Title: Purpose of HIPAA Administrative Simplification
1Purpose of HIPAA Administrative Simplification
- to improve ... the efficiency and effectiveness
of the health care system, by encouraging the
development of a health information system
through the establishment of standards and
requirements for the electronic transmission of
certain health information. from the statute
2(No Transcript)
3(No Transcript)
4(No Transcript)
5Security/Privacy Services
- A group of related services that, together,
facilitate the integrity, confidentiality,
interoperability and automation of healthcare
information exchange in a SOA-based healthcare IT
environment. - They address issues of entity authentication,
authorization, access control and accountability.
- Owned by Security TC, but
- Cross discipline, cross domain approach.
6Scope and Purpose
- Security-as-a-Service within an SOA-oriented
architecture implies the decomposition and
decoupling of complex security processes that are
typically integrated across infrastructure and
applications into a set of encapsulated,
loosely-coupled security/privacy services.
7Scope and Purpose
- Security-as-a-Service within an SOA-oriented
architecture implies the decomposition and
decoupling of complex security processes that are
typically integrated across infrastructure and
applications into a set of encapsulated,
loosely-coupled security/privacy services.
8Why do we care?
- Encourages the deployment of interoperable
services and applications - Reduces the cost of application development
- Facilitates the automation of certain healthcare
business processes
9Scenario Clinician Needs Patient Data
- From viewpoint of Requestor/Recipient- Requesting
- Where is the patient data? Whos the custodian?
- In what format can the data be sent?
- What courier services are available?
- How do I submit a request?
- From viewpoint of Healthcare Information
Custodian - Who is requesting the data?
- Why should I let them see it?
- Do the Requestors privileges match my Policy?
- Courier Service
- Deliver to intended recipient
- Dont allow tampering
- Maintain confidentiality
- From viewpoint of Requestor/Recipient- Receiving
- Who sent it? Do I trust them?
- Has it been tampered with?
- Can I understand what the Author intended to say?
10Functional Capabilities
- To include security/privacy functionality
essential to enable or facilitate
interoperability and automation including
identity management, trust management, privilege
and access management, auditing, etc. These would
be as constrained as possible while still
providing a complementary set of security
services. - Identity and credentials of a resource requestor
that can be authenticated must be transported to
an resource access decision point where
appropriate authorization policy is applied, an
access control decision is enforced and all
required audit events are recorded.
Confidentiality of PHI is maintained at all times.
11Example Open Source EHR-S Function
HL7 EHR-S Function I.1.6Basic NHIN Access
HealthcareApplications/Components
Trust Registry
HealthcareFramework
Directory Access
Trust Network
Privacy
Communications
Authentication
CrossIndustryFramework
Identity Management
Security/ Encryption
Audit Services
Eclipse Base Framework
Execution Environment
Operating System
Computer Hardware
12Example Vendor ePrescription Sub-Profile
Vendors use the Healthcare Framework to build
specialized profiles and applications like
ePrescribing. Installable Eclipse plug-ins
encapsulate the functions required to support
profiles and applications.
13OverviewConceptual Healthcare Service
Architecture
Healthcare Service Bus (HSB)
Health Information Network
Health Information NetworkInfrastructure Services
Interoperability Services
Patient Information Services
Public Health Information Services
?
HL7 V3
?
?
Hospital, LTC,CCC, EPR
PhysicianOffice EMR
Lab System(LIS)
RadiologyCenterPACS/RIS
PharmacySystem
Public HealthServices
EHR Viewer
Physician/Provider
Physician/Provider
Physician/Provider
Lab Clinician
Radiologist
Pharmacist
Public Health Provider
POINT OF SERVICE
14Overview--Healthcare Service Architecture
Health Information Network
PhysicianOffice EMR
Physician/Provider
POINT OF SERVICE
15Open Health IT - HSB Messaging Stack
Healthcare Applications
HSB Support Services
Healthcare ProcessModel Execution Engine
LocalHealthcare Services
xHIN Protocols
xHIN Protocols
xHIN Protocols
xHIN Protocols
SOAP
SOAP
SOAP
SOAP
HTTP
HTTP
HTTP-S/MIME
HTTP
HTTP
Healthcare Service Bus
TCP/IP
Network Hardware
16(No Transcript)
17xHIN Identity Transport
Transport Envelope (http, smtp, file, )
SOAP Envelope
SOAP Header
wssSecurity
Sender ID Structural Role
Policy-based (Tier 0) Web Service Access Decision
Digital Signature (transport)
SenderFunctional Role
SAML Assertion Role
Encrypted(transport)
SAML Assertion Other
SenderOther
Other
Other
Policy-based (Tier 1) Target Object Access
Decision
SOAP Body
Query
Encrypted(transport,optional)
Document
Other
18xHIN extensible Health Information Network
TM
- The xHIN technology represents both an
architecture and a set of functional
specifications that exhibits two essential
attributes - the ability to facilitate automation of clinical
and business processes, and - high extensibilitythe ease with which xHIN-based
health information networks can be deployed,
expanded and enhanced.
19Security/Privacy Services
- May include
- Integrity
- Confidentiality
- Identity Management
- Access Control/Privilege Management
- Access Decision Service
- Access Policy Provisioning Service
- Audit
- Privacy
- Security
- Entity Registry Service
- Facilitates the location of an entitys PKI
information and other information required to
accomplish the exchange of healthcare
information. - Credential Authentication Service
- Credential Binding Service
- Credentials may be bound to an Identity
- Trust Correlation Service
- De-identification, Re-identification,
Pseudnonymization
20Entity Registry Service
- PKI identity services for entities are likely to
be provided by many different parties- private,
commercial and government. The Entity Registry
Service facilitates the location of an entitys
PKI information and other information required to
accomplish the exchange of healthcare
information. The entity data may be maintained
by an Identity Provider. This service may
leverage the EIS.
21Access Control/Privilege Management
- Access Decision Service
- Taking into account asserted identity/credentials,
target resource and other factors, returns a
decision allowing or denying access to the target
resource. - May leverage Identity Authentication and
Credential Authentication Services - Access Policy Provisioning
22Next Steps
- Reference/Resource Compilation
- Mailing List
- Telecon Schedule
- Sub-service Prioritization
- Initial Drafts
23Eclipse OHF Architecture Overview
Internet
Display
Devices
Eclipse
Telecom
Automotive
Healthcare
Runtime
UI
Workbench Services
Non-core Servicesand Plug-ins
Business Intelligence and Modeling
Resources
JFace
Data Tools
Basic XML Services
SWT
Development Tools
Text
Update
Help
Rules Processing
Dynamic Code/Schema Management
Security (OSGi)
Smart Token Support
Wireless Support
Metering
Eclipse Core
Windows or Linux OS
Computer Hardware
24Eclipse OHF Architecture Overview
Internet
Display
Devices
Eclipse
Applications
Healthcare
Runtime
UI
Workbench Services
Non-core Servicesand Plug-ins
Open Healthcare Framework
Business Intelligence and Modeling
Resources
JFace
Data Tools
Basic XML Services
SWT
Development Tools
XML Processing
Voice Services Support
HIPAA Support
Trust-based Network Support
EHR Support
Text
Update
Help
Web Service Support
Administrative Tools
Rules Processing
Dynamic Code/Schema Management
Security (OSGi)
Smart Token Support
Wireless Support
Metering
Eclipse Core
Windows or Linux OS
Computer Hardware
25Eclipse OHF Architecture Overview
Internet
Display
Devices
Training
Clinical Testing
Knowledge Services
ePrescription
Practice Management
CCR Client
Telecom Services
Payer Services
Clinical Data Capture Support
Administrative Support
Dictation/Transcription
Registry Services
Trust Services Support
Patient Services
Applications
XML Processing
Voice Services Support
HIPAA Support
Trust-based Network Support
EHR Support
Web Service Support
Administrative Tools
Open Healthcare Framework
Dynamic Code/Schema Management
Rules Processing
Security (OSGi)
Smart Token Support
Wireless Support
Metering
Eclipse Core
Windows or Linux OS
Computer Hardware