NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Meeting of the Subcommittee on Privacy, Confidentiality and Security
March 21-22, 2019

3311 Toledo Road
Auditorium-Second Floor
Hyattsville, MD 20782

 

Thursday, March 21

9:00 a.m. Welcome and Introductions

•    Call to Order

•    Roll Call

•    Goals of this Beyond HIPAA Working Session

•    Restatement of Beyond HIPAA work to date

 

Linda Kloss

Chair, Subcommittee on Privacy, Confidentiality and Security

 

9:30 a.m. Identifying Major Themes

Goal 1: Identify major themes in Health Information Privacy in light of the 10 years that have passed since NCVHS’s April 2008 Report, “Enhancing Protections for Uses of Health Data: A Stewardship Framework – Summary for Policy Makers”

•    Summarize major feedback received including comments and hearings (inputs)

•    Identify current state of health data uses and gaps in protections

•    Consider the evolving process

•    Remind participants of the 3 different scenarios that illustrate themes

•    Synthesize and reach consensus on major themes

 

NCVHS members with Expert Panelists

11:00 a.m. Break
11:15 a.m. Development of Guiding Principles

•    Describe key opportunities for enhancing protections

•    Identify stewardship principles based on all of the inputs to date

 

Goal 1: Describe a pathway for improving private stewardship of health information over the next decade

NCVHS members with Expert Panelists
12:30 p.m. Lunch
1:30 p.m. Development of Guiding Principles (continued)

Goal 2: Describe a pathway for improving public stewardship of health information over the next decade

NCVHS members with Expert Panelists
3:15 p.m. Break
3:30 p.m. Development of Draft Recommendations

Participants review themes and make suggestions for potential recommendations to the Secretary

NCVHS members with Expert Panelists
5:00 p.m. Public Comment

Rebecca Hines

NCVHS Executive Secretary

5:15-5:30 p.m. Closing Remarks & Adjourn

Linda Kloss

Chair, Subcommittee on Privacy, Confidentiality and Security

 

Friday, March 22

8:30 a.m. Welcome Back and Introductions

•    Call to Order

•    Roll Call

•    Review Morning Work Plan

Linda Kloss

Chair, Subcommittee on Privacy, Confidentiality and Security

8:45 a.m. Observations and Development of Draft Recommendations

Task 1: Review themes and identify potential recommendations

Subcommittee Chair & Members
10:15 a.m. Break
10:30 a.m. Observations and Development of Draft Recommendations, continued

Task 2: Begin drafting recommendations

Subcommittee Chair & Members
12:00 p.m. Lunch
1:00 p.m. Draft Report Outline

Task 3: Finalize draft outline of report and presentation to Executive Committee

Subcommittee Chair & Members
2:00 p.m. Draft Letter to the Secretary

Task 4: Discuss letter, reach consensus on the timeline and next steps

Subcommittee Chair & Members
3:00 p.m. Closing Remarks & Adjourn

Linda Kloss

Chair, Subcommittee on Privacy, Confidentiality and Security

 

Goals of the Working Session

  • Outline key principles for stewardship of health data in the environment described in the scan and the essential public and private levers to ensure appropriate governance.
  • Develop recommendations to define a contemporary framework of data stewardship for the HHS Secretary, including a pathway for improving private and public sector governance of health information over the next decade.
  • Building on NCVHS’s past work including the Environmental Scan, recent hearing, and letters to the Secretary, reach consensus on actions to update NCVHS’ 2008 report, “Enhancing Protections for Uses of Health Data: A Stewardship Framework – Summary for Policy Makers.”
  • Identify key themes for communications with individuals, policymakers, and stakeholders in the private sector.

 

Background

NCVHS is charged with studying and identifying “privacy and security and access measures to protect individually identifiable health information in an environment of electronic networking and multiple uses of data.” As part of that charge, the Committee advises the Secretary and reports to Congress on the status of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which establishes the regulatory framework for personally identifiable health information held by covered entities and business associates.

The Committee undertook a ‘Beyond HIPAA’ initiative to examine emerging health information privacy and security issues that are beyond the scope of HIPAA to consider a health data privacy and security framework for the 21st century. The goals for the Beyond HIPAA initiative are to:

  1. Describe the changing environment and identify the risks to privacy and security of confidential health information, highlighting promising policies, practices and technology;
  2. Propose integrative models for how best to protect individuals’ privacy and secure health data uses outside of HIPAA protections while enabling important uses, services and research;
  3. Formulate recommendations for the Secretary on actions that HHS might take; and
  4. Prepare a report for data stewardship.

The environmental scan findings are detailed in the report, “Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges,” available on the NCVHS website. The scan described the two spheres of health information: one that is regulated by HIPAA and the other that is largely unregulated. The scan addressed existing and emerging policy frameworks, practices, and technologies in the areas of: big data and analytics, personal health devices, the Internet of Things, and evolving technologies for privacy and security. It also examined privacy and data protection laws in other domains and changing consumer attitudes regarding health information privacy.

The Committee has considered the range of public and private action options to improve health data privacy and security beyond HIPAA focusing first on examples of uses that are at the intersection of the HIPAA regulated and unregulated spheres. These include health registries (populated with health information but often not covered by a business associate agreement), personal health devices, and applications that may exchange information with covered entities or business associates (but essentially operate in the unregulated world). At this juncture, the Committee is moving forward from study of the current environment to formulation of recommendations for action.

 

 

Upcoming NCVHS Meetings

June 5-6, 2019                 Full Committee Meeting, Humphrey Building, Washington, DC

August 6-7, 2019             Subcommittee on Standards, ICD-11 Project, Humphrey Building, Washington, DC

October 3-4, 2019            Full Committee Meeting, Humphrey Building, Washington, DC