[Federal Register Volume 72, Number 89 (Wednesday, May 9, 2007)]
[Notices]
[Pages 26392-26394]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 07-2277]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Office of the National Coordinator for Health Information 
Technology; American Health Information Community Confidentiality, 
Privacy, and Security Workgroup; Meeting

ACTION: Announcement of meeting.

-----------------------------------------------------------------------

SUMMARY: This notice announces the 11th meeting of the American Health 
Information Community Confidentiality, Privacy, and Security Workgroup 
in accordance with the Federal Advisory Committee Act (Pub. L. 92-463, 
5 U.S.C., App.).

DATES: June 22, 2007, from 10 a.m. to 4:30 p.m. [Eastern].



ADDRESSES: Hubert H. Humphrey Building (200 Independence Avenue, SW., 
Washington, DC 20201), Conference Room 505A (please bring photo ID for 
entry into a Federal building).

FOR FURTHER INFORMATION: http://www.hhs.gov/health/ahic/confidentiality/

    Purpose: The Workgroup Members will continue discussing the working 
hypothesis and evaluate the confidentiality, privacy, and security 
protections for participants in an electronic information exchange 
network at a local, state, regional, and nationwide level. The meeting 
will be available via Web cast. For additional information, go to: 
http://www.hhs.gov/healthit/cps_instruct.html.

SUPPLEMENTARY INFORMATION: The American Health Information Community 
Confidentiality, Privacy, and Security (CPS) workgroup is seeking 
public feedback on its working hypothesis. To submit comments via 
e-mail (preferred), please send them to [email protected] (to ensure 
that your e-mail is received and appropriately filed, we ask that you 
put ``CPS June 2007 Public Comment'' in the subject line of your 
e-mail) or mail your comments to Steven Posnack, Office of the National 
Coordinator (ONC), 330 C Street, SW., Suite 4090, Washington, DC 20201. 
Written testimony submitted by the public is not required to address 
all of the questions listed below, and answers to any or all of the 
questions will be accepted so long as they comply with the following 
guidelines. Comments should be double-spaced and submitted via e-mail 
or mail by 5 p.m. Eastern Daylight Time on June 4, 2007, in order to 
receive consideration by the CPS workgroup.
    For the past several months, the CPS workgroup has been refining 
the following ``working hypothesis'' as an approach to gather 
information and develop recommendations regarding the protections that 
should apply to certain persons and entities in a nationwide health 
information exchange environment. The main tenet of the ``working 
hypothesis'' is as follows:
    All persons and entities excluding consumers that participate in an 
electronic health information exchange network at a local, state, 
regional or nationwide level, through which individually identifiable 
electronic health information is stored, compiled, transmitted, or 
accessed, should be required to meet privacy and security criteria at 
least equivalent to relevant Health Insurance Portability and 
Accountability Act (HIPAA) Privacy and Security Rule requirements. In 
this case, HIPAA is used to help establish a common understanding of 
what federal health information privacy and security requirements apply 
to whom and for what. Its inclusion in the ``working hypothesis'' 
should not be misinterpreted to mean the CPS workgroup is only 
considering HIPAA-focused recommendations. Rather, the CPS workgroup 
intends to evaluate, in the future, whether the overall, baseline 
standard for participating in these networks should be changed to a 
standard that is different from or exceeds the current HIPAA privacy 
and security rules.
    The CPS workgroup is interested to hear from any party that may be 
affected by its ``working hypothesis.'' Responses should address the 
following questions in the sections below. Please reference the section 
with which your comment is associated when making a comment.

1. Enforceable Mechanisms

    The CPS workgroup understands that there may be one or more 
appropriate mechanisms to properly enforce and ensure that 
confidentiality, privacy, and security requirements are met in an 
electronic health information exchange environment. Therefore, the 
workgroup is interested in comments on appropriate, effective, and 
feasible ways to enforce confidentiality, privacy, and security 
protections in this new environment. Comments will be considered by the 
workgroup for the purposes of developing one or more recommendations 
associated with the ``working hypothesis'' above.

2. Relevant Requirements

    For a given participant's characteristics and role in an electronic 
health information environment, certain confidentiality, privacy, and 
security requirements may be more relevant than others. The CPS 
workgroup requests comment as to whether particular confidentiality, 
privacy, and security requirements equivalent to those in the HIPAA 
Privacy and Security Rules should or should not apply to a particular 
type of person or entity and why. Please identify specific section(s) 
of the HIPAA Privacy and Security Rules. The following examples have 
been developed to identify the level of detail and specificity the 
workgroup is seeking in a response:

    Example 1: Similar to the treatment of health care 
clearinghouses under the HIPAA Privacy Rule, it may not be 
appropriate for a health information exchange organization to 
provide privacy notices (Section 164.500(b)).
    Example 2: With respect to Section 164.510 of the HIPAA Privacy 
Rule, a health information exchange organization may not have a 
function analogous to a ``facility directory'' and therefore 
compliance with that type of requirement may not be appropriate.

3. Business Associates

    The CPS workgroup is concerned that an electronic health 
information exchange environment may lead to an unwieldy amount of 
contractual relationships in the form of business associate agreements 
each with their own specific confidentiality, privacy, and security 
nuances--with limited direct enforcement. The workgroup is seeking 
comments on the pros and cons of having business associates directly 
responsible for HIPAA requirements--not through contractual 
arrangements. If you are a business associate please answer the 
following questions:
    (A) How does your organization ensure compliance with the privacy 
and security policies of covered entities with whom it contracts, 
particularly when there are numerous contracts?
    (B) How do you handle business associate contracts with large 
numbers of covered entities including compliance with each covered 
entity's privacy policies?
    (C) How are business associate agreements negotiated? Do you have a 
standard contract?
    (D) How is the data protection compliance of subcontractors ensured 
and/or assessed?
    (E) Do you have subcontractors and how do you handle those 
agreements?
    (F) How would direct accountability for meeting relevant HIPAA 
requirements impact your business?

4. General Questions

    The CPS workgroup is seeking comment on any of the following 
additional questions.
    (A) What are the implications of having some entities performing 
similar services covered by federal law (e.g., HIPAA) and others not? 
For example, a personal health record (PHR) could be offered by a 
health plan (covered entity) and an independent PHR service provider 
(non-covered entity).
    i. How does this impact your competitiveness?
    ii. How does this impact your ability to exchange information with 
others?
    iii. Does contracting with non-covered entities create different 
levels of accountability and/or enforceability in the exchange of 
health information?
    (B) Assuming you are not a covered entity, what would be the 
implications of complying with enforceable confidentiality, privacy, 
and security requirements at least equivalent to relevant HIPAA 
principles?


    (C) Is there a minimum set of confidentiality, privacy, and 
security protections that you think everyone should follow, and if not 
HIPAA, what?
    The meeting will be available via Web cast. For additional 
information, go to http://www.hhs.gov/healthit/ahic/cps_instruct.html.

    Dated: May 2, 2007.
Judith Sparrow,
Director, American Health Information Community, Office of Programs and 
Coordination, Office of the National Coordinator for Health Information 
Technology.
[FR Doc. 07-2277 Filed 5-8-07; 8:45 am]
BILLING CODE 4150-24-M