Provider Enterprise-wide Infrastructure enabling HIPAA Privacy and Security

Submitted: 19 March 2001

By: Gary L. Dickinson
Manager, Health Care Standards
Per-Se Technologies, Inc.
268 W. Hospitality Lane, Suite 300
San Bernardino, California 92223

909-888-3282 Voice
909-888-4293 Fax

gary.dickinson@per-se.com

These comments focus on key provisions of the HIPAA privacy regulation (now final) and the HIPAA security regulation (as proposed).

While much has been made of the data interchange requirements related to HIPAA transactions and code sets, there has been relatively little focus on inter-application interchange requirements related to privacy and security. Although it may be conceivable to devise interchange/interface implementations on a one up, site by site, interface by interface basis, there is a far greater advantage in adopting industry standard specifications for these purposes.

This submittal focuses on the healthcare provider enterprise. It describes the need to devise and implement standards-based interchange solutions uniformly across all applications in the enterprise, enabling a common HIPAA privacy and security infrastructure, and ideally enabling a single point of administration. Following is an outline:

Section I, Page 2:

Characterizes a typical healthcare provider enterprise, including sources and points of access, data stores and interchange points for individually identifiable information.

Section 2, Pages 3-4:

Outlines key objectives for full implementation of HIPAA security and privacy provisions uniformly across the healthcare provider enterprise with a single point of administration.

Section 3, Pages 5-9:

Describes, in tabular form, interchange requirements to enable a common enterprise-wide infrastructure, fully engaging and uniformly implementing HIPAA privacy and security across all application systems in that enterprise. The table shows where interchange standards exist, where draft standards or implementation guides are in progress and/or where substantive gaps remain. (Gaps are noted with a "?".)

Key Interchange Requirements:

Master Registries:

Security Policy Domains
Application Functions
Health Record and its Subsets
Accountable Healthcare Parties, Agents and Roles

Authentication
Chain of Trust Audit Trails
Data State Audit Trails
Security Event Audit Trails
Sequestered Record Sets
Notice of Provider Privacy Policies
Consent for Routine Use
Authorization for Disclosure
Amendment Denial Recordkeeping

Section 1: The Typical Healthcare Provider Enterprise

Is comprised of:

Multiple sources and points of access of/for individually identifiable health information, including applications serving various functions, for example:
- Clinical, point of service/care applications;
- Automated devices: e.g., instruments, monitors;
- Hand-held personal access devices, fixed workstations;
- Department and function oriented applications;
- Electronic health record applications;
- Work flow applications;
- Decision support applications;
- Administrative and patient accounting applications;
- Data warehouses;
- Mediators: e.g., interface engines.
Multiple application data stores maintaining individually identifiable health information:
- The individual health record or some subset thereof;
Multiple points of interchange for individually identifiable health information:
- Between applications;
- Between applications and devices, workstations;
Network(s) interconnecting multiple applications, devices, workstations and interchanging individually identifiable health information:
- Intranet(s), spanning the enterprise;
- Extranet(s), connecting business associates;
- Public Internet.

Section 2: Key HIPAA Objectives for the Healthcare Provider

Uniform engagement of all application systems within the healthcare provider enterprise in a common privacy and security infrastructure and encompassing, for individually identifiable information:
- All sources, points of access
- All application data stores
- All points of interchange
Privacy, Confidentiality
- Of individually identifiable health information
- In designated record sets
Accountability, in terms of accountable parties:
- Organizations: e.g., providers, health plans
- Business units: e.g., department, services, specialties
- Individuals: e.g., practitioners, caregivers, system users
Accountability, in terms of accountable agents:
- Software: e.g., application software, interface engines
- Devices: e.g., instrument, monitors
Accountability, in terms of accountable actions:
- Healthcare services: e.g., provision, performance, completion
- Health records (containing individually identifiable information): origination (authorship), transcription, amendment, verification, translation, access/use, disclosure/transmittal, receipt, de-identification, archival, destruction
Auditability, Traceability
- Audit logs of accountable actions by accountable parties and agents
- Audit review tools
Authentication:
- User authentication: evidence of individual identity
- Data source/origin authentication: evidence of authorship, origination, amendment
- Data validation authentication: evidence of record/data verification, e.g.,
  - Of record/data content originated by another party
  - Of record/data content sourced by an automated device
- Data interchange authentication: evidence of record/data transmittal, receipt
Data Integrity
- Per HIPAA: persistence, non-alterability of data
- Per JCAHO: data accuracy, consistency, completeness
Chain of Trust: Trusted End-to-End Information Flow
- From Point of Record/Data Origination, Point of Service/Care
- To Point of Use or Disclosure, Point of Report, Point of Claims Submittal
HIPAA Infrastructure for the Healthcare Provider Enterprise
- Single Point of HIPAA Administration
  
  Configuration and control:
  - Master Registry of Security Policy Domains
  - Master Registry of Application Functions
  - Master Registry of the Health Record and Its Subsets
  - Master Registry of Accountable Healthcare Parties, Agents and Roles
  - Security Classifications for Application Functions (allowing access to individually identifiable health information)
  - Security Classifications for Health Records (containing individually identifiable health information)
  - Security Clearances for Healthcare Parties, Agents and Roles
- Single Point of HIPAA Inspection and Review
  - Audit Review :
    - Chain of trust audit events
    - Data state audit trail: initial and after each subsequent amendment
    - Security audit events
    - Message transmittal/receipt logs
  - Privacy Notice Distribution
  - Individual Consents for Use
  - Individual Authorizations for Disclosure
  - Individual Disclosure Logs
  - Individual Amendment Request Records
  - Individual Amendment Denial Records

Section 3: HIPAA Inter-Application Interchange Requirement(s) To Uniformly Enable Privacy and Security across the Healthcare Provider Enterprise	Interchange Standard, if any
Master Registry of Security Policy Domains Discrete domains within the health provider enterprise, each with a unique security policy Often coinciding with physical locations and/or business units: e.g., facilities, departments, services, specialties Interchange Req't, specific to each domain: Application functions Health record and its subsets Accountable health parties, agents and roles	? ? ?
Master Registry of Application Functions and the corresponding security classification(s) for each Registry of application functions involved in the origination, amendment, access/use/display, translation, disclosure, transmittal, receipt, de-identification, archival, destruction or other processing of individually identifiable health information Across the provider enterprise Including equivalent or comparable functions existing in two or more application domains Interchange Req't, specific to each application function: Security classification(s)	?
Master Registry of the Health Record and its Subsets and the corresponding security classification(s) for each Registry of the health record and its logical subsets (i.e., designated record sets), each containing individually identifiable health information Identifying each discrete data store within the provider enterprise Including legally sequestered subsets: e.g., psychotherapy notes, information from confidential sources, information pertaining to legal actions Interchange Req't, specific to the health record and its logical subsets: Security classifications	?
Master Registry of Accountable Healthcare Parties, Agents, Roles and the corresponding security clearance(s) for each Parties/roles accountable for the origination, amendment, use and disclosure of individually identifiable health information Parties/roles accountable for the provision, performance, completion of healthcare services Agents accountable for the origination, translation of individually identifiable health information Organizations: e.g., providers, health plans Business Units: e.g., departments, services, specialties Individuals: e.g., practitioners, caregivers, system users Roles: e.g., attending physician, consulting physician, resident, physicians assistant, pharmacist, nurse, unit secretary, therapist, student... Agents: e.g., application software, automated devices Interchange Req'ts Interchange of accountable Organization IDs and information Interchange of accountable Business Unit IDs and information Interchange of accountable Agent IDs and information Interchange of accountable Individual information Personal ID(s) Demographics Professional licenses, credentials Authorized role(s) Personal authentication details, digital certificates Clearances for application function access Clearances for information access, use Interchange of accountable Role information Role ID(s) Clearances for application function access Clearances for information access, use	? ? ? HL7 v2.4 HL7 v2.4 HL7 v2.4 ? ? ? ? ? ? ?
Authentication User authentication: evidence of individual identity Data source/origin authentication: evidence of authorship, origination, amendment Data validation authentication: evidence of record/data verification, e.g., Of record/data content originated by another party Of record/data content sourced by an automated device Data interchange authentication: evidence of record/data transmittal, receipt	? ? ? Multi-SDO Task Force, coord. by ANSI HISB
Chain of Trust - Trusted End-to-End Information Flow - Audit Trails Ensures auditability, traceability In terms of the flow of individually identifiable information From point of origination: e.g., point of service/care To point of use, point of disclosure, point of report, point of claim submittal Key points in the chain of trust=audit triggers Point of record/data origination Point of record/data amendment Point of record/data verification: e.g., Records or data sourced by another practitioner/user Records or data sourced by automated device Point of record/data translation: e.g., Language translation Translation from one code set or classification scheme to another Point of record/data access/use Point of record/data disclosure, transmittal Point of record/data receipt Point of record/data convergence: e.g., Aggregation, summarization, derivation Point of record de-identification Point of record archival Point of record destruction Interchange Req't : Chain of trust audit events	? (HL7 informative ballot pending)
Audit Trails for Data States Ensuring data integrity: persistence, permanence, non-alterability In terms of individually identifiable information 1) Initial record/data state: at point of record/'data origination 2-n) Subsequent record/data state(s): one for each amendment or translation of content Interchange Req't: Data state audit events	? (HL7 informative ballot pending)
Audit Trails for Security Events For example: Successful user signon Successful application function access Unsuccessful user signon, including attempts, retries User signoff: explicit or timeout Interchange Req't: Security audit events	? (HL7 informative ballot pending)
Sequestered Record Sets Including: Psychotherapy notes Information from confidential sources Information pertaining to legal actions Interchange Req't: Demarcation of record sets requiring special protection and/or sequestration	?
Notice of Provider Privacy Practices Pertaining to individually identifiable information Interchange Req't: Notation of patient's receipt of providers privacy notice	?
Consent for Routine Use Of individually identifiable information For treatment, payment, healthcare operations Interchange Req't: Notation of patient consent	?
Authorization for Disclosure Of individually identifiable information For purposes other than treatment, payment, healthcare operations For purposes other than legally permissible or required disclosures Authorization includes: Explicit description of information to be used or disclosed Purpose for each use or disclosure Name(s) or ID(s) of those authorized to make the requested use or disclosure Name(s) or ID(s) of those to whom the Covered Entity may make the requested use or disclosure Expiration date or expiration event, if any Interchange Req't: Patient authorization for disclosure	?
Amendment Denial Recordkeeping Includes detail: Individual's request for amendment Covered Entity's denial of amendment request Individual's statement of disagreement, if any Covered Entity's rebuttal, if any Interchange Req't: Recordkeeping detail associated with amendment request, attached to further disclosures of the designated record set which is subject of amendment request and denial	?

Section 3: HIPAA Inter-Application Interchange Requirement(s)

To Uniformly Enable Privacy and Security across the Healthcare Provider Enterprise

Interchange Standard, if any

Master Registry of Security Policy Domains

Discrete domains within the health provider enterprise, each with a unique security policy
Often coinciding with physical locations and/or business units: e.g., facilities, departments, services, specialties

Interchange Req't, specific to each domain:
Application functions
Health record and its subsets
Accountable health parties, agents and roles

?
?
?

Master Registry of Application Functions
and the corresponding security classification(s) for each

Registry of application functions involved in the origination, amendment, access/use/display, translation, disclosure, transmittal, receipt, de-identification, archival, destruction or other processing of individually identifiable health information
Across the provider enterprise
Including equivalent or comparable functions existing in two or more application domains

Interchange Req't, specific to each application function:
Security classification(s)

Master Registry of the Health Record and its Subsets
and the corresponding security classification(s) for each

Registry of the health record and its logical subsets (i.e., designated record sets), each containing individually identifiable health information
Identifying each discrete data store within the provider enterprise
Including legally sequestered subsets: e.g., psychotherapy notes, information from confidential sources, information pertaining to legal actions

Interchange Req't, specific to the health record and its logical subsets:

Security classifications

Master Registry of Accountable Healthcare Parties, Agents, Roles and the corresponding security clearance(s) for each

Parties/roles accountable for the origination, amendment, use and disclosure of individually identifiable health information
Parties/roles accountable for the provision, performance, completion of healthcare services
Agents accountable for the origination, translation of individually identifiable health information

Organizations: e.g., providers, health plans
Business Units: e.g., departments, services, specialties
Individuals: e.g., practitioners, caregivers, system users
Roles: e.g., attending physician, consulting physician, resident, physicians assistant, pharmacist, nurse, unit secretary, therapist, student...
Agents: e.g., application software, automated devices

Interchange Req'ts
Interchange of accountable Organization IDs and information
Interchange of accountable Business Unit IDs and information
Interchange of accountable Agent IDs and information

Interchange of accountable Individual information
Personal ID(s)
Demographics
Professional licenses, credentials
Authorized role(s)
Personal authentication details, digital certificates
Clearances for application function access
Clearances for information access, use

Interchange of accountable Role information
Role ID(s)
Clearances for application function access
Clearances for information access, use

?
?
?

HL7 v2.4
HL7 v2.4
HL7 v2.4
?
?
?
?

?
?
?

Authentication

User authentication: evidence of individual identity
Data source/origin authentication: evidence of authorship, origination, amendment
Data validation authentication: evidence of record/data verification, e.g.,
Of record/data content originated by another party
Of record/data content sourced by an automated device
Data interchange authentication: evidence of record/data transmittal, receipt

?
?

Multi-SDO Task Force, coord. by ANSI HISB

Chain of Trust - Trusted End-to-End Information Flow - Audit Trails

Ensures auditability, traceability
In terms of the flow of individually identifiable information
From point of origination: e.g., point of service/care
To point of use, point of disclosure, point of report, point of claim submittal

Key points in the chain of trust=audit triggers

Point of record/data origination
Point of record/data amendment
Point of record/data verification: e.g.,
Records or data sourced by another practitioner/user
Records or data sourced by automated device
Point of record/data translation: e.g.,
Language translation
Translation from one code set or classification scheme to another
Point of record/data access/use
Point of record/data disclosure, transmittal
Point of record/data receipt
Point of record/data convergence: e.g.,
Aggregation, summarization, derivation
Point of record de-identification
Point of record archival
Point of record destruction

Interchange Req't : Chain of trust audit events

?
(HL7 informative ballot pending)

Audit Trails for Data States

Ensuring data integrity: persistence, permanence, non-alterability
In terms of individually identifiable information

1) Initial record/data state: at point of record/'data origination
2-n) Subsequent record/data state(s): one for each amendment or translation of content

Interchange Req't: Data state audit events

?
(HL7 informative ballot pending)

Audit Trails for Security Events

For example:
Successful user signon
Successful application function access
Unsuccessful user signon, including attempts, retries
User signoff: explicit or timeout

Interchange Req't: Security audit events

?
(HL7 informative ballot pending)

Sequestered Record Sets

Including:

Psychotherapy notes
Information from confidential sources
Information pertaining to legal actions

Interchange Req't: Demarcation of record sets requiring special protection and/or sequestration

Notice of Provider Privacy Practices

Pertaining to individually identifiable information

Interchange Req't: Notation of patient's receipt of providers privacy notice

Consent for Routine Use

Of individually identifiable information
For treatment, payment, healthcare operations

Interchange Req't: Notation of patient consent

Authorization for Disclosure

Of individually identifiable information
For purposes other than treatment, payment, healthcare operations
For purposes other than legally permissible or required disclosures

Authorization includes:

Explicit description of information to be used or disclosed
Purpose for each use or disclosure
Name(s) or ID(s) of those authorized to make the requested use or disclosure
Name(s) or ID(s) of those to whom the Covered Entity may make the requested use or disclosure
Expiration date or expiration event, if any

Interchange Req't: Patient authorization for disclosure

Amendment Denial Recordkeeping

Includes detail:

Individual's request for amendment
Covered Entity's denial of amendment request
Individual's statement of disagreement, if any
Covered Entity's rebuttal, if any

Interchange Req't: Recordkeeping detail associated with amendment request, attached to further disclosures of the designated record set which is subject of amendment request and denial