[Federal Register Volume 62, Number 140 (Tuesday, July 22, 1997)]
[Notices]
[Pages 39245-39246]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-19137]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
National Committee on Vital and Health Statistics: Meetings
Pursuant to the Federal Advisory Committee Act, the Department of
Health and Human Services announces the following advisory committee
meetings.
Name: National Committee on Vital and Health Statistics (NCVHS),
Subcommittee on Health Data Needs, Standards, and Security.
Workgroup on Data Standards and Security.
Times and Dates: 9:00 a.m.-4:30 p.m., August 5, 1997; 8:30 a.m.-
4:30 p.m., August 6, 1997; 8:30 a.m.-4:00 p.m., August 7, 1997.
Place: Capital Hilton, 16th and K Streets, NW., Washington, DC
20201.
Status: Open.
Purpose: Under the Administrative Simplification provisions of
P.L. 104-191, the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), the Secretary of Health and Human Services is
required to adopt standards for specified transactions to enable
health information to be exchanged electronically. The law requires
that, within 24 months of adoption, all health plans, health care
clearinghouses, and health care providers who choose to conduct
these transactions electronically must comply with these standards.
The law also requires the Secretary to adopt a number of supporting
standards including standards for code sets and classification
systems and standards for security to protect health information.
The Secretary is required to consult with the National Committee on
Vital and Health Statistics (NCVHS) in complying with these
provisions. The NCVHS is the Department's federal advisory committee
on health data, privacy and health information policy.
To assist in the development of the NCVHS recommendations to
HHS, the NCVHS Subcommittee on Health Data Needs, Standards, and
Security has been holding a series of public meetings to obtain the
views, perspectives and concerns of interested and affected parties.
On August 5 and August 6, 1997, the Subcommittee's Working
Group on Data Standards and Security will hold a public meeting at
which they will receive input from the health care industry on
recommendations for security standards. The Subcommittee is
interested in receiving testimony that will provide an understanding
of the foundation of information security in health care as well as
the issues, barriers, and challenges that face the industry.
Representatives of the health care industry--health care providers,
payers, professional associations, vendors, and standards
development organizations--are being invited to testify and respond
to the Subcommittee's questions on security issues in the
implementation of the administrative simplification provisions of
P.L. 104-191. The industry representatives are being asked to
address the questions (below) in writing, to make brief oral
presentations of their answers, and to answer further questions from
the Subcommittee. Other organizations that would like to submit
written statements on these issues are invited to do so.
On August 7, 1997, the Subcommittee will discuss issues,
recommendations, and its proposed workplan for the supporting
standards for the nine financial and administrative health care
transactions. The full NCVHS has already forwarded its
recommendations on the architecture for these nine transactions to
the Secretary.
Questions to be Addressed: Whereas not all questions are
applicable to all participants or their organizations, the following
set of questions illustrates the scope and complexity of the
security issues to be addressed by the Committee.
Policies and Procedures
What policies and procedures should be employed to
safeguard information?
How should these policies and procedures be
communicated to internal and external users as well as consumers?
How frequently are policies reviewed?
Do employees, agents, independent contractors, medical
staff, and vendors sign confidentiality statements?
What are the consequences of a security breach by an
individual? What type of disciplinary action is taken?
How do you protect employee health information,
particularly if you self-administer a benefit plan?
How do you monitor electronic files to detect
unauthorized changes or systematic corruption?
How do you protect backups? What abilities do you have
to recover files that become corrupted or lost?
Organization Commitment
What approaches have been successful in your
organization in obtaining upper management commitment to data
security? What approaches have been less than successful?
Who is accountable to manage the information security
program in your organization?
What level of authority should review and approve
policies?
Has your organization assigned staff dedicated to
information security? Please describe the reporting structure for
information security at your organization.
How do you determine who can have access to health
information? Do you have different classes of access based on the
sensitivity of the health information (e.g., more restrictive access
to HIV status or mental health diagnoses)?
Has cost been a factor in limiting your information
security program? How would you determine the appropriate cost of
security?
What factors should be considered in assessing the
costs and benefits of security? How should these factors be
weighted?
Based on your experience, what are the impediments to
implementing health information security measures?
How would federal legislation or regulations requiring
the protection of health information affect the information security
program at your organization?
Training
What are the objectives of your data security training
program?
Who receives training in information security?
How is training delivered?
Is training customized to user class?
How often is training repeated?
Technical Practices
Are unique passwords used?
Are tokens, smart cards, or biometrics used for
authentication?
Is access control handled through technology or through
policy?
How do you protect remote access points?
Is encryption used for internal or external
transmissions?
If you use encryption, do you use it for your password,
your patient identifier, your clinical information, or the entire
patient record message?
When you use encryption, do you use secure socket layer
(SSL), data encryption standard (DES), or another encryption
standard? Why did you select this particular encryption standard?
What are the initial and ongoing costs associated with
encryption?
Do you transmit or plan to transmit patient
identifiable information over the Internet? How is the information
to be safeguarded?
What physical security measures do you use?
Are different security practices required for a private
network?
What type of unique identifier do you use to identify
patient information?
Do you use electronic signatures? If yes, explain the
applications, the type of technology used, and liability issues, if
any.
Patient Awareness/Authorization
Are patients informed of your organization's policies
and procedures on information security? If so, how? Do you have
specific educational tools that you use to educate patients/
consumers?
Do patients review their information? How do patients
amend incorrect information (particularly if maintained
electronically)?
Do patients have access to the audit trail of all those
who have looked at their patient record?
Can patients request that their information not be
computerized?
Vendors and Data Security Consultants
What security features do your products employ?
What security features are customers asking for?
Is cost a factor?
Can security technology being used in other industries
be integrated into your products?
How do you help a client identify their data security
risks, threats, and exposures?
How do you help a client develop an effective data
security strategy, design, or architecture?
How do you avoid technology-dependent security
procedures and systems?
SDOs/Accreditation Organizations
What standards presently exist regarding security?
Are the existing standards adequate for adoption by the
Secretary of HHS?
What standards must organizations meet in order to be
accredited by your organization?
What plans are underway to address security
requirements?
Do you feel that there is a need for the federal
government to provide leadership in this area?
Contact Person for More Information: Substantive program
information as well as summaries of the meeting and a roster of
committee members may be obtained from Judy K. Ball, Committee
staff, Office of the Assistant Secretary for Planning and
Evaluation, DHHS, Room 440-D, Humphrey Building, 200 Independence
Avenue SW, Washington, DC 20201, telephone (202) 690-7100, or from
Marjorie S. Greenberg, Executive Secretary, NCVHS, NCHS, CDC, Room
1100, Presidential Building, 6525 Belcrest Road, Hyattsville, MD
20782, telephone (301) 436-7050. Information is also available on
the NCVHS home page of the HHS website: http://aspe.os.dhhs.gov/
ncvhs/.
Dated: July 14, 1997.
James Scanlon,
Director, Division of Data Policy, Office of the Assistant Secretary
for Planning and Evaluation.
[FR Doc. 97-19137 Filed 7-21-97; 8:45 am]
BILLING CODE 4151-04-M