
NIST’s Privacy Framework: Step-by-Step Instructions for Building a Privacy Program

About the NIST Privacy Risk Management Framework. NIST released the Privacy Risk Management Framework: an Enterprise Tool, v.1 on January 16, 2020. Aperture Law Group's Founder Jill DeGraff participated in early NIST workshops and began using preliminary drafts of the Framework with clients in May 2019.

The Framework establishes a step-wise sequence of activities that is oriented around five core functions: Identify, Govern, Control, Communicate and Protect. Within each of these core functions, the Framework describes specific tasks and workstreams (activities and sub-activities, respectively). For example, an activity for the "Identify" function is to perform an inventory and mapping of all systems, products and services involved in data processing. Sub-activities include: producing an inventory of all systems, products and services that process data; and producing an inventory of all owners/operators of these systems, products and services, and their respective roles in data processing.

An organization that documents the activities described in the Framework can produce a deliverable Privacy Risk Management Plan. The Plan accomplishes three important steps for any company that wants to be "privacy forward". First, it documents the factual predicates for establishing an organization's unique system of privacy controls. Second, it includes a narrative description of these privacy controls. …


I submitted a comment to the Office of the National Coordinator for Health IT today. Below is the text.

Dear Dr. Rucker,

I appreciate the opportunity to comment on the proposed rules for data interoperability, information blocking and the ONC’s health IT certification program. I counsel HIPAA covered entities and vendors of healthcare technologies on privacy, data security and contracts. This vantage point gives me a point of view about consumer privacy and data portability. I would like to offer my comments on the information blocking rule, particularly in regard to the "promoting privacy" exception and, more broadly, the policies that give effect to the individual right of access under HIPAA.

The HIPAA Privacy Rule and Data Portability Between Covered Entities

The HIPAA Privacy Rule includes detailed specifications that govern the permissible disclosure of PHI between covered entities, but it does not affirmatively require these disclosures to be made. This is a critical juncture where data portability gets stuck. The information blocking rule fills a critical gap in the HIPAA Privacy Rule, by inducing health care providers and their respective supply chains to facilitate data portability with other HIPAA covered entities, or else face negative consequences under the enforcement authorities…


Would Health IT APIs Become a Public Utility under the ONC’s Proposed Rules?

The Cures Act directs the Office of the National Coordinator for Health IT (ONC) to implement Conditions and Maintenance of Certification that require EHR vendors to provide open APIs without special effort. In its proposed rule, the ONC not only proposes technical standards and technical outcome expectations to facilitate access, exchange and use of electronic health information using FHIR-based APIs; it also takes direct aim at rent-seeking business practices and behaviors that it believes interfere with data interoperability. This blog reviews the ONC proposal to restrict the fees that health IT developers would be permitted to charge for their certified API technologies, and offers some thoughts about the impact the fee proposals could have in the market.

Background

The ONC’s proposal to regulate fees on API technology would apply to EHR vendors, which would be required to implement the proposed certification criterion for FHIR-based “standardized API for patient and population services” within 24 months after final rules take effect. Other health IT vendors have the option of presenting API technologies to the ONC for testing and certification under the ONC Health IT Certification Program. API Technology Suppliers with certified API technologies would be subject to proposed Conditions and Maintenance of…
