
Difference between revisions of "July 25, 2017 Security Conference Call"

Line 62: Line 62:
 
*NCVHS Publications of Interest
 
*NCVHS Publications of Interest
 
**[https://www.ncvhs.hhs.gov/wp-content/uploads/2017/03/Framework-White-Paper-v9-2017-03-21.pdf NCVHS Health Data Framework The NCVHS Health Data Framework The NCVHS Health Data Frameworkv11-91-2016] NCVHS drafted two resources, a Data Structure and Methods Taxonomy to seed development of the Health Data Framework. These drafts offer a systematic approach to thinking, talking, and acting with respect to data. These resources also propose metadata to tag datasets to support re-use.
 
**[https://www.ncvhs.hhs.gov/wp-content/uploads/2017/03/Framework-White-Paper-v9-2017-03-21.pdf NCVHS Health Data Framework The NCVHS Health Data Framework The NCVHS Health Data Frameworkv11-91-2016] NCVHS drafted two resources, a Data Structure and Methods Taxonomy to seed development of the Health Data Framework. These drafts offer a systematic approach to thinking, talking, and acting with respect to data. These resources also propose metadata to tag datasets to support re-use.
**[https://www.ncvhs.hhs.gov/wp-content/uploads/2013/12/2016-Ltr-Privacy-Minimum-Necessary-formatted-on-ltrhead-Nov-9-FINAL-w-sig.pdf NCVHS Recommendation on the HIPAA Minimum Necessary Standard 3-21-2017]]
+
**[https://www.ncvhs.hhs.gov/wp-content/uploads/2013/12/2016-Ltr-Privacy-Minimum-Necessary-formatted-on-ltrhead-Nov-9-FINAL-w-sig.pdf NCVHS Recommendation on the HIPAA Minimum Necessary Standard 3-21-2017]
**
+
**The Committee’s overarching recommendation is that HHS should update its guidance on the minimum necessary standard to incorporate changes to HIPAA introduced by legislation since the Privacy Rule became effective, and to address known barriers to effective implementation. To that end, the Committee offers ten recommendations. The first six address substantive issues with the minimum necessary standard or implementation specifications that should be addressed in updated guidance. These are: Recommendation 1: HHS should clarify the independent obligations of business associates to comply with the minimum necessary standard and should develop specific guidance and instruction for business associates in this regard. HHS should also develop guidance for covered entities on oversight of business associate compliance with minimum necessary obligations. Recommendation 2: HHS should clarify the breach notification requirements pertaining to violations of the minimum necessary standard. HHS’ guidance should define the circumstances under which a breach of the minimum necessary standard occurs, at what level reporting is mandatory, and what types of enforcement may be expected for different violations. Recommendation 3: HHS should clarify the elements of an adequate “specific justification” that is required to use, disclose, or request a patient’s entire medical record. For example, HHS should illustrate with specific examples, use cases, or analytic methodologies circumstances that may legitimately warrant the use or disclosure of entire medical records and the justification that would be adequate to support each. The guidance also could recommend any special assurances about privacy and data security that covered entities should seek before supplying data for such uses. 
Recommendation 4: HHS should require covered entities and business associates to adopt a list of criteria they will consider, a procedure for evaluating a request in accordance with the criteria, and a governance structure that provides oversight of the minimum necessary determination process. Recommendation 5: The Committee recommends that HHS make no change to the current exception to the minimum necessary standard for treatment. Recommendation 6: In developing new Minimum Necessary guidance(s), HHS should specifically address the application of the minimum necessary standard to HIPAA named transaction standards for administrative functions pertaining to payment and operations. In particular, HHS’s guidance should address the applicability of the minimum necessary standard to new transactions, such as those involving attachments, and data exchanges involved in fulfilling alternative payment models.
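Review bot: in the added `**The Committee’s overarching recommendation…` item, the text breaks onto a new line before "Recommendation 4", and a MediaWiki list item ends at the line break, so Recommendations 4 to 6 fall outside the bullet. Suggest keeping the introductory sentences in the `**` item and putting each of the six recommendations on its own `***` line, which keeps them in the list and makes them easier to scan. The unchanged context line above also still repeats the link label "NCVHS Health Data Framework" three times and could be cleaned up in the same edit.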

Revision as of 04:01, 21 July 2017

Back to Security Main Page

Attendees

x | Member Name | x | Member Name | x | Member Name | x | Member Name
. | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair
x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Mohammed Jafari
x | Glen Marshall, SRS | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn
x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney
. | Duane DeCouteau | . | Chris Clark | . | Johnathan Coleman | . | Aaron Seib
. | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | x | Dave Silver
x | Rick Grow | . | William Kinsley | . | Paul Knapp | x | Mayada Abdulmannan
. | Kamalini Vaidya | . | Bill Kleinebecker | x | Christopher Shawn | . | Grahame Grieve
. | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes July 18, 2017
  3. (15 min)

News and Review Material

Discussion about "Diagnosing and Treating Legal Ailments of the Electronic Health Record: Toward an Efficient and Trustworthy Process for Information Discovery and Release"; potential for renewing EHR/Security work on Lifecycle Vocabulary with Reed Gelzer moved to August 1st call.

  • NCVHS Publications of Interest
    • NCVHS Health Data Framework v11-91-2016: NCVHS drafted two resources, a Data Structure and Methods Taxonomy to seed development of the Health Data Framework. These drafts offer a systematic approach to thinking, talking, and acting with respect to data. These resources also propose metadata to tag datasets to support re-use.
    • NCVHS Recommendation on the HIPAA Minimum Necessary Standard 3-21-2017
    • The Committee’s overarching recommendation is that HHS should update its guidance on the minimum necessary standard to incorporate changes to HIPAA introduced by legislation since the Privacy Rule became effective, and to address known barriers to effective implementation. To that end, the Committee offers ten recommendations. The first six address substantive issues with the minimum necessary standard or implementation specifications that should be addressed in updated guidance. These are:
      • Recommendation 1: HHS should clarify the independent obligations of business associates to comply with the minimum necessary standard and should develop specific guidance and instruction for business associates in this regard. HHS should also develop guidance for covered entities on oversight of business associate compliance with minimum necessary obligations.
      • Recommendation 2: HHS should clarify the breach notification requirements pertaining to violations of the minimum necessary standard. HHS’ guidance should define the circumstances under which a breach of the minimum necessary standard occurs, at what level reporting is mandatory, and what types of enforcement may be expected for different violations.
      • Recommendation 3: HHS should clarify the elements of an adequate “specific justification” that is required to use, disclose, or request a patient’s entire medical record. For example, HHS should illustrate with specific examples, use cases, or analytic methodologies circumstances that may legitimately warrant the use or disclosure of entire medical records and the justification that would be adequate to support each. The guidance also could recommend any special assurances about privacy and data security that covered entities should seek before supplying data for such uses.
      • Recommendation 4: HHS should require covered entities and business associates to adopt a list of criteria they will consider, a procedure for evaluating a request in accordance with the criteria, and a governance structure that provides oversight of the minimum necessary determination process.
      • Recommendation 5: The Committee recommends that HHS make no change to the current exception to the minimum necessary standard for treatment.
      • Recommendation 6: In developing new Minimum Necessary guidance(s), HHS should specifically address the application of the minimum necessary standard to HIPAA named transaction standards for administrative functions pertaining to payment and operations. In particular, HHS’s guidance should address the applicability of the minimum necessary standard to new transactions, such as those involving attachments, and data exchanges involved in fulfilling alternative payment models.