ACTION:

Announces of meeting.

SUMMARY:

This notice announces the 11th meeting of the American Health Information Community Confidentiality, Privacy, and Security Workgroup in accordance with the Federal Advisory Committee Act (Pub. L. 92-463, 5 U.S.C., App.)

DATES:

June 22, 2007, from 10 a.m. to 4:30 p.m.[Eastern].

ADDRESSES:

Hubert H. Humprey Building (200 Independence Avenue, SW., Washington, DC 20201), Conference Room 505A (please bring photo ID for entry into a Federal building).

FOR FURTHER INFORMATION:

http://www.hhs.gov/​health/​ahic/​confidentiality/​ Purpose: The Workgroup Members will continue discussing the working hypothesis and evaluate the confidentiality, privacy, and security protections for participants in an electronic information exchange network at a local, state, regional, and nationwide level. The meeting will be available via Web cast. For additional information, go to: http://www.hhs.gov/​healthit/​cps_​instruct.html.

SUPPLEMENTARY INFORMATION:

The American Health Information Community Confidentiality, Privacy, and Security (CPS) workgroup is seeking public feedback on its working hypothesis. To submit comments via e-mail (preferred), please send them to cps-wkg@hsrnet.com (to ensure that your e-mail is received and appropriately filed, we ask that you put “CPS June 2007 Public Comment” in the subject line of your e-mail) or mail your comments to Steven Posnack, Office of the National Coordinator (ONC), 330 C Street, SW., Suite 4090, Washington, DC 20201. Written testimony submitted by the public is not required to address all of the questions listed below, and answers to any or all of the questions will be accepted so long as they comply with the following guidelines. Comments should be double-spaced and submitted via e-mail or mail by 5 p.m. Eastern Daylight Time and June 4, 2007, in order to receive consideration by the CPS workgroup.

For the past several months, the CPS workgroup has been refining the following “working hypothesis” as an approach to gather information and develop recommendations regarding the protections that should apply to certain persons and entities in a nationwide health information exchange environment. The main tenet of the “working hypothesis” is as follows:

All persons and entities excluding consumers that participate in an electronic health information exchange network at a local, state, regional or nationwide level, through which individually identifiable electronic health information is stored, compiled, transmitted, or accessed, should be required to meet privacy and security criteria at least equivalent to relevant Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rate requirements In this case, HIPAA is used to help establish a common understanding of what federal health information privacy and security requirements apply to whom and for what. Its inclusion in the “working hypothesis” should not be misinterpreted to mean the CPS workgroup is only considering HIPAA-focused recommendations. Rather, the CPS workgroup intends to evaluate, in the future, whether the overall, baseline standard for participating in these networks should be changed to a standard that is different from or exceeds the current HIPAA privacy and security rules.

THe CPS workgroup is interested to hear from any party that may be affected by its “working hypothesis.” Responses should address the following questions in the sections below. Please reference the section with which your comment is associated when making a comment.

1. Enforceable Mechanisms

The CPS workgroup understands that there may be one or more appropriate mechanisms to properly enforce and ensure that confidentiality, privacy, and security requirements are met in an electronic health information exchange environment Therefore, the workgroup is interested in comments on appropriate, effective, and feasible ways to enforce confidentiality, privacy, and security protections in this new environment. Comments will be considered by the workgroup for the purposes of developing one or more recommendations associated with the “working hypothesis” above.

2. Relevant Requirements

For a given participant's characteristics and role in an electronic health information environment, certain confidentiality, privacy, and security requirements may be more relevant than others. The CPS workgroup requests comment as to whether particular confidentiality, privacy, and security requirements equivalent to those in the HIPAA Privacy and Security Rules should or should not apply to a particular type of person or entity and why. Please identify specific section(s) of the HIPAA Privacy and Security Rules. The following examples have been developed to identify the level of detail and specificity the workgroup is seeking in a response:

Example 1:

Similar to the treatment of health care clearinghouses under the HIPAA Privacy Rule it may not be appropriate for a health information exchange organization to provide privacy notices (Section 164.500(b)).

Example 2: With respect to Section 164.510 of the HIPAA Privacy Rule, a health information exchange organization may not have a function analogous to a “facility directory” and therefore compliance with that type of requirement may not be appropriate.

3. Business Associates

The CPS workgroup is concerned that an electronic health information exchange environment may lead to an unwieldy amount of contractual relationships in the form of business associate agreements each with their own specific confidentiality, privacy, and security nuances—with limited direct enforcement. The workgroup is seeking comments on the pros and cons of having business associates directly responsible for HIPAA requirements—not through contractual arrangements. If you are a business associate please answer the following questions:

(A) How does your organization ensure compliance with the privacy and security policies of covered entities with whom it contracts, particularly when there are numerous contracts?

(B) How do you handle business associate contracts with large numbers of covered entities including compliance with each covered entity's privacy policies?

(C) How are business associate agreements negotiated? Do you have a standard contract?

(D) How is the data protection compliance of subcontractors ensured and/or assessed?

(E) Do you have subcontractors and how do you handle those agreements?

(F) How would direct accountability for meeting relevant HIPAA requirements impact your business?

4. General Questions

The CPS workgroup is seeking comment on any of the following additional questions.

(A) What are the implications of having some entities performing similar services covered by federal law (e.g., HIPAA) and others not? For example, a personal health record (PHR) could be offered by a health plan (covered entity) and an independent PHR service provider (non-covered entity).

i. How does this impact your competitiveness?

ii How doe this impact your ability to exchange information with others?

iii. Does contracting with non-covered entities create different levels of accountability and/or enforceability in the exchange of health information?

(B) Assuming you are not a covered entity, what would be the implications of complying with enforceable confidentiality, privacy, and security requirements at least equivalent to relevant HIPAA principles?Start Printed Page 26394

(C) Is there a minimum set of confidentiality, privacy, and security protections that you think everyone should follow, if not HIPAA, what?

The meeting will be available via Web cast. For additional information, go to http://www.hhs.gov/​healthit/​ahic/​cps_​instruct.html.