December 21, 2007 Secretary U.S. Department Of Health And Human .

1y ago
7 Views
2 Downloads
793.01 KB
71 Pages
Last View : 1m ago
Last Download : 3m ago
Upload by : Farrah Jaffe
Transcription

December 21, 2007Honorable Michael O. LeavittSecretaryU.S. Department of Health and Human Services200 Independence Ave., S.W.Washington, D.C. 20201Dear Secretary Leavitt:I am pleased to present you with a report of the National Committee on Vital andHealth Statistics recommending actions for “Enhanced Protections for Uses of HealthData: A Stewardship Framework for ‘Secondary Uses’ of Electronically Collected andTransmitted Health Data.”1 This report and its recommendations were developed inresponse to a request from the Office of the National Coordinator on Health InformationTechnology to address the benefits, sensitivities, obligations, and protections of uses ofhealth data for quality measurement, reporting, and improvement; research; and otherpurposes that benefit the health of all Americans and the health care delivery system ofthe Nation.Over the course of the last seven months, NCVHS heard testimony anddeliberated about practical ways to ensure that benefits from more clinically richinformation, available electronically and shared through health information exchanges,are accompanied by appropriate data stewardship for individuals’ health data. Itreceived comments from representatives of provider organizations, professionalassociations, accrediting organizations, consumer representatives, health plans, qualityimprovement organizations, health information exchanges, data aggregators, researchand public health communities, and individual citizens.Today, the health industry relies upon the HIPAA construct of covered entitiesand business associates to protect health data. The recommendations in this report callfor a transformation to enhanced protections for all uses of health data by all users,independent of HIPAA covered entity status. NCVHS proposes that all organizationsand individuals with access to personal health data follow attributes of appropriate datastewardship. The American Medical Informatics Association defines health datastewardship as encompassing the responsibilities and accountabilities associated withmanaging, collecting, viewing, storing, sharing, disclosing, or otherwise making use ofpersonal health information. NCVHS recommendations describe the attributes of1NCVHS observes that “secondary use” of health data is an ill-defined term and urgesabandoning it in favor of precise description for each use of health data.

Page 2 – The Honorable Michael Leavittappropriate health data stewardship as including, but not limited to: accountability andchain of trust, transparency, individual participation, de-identification, securitysafeguards and controls, data quality and integrity, and oversight of data uses.The recommendations that are made in this report were guided by the goal ofenabling improvements in health and health care, while balancing other needs includingthe need to: maintain or strengthen individual’s health information privacy while enablingimprovements in health and health care, facilitate uses of electronic health information,increase the clarity and uniform understanding of laws and regulations pertaining toprivacy and security of health information, build upon existing legislation and regulationswhenever possible, and not result in undue administrative burden.In our deliberations, we identified several areas that require further analysis. Onearea is the process of de-identifying health data. There are many interpretations of whatde-identification means. We also heard concerns about the ability to re-identify data,even while applying the HIPAA definition of de-identification. A second area relates touses, and particularly the sale, of health data that are de-identified and therefore outsideof the protections of HIPAA. A third area relates to the potential overlaps betweenquality and research, and where enhanced oversight may be useful. NCVHS will befurther investigating and making subsequent recommendations in these areas. Finallythere are a number of approaches to enhancing protections for health data uses withina NHIN that may be most appropriately evaluated in the trial implementations and otherfederally-sponsored demonstrations. NCVHS would be pleased to assist in suchevaluations.We appreciate your consideration of this report. If you or your staff would like abriefing on the recommendations, please let me know. We are committed to seeingbenefits from uses of health data that can be achieved through health informationtechnology while ensuring the protection of individuals’ privacy.Sincerely,/s/Simon P. Cohn, M.D., M.P.H., ChairmanNational Committee on Vital and HealthStatisticsAttachmentcc: DHHS Data Council

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSReport to the Secretaryof the U.S. Department of Health and Human ServicesonEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected andTransmitted Health DataDecember 19, 2007

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health DataTable of ContentsTable of Contents . 2Executive Summary . 4Introduction . 11Purpose and Scope . 11Terminology . 11“Secondary Uses” of Health Data. 11Terms Describing Health Data . 12Organization of Report. 13Report Background . 13NCVHS Coverage of Topic. 13NCVHS Process . 14Testimony and Comment . 14Major Themes from Testimony about Uses of Health Data. 15Benefits from Uses of Health Data Enabled by Health Information Technology (HIT)and Health Information Exchange (HIE) . 15Potential for Harm from Uses of Health Data Enabled by HIT and HIE . 16HIPAA Privacy and Security Rules . 17Variation in State Laws . 17HIPAA Covered Entities and Business Associates . 18De-Identification . 18Organizations and Information Not Protected by HIPAA. 18Importance of Data Stewardship . 19Specific Uses of Health Data . 20Uses of Health Data for Treatment, Payment, and Healthcare Operations. 20Uses of Health Data for Quality Measurement, Reporting, and Improvement. 21Uses of Health Data in Research . 22Uses of Health Data for Public Health. 23Uses of Health Data in Exchange for Money or Other Financial Benefit . 24Guiding Principles for Making Recommendations on Enhanced Protections for Uses ofHealth Data . 26Observations and Recommendations . 261. Observations and Recommendations for Data Stewardship on Accountability andChain of Trust within HIPAA . 272. Observations and Recommendations for Data Stewardship on Transparency. 313. Observations and Recommendations for Data Stewardship on IndividualParticipation and Control over Personal Health Data Held by Organizations NotCovered by HIPAA Privacy and Security Rules. 344. Observations and Recommendations for Data Stewardship on De-Identification. 365. Observations and Recommendations for Data Stewardship on Security Safeguardsand Controls . 376. Observations and Recommendations for Data Stewardship on Data Quality andIntegrity. 382

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health Data7. Observations and Recommendations for Data Stewardship on Oversight forSpecific Uses of Health Data . 398. Observations and Recommendations on Transitioning to a NHIN. 449. Observations and Recommendations on Additional Privacy Protections. 46Appendix A: NCVHS Members . 48Appendix B: Testifiers and Commenters on Uses of Health Data . 51Appendix C: Glossary of Terms . 55Appendix D: Data Stewardship Conceptual Framework for Health Data Uses . 66Appendix E: Abbreviations Used in this Report. 673

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health DataExecutive SummaryA transformation in health and health care is being enabled by health informationtechnology (HIT). Clinically rich information is now more readily available, in a morestructured format, and able to be electronically exchanged throughout the health andhealthcare continuum. As a result, the information can be better used for qualityimprovement, public health, and research, and can significantly contribute toimprovements in health and health care for individuals and populations. As thetransformation to health information exchange (HIE) and a nationwide healthinformation network (NHIN) occurs, there is an obligation to assure appropriate datastewardship1 over the uses of individuals’ health data.The National Committee on Vital and Health Statistics (NCVHS) was asked by theOffice of the National Coordinator for Health Information Technology (ONC) to developa conceptual and policy framework to balance the benefits, sensitivities, obligations, andprotections of what has typically been referred to as “secondary uses” of health data,including for quality and research uses. (NCVHS observes that “secondary use” ofhealth data is an ill-defined term and urges abandoning it in favor of precise descriptionfor each use of health data).In this Report, NCVHS summarizes the testimony it heard between June throughOctober 2007, drawing observations about the benefits and concerns surrounding usesof health data. The NCVHS proposes recommendations intended to provide a durableframework, for all uses of health data by all users, irrespective of whether the data isprotected health information collected and used by a HIPAA covered entity or businessassociate, or personal health information collected and used by an organization that isnot a HIPAA covered entity. This framework is intended to anticipate and address datastewardship needs in the transition to HIE, a NHIN, and beyond.Major Themes from TestimonyNCVHS heard a wide range of testimony on several major themes concerning uses ofhealth data, including both benefits and potential for harms: There is optimism for the growing number of benefits that can be achievedthrough uses of health data enabled by HIT and HIE. At the point of care, HITenhances access to information and affords patient safety alerts and healthmaintenance reminders. Across the continuum of care, HIE enables readilyaccessible information needed in an emergency, and more complete informationfor coordination of care among providers. For quality measurement, reporting,and improvement, automated and structured data collection affords the1The American Medical Informatics Association defines data stewardship as encompassing “theresponsibilities and accountabilities associated with managing, collecting, viewing, storing, sharing,disclosing, or otherwise making use of personal health information.”4

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health Dataopportunity for efficient access to more comprehensive data and potentialidentification of new opportunities for improvement in care delivery. Clinical andpopulation research and disease prevention and control are aided by access tomore complete and timely data. There is potential for harms that may arise from uses of health data enabled byHIT and HIE. Erosion of trust in the healthcare system may occur when there isa divergence between what the individual reasonably expects health data to beused for and uses made for other purposes without the knowledge andpermission of the individual. Compromises to health care may result whenindividuals fail to seek treatment or choose to withhold information that couldimpact decisions about their care because either they do not understand or donot trust how their data might be used or their identity protected. Risk fordiscrimination, personal embarrassment, and group-based harm may beamplified as there is greater ability to compile longitudinal data, re-identify datathat have been de-identified, and share data through HIE.Additional themes address the nature of enhanced protections needed, includingattention to HIPAA Privacy and Security Rules, importance of data stewardship, and theneed to address issues in specific uses of health data – including for treatment,payment, and healthcare operations; for quality measurement, reporting, andimprovement; in research; for public health; and involving monetary exchange: Some commenters indicated that HIPAA provides adequate protections and mayneed only targeted administrative changes to address gaps or lack of clarity.Others observed that the relationship of business associates and their agents tocovered entities needs strengthening to ensure that the chain of trust createdthrough business associate contracts is assured and enables covered entities toprovide transparency about uses of protected health information. There wereconcerns expressed about uses of de-identified data in general, and in particularthe increasing ability to potentially re-identify data in merged databases. Therewere also cautions expressed about adding potentially burdensome and costlyprocesses to HIPAA that may yield counterproductive results. A number of commenters described the importance of data stewardship for alluses of health data. A wide range of comments were heard. Some observed thatcurrent regulations may not fully address the expanding interest of consumers intheir health data. They also observed that regulations may not fully address thepotential harms that may arise from expanded uses of HIT and HIE. There werealso segments of the general public that believed individuals have the only rolein data stewardship, calling for individual permission for all uses of health data. With respect to specific uses of health data, the following issues were raised:5

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health Datao For treatment, payment, and healthcare operations as defined under theHIPAA Privacy Rule, commenters raised the issue that the area of“healthcare operations” was broad in scope and not well-understood. It wasnoted that trust may factor more heavily than laws and regulations withrespect to individuals and their privacy concerns as uses of data movedfurther away from the nexus of care.o For quality measurement, reporting, and improvement activities, the questionwas raised as to whether the HIPAA definition of healthcare operationsapplies. Reviewing this definition and considering testimony, NCVHSbelieves that current quality activities remain within the HIPAA definition ofhealthcare operations and that enhancing transparency and applying internaloversight may allay any concerns.o For research, it was observed that there were variations among federalagency regulations that would benefit from harmonization. There was alsoconcern expressed that as quality activities are becoming moresophisticated, some may be evolving into research, potentially without theprotections afforded by research on human subject regulations. The need todistinguish between quality and research and to appropriately shepherdquality into research was described.o Use of health data involving monetary exchange was identified as anincreasing concern. While there are instances where monetary exchange forhealth data is appropriate, there are uses that may result in harm, such aswhen individuals may not anticipate a use and as a result reduce their trustin their providers, or when there is undue influence over healthcaredecisions as a result of a use, or when protected health information is notproperly de-identified and is used to target marketing to individuals.Guiding PrinciplesNCVHS develops guiding principles to ensure its recommendations are consistent withthe testimony heard and its task. NCVHS developed the following guiding principles toevaluate each recommendation for enhanced protections for uses of health data in lightof new technologies. NCVHS recommendations for protections will:1. maintain or strengthen individual’s health information privacy2. enable improvements in the health of Americans and the healthcare deliverysystem of the Nation3. facilitate uses of electronic health information4. increase the clarity and uniform understanding of laws and regulations pertainingto privacy and security of health information6

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health Data5. build upon existing legislation and regulations whenever possible6. not result in undue administrative burdenRecommendationsIn making its recommendations, NCVHS observes that currently, the healthindustry relies upon the HIPAA construct of covered entities and businessassociates to protect health data. Its recommendations call for a transformation,in which the focus is on appropriate data stewardship for all uses of health databy all users, independent of whether an organization is covered under HIPAA.NCVHS considers the attributes of data stewardship as including, but are notlimited to: accountability and chain of trust, transparency, individualparticipation, de-identification of health data, security safeguards and controls,data quality and integrity measures, and oversight of data uses. Therecommendations also recognize the circumstances under which datastewardship may apply and where there may need to be further analysis andother actions:1. Recommendations for Data Stewardship on Accountability and Chain ofTrust within HIPAA:a. Covered entities should be specific in their business associate contractsabout (i) what identifiable health data may be used and for what purpose, byboth the business associate and its agents, (ii) what HIPAA-de-identifieddata may be used and to whom they are supplied, (iii) requiring businessassociates to have contracts with their agents that are equivalent tobusiness associate contracts, and (iv) using the HIPAA definition for any deidentification of protected health information.b. Covered entities should confirm compliance by business associates with theterms of the business associate contract.c. HHS should provide guidance that any organization providing datatransmission of protected health information and that requires access on aroutine basis to the protected health information, such as an HIE or eprescribing gateway, is a business associate.2. Recommendations for Data Stewardship on Transparency. HHS should:a. Issue guidance to ensure that individuals have the opportunity to beinformed about all potential uses of their health data (i) through educationand clarity in the notice of privacy practices and other HIPAA administrativeforms and required documentation and (ii) making information availableabout the specific uses and users of protected health information, includingdisclosures to public health, when requested.b. Develop and maintain a multi-faceted national education initiative that wouldenhance transparency regarding uses and of health data in anunderstandable and culturally sensitive manner.7

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health Data3. Recommendations for Data Stewardship on Individual Participation andControl over Personal Health Information Held by Organizations NotCovered by HIPAA Privacy and Security Rules. HHS should:a. Urge the Federal Trade Commission (FTC) to utilize its full authority withrespect to organizations that are not covered entities or business associatesunder HIPAA but that collect personal health information to ensure that (i)privacy policies on web sites collecting personal health information fullyinform users of the uses that will be made of their personal healthinformation and (ii) the organizations do not engage in misleadingadvertising or other deceptive trade practices.b. Assure that an authorization from the individual is obtained for collection,use, and disclosure of personal health information held by any organizationnot covered by HIPAA.4. Recommendations for Data Stewardship on De-identification:a. HHS should issue guidance to covered entities that the HIPAA definition ofde-identification (by statistical method or complete safe harbor definition) isthe only permitted means to de-identify protected health information.b. NCVHS believes there are significant concerns surrounding uses of deidentified data that warrant more thorough analysis. NCVHS will conducthearings to make subsequent recommendations.5. Recommendations for Data Stewardship on Security Safeguards andControls: HHS should issue guidance to covered entities to promote uses oftechnical security measures to reduce unauthorized access, and to ensure thattheir business associates and agents are fully compliant with the HIPAA SecurityRule authorization, access, authentication, and audit control requirements. Thisshould also be directed to organizations that are not covered entities thatmaintain and/or transmit personal health information.6. Recommendations for Data Stewardship on Data Quality and Integrity: HHSdata stewardship guidance should address the precision, accuracy, reliability,completeness, and meaning of data used for quality measurement, reporting,and improvement as well as other uses of health data.7. Recommendations for Data Stewardship on Oversight for Specific Uses ofHealth Data:a. Quality measurement, reporting, and improvement remain within the scopeof healthcare operations when conducted by covered entities, their businessassociates and their agents; across covered entities within an organizedhealth care arrangement; and when under the accountability and datastewardship principles inherent in HIPAA. These uses may benefit from avoluntary, proactive oversight process accountable to senior managementand governance of the institution to ensure there is compliance with HIPAA.8

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health Datab. HHS should promote harmonization of research regulations within HHS andwith other Departments that oversee regulations on human researchprotections to ensure consistent privacy and human subject protection for allresearch efforts.c. HHS should encourage the Office for Human Research Protections (OHRP)in compiling its clarifying work on the research definition to continue to workcollaboratively with the Office for Civil Rights (OCR) and to leverage thetools starting to be used in the industry to aid in distinguishing howrequirements apply to uses of health data for quality and research,especially as questions relating to distinctions between research and qualityuses of health data under the HIPAA healthcare operations definition arise.HHS should also encourage OHRP to widely disseminate its clarifying work,including beyond the research community.d. HHS should foster the collaborative efforts between OHRP and OCR toidentify approaches to ensure that when a quality study becomesgeneralizable and evolves into research, that HIPAA Privacy and IRBrequirements are respected.e. Certain areas require further investigation, such as research based solely ondata from electronic health records, decedent research, and potential valuefor common oversight for quality and research within an organization.NCVHS will take the lead in working with OHRP and other federal agenciesto further study these areas and make recommendations as appropriate.8. Recommendations on Transitioning to a NHIN: NCVHS observes that at thistime, a definition of a NHIN and how it will be used has not reached sufficientmaturity to dictate how individual choice over uses of health data within a NHINshould or could be exercised. As a result, NCVHS recommends that trialimplementations and other federally-sponsored demonstrations should includeevaluation of: (i) the impact of applying good data stewardship, (ii) ways tomanage individuals’ authorizations, (iii) new methods or techniques to de-identifyhealth data, (iv) chain of trust mechanisms between covered entities andbusiness associates and their agents, (v) educational modalities to reach theirtarget audiences, and (vi) appropriate safeguards needed to ensure that there isno unintended harm to individuals as de-identified data may be sold to supportthe possible business models of a NHIN.9. Recommendations on Additional Privacy Protections – NCVHS haspreviously made several sets of recommendations setting the broad context forprivacy improvement, including that privacy rules should apply to all individualsand organizations that create, compile, store, transmit, or use personal healthinformation. States are already beginning to enact laws intended to broadenprotections. HHS should:a. Work with other federal agencies and Congress for more inclusive federalprivacy legislation; and in the absence of comprehensive privacy legislation,HHS should address the need for more limited legislation that expands the9

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health Datadefinition of covered entity under HIPAA, at a minimum to organizationssuch as vendors of personal health records systems that are not coveredentities or business associates.b. Work with other federal agencies and Congress for legislative or regulatorymeasures designed to eliminate or reduce as much as possible the potentialdiscriminatory effects of misuse of health data.c. Support the work of the Health Information Security and PrivacyCollaboration (HISPC) that would guide harmonization among state lawswhere applicable and pinpoint where states have made explicit differences.HHS should support a state law mapping repository that clarifies wherestates differ and which aspects of state laws are more stringent than HIPAA.10

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICSEnhanced Protections for Uses of Health Data:A Stewardship Framework for “Secondary Uses” of Electronically Collected and Transmitted Health DataIntroductionPurpose and ScopeA transformation in health and health care is being enabled by health informationtechnology (HIT). Clinically rich information is now more readily available, in a morestructured format, and able to be electronically exchanged throughout the health andhealthcare continuum. As a result, the information can be better used for qualityimprovement, public health, and research, and can significantly contribute toimprovements in health and health care for individuals and populations. As thetransformation to HIE and a NHIN occurs, there is an obligation to assure appropriatedata stewardship over the uses of

associations, accrediting organizations, consumer representatives, health plans, quality improvement organizations, health information exchanges, data aggregators, research and public health communities, and individual citizens. . Benefits from Uses of Health Data Enabled by Health Information Technology (HIT) and Health Information Exchange .

Related Documents:

December 2014 Monday December 1. Tuesday December 2. Wednesday December 3. Thursday December 4. Friday December 5. Saturday December 6. Sunday December 7. Monday December 8. Tuesday December 9 - Fall Semester Ends. Wednesday December 10- Reading Day. Thursday December 11- Final Examinatio

Mary Wolf—December 14 —December 6 Youth Birthdays Adelaide Bass—December 30 Addy Chytka—December 21 Nyabuay Diew—December 17 Quinn Feenstra—December 8 Blaine Fischer—December 21 Liam Fischer—December 22 Danielle Krontz—December 10 Hunter Lake—December 22 Hailey Lieber—December 15

2003-2006 Lincoln LS FORD: 2006 Zephyr 2001-2007 Crown Victoria 2007 MKZ 2002-2007 Taurus 2003-2005 Aviator 2004-2007 Focus 2003-2007 Navigator 2005-2007 Five Hundred, Freestyle, Mustang 2006-2007 Mark LT 2006-2007 Fusion 2001-2003 Explorer Sport MERCURY: 2001-2007 Explorer Sport Trac 2001-2007

Winter Break Begins/No Classes December 20 December 16 December 17 December 16 College Closed December 21 December 17 December 18 December 17 SPRING SEMESTER Spring Semester Begins : January 7, 2020 . January 5, 2021 : January 4, 2022 . January 4, 2023 : Martin Luther King Day/College Closed January 20 January 18 January 17 January 16

State Dept. Fees Misc. Travel Expenses Secretary 1/31/2017 2/1/2017 Border Security engagements; . Secretary 5/23/2017 5/24/2017 Employee engagement tour and CBP Leadership Conference New Orleans, Louisiana 654 Commercial air 273 Secretary

Assistants to the Secretary of Defense and/or Deputy Secretary of Defense, when specifically designated for such precedence level; Executive Secretary of the Department of Defense (see note 6) Defense Advisor U.S. Mission NATO, Secretary of Defense Representative to Europe CODE 4 Directors of Defense Agencies (see note 10)

As a club secretary, you have a special icon in your menu bar to access the Secretary Dashboard. This page displays club and meeting information, announcements and links to the club secretary's most commonly used resources. Member Admin: Use this tab on the Secretary Dashboard to access and update your club roster. Annual Report:

14 Principal Secretary Education- Primary & Higher Secondary, MS Building, Gate-2 979901 15 Principal Secretary Finance-AMS 01,Vidhana Soudha 999902 16 Principal Secretary Forest Ecology & Environment, MS Building, Gate-2 979906 17 Principal Secretary Food & Civil Supplies, Vikasa Soudha 989904 18 Principal Secretary Home, Vidhana Soudha 999910