Purpose of HIPAA Administrative Simplification

1
Purpose of HIPAA Administrative Simplification

• to improve ... the efficiency and effectiveness
  of the health care system, by encouraging the
  development of a health information system
  through the establishment of standards and
  requirements for the electronic transmission of
  certain health information. from the statute

2
(No Transcript)
3
(No Transcript)
4
(No Transcript)
5
Security/Privacy Services

• A group of related services that, together,
  facilitate the integrity, confidentiality,
  interoperability and automation of healthcare
  information exchange in a SOA-based healthcare IT
  environment.
• They address issues of entity authentication,
  authorization, access control and accountability.
  
• Owned by Security TC, but
• Cross discipline, cross domain approach.

6
Scope and Purpose

• Security-as-a-Service within an SOA-oriented
  architecture implies the decomposition and
  decoupling of complex security processes that are
  typically integrated across infrastructure and
  applications into a set of encapsulated,
  loosely-coupled security/privacy services.

7
Scope and Purpose

• Security-as-a-Service within an SOA-oriented
  architecture implies the decomposition and
  decoupling of complex security processes that are
  typically integrated across infrastructure and
  applications into a set of encapsulated,
  loosely-coupled security/privacy services.

8
Why do we care?

• Encourages the deployment of interoperable
  services and applications
• Reduces the cost of application development
• Facilitates the automation of certain healthcare
  business processes

9
Scenario Clinician Needs Patient Data

• From viewpoint of Requestor/Recipient- Requesting
• Where is the patient data? Whos the custodian?
• In what format can the data be sent?
• What courier services are available?
• How do I submit a request?
• From viewpoint of Healthcare Information
  Custodian
• Who is requesting the data?
• Why should I let them see it?
• Do the Requestors privileges match my Policy?
• Courier Service
• Deliver to intended recipient
• Dont allow tampering
• Maintain confidentiality
• From viewpoint of Requestor/Recipient- Receiving
• Who sent it? Do I trust them?
• Has it been tampered with?
• Can I understand what the Author intended to say?

10
Functional Capabilities

• To include security/privacy functionality
  essential to enable or facilitate
  interoperability and automation including
  identity management, trust management, privilege
  and access management, auditing, etc. These would
  be as constrained as possible while still
  providing a complementary set of security
  services.
• Identity and credentials of a resource requestor
  that can be authenticated must be transported to
  an resource access decision point where
  appropriate authorization policy is applied, an
  access control decision is enforced and all
  required audit events are recorded.
  Confidentiality of PHI is maintained at all times.

11
Example Open Source EHR-S Function
HL7 EHR-S Function I.1.6Basic NHIN Access
HealthcareApplications/Components
Trust Registry
HealthcareFramework
Directory Access
Trust Network
Privacy
Communications
Authentication
CrossIndustryFramework
Identity Management
Security/ Encryption
Audit Services
Eclipse Base Framework
Execution Environment
Operating System
Computer Hardware
12
Example Vendor ePrescription Sub-Profile
Vendors use the Healthcare Framework to build
specialized profiles and applications like
ePrescribing. Installable Eclipse plug-ins
encapsulate the functions required to support
profiles and applications.
13
OverviewConceptual Healthcare Service
Architecture
Healthcare Service Bus (HSB)
Health Information Network
Health Information NetworkInfrastructure Services
Interoperability Services
Patient Information Services
Public Health Information Services
?
HL7 V3
?
?
Hospital, LTC,CCC, EPR
PhysicianOffice EMR
Lab System(LIS)
RadiologyCenterPACS/RIS
PharmacySystem
Public HealthServices
EHR Viewer
Physician/Provider
Physician/Provider
Physician/Provider
Lab Clinician
Radiologist
Pharmacist
Public Health Provider
POINT OF SERVICE
14
Overview--Healthcare Service Architecture
Health Information Network
PhysicianOffice EMR
Physician/Provider
POINT OF SERVICE
15
Open Health IT - HSB Messaging Stack
Healthcare Applications
HSB Support Services
Healthcare ProcessModel Execution Engine
LocalHealthcare Services
xHIN Protocols
xHIN Protocols
xHIN Protocols
xHIN Protocols
SOAP
SOAP
SOAP
SOAP
HTTP
HTTP
HTTP-S/MIME
HTTP
HTTP
Healthcare Service Bus
TCP/IP
Network Hardware
16
(No Transcript)
17
xHIN Identity Transport
Transport Envelope (http, smtp, file, )
SOAP Envelope
SOAP Header
wssSecurity
Sender ID Structural Role
Policy-based (Tier 0) Web Service Access Decision
Digital Signature (transport)
SenderFunctional Role
SAML Assertion Role
Encrypted(transport)
SAML Assertion Other
SenderOther
Other
Other
Policy-based (Tier 1) Target Object Access
Decision
SOAP Body
Query
Encrypted(transport,optional)
Document
Other
18
xHIN extensible Health Information Network
TM

• The xHIN technology represents both an
  architecture and a set of functional
  specifications that exhibits two essential
  attributes
• the ability to facilitate automation of clinical
  and business processes, and
• high extensibilitythe ease with which xHIN-based
  health information networks can be deployed,
  expanded and enhanced.

19
Security/Privacy Services

• May include
• Integrity
• Confidentiality
• Identity Management
• Access Control/Privilege Management
• Access Decision Service
• Access Policy Provisioning Service
• Audit
• Privacy
• Security
• Entity Registry Service
• Facilitates the location of an entitys PKI
  information and other information required to
  accomplish the exchange of healthcare
  information.
• Credential Authentication Service
• Credential Binding Service
• Credentials may be bound to an Identity
• Trust Correlation Service
• De-identification, Re-identification,
  Pseudnonymization

20
Entity Registry Service

• PKI identity services for entities are likely to
  be provided by many different parties- private,
  commercial and government. The Entity Registry
  Service facilitates the location of an entitys
  PKI information and other information required to
  accomplish the exchange of healthcare
  information. The entity data may be maintained
  by an Identity Provider. This service may
  leverage the EIS.

21
Access Control/Privilege Management

• Access Decision Service
• Taking into account asserted identity/credentials,
  target resource and other factors, returns a
  decision allowing or denying access to the target
  resource.
• May leverage Identity Authentication and
  Credential Authentication Services
• Access Policy Provisioning

22
Next Steps

• Reference/Resource Compilation
• Mailing List
• Telecon Schedule
• Sub-service Prioritization
• Initial Drafts

23
Eclipse OHF Architecture Overview
Internet
Display
Devices
Eclipse
Telecom
Automotive
Healthcare
Runtime
UI
Workbench Services
Non-core Servicesand Plug-ins
Business Intelligence and Modeling
Resources
JFace
Data Tools
Basic XML Services
SWT
Development Tools
Text
Update
Help
Rules Processing
Dynamic Code/Schema Management
Security (OSGi)
Smart Token Support
Wireless Support
Metering
Eclipse Core
Windows or Linux OS
Computer Hardware
24
Eclipse OHF Architecture Overview
Internet
Display
Devices
Eclipse
Applications
Healthcare
Runtime
UI
Workbench Services
Non-core Servicesand Plug-ins
Open Healthcare Framework
Business Intelligence and Modeling
Resources
JFace
Data Tools
Basic XML Services
SWT
Development Tools
XML Processing
Voice Services Support
HIPAA Support
Trust-based Network Support
EHR Support
Text
Update
Help
Web Service Support
Administrative Tools
Rules Processing
Dynamic Code/Schema Management
Security (OSGi)
Smart Token Support
Wireless Support
Metering
Eclipse Core
Windows or Linux OS
Computer Hardware
25
Eclipse OHF Architecture Overview
Internet
Display
Devices
Training
Clinical Testing
Knowledge Services
ePrescription
Practice Management
CCR Client
Telecom Services
Payer Services
Clinical Data Capture Support
Administrative Support
Dictation/Transcription
Registry Services
Trust Services Support
Patient Services
Applications
XML Processing
Voice Services Support
HIPAA Support
Trust-based Network Support
EHR Support
Web Service Support
Administrative Tools
Open Healthcare Framework
Dynamic Code/Schema Management
Rules Processing
Security (OSGi)
Smart Token Support
Wireless Support
Metering
Eclipse Core
Windows or Linux OS
Computer Hardware