[Federal Register Volume 62, Number 140 (Tuesday, July 22, 1997)]
[Notices]
[Pages 39245-39246]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-19137]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


National Committee on Vital and Health Statistics: Meetings

    Pursuant to the Federal Advisory Committee Act, the Department of 
Health and Human Services announces the following advisory committee 
meetings.

    Name: National Committee on Vital and Health Statistics (NCVHS), 
Subcommittee on Health Data Needs, Standards, and Security. 
Workgroup on Data Standards and Security.
    Times and Dates: 9:00 a.m.-4:30 p.m., August 5, 1997; 8:30 a.m.-
4:30 p.m., August 6, 1997; 8:30 a.m.-4:00 p.m., August 7, 1997.
    Place: Capital Hilton, 16th and K Streets, NW., Washington, DC 
20201.
    Status: Open.
    Purpose: Under the Administrative Simplification provisions of 
P.L. 104-191, the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA), the Secretary of Health and Human Services is 
required to adopt standards for specified transactions to enable 
health information to be exchanged electronically. The law requires 
that, within 24 months of adoption, all health plans, health care 
clearinghouses, and health care providers who choose to conduct 
these transactions electronically must comply with these standards. 
The law also requires the Secretary to adopt a number of supporting 
standards including standards for code sets and classification 
systems and standards for security to protect health information. 
The Secretary is required to consult with the National Committee on 
Vital and Health Statistics (NCVHS) in complying with these 
provisions. The NCVHS is the Department's federal advisory committee 
on health data, privacy and health information policy.
    To assist in the development of the NCVHS recommendations to 
HHS, the NCVHS Subcommittee on Health Data Needs, Standards, and 
Security has been holding a series of public meetings to obtain the 
views, perspectives and concerns of interested and affected parties.
    On August 5, and August 6, 1997, the Subcommittee's Working 
Group on Data Standards and Security will hold a public meeting at 
which they will receive input from the health care industry on 
recommendations for security standards. The Subcommittee is 
interested in receiving testimony that will provide an understanding 
of the foundation of information security in health care as well as 
the issues, barriers, and challenges that face the industry. 
Representatives of the health care industry--health care providers, 
payers, professional associations, vendors, and standards 
development organizations--are being invited to testify and respond 
to the Subcommittee's questions on security issues in the 
implementation of the administrative simplification provisions of 
P.L. 104-191. The industry representatives are being asked to 
address the questions (below) in writing, to make brief oral 
presentations of their answers, and to answer further questions from 
the Subcommittee. Other organizations that would like to submit 
written statements on these issues are invited to do so.
    On August 7, 1997, the Subcommittee will discuss issues, 
recommendations, and its proposed workplan for the supporting 
standards for the nine financial and administrative health care 
transactions. The full NCVHS has already forwarded its 
recommendations on the architecture for these nine transactions to 
the Secretary.
    Questions to be Addressed: Whereas not all questions are 
applicable to all participants or their organizations, the following 
set of questions illustrates the scope and complexity of the 
security issues to be addressed by the Committee.

Policies and Procedures

     What policies and procedures should be employed to 
safeguard information?
     How should these policies and procedures be 
communicated to internal and external users as well as consumers?
     How frequently are policies reviewed?
     Do employees, agents, independent contractors, medical 
staff, and vendors sign confidentiality statements?
     What are the consequences of a security breach by an 
individual? What type of disciplinary action is taken?
     How do you protect employee health information, 
particularly if you self-administer a benefit plan?
     How do you monitor electronic files to detect 
unauthorized changes or systematic corruption?
     How do you protect backups? What abilities do you have 
to recover files that become corrupted or lost?

Organization Commitment

     What approaches have been successful in your 
organization in obtaining upper management commitment to data 
security? What approaches have been less than successful?
     Who is accountable to manage the information security 
program in your organization?
     What level of authority should review and approve 
policies?
     Has your organization assigned staff dedicated to 
information security? Please describe the reporting structure for 
information security at your organization.
     How do you determine who can have access to health 
information? Do you have different classes of access based on the 
sensitivity of the health information (e.g., more restrictive access 
to HIV status or mental health diagnoses)?
     Has cost been a factor in limiting your information 
security program? How would you determine the appropriate cost of 
security?
     What factors should be considered in assessing the 
costs and benefits of security? How should these factors be 
weighted?
     Based on your experience, what are the impediments to 
implementing health information security measures?
     How would federal legislation or regulations requiring 
the protection of health information affect the information security 
program at your organization?

Training

     What are the objectives of your data security training 
program?
     Who receives training in information security?
     How is training delivered?
     Is training customized to user class?
     How often is training repeated?

Technical Practices

     Are unique passwords used?
     Are tokens, smart cards, or biometrics used for 
authentication?
     Is access control handled through technology or through 
policy?
     How do you protect remote access points?
     Is encryption used for internal or external 
transmissions?
     If you use encryption, do you use it for your password, 
your patient identifier, your clinical information, or the entire 
patient record message?
     When you use encryption, do you use secure socket layer 
(SSL), data encryption standard (DES), or another encryption 
standard? Why did you select this particular encryption standard?
     What are the initial and ongoing costs associated with 
encryption?
     Do you transmit or plan to transmit patient 
identifiable information over the Internet? How is the information 
to be safeguarded?
     What physical security measures do you use?
     Are different security practices required for a private 
network?
     What type of unique identifier do you use to identify 
patient information?
     Do you use electronic signatures? If yes, explain the 
applications, the type of technology used, and liability issues, if 
any.

Patient Awareness/Authorization

     Are patients informed of your organization's policies 
and procedures on information security? If so, how? Do you have 
specific educational tools that you use to educate patients/
consumers?
     Do patients review their information? How do patients 
amend incorrect information (particularly if maintained 
electronically)?
     Do patients have access to the audit trail of all those 
who have looked at their patient record?
     Can patients request that their information not be 
computerized?

Vendors and Data Security Consultants

     What security features do your products employ?
     What security features are customers asking for?
     Is cost a factor?
     Can security technology being used in other industries 
be integrated into your products?
     How do you help a client identify their data security 
risks, threats, and exposures?
     How do you help a client develop an effective data 
security strategy, design, or architecture?
     How do you avoid technology-dependent security 
procedures and systems?

SDOs/Accreditation Organizations

     What standards presently exist regarding security?
     Are the existing standards adequate for adoption by the 
Secretary of HHS?
     What standards must organizations meet in order to be 
accredited by your organization?
     What plans are underway to address security 
requirements?
     Do you feel that there is a need for the federal 
government to provide leadership in this area?
    Contact Person for More Information: Substantive program 
information as well as summaries of the meeting and a roster of 
committee members may be obtained from Judy K. Ball, Committee 
staff, Office of the Assistant Secretary for Planning and 
Evaluation, DHHS, Room 440-D, Humphrey Building, 200 Independence 
Avenue SW, Washington, DC 20201, telephone (202) 690-7100, or from 
Marjorie S. Greenberg, Executive Secretary, NCVHS, NCHS, CDC, Room 
1100, Presidential Building, 6525 Belcrest Road, Hyattsville, MD 
20782, telephone (301) 436-7050. Information is also available on 
the NCVHS home page of the HHS website: http://aspe.os.dhhs.gov/
ncvhs/.

    Dated: July 14, 1997.
James Scanlon,
Director, Division of Data Policy, Office of the Assistant Secretary 
for Planning and Evaluation.
[FR Doc. 97-19137 Filed 7-21-97; 8:45 am]
BILLING CODE 4151-04-M