Trust Relationships in the Health Care Enterprise - Webs of Trust

Transcription

1 Trust Relationships in the Health Care Enterprise - Webs of Trust Ronald B. Williams Application and Security Architectures Technology & Systems Planning Kaiser Foundation Health Plan, Inc. A Business View

2 Serving over 9.1 Million Members in 19 States and the District of Columbia 10,000 Physicians Kaiser Permanente 90,000+ Employees And a Lot of Hardware Open Group, Wednesday, April 29th,

3 Agenda Responsibilities of Data Processing Entities Health Care Trust Relationships Intra-organizational relationships Extra-organizational relationships CA s for the Health Care Enterprise Issues, Organizational & Technical Open Group, Wednesday, April 29th,

4 Disclaimer The examples contained in this presentation are intended as examples of trust relationships that may exist in the health care enterprise, and as such are not intended to be either exhaustive or definitive of any actual trust relationships in this or any other health care enterprise. This presentation will self destruct in 15 minutes. Open Group, Wednesday, April 29th,

5 Responsibilities of Data Processing Entities Europe Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1 Open Group, Wednesday, April 29th,

6 "WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (HIPAA) 2 "SEC (a) OFFENSE.--A person who knowingly and in violation of this part-- "(1) uses or causes to be used a unique health identifier; "(2) obtains individually identifiable health information relating to an individual; or "(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b). Open Group, Wednesday, April 29th,

7 "WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION "SEC (b) PENALTIES.--A person described in subsection (a) shall-- "(1) be fined not more than $50,000, imprisoned not more than 1 year, or both; "(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and "(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both. Open Group, Wednesday, April 29th,

8 Intra-organizational Trust Kaiser Permanente - 3 Corporations Kaiser Foundation Health Plan, Inc. Administers Health Plans Provides IT Services for Medical Groups and Hospitals Kaiser Foundation Hospitals, Inc. Administers Facilities and Non-Physician health care staff Kaiser Permanente Medical Groups Physician Services to Kaiser Members Open Group, Wednesday, April 29th,

9 Kaiser Corporations Financial & Administrative Data Kaiser Foundation Health Plan, Inc. Clinical Data Financial & Administrative Data Kaiser Permanente Kaiser Foundation Hospitals, Inc. Clinical Data Permanente Permanente Medical Permanente Groups Medical Permanente Groups Medical Groups Medical Groups Open Group, Wednesday, April 29th,

10 Primary Trust Relationships Our Members Individual Small Business Health Plans Corporate Health Plans Corporate Services Occupational Health and Safety Emergency Health Services Open Group, Wednesday, April 29th,

11 Kaiser Permanente & Member Kaiser Permanente Administration Lab & Test Results Physician Communication Advice Nurse / Call Center Benefits Information Appointments Claims Information Business & Clinical Data Family & Business Medical Plans Individual Small Business Corporate Emergency & Occupational Health Open Group, Wednesday, April 29th,

12 Extra-organizational Trust Relationships Governmental Agencies Health and Human Services Health Care Financing Administration (HCFA) (Medicare/Medicaid) Centers for Disease Control and Prevention State Health Departments County and Local Health Departments Open Group, Wednesday, April 29th,

13 Extra-organizational (continued) Quasi-regulatory Health Plan Employer Data and Information Set (HEDIS ) National Committee for Quality Assurance (NCQA) Joint Commission on the Accreditation of Healthcare Organizations Open Group, Wednesday, April 29th,

14 Kaiser Permanente & Regulatory and Quasi-Regulatory Bodies Kaiser Permanente Claims Outcomes Disease Management Finance & Administration Clinical & Financial Data Regulatory Agencies HCFA (Medicare/Medicaid) Centers for Disease Control & Prevention State Health Departments HEDIS NCQA JCAHO Open Group, Wednesday, April 29th,

15 Kaiser - External Relationships Affiliates Physician Networks Referral Providers Alliance Hospitals Occupational and Emergency Health Services Laboratory and Pharmacy Services Open Group, Wednesday, April 29th,

16 Kaiser Permanente & External Service Providers Kaiser Permanente Physicians Clinical Units Scheduling & Appointments Benefits Administration Finance & Administration Pharmacies Non-Kaiser Service Providers Laboratories Clinical & Business Data Affiliate Physician Providers Referral Providers Alliance Hospitals Open Group, Wednesday, April 29th,

17 Trust Relationships - Kaiser s Constellation Kaiser Foundation Health Plan, Inc. Non-Kaiser Service Providers Family & Business Medical Plans Kaiser Foundation Hospitals, Inc. Permanente Permanente Medical Permanente Groups Medical Permanente Groups Medical Groups Medical Groups Regulatory Agencies Open Group, Wednesday, April 29th,

18 Possible CA Scenario Health Care Organizational CA s Kaiser Foundation Health Plan, Inc. Kaiser Foundation Hospitals, Inc. Permanente Permanente Medical Permanente Groups Medical Permanente Groups Medical Groups Medical Groups Kaiser Permanente Members Governmental CA s HCFA (Medicare/Medicaid) Quasi-Regulatory CA s NCQA Other Industry CA s State Health Departments Centers for Disease Control & Prevention HEDIS JCAHO Other Health Care Service Providers Open Group, Wednesday, April 29th,

19 Organizational Issues Aside from legally mandated trust relationships What value does a trusted third party as CA bring to the healthcare trust environment? to what extent we will do it (CA) ourselves? What can healthcare enterprises due to facilitate and standardize interoperability between trusting partners Open Group, Wednesday, April 29th,

20 Full Featured PKI? How much does an authentication infrastructure cost? When will we have a full featured Security Infrastructure based on PK technology which will give us Standardized Authorization Engines Enterprise Level Audit-ability An acceptable hierarchical trust model Open Group, Wednesday, April 29th,

21 Imperfect Prognostications Large healthcare organizations will be likely establish there own CA s Geodesic (Masse & Fernandez 3 ) trust relationships will characterize inter-organizational healthcare trust policy Elvis will be elected President in the year 2000 Open Group, Wednesday, April 29th,

22 References 1 Directive of the European Parliament and of the Council of 24, October Health Insurance Portability and Protection Act of Risk Management in PKI s (Masse & Fernandes) [Thanx, Bob!] Open Group, Wednesday, April 29th,

23 Ronald Becker Williams Strategic Planning Specialist Application and Security Architecture Technology & Systems Planning KPInformation Technology vox: (818) fax: (818) Open Group, Wednesday, April 29th,