NIST’s Privacy Framework: Step-by-Step Instructions for Building a Privacy Program

About the NIST Privacy Risk Management Framework. NIST released the Privacy Risk Management Framework: an Enterprise Tool, v.1 on January 16, 2020. Aperture Law Group's Founder Jill DeGraff participated in early NIST workshops and began using preliminary drafts of the Framework with clients in May 2019. The Framework establishes a step-wise sequence of activities that is oriented around five core functions: Identify, Govern, Control, Communicate and Protect. Within each of these core functions, the Framework describes specific tasks and workstreams (activities and sub-activities, respectively). For example, an activity for the "Identify" function is to perform an inventory and mapping of all systems, products and services involved in data processing. Sub-activities include: producing an inventory of all systems, products and services that process data; and producing an inventory of all owners/operators of these systems, products and services, and their respective roles in data processing. An organization that documents the activities described in the Framework can produce a deliverable Privacy Risk Management Plan. The Plan accomplishes three important steps for any company that wants to be "privacy forward". First, it documents factual predicates for establishing an organization's unique system of privacy controls. Second, it includes a narrative description of these privacy controls. …

Proposed Interoperability Rules Receive Unreserved Endorsement from Past Policymakers

Health Affairs published a blog post yesterday, penned by each of the former National Coordinators for Health IT. They offer unanimous and unreserved bipartisan support for the ONC and CMS' proposed health IT interoperability rules. Their unified show of support delivers a significant counterweight to comments made by influential industry groups, which recommend a longer window to implement the rules or completely different approaches. Here is a highlight of the comments made by the former health IT policy leaders: Rapid advancement of APIs enabled by data standards is critical. Open APIs have been safely and effectively deployed in other industries, including financial services, energy and retail consumer services. HL7 FHIR is an appropriate foundational standard for open APIs in healthcare. Efforts to further advance this standard are critical. Regulators did well to include clinical notes and their provenance as data elements in the U.S. Core Data for Interoperability, so that they can be included in the first set of required open API standards. Real world testing of open APIs will be a critical implementation step for the safe and effective adoption of open APIs in healthcare. Expansion of the interoperability and API framework to health plans is game-changing. Including health plans…

I submitted a comment to the Office of the National Coordinator for Health IT today.   Below is the text. Dear Dr. Rucker, I appreciate the opportunity to comment on the proposed rules for data interoperability, information blocking and the ONC’s health IT certification program. I counsel HIPAA covered entities and vendors of healthcare technologies on privacy, data security and contracts.  This vantage point gives me a point of view about consumer privacy and data portability.  I would like to offer my comments on the information blocking rule, particularly in regard to the "promoting privacy" exception and, more broadly, the policies that give effect to the individual right of access under HIPAA. The HIPAA Privacy Rule and Data Portability Between Covered Entities The HIPAA Privacy Rule includes detailed specifications that govern the permissible disclosure of PHI between covered entities, but it does not affirmatively require these disclosures to be made.  This is a critical juncture where data portability gets stuck.  The information blocking rule fills a critical gap in the HIPAA Privacy Rule, by inducing health care providers and their respective supply chains to facilitate data portability with other HIPAA covered entities, or else face negative consequences under the enforcement authorities…

Privacy Panel for ACT-IAC’s Healthcare Cybersecurity and Privacy Forum

I participated in a privacy panel on April 23, 2019 during ACT-IAC's Health Security, Privacy and Practice Forum. Special thanks to moderator Eric Larson, co-panelists Jamie Danker and LaShaunne Graves and all who contributed their comments and questions during the Q&A. Some key takeaways:

1. All panelists agree on the importance of "baking" privacy into system design and applications. We need to move beyond static programs that rely primarily upon policies and training to active systems of monitoring and accountability.
2. Jamie noted that cybersecurity tends to be better resourced in federal agencies than privacy, which puts consumer privacy interests at risk.
3. Government agencies can improve trust by not only disclosing all the ways that personally identifiable information may be used and disclosed, but reinforcing their privacy commitments in demonstrable ways within information flows.
4. Privacy issues are rising in federal health agencies because of rising demand to adopt modern technologies and use data in new ways to advance public welfare interests. As a result, settled practices for balancing personal and public welfare interests need to be reexamined.
5. Protecting privacy needs to be at the forefront of federal agency missions.

The ONC Doesn’t Address Financing for Data Interoperability. It Needs To.

In the dot.com era, I worked for a technology company that helped online retailers securely process credit card payments.  We provided a toolkit for web developers, so their sites could accept standardized card information from consumers.  After authorizing them to our servers, we exchanged payment transactions on the backend with the payment card industry's established payment processing infrastructure.  The network charged a nominal transaction fee; we added a small transaction fee on top of that; and online merchants paid this fee from proceeds for the goods and services they sold to consumers. These steps were essential for paving the last virtual mile between consumers and retailers.  In healthcare, data interoperability isn't limited to paving the virtual last mile because the standards for data interoperability's infrastructure are still being codified.  Setting these standards, and creating guardrails to protect public and private investments in the nation's health IT infrastructure, are the point of the Cures Act's provisions for modernizing health information technology.  The ONC's recently proposed rules on data interoperability and its health IT certification program would set these standards and guardrails for the immediate time, informed by industry engagement and consensus around the technical components of data interoperability.  Alongside these standards…

Co-Production: Reframing Innovation in Healthcare

One of the panelists today at ACT-IAC’s Health Innovation Day was Verily’s Vivian Lee, MD, Ph.D. Asked for her thoughts on what will drive innovation in health care forward, Vivian offered a new mental model, organized around the idea of co-production. Industrial engineers look at co-production as a problem and solution when an organization’s pursuit of its mission depends on the behavior of actors outside of its control. As Vivian observed, co-production occurs in our system of producing elementary and secondary education. While teachers and schools deliver curriculum, parents support the production of education in their homes and through their contributions to the school community. Another example is trash removal. Municipal trash services take our trash away for processing, but they depend on residents putting their trash in bins and taking their bins to the curb. Co-production is a problem in need of solutions throughout healthcare. Clinical outcomes depend on the actions of patients and their healthcare providers. Payors and providers are not aligned in their pursuit of the quadruple aim, yet they offer differentiated capabilities to improve quality and cost of care. There are some co-production issues that are even harder to tackle, stemming from social determinants and implicating…

Would Health IT APIs Become a Public Utility under the ONC’s Proposed Rules?

The Cures Act directs the Office of the National Coordinator for Health IT (ONC) to implement Conditions and Maintenance of Certification that require EHR vendors to provide open APIs without special effort.  In its proposed rule, the ONC not only proposes technical standards and technical outcome expectations to facilitate access, exchange and use of electronic health information using FHIR-based APIs; it also takes direct aim at rent-seeking business practices and behaviors that it believes interfere with data interoperability.  This blog reviews the ONC proposal to restrict the fees that health IT developers would be permitted to charge for their certified API technologies, and offers some thoughts about the impact the fee proposals could have in the market. Background The ONC’s proposal to regulate fees on API technology would apply to EHR vendors, which would be required to implement the proposed certification criterion for FHIR-based “standardized API for patient and population services” within 24 months after final rules take effect.  Other health IT vendors have the option of presenting API technologies to the ONC for testing and certification under the ONC Health IT Certification Program.  API Technology Suppliers with certified API technologies would be subject to proposed Conditions and Maintenance of…

Summaries of the ONC’s Proposed Data Interoperability Rule

A GitHub repository to display high-level and selectively detailed summaries of the ONC's proposed rules is live. If you've never used GitHub, it's a great way to start collaborating in the software developer community. If you already use GitHub, the summaries are an invitation to collaborate and engage with you about the ONC's proposals for data interoperability. To access GitHub, you first need to register an account. After that, click on either of the links in the first paragraph to begin reading the summaries. Not all sections of the proposed rule have been summarized, but more of them will be over time. In the meantime, feel free to contribute! Follow links in the Table of Contents to sections that have been summarized. Also, the ONC has provided informal resources on HealthIT.gov to help the public better understand the proposed rule. The ONC's presentation to HIMSS about the Proposed Rule is a good starting point. The comment period is open until 5pm on May 3, 2019. If you want to submit comments, go to the Federal eRulemaking Portal and upload your comments in MS Word (preferred), MS Excel or Adobe PDF. If you want help with analyzing any portion of the rules, or…

With Recent Rulemaking, the ONC and CMS Give Digital Health Innovators A Map for the Emerging Data Interoperability Highway

On February 11, 2019, the Office of the National Coordinator for Health Information Technology (ONC) released its Notice of Proposed Rulemaking for implementing data interoperability provisions of the 21st Century Cures Act. Under the proposed rule, all health information technology (HIT) vendors that sell “certified electronic health record technology” (CEHRT) to health care providers will be required to meet new security, data governance and API standards, once final rules take effect. The proposed rule also describes steps to end business practices that emerged during the years when electronic health records were being adopted, which Congress viewed as anti-competitive. In a related announcement, the Centers for Medicare and Medicaid Services (CMS) released a Proposed Rule to promote data interoperability by health plans that participate in the Medicare, Medicaid or CHIP programs, or that issue qualified health plans in the individual health insurance marketplace. Both proposed rules mark a long-awaited step towards standardizing the rules of the road for data interoperability in healthcare. Of course, the industry hasn’t been sitting on its heels. Epic’s App Orchard, Xealth’s API marketplace and Apple Health Records are examples of the kind of tracks that are already being laid to connect consumers with their health…

Is It Too Soon for Blockchain in Healthcare?

Blockchain generates a lot of hype and more than a little notoriety because of its ties to cryptocurrencies. While the healthcare industry understandably seeks to avoid hype and notoriety, and mostly waits for emerging technologies to prove themselves in other industries, ignoring blockchain would be a mistake. The main reason is that it alters the strategic mindset: It offers a fresh perspective for solving some of the vexing business challenges in health IT. In a fragmented health system, the business challenges swamp the technical ones. An example of how blockchain alters perspective is illustrated in a new white paper, Crowdsourcing Provider Directory Maintenance, written by a team led by Kyle Culver of Humana and Andrew Beal of Ernst & Young. Kyle was one of the winners in the 2017 Blockchain Challenge sponsored by HHS’ Office of the National Coordinator for Health IT. In the paper, the authors examine how to keep provider directories current through a blockchain lens. In setting up the problem, the authors observe that health plans currently manage separate provider directory silos that are rife with inaccuracies. Provider demographics can change so rapidly that it is hard to keep these directories up-to-date. I’ve seen how quickly the…
