Wednesday, May 16, 2012

The California Privacy and Security Board Eliminated

The Governor's May Budget Revision for fiscal year 2011-2012 eliminates a number of state boards and commissions. The California Privacy and Security Advisory Board is one of the boards that has been eliminated. As a result of this decision, all CalPSAB functions officially ended effective June 30, 2011.

While the board activities will cease, the Health and Human Services Agency (HHSA) recognizes the importance of ongoing stakeholder input as California moves ahead with implementation of health information exchange. The California Office of Health Information and Integrity (CalOHII) will continue to support stakeholder participation and input on privacy and security issues through its support of the Privacy and Security Steering Teams and associated privacy and security workgroups. The work to establish the privacy and security policies that will enable the exchange of health information for better health care will continue, and we urge each of you to continue to provide your valuable experience, advice and insight through these ongoing processes.

The CalPSAB and the CalPSAB stakeholder process began in October 2007 as the first ongoing stakeholder process focused on critical privacy and security issues that are raised as a result of the widespread implementation of electronic health records and health information exchange. The CalPSAB and its accompanying stakeholder committee processes focused on privacy, security and legal issues quickly became an invaluable advisor to the HHSA. As California begins the work to transform the healthcare information infrastructure, CalPSAB’s contributions and legacy will continue to influence how California resolves the complex privacy and security issues.
 

 


 


Advisory Board Archive

Established in October of 2007, the California Privacy and Security Advisory Board (CalPSAB) provides private and public collaboration to address and coordinate health information exchange (HIE) privacy and security efforts in California. The CalPSAB's three committees (Privacy, Security and Legal) analyze issues, develop and evaluate the effectiveness of alternative solutions, and present recommendations to the CalPSAB. The CalPSAB reviews and approves their recommendations, and presents approved recommendations for consideration by the Secretary of the California Health and Human Services Agency. This organizational chart reflects our structure circa 2009. (For simplicity, task groups are not shown.)


MISSION STATEMENT – Develop and recommend privacy and security policies for California Health Information Exchange (HIE) that promote quality of care, respect the privacy and security of personal health information, and enhance trust.

SCOPE STATEMENT – These privacy and security policies shall apply to individual health information in any form whether accessed, licensed, stored, transmitted or maintained, except for individual health information that has not been accessed or transmitted on or after the effective date of these policies. An entity that has not electronically accessed, transmitted, or received individual health information is not subject to these policies until the date on which it begins accessing, transmitting or receiving individual health information electronically.


 


 

2010 CalPSAB Board Member List

 

Advisory Board Meetings:

Advisory Board Products:


 

CalPSAB Milestones

March 2011 - CalPSAB Approves Recommended Security Guidelines for electronic Health Information Exchange 

The California Privacy & Security Advisory Board (CalPSAB) has recently approved all 51 Security Guidelines (via online survey) recommended by the CalPSAB Security Committee.  The guidelines are the result of over three years of public and private stakeholder collaboration with healthcare security and IT professionals throughout California.  Significant guidelines include two-factor authentication from “unsecured locations” and attribute-based authorization, similar to the recommended Authorization Framework for NHIN Exchange.  The guidelines are separated into four distinct domains (Administrative Controls, Business Continuity & Contingency Planning, Facility & Equipment Controls, and Data Protection & User Access Controls).

Since HIPAA Security Standards were developed prior to initial federal eHIE efforts, the Security Committee identified security gaps that needed to be addressed to adequately safeguard eHIE and engender public trust in eHIE. As a result, some guidelines have been modified from the HIPAA version and additional guidelines were created using NIST and ISO/IEC standards.

March 4, 2011 - Two Factor Authentication
The Health IT Policy Committee has expressed its support for two-factor authentication for users who remotely access electronic health information through virtual private networks or online applications. Full article link: http://www.govhealthit.com/newsitem.aspx?nid=76416  

Link to: NHIN Exchange Authorization Framework


 

December 2010 – CalPSAB Announcement
A previous announcement on this Web site announced the restructuring of the Privacy and Security Committees with the creation of the Privacy and Security Steering Teams to function as the core membership for the respective committees.

The Committees were restructured because of the transitory nature of the majority of volunteers, which resulted in difficulties developing and completing security and privacy policy recommendations in a timely manner.

At their last meeting, the Advisory Board recommended that the Committees be renamed as the “Advisory Committee” and Steering Teams should be appropriately renamed as the Privacy or Security Committee. This change is now in effect.

The Committees will function as the core membership of the Advisory Committees for the purpose of continuity of knowledge, leadership, oversight and guidance.

The Advisory Committees will serve as an advisory body for the Committees and provide resources for committee and issue task groups as well as vetting newly developed security policies.


 

CalPSAB Proposed Privacy & Security Guidelines:

CalPSAB Coordination with California Health Information Exchange and Technology

The California Health and Human Services Agency serves as the lead agency on HIE and HIT issues for the State.  Achieving electronic health information exchange (HIE) through the application of health information technology (HIT) is one of the cornerstones of the overall healthcare reform strategy in California.  The following shows the interaction between this effort and CalPSAB.

Questions or Need More Information? Email PSAB@ohi.ca.gov


 


Privacy Committee Archive

December 2010 - CalPSAB Privacy Announcement

A previous announcement on this website announced the restructuring of the Privacy Committee with the creation of the Privacy Steering Team to function as the core membership for the Privacy Committee.

The Committee was restructured because of the transitory nature of the majority of volunteers, which resulted in difficulties developing and completing privacy policy recommendations in a timely manner.

At their October 2010 meeting, the Advisory Board recommended that the Privacy Committee be renamed as the “Privacy Advisory Committee” and “Privacy Steering Team” should be appropriately renamed as the “Privacy Committee”. This change is now in effect.

The Privacy Committee will function as the core membership of the Privacy Advisory Committee for the purpose of continuity of knowledge, leadership, oversight and guidance.

The Privacy Advisory Committee will serve as an advisory body for the Privacy Committee and provide resources for committee and issue task groups as well as vetting newly developed privacy policies.

 

Privacy Advisory Committee Overview:

The Privacy Advisory Committee will serve as an advisory body for the Privacy Committee and provide resources for committee and issue task groups as well as vetting newly developed privacy policies.


 

Privacy Committee Task Groups:

  • 2008-2010
    • Applicability (Joint Task Group)
    • Baseline
    • Consent Implementation
    • Verification of Identity

Privacy Committee Resources:

Privacy Committee Meetings: 

The Privacy Committee meets twice a month in 2011 on the first and third Tuesday of each month unless cancelled due to mitigating factors. All meetings, agendas, and other materials are posted to the Calendar of Events as they become available.

Privacy Committee dates for 2011 are:

2011 Committee Meetings: 1st Quarter

  • January
    • 01/04: Agenda
    • 01/18: Agenda
  • February
    • 02/01: Agenda, Meeting Summary
    • 02/15: Cancelled
  • March
    • 03/01: Agenda, Meeting Summary
    • 03/15: Agenda, Meeting Summary
  • April
    • 04/05: Cancelled
    • 04/19: Agenda, Meeting Summary


The Privacy Advisory Committee will meet quarterly during 2011 on:

2011 Privacy Advisory Committee Quarterly Meetings
  • March 22: Agenda, Presentation, Meeting Summary

The Committee meetings of 2010 and related materials will remain available on the Calendar of Events on the corresponding meeting dates.


 

Privacy Committee Work Space:


Security Committee Archive

What's New

 

March 2011 - CalPSAB Approves Recommended Security Guidelines for electronic Health Information Exchange (eHIE) 

The California Privacy & Security Advisory Board (CalPSAB) has recently approved all 51 Security Guidelines recommended by the CalPSAB Security Committee for the purpose of eHIE. The guidelines are the result of over three years of public and private stakeholder collaboration with healthcare security and IT professionals throughout California. Significant guidelines include two-factor authentication from “unsecured locations” and attribute-based authorization, similar to the recommended Authorization Framework for NHIN Exchange. The guidelines are separated into four distinct domains (Administrative Controls, Business Continuity & Contingency Planning, Facility & Equipment Controls, and Data Protection & User Access Controls).

Since HIPAA Security Standards were developed prior to initial federal eHIE efforts, the Security Committee identified security gaps that needed to be addressed to adequately safeguard eHIE and engender public trust in eHIE. As a result, some guidelines have been modified from the HIPAA version and additional guidelines were created using NIST and ISO/IEC standards.
 

Related News:  Two Factor Authentication

March 4, 2011 – The Health IT Policy Committee has expressed its support for two-factor authentication for users who remotely access electronic health information through virtual private networks or online applications.  Full article link: http://www.govhealthit.com/newsitem.aspx?nid=76416  


Link to: NHIN Exchange Authorization Framework

 

December 2010 - CalPSAB Approves Security Guidelines

At their December 9, 2010 meeting, the California Privacy & Security Advisory Board unanimously approved all 20 Security Guidelines submitted for their approval. This brings the current total of approved Security Guidelines to 23. For more information, please see Security Committee Products below.


Legal Committee Archive

Legal Committee Work Space:


Education Committee Archive

CalPSAB Education Committee Overview:

The California Privacy and Security Advisory Board (CalPSAB) Education Committee will develop educational resources and tools, for entities engaged in health information technology and exchange (HIT/E), around privacy and security standards. Implementation of these resources and tools will increase the understanding of how the technology works and ultimately increase confidence in the health information exchange system.

The Committee’s work will provide a framework for entities to develop their own educational resources. The Committee will develop educational tools, and determine how to target stakeholder audiences with specific message points. The Education Committee’s primary tasks will be:

  • Develop a standardized consent form
  • Develop generic educational tools to meet the greatest need
  • Identify and expand access to existing educational tools

Current committee members include representatives from healthcare providers, consumers, technical experts, and policy advocates. The Committee welcomes participation from anyone interested in working on these issues, particularly those in the marketing and public relations area.

Task Groups:

Active Task Groups

Future Task Groups

Committee Meetings:

Meets every 2nd Thursday of the month, unless otherwise indicated below due to conflicts of holidays and/or Board Meetings.

Committee Resources:

Toolkits are provided from the Health Information Security and Privacy Collaboration (HISPC) effort for both Consumer Education and Provider Education.  We wish to thank ONC, RTI and all those states who participated in developing these tools.

Education Committee Work Space: On Hold


HIE Committee Archive

Health Information Exchange Committee

September 14, 2009:  HIE Committee Consent Survey Results

HIE Committee Charter

The HIE Committee Charter was approved by the HIE Committee on October 8, 2009.  

HIE Committee Charter

Membership

This Committee shall be made up of representatives from health information exchange organizations, entities that operate electronic health record systems, vendors, and consumers.  Membership will include representatives from Regional Health Organizations in California and HIE and EHR vendors in California.  All health information exchange entities either active or in the planning stages are welcome to become members.  Members of this committee may be members on other committees or the Advisory Board.

Purpose

The committee shall be tasked to:

  • Provide  health information exchange organization perspective and advice on the privacy and security issues and guidelines
  • Review and make recommendations on privacy and security guidelines
  • Assist in the development of implementation strategies for privacy and security guidelines in a health information exchange setting
  • Develop detailed guidelines for selected use cases that are applicable to HIE
  • Review and inform the impact of detailed data elements supporting health information exchange
  • Identify privacy and security issues where the guidelines are silent or are creating administrative issues in implementation
  • Provide review of the privacy, security, legal and education committee proposals to the CalPSAB
  • When requested, shall develop, comment on, or review issues that are not directly within the scope of privacy and security; e.g., HIE evaluation tools, sustainability models, clinical priorities and use cases, public health reporting, and quality measures, etc.


Committee Meetings:

Meets every 1st Thursday of the month, unless otherwise indicated below due to conflicts with holidays and/or board meetings.

Committee Products:

  • Coming Soon

HISPC Archive

Health Information Security and Privacy Collaboration (HISPC)

California’s participation in the Health Information Security and Privacy Collaboration (HISPC) initiated diverse public and private health care industry involvement toward securing the privacy and confidentiality of personal information in HIE. Recognizing California’s unique challenges due to its large population, geography, and industry, multiple stakeholders actively engaged in the three RTI project phases of data collection, solutions analysis, and implementation plan development throughout the eight-month contract. The CA Team, a public-private partnership between the California (State) Office of HIPAA Implementation (CalOHI) and the California Regional Health Information Organization (CalRHIO), managed the project. The team also included several nationally recognized legal, health, and technical experts, including Manatt, Phelps, and Phillips, LLP, and the consulting firms of Object Health and Medical Management Services, and the RMA Consulting Group.

California’s Final Assessment of Variations and Analysis of Solutions – March 2007 (PDF-1020K)

California’s Final Implementation Plan – April 2007 (PDF-330K)
 


eHealth Archive

Achieving electronic health information exchange (HIE) through the application of health information technology (HIT) is one of the cornerstones of the overall healthcare reform strategy in California. Effective application of HIT and the implementation of interoperable HIE are key strategies to achieve the goals of better health care outcomes, efficiencies in the delivery of healthcare, and strengthening our emergency and disaster response preparedness. California State government is involved in many initiatives and projects that support these goals. This site will provide you with the latest news on what state entities are doing to achieve these goals as well as key links to national efforts to promote and implement HIE and HIT.

The California Health and Human Services Agency (CHHS) serves as the lead agency on eHealth issues for the State. CHHS works with the State Chief Information Officer (CIO), the Department of Managed Care and the Business, Transportation and Housing Agency to oversee the State’s HIE and HIT related efforts.

Visit the California eHealth website for continuing updates and new information on all major HIE/HIT activities. In addition to the latest news and developments, you will be able to obtain more information through links to the major HIE/HIT efforts underway in California.

HIE Implementation: Several Road Blocks Exist and Consent May Be Integral In Moving Forward

This paper summarizes the roadblocks to implementing HIE, such as inadequacy in the laws and still-developing technology. It suggests that patient consent may be an avenue for moving forward in the implementation of Health Information Exchange. It includes many attachments developed during the CalPSAB process.

CalOHII White Paper: Analysis of the Risks Inherent in Implementing HIE Services & Strategies on How to Proceed in Development of HIE Policies and Standards

This paper integrates some of the existing HIE concerns identified during the CalPSAB process with an analysis of California laws and case interpretations on privacy. It provides three strategies for moving forward in developing HIE: patient consent, law harmonization and modernization, and proceeding incrementally, focusing on treatment first.

American Recovery and Reinvestment Act of 2009

Following is CalOHII's analysis of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) portion of the American Recovery and Reinvestment Act of 2009.