Federal Register Notice
July 22, 1997
(62 FR 39245)


DEPARTMENT OF HEALTH AND HUMAN SERVICES

National Committee on Vital and Health Statistics: Meetings

Pursuant to the Federal Advisory Committee Act, the Department of Health and Human Services announces the following advisory committee meetings.

Name: National Committee on Vital and Health Statistics (NCVHS), Subcommittee on Health Data Needs, Standards, and Security. Workgroup on Data Standards and Security.

Times and Dates: 9:00 a.m.-4:30 p.m., August 5, 1997; 8:30 a.m.- 4:30 p.m., August 6, 1997; 8:30 a.m.-4:00 p.m., August 7, 1997.

Place: Capital Hilton, 16th and K Streets, NW., Washington, DC 20201.

Status: Open.

Purpose: Under the Administrative Simplification provisions of P.L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Secretary of Health and Human Services is required to adopt standards for specified transactions to enable health information to be exchanged electronically. The law requires that, within 24 months of adoption, all health plans, health care clearinghouses, and health care providers who choose to conduct these transactions electronically must comply with these standards. The law also requires the Secretary to adopt a number of supporting standards including standards for code sets and classification systems and standards for security to protect health information. The Secretary is required to consult with the National Committee on Vital and Health Statistics (NCVHS) in complying with these provisions. The NCVHS is the Department's federal advisory committee on health data, privacy and health information policy.

To assist in the development of the NCVHS recommendations to HHS, the NCVHS Subcommittee on Health Data Needs, Standards, and Security has been holding a series of public meetings to obtain the views, perspectives and concerns of interested and affected parties.

On August 5 and August 6, 1997, the Subcommittee's Workgroup on Data Standards and Security will hold a public meeting at which it will receive input from the health care industry on recommendations for security standards. The Subcommittee is interested in receiving testimony that will provide an understanding of the foundation of information security in health care as well as the issues, barriers, and challenges that face the industry. Representatives of the health care industry (health care providers, payers, professional associations, vendors, and standards development organizations) are being invited to testify and respond to the Subcommittee's questions on security issues in the implementation of the administrative simplification provisions of P.L. 104-191. The industry representatives are being asked to address the questions (below) in writing, to make brief oral presentations of their answers, and to answer further questions from the Subcommittee. Other organizations that would like to submit written statements on these issues are invited to do so.

On August 7, 1997, the Subcommittee will discuss issues, recommendations, and its proposed workplan for the supporting standards for the nine financial and administrative health care transactions. The full NCVHS has already forwarded its recommendations on the architecture for these nine transactions to the Secretary.

Questions to be Addressed: While not all questions are applicable to all participants or their organizations, the following set of questions illustrates the scope and complexity of the security issues to be addressed by the Committee.

Policies and Procedures

What policies and procedures should be employed to safeguard information?

How should these policies and procedures be communicated to internal and external users as well as consumers?

How frequently are policies reviewed?

Do employees, agents, independent contractors, medical staff, and vendors sign confidentiality statements?

What are the consequences of a security breach by an individual? What type of disciplinary action is taken?

How do you protect employee health information, particularly if you self-administer a benefit plan?

How do you monitor electronic files to detect unauthorized changes or systematic corruption?

How do you protect backups? What abilities do you have to recover files that become corrupted or lost?

Organization Commitment

What approaches have been successful in your organization in obtaining upper management commitment to data security? What approaches have been less than successful?

Who is accountable to manage the information security program in your organization?

What level of authority should review and approve policies?

Has your organization assigned staff dedicated to information security? Please describe the reporting structure for information security at your organization.

How do you determine who can have access to health information? Do you have different classes of access based on the sensitivity of the health information (e.g., more restrictive access to HIV status or mental health diagnoses)?

Has cost been a factor in limiting your information security program? How would you determine the appropriate cost of security?

What factors should be considered in assessing the costs and benefits of security? How should these factors be weighted?

Based on your experience, what are the impediments to implementing health information security measures?

How would federal legislation or regulations requiring the protection of health information affect the information security program at your organization?

Training

What are the objectives of your data security training program?

Who receives training in information security?

How is training delivered?

Is training customized to user class?

How often is training repeated?

Technical Practices

Are unique passwords used?

Are tokens, smart cards, or biometrics used for authentication?

Is access control handled through technology or through policy?

How do you protect remote access points?

Is encryption used for internal or external transmissions?

If you use encryption, do you use it for your password, your patient identifier, your clinical information, or the entire patient record message?

When you use encryption, do you use Secure Sockets Layer (SSL), the Data Encryption Standard (DES), or another encryption standard or protocol? Why did you select this particular standard?

What are the initial and ongoing costs associated with encryption?

Do you transmit or plan to transmit patient identifiable information over the Internet? How is the information to be safeguarded?

What physical security measures do you use?

Are different security practices required for a private network?

What type of unique identifier do you use to identify patient information?

Do you use electronic signatures? If yes, explain the applications, the type of technology used, and liability issues, if any.

Patient Awareness/Authorization

Are patients informed of your organization's policies and procedures on information security? If so, how? Do you have specific educational tools that you use to educate patients/consumers?

Do patients review their information? How do patients amend incorrect information (particularly if maintained electronically)?

Do patients have access to the audit trail of all those who have looked at their patient record?

Can patients request that their information not be computerized?

Vendors and Data Security Consultants

What security features do your products employ?

What security features are customers asking for?

Is cost a factor?

Can security technology being used in other industries be integrated into your products?

How do you help a client identify their data security risks, threats, and exposures?

How do you help a client develop an effective data security strategy, design, or architecture?

How do you avoid technology-dependent security procedures and systems?

SDOs/Accreditation Organizations

What standards presently exist regarding security?

Are the existing standards adequate for adoption by the Secretary of HHS?

What standards must organizations meet in order to be accredited by your organization?

What plans are underway to address security requirements?

Do you feel that there is a need for the federal government to provide leadership in this area?

Contact Person for More Information: Substantive program information as well as summaries of the meeting and a roster of committee members may be obtained from Judy K. Ball, Committee staff, Office of the Assistant Secretary for Planning and Evaluation, DHHS, Room 440-D, Humphrey Building, 200 Independence Avenue SW, Washington, DC 20201, telephone (202) 690-7100, or from Marjorie S. Greenberg, Executive Secretary, NCVHS, NCHS, CDC, Room 1100, Presidential Building, 6525 Belcrest Road, Hyattsville, MD 20782, telephone (301) 436-7050. Information is also available on the NCVHS home page of the HHS website: http://aspe.os.dhhs.gov/ncvhs/.

Dated: July 14, 1997.

James Scanlon,
Director, Division of Data Policy, Office of the Assistant Secretary for Planning and Evaluation.

[FR Doc. 97-19137 Filed 7-21-97; 8:45 am]

BILLING CODE 4151-04-M