Veterans Health AdministrationHealthcare Information Governance

Emerging Health Technologies Advancement Center (EHTAC)Virtual Demonstrati ons – Security Brown Bag May 24 t h , 2012

Healthcare Classifi cati on System for Security and Privacy

May 24, 2012

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

Overview:Existing classification standards and methodologies exist in the U.S. for handling of SENSITIVE information.

Presentation focuses on how the use of a Healthcare Classification System could resolve some of the issues related to proposed ONC Standards and Interoperability Data Segmentation pilot projects.

Uses standards based vocabulary for defining clinical documents confidentiality, sensitivity, obligation, and refrain policy attribute values, to protect the underlying clinical content.

2

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

Objectives:Data Segmentation Demonstration and Pilot projects will exercise defined aspects of the Implementation Guide in a real-world setting. The real-world pilots evaluate not only the technology and standards, but also provide a test bed to evaluate the interaction of technology, implementation support, and operational infrastructure required to meet Data Segmentation Use case objectives at the stakeholder or organization levels.

Value Statement:The Data Segmentation for Privacy initiative enables the sharing of patient data in compliance with policy, regulation, and patient consent directives. Data Segmentation for privacy supports these policies which require the protection of certain types of personal health information (PHI). Data Segmentation also provides a platform for patient control over the use and disclosure of their health information. The goal is to build patient trust and participation in the health care system.

3

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

4

Document Set Generation

CliniciansRequestPatient Record

LocalAuthorizationDecision

ServicingOrganizationPolicyDecision

DocumentAssemblyAndTagging

Creationof SecuredInnerPolicy Wrapper

Creationof SecuredOuterPolicy Wrapper

Permit Permit

Deny

Creation ofCompositeDocument Set

Deny

PatientConsent

OrganizationalPolicy

PatientConsent

OrganizationalPolicy

Requesting Organization Servicing Organization

Layered Security Service

Classification System

Document SetDelivered toRequesting Organization

ClinicalKnowledge

Policy DecisionDetermining Inclusion

Organizational Policy Law

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

5

C32 – Document TypeCurrently Exchanged on NwHIN

HL7 Privacy and Security Policy Vocabulary

Common Vocabulary

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

6

Encrypted Clinical Payload

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

7

Viewing Document Contents

Primary AccessAuthorizationDecision

PatientConsent

OrganizationalPolicy

Request to View

Originating Service Organization

Outer Envelope Has No Knowledge Of Content

DeliveryofClinicalDocument

Secure Key Management and Exchange

(Per

mit/

Den

y)

AssertCredentialsAnd Purpose of Use

Eac

h do

cum

ent

may

be

hand

led

diffe

rent

ly

Authorization DecisionBased on Sensitivity andConfidentiality of Content

Payload is unencryptedAnd evaluated againstPolicy.

(Per

mit/

Den

y)

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

8

Questions ?

VETERANS HEALTH ADMINISTRATION

Healthcare Classification System for Security and Privacy

9

Envelope Policy ControlsOuter - Handling InformationInner - Document Type, Sensitivity, and Confidentiality

Backup SLIDE