1.0 Introduction

As an introduction to the Healthcare Information Technology Standards Panel (HITSP) Security and Privacy Technical Note, this section provides a high level overview of this specification, acknowledges the copyright protections that pertain, and provides a list of key reference documents and background material. If you are already familiar with this information, proceed to Section 2.0 Security and Privacy Scope.

1.1 Overview

The Security and Privacy Technical Note provides the context for use of the HITSP Security and Privacy Constructs, based on the initial AHIC Use Cases. It includes a design map of existing standards and specifications that will be used to meet the stated requirements of the Use Cases. It references the Requirements, Design and Standards Selection document which describes the process by which the Use Cases were analyzed, candidate standards were identified and the design developed. As additional Use Cases are provided to HITSP, the HITSP team will update this document based on any new Security and Privacy requirements. This document will also be updated to reflect changes to the design and relationships of the constructs.

1.1.1 HITSP Security and Privacy Policy

The HITSP SPI-TC designed the constructs described in this Technical Note to support a wide variety of security and privacy policies and technical frameworks. Consistent with the HITSP Technical Committee Terms of Reference, HITSP has not attempted to resolve privacy or security policy issues, risk management, healthcare application functionality, operating systems functionality, physical control specifications, or other low-level specifications. This approach is crucial because of the variety of requirements that the HITSP Security and Privacy Constructs will be called on to address.

As discussed in Section 2.0, many federal and state laws and/or regulations define the security and privacy policy requirements for individually identifiable health information. In developing the constructs described in this document, core concepts from several of these federal and state laws and regulations were considered, although a comprehensive, exhaustive review of all existing security and privacy laws and regulations was not done. Those laws and/or regulations and organizational policies stipulate the administrative, physical, and technical mechanisms needed to enforce jurisdictional and organizational health privacy policies. The constructs presented herein constitute a technical foundation that is applicable to the various policy options defined by these federal and state laws, or by other business and organizational requirements.

While there is no single Security and Privacy framework universally accepted in the U.S. or internationally, HITSP identified, discussed, and considered a number of Security and Privacy frameworks emerging in the U.S. and in other countries. In particular, policies from Canada, the European Union, Australia, and global policies such as the ones developed by the Organization for Economic Cooperation and Development (OECD) were reviewed. Work is underway through HITSP and other groups to develop material relevant to a common reference framework for both Security and Privacy, which includes the HITSP Security and Privacy matrices (see www.HITSP.org). Subsequently, The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information [1] was published by HHS in December 2008.

HITSP identified a group of existing and emerging standards that may be used in guiding the implementation of the constructs (see Table 2-1 Guidance Standards).

In the context of electronic health information exchange, the management of privacy policies must transition from a strictly administrative paper-based function to the enablement of the technical functions needed for electronic management of privacy. As the expression of privacy policies matures from paper-based formats to unstructured electronic formats, and then to structured, computable and interoperable formats, the security mechanisms that enforce these policies will increasingly need to align with structured electronic formats for security and privacy rules.

1.1.2 HITSP Security and Privacy Management Overview

In defining the Security and Privacy Constructs described in this document, HITSP used a set of core concepts regarding privacy of health information that were derived from overarching federal, state and international laws and regulations (see Section 5.15.1). The SPI-TC also recognized that to manage security and privacy, healthcare organizations and technology vendors perform security, privacy, and business risk assessments (see Section 5.0). As technology grows more complex, a risk management framework that consists of risk management and prioritization tools is needed to facilitate problem analysis and prioritization work throughout the risk management assessment lifecycle. However, HITSP does not specify methodologies or risk management frameworks for conducting strategic or system-focused risk assessments, but encourages organizations implementing HITSP Interoperability Specifications to conduct both types of analysis. In addition, HITSP recognizes that a complete security program includes tasks to provide ongoing management and assurance that security objectives are being met, but such tasks are typically implementation-specific and therefore out of scope for HITSP Security and Privacy constructs.

1.2 Security and Privacy Relationship to Use Cases

Security and Privacy Constructs have evolved and will continue to evolve as new Use Cases, Value Cases, or other Harmonization requests are received by HITSP. The Harmonization Framework describes the hierarchy of HITSP Constructs, including Service Collaborations. Some Service Collaborations have a clear Security and Privacy focus, whereas others are focused on infrastructure but include the appropriate underlying Security and Privacy considerations in the context of the healthcare workflow. The current set of Security and Privacy related Service Collaborations is discussed later in this document and should be used in the context of the Implementation Specification that calls for it, as with any other HITSP construct. It should be noted, however, that the Service Collaborations are designed with the intent of maximizing reuse in anticipation of future harmonization requests.

1.3 Copyright Permissions

COPYRIGHT NOTICE

© 2009 ANSI. This material may be copied without permission from ANSI only if and to the extent that the text is not altered in any fashion and ANSI's copyright is clearly noted.

OCTAVE

1.4 Terminology

Throughout the HITSP SPI-TC documents, the term Individually Identifiable Health Information (IIHI) is used to denote health information considered to be identifiable to an individual. In this context, IIHI extends beyond the more focused and limited HIPAA term Protected Health Information (PHI), which is applicable only to entities covered by HIPAA. The overall intent of HITSP is for standards to be applied to all health information and all entities that collect, access, maintain, use or disclose individually identifiable health information. The term Personal Health Information has the same meaning as IIHI.

1.5 HITSP References

This section provides a list of key reference documents and background material in the table below. These documents can be retrieved from the www.hitsp.org web site.

Table 1-1 HITSP Reference Documents

Reference Document      Document Description
HITSP Acronyms List     Lists and defines the acronyms used in this document
HITSP Glossary          Provides definitions for relevant terms used by HITSP documents