NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Meeting of the Subcommittee on Privacy, Confidentiality and Security
March 21-22, 2019
3311 Toledo Road
Auditorium-Second Floor
Hyattsville, MD 20782
Thursday, March 21
| 9:00 a.m. | Welcome and Introductions
• Call to Order • Roll Call • Goals of this Beyond HIPAA Working Session • Restatement of Beyond HIPAA work to date
|
Linda Kloss
Chair, Subcommittee on Privacy, Confidentiality and Security
|
| 9:30 a.m. | Identifying Major Themes
Goal 1: Identify major themes in Health Information Privacy in light of the 10 years that have passed since NCVHS’s April 2008 Report, “Enhancing Protections for Uses of Health Data: A Stewardship Framework -Summary for Policy Makers” • Summarize major feedback received including comments and hearings (inputs) • Identify current state of health data uses and gaps in protections • Consider the evolving process • Remind participants of the 3 different scenarios that illustrate themes • Synthesize and reach consensus on major themes
|
NCVHS members with Expert
Panelists |
| 11:00 a.m. | Break | |
| 11:15 a.m. | Development of Guiding Principles
• Describe key opportunities for enhancing protections • Identify stewardship principles based on all of the inputs to date
Goal 1: Describe a pathway for improving private stewardship of health information over the next decade |
NCVHS members with Expert Panelists |
| 12:30 p.m. | Lunch | |
| 1:30 p.m. | Development of Guiding Principles (continued)
Goal 2: Describe a pathway for improving public stewardship of health information over the next decade |
NCVHS members with Expert Panelists |
| 3:15 p.m. | Break | |
| 3:30 p.m. | Development of Draft Recommendations
Participants review themes and make suggestions for potential recommendations to the Secretary |
NCVHS members with Expert Panelists |
| 5:00 p.m. | Public Comment | Rebecca Hines
NCVHS Executive Secretary |
| 5:15-5:30 p.m. | Closing Remarks & Adjourn | Linda Kloss
Chair, Subcommittee on Privacy, Confidentiality and Security |
Friday, March 22
| 8:30 a.m. | Welcome Back and Introductions
• Call to Order • Roll Call • Review Morning Work Plan |
Linda Kloss
Chair, Subcommittee on Privacy, Confidentiality and Security |
| 8:45 a.m. | Observations and Development of Draft Recommendations
Task 1: Review themes and identify potential recommendations |
Subcommittee Chair & Members |
| 10:15 a.m. | Break | |
| 10:30 a.m. | Observations and Development of Draft Recommendations, continued
Task 2: Begin drafting recommendations |
Subcommittee Chair & Members |
| 12:00 p.m. | Lunch | |
| 1:00 p.m. | Draft Report Outline
Task 3: Finalize draft outline of report and presentation to Executive Committee |
Subcommittee Chair & Members |
| 2:00 p.m. | Draft Letter to the Secretary
Task 4: Discuss letter, reach consensus on the timeline and next steps |
Subcommittee Chair & Members |
| 3:00 p.m. | Closing Remarks & Adjourn | Linda Kloss
Chair, Subcommittee on Privacy, Confidentiality and Security |
Goals of the Working Session
- Outline key principles for stewardship of health data in the environment described in the scan and the essential public and private levers to ensure appropriate governance.
- Develop recommendations to define a contemporary framework of data stewardship for the HHS Secretary, including a pathway for improving private and public sector governance of health information over the next decade.
- Building on NCVHS’s past work including the Environmental Scan, recent hearing, and letters to the Secretary, reach consensus on actions to update NCVHS’ 2008 report, “Enhancing Protections for Uses of Health Data: A Stewardship Framework – Summary for Policy Makers.”
- Identify key themes for communications with individuals, policymakers, and stakeholders in the private sector.
Background
NCVHS is charged with studying and identifying “privacy and security and access measures to protect individually identifiable health information in an environment of electronic networking and multiple uses of data.” As part of that charge, the Committee advises the Secretary and reports to Congress on the status of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) which establishes the regulatory framework for personally identifiable health information held by covered entities and business associates.
The Committee undertook a ‘Beyond HIPAA’ initiative to examine emerging health information privacy and security issues that are beyond the scope of HIPAA to consider a health data privacy and security framework for the 21st century. The goals for the Beyond HIPAA initiative are to:
- Describe the changing environment and identify the risks to privacy and security of confidential health information, highlighting promising policies, practices and technology;
- Propose integrative models for how best to protect individuals’ privacy and secure health data uses outside of HIPAA protections while enabling important uses, services and research;
- Formulate recommendations for the Secretary on actions that HHS might take; and
- Prepare a report for data stewardship.
The environmental scan findings are detailed in the report, “Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges,” available on the NCVHS website. The scan described the two spheres of health information: one that is regulated by HIPAA and the other that is largely unregulated. The scan addressed existing and emerging policy frameworks, practices, and technologies in the areas of: big data and analytics, personal health devices, the Internet of Things, and evolving technologies for privacy and security. It also examined privacy and data protection laws in other domains and changing consumer attitudes regarding health information privacy.
The Committee has considered the range of public and private action options to improve health data privacy and security beyond HIPAA focusing first on examples of uses that are at the intersection of the HIPAA regulated and unregulated spheres. These include health registries (populated with health information but often not covered by a business associate agreement), personal health devices, and applications that may exchange information with covered entities or business associates (but essentially operate in the unregulated world). At this juncture, the Committee is moving forward from study of the current environment to formulation of recommendations for action.
Upcoming NCVHS Meetings
June 5-6, 2019 Full Committee Meeting, Humphrey Building, Washington, DC
August 6-7, 2019 Subcommittee on Standards, ICD-11 Project, Humphrey Building, Washington, DC
October 3-4, 2019 Full Committee Meeting, Humphrey Building, Washington, DC