81 FR 10635 - Health IT Policy Committee and Health IT Standards Committee: Schedule and Recommendations

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary

Federal Register Volume 81, Issue 40 (March 1, 2016)

Page Range: 10635-10636
FR Document: 2016-04238

This notice fulfills obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), which amended the Public Health Service Act (PHSA). Section 3003(b)(3) of the PHSA mandates that the Health IT Standards Committee (HITSC) develop an annual schedule for the assessment of policy recommendations developed by the Health IT Policy Committee (HITPC) and publish the schedule in the Federal Register. This notice fulfills the requirements of section 3003(b)(3) and updates the HITSC schedule posted in the Federal Register on August 10, 2015. This notice also meets the requirements under sections 3002(e) and 3003(e) for publication in the Federal Register of recommendations made by the HITPC and HITSC, respectively. Further, this notice serves to meet the requirements of section 3004(a)(3) for publication in the Federal Register of determinations by the Secretary of Health and Human Services regarding HITSC-recommended certification criteria endorsed by the National Coordinator for Health Information Technology.

[Federal Register Volume 81, Number 40 (Tuesday, March 1, 2016)]
[Notices]
[Pages 10635-10636]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-04238]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary


Health IT Policy Committee and Health IT Standards Committee: 
Schedule and Recommendations

AGENCY: Office of the National Coordinator for Health Information 
Technology, Department of Health and Human Services.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice fulfills obligations under the Health Information 
Technology for Economic and Clinical Health (HITECH) Act, Title XIII of 
Division A and Title IV of Division B of the American Recovery and 
Reinvestment Act of 2009 (Pub. L. 111-5), which amended the Public 
Health Service Act (PHSA). Section 
3003(b)(3) of the PHSA mandates that the Health IT Standards Committee 
(HITSC) develop an annual schedule for the assessment of policy 
recommendations developed by the Health IT Policy Committee (HITPC) and 
publish the schedule in the Federal Register. This notice fulfills the 
requirements of section 3003(b)(3) and updates the HITSC schedule 
posted in the Federal Register on August 10, 2015. This notice also 
meets the requirements under sections 3002(e) and 3003(e) for 
publication in the Federal Register of recommendations made by the 
HITPC and HITSC, respectively. Further, this notice serves to meet the 
requirements of section 3004(a)(3) for publication in the Federal 
Register of determinations by the Secretary of Health and Human 
Services regarding HITSC-recommended certification criteria endorsed by 
the National Coordinator for Health Information Technology.

FOR FURTHER INFORMATION CONTACT: Michael Lipinski, Office of Policy, 
Office of the National Coordinator for Health Information Technology, 
202-690-7151.

SUPPLEMENTARY INFORMATION: This notice fulfills obligations under the 
Health Information Technology for Economic and Clinical Health (HITECH) 
Act, Title XIII of Division A and Title IV of Division B of the 
American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), which 
amended the Public Health Service Act (PHSA).

Health IT Standards Committee Schedule

    Section 3003(b)(3) of the PHSA mandates that the Health IT 
Standards Committee (HITSC) develop an annual schedule for the 
assessment of policy recommendations developed by the Health IT Policy 
Committee (HITPC) and publish it in the Federal Register. The HITSC's 
schedule for the assessment of HITPC recommendations updates the HITSC 
schedule published on August 10, 2015, and is as follows:
    The National Coordinator for Health Information Technology 
(National Coordinator) will establish priority areas based in part on 
recommendations received from the HITPC regarding health IT standards, 
implementation specifications, and/or certification criteria. Once the 
HITSC is informed of those priority areas, it will:
    (A) Identify the best mechanism by which to organize itself in 
order to respond to the National Coordinator within 90 days with, at a 
minimum, the following:
    (1) An assessment of what standards, implementation specifications, 
and certification criteria are currently available to meet the priority 
area;
    (2) An assessment of where gaps exist (i.e., no standard is 
available or harmonization is required because more than one standard 
exists) and identify potential organizations that have the capability 
to address those gaps; and
    (3) A timeline, which may also account for the National Institute 
of Standards and Technology (NIST) testing, where appropriate, and 
include dates when the HITSC is expected to issue recommendations to 
the National Coordinator.
    (B) In responding to the National Coordinator:
    (1) Approve a timeline by which it will deliver recommendations to 
the National Coordinator; and
    (2) Determine whether to establish a task force to conduct research 
and solicit testimony, where appropriate, and issue recommendations to 
the full committee in a timely manner.
    (C) Advise the National Coordinator, consistent with the accepted 
timeline in (B)(1) and after NIST testing, where appropriate, on 
standards, implementation specifications, and/or certification 
criteria, for the National Coordinator's review and determination 
whether or not to endorse the recommendations, and possible adoption of 
the proposed recommendations by the Secretary of the Department of 
Health and Human Services (Secretary).
    The standards and related topics which the HITSC is expected to 
address in 2016 include, but may not be limited to: Quality 
measurement; precision medicine; security; consumer-mediated 
information exchange; public health; technical interoperability 
experience in the field; and updates to the Office of the National 
Coordinator for Health Information Technology (ONC)'s Interoperability 
Standards Advisory(ies).

HITPC and HITSC Recommendations

    Sections 3002(e) and 3003(e) of the PHSA provide for publication 
of HITPC and HITSC recommendations in the Federal Register. ONC will 
post all recommendations received from the HITPC on its Web site at: 
https://www.healthit.gov/facas/health-it-policy-committee/health-it-policy-committee-recommendations-national-coordinator-health-it. ONC 
will post all recommendations received from the HITSC on its Web site 
at: https://www.healthit.gov/facas/health-it-standards-committee/health-it-standards-committee-recommendations-national-coordinator. All 
prior recommendations received from the HITPC and HITSC can be found at 
these respective Web site addresses.

HITSC Privacy and Security Recommendations

    Section 3004(a)(3) of the PHSA provides for publication in the 
Federal Register of determinations by the Secretary regarding HITSC-
recommended certification criteria endorsed by the National 
Coordinator.
    On March 30, 2015, ONC issued a notice of proposed rulemaking with 
comment period for the 2015 Edition health IT certification criteria 
(80 FR 16804). Subsequently, on June 5, 2015, the HITSC submitted a 
transmittal letter to the National Coordinator which contained the 
HITSC recommendations for the adoption of two new certification 
criteria for the ONC Health IT Certification Program. The two 
certification criteria are:
    1. A criterion for encrypting authentication credentials; and
    2. A multi-factor authentication criterion for user access to 
health information.
    The National Coordinator endorsed these recommendations for 
consideration by the Secretary and the Secretary has determined that it 
is appropriate to propose adoption of these two new certification 
criteria through rulemaking. Therefore, the Secretary, within a 
reasonable period of time, will propose adoption of the certification 
criteria noted above in an available and appropriate notice of proposed 
rulemaking.

    Authority: 42 U.S.C. 300jj-11-14; Office of the National 
Coordinator for Health Information Technology; Delegation of 
Authority (74 FR 64086, Dec. 7, 2009).

    Dated: February 23, 2016.
Karen DeSalvo,
National Coordinator for Health Information Technology.
[FR Doc. 2016-04238 Filed 2-26-16; 4:15 pm]
 BILLING CODE 4150-45-P



Federal Register / Vol. 81, No. 40 / Tuesday, March 1, 2016 / Notices / 10635

Breach Notification Rule [7] which requires notification to affected
individuals when a breach of data occurs.
    We are considering creating a new version of the MPN that would
expand its scope beyond PHR companies and include more types of
information practices. A modernized MPN would serve as a voluntary
resource for health technology developers who want to give notice of
their information practices to their users in an understandable way.
Therefore, ONC requests public comment from consumers, mobile and web
application developers, privacy advocates, user experience and design
experts, and other health technology stakeholders on any updates that
should be made to the content of the MPN to make it more useful to both
health technology developers and consumers.
    While we encourage comments on all aspects of the MPN, ONC
specifically seeks comment on the topics specified below. We note that
the MPN does not recommend best practices to health technology
developers, and we do not seek recommendations about best practices.
Rather, ONC seeks comment concerning what information practices health
technology developers should disclose to consumers and what language
should be used to describe those practices in an updated MPN. Examples
of information practices below are included to clarify the intent of
the questions, but are not intended to be exhaustive. ONC invites
commenters to discuss any examples that are relevant to the broad
issues of which types of personal information and information practices
should be addressed in an updated MPN.
    1. User scope: What types of health technology developers,
including non-covered entities and potentially HIPAA-covered entities,
could and should use an updated voluntary MPN?
    2. Information type: What information types should be considered in
and out of scope for the MPN? Examples could include, but are not
limited to: Names, account access information, credit card numbers, IP
address information, social security numbers, telephone numbers (cell
and landline), GPS or geo-location data, data about how a consumer's
body functions ranging from heart rate to menstrual cycle, genomic
data, and exercise duration data such as number of steps or miles
clocked.
    3. Information practices: What types of practices involving the
information types listed in Question 2 above should be included in the
MPN? An information practice is what the company does with the data
that it has collected. Types of practices that could be in scope for
the MPN include, but are not limited to: Sale of data, including
geo-location data; sale of anonymized or de-identified data, with or
without restrictions on re-identification; sale of identifiable data;
sale of statistics aggregated from identifiable data; use of data by
the original collector to market products to the consumer; allowing
third parties to use the data for marketing purposes; allowing
government agencies to access the data, and for what purposes (such as
law enforcement or public health); allowing researchers at academic and
non-profit institutions to access either identifiable or de-identified
data; access to the data by employers, schools, insurance companies or
financial institutions with or without the consumer's consent; and
retention or destruction of consumer data when the relationship between
the health technology developer and consumer terminates.
    4. Sharing and storage: What privacy and security issues are
consumers most concerned about when their information is being
collected, stored, or shared? Examples could include whether a health
technology developer stores information in the cloud or on the
consumer's device, or whether the information collected is accessed,
used, disclosed, or stored in another country.
    5. Security and encryption: What information should the MPN convey
to the consumer regarding specific security practices, and what level
of detail is appropriate for a consumer to understand? For example, a
health technology developer could state that the product encrypts data
at rest, or that it uses 128-bit or 256-bit encryption. How can
information about various security practices, often technical in
nature, be presented in a way that is understandable for the consumer?
Examples could include encryption at rest or encryption in transit, or
whether information is encrypted on the device or in the cloud.
    6. Access to other device information: What types of information
that an application is able to access on a consumer's smartphone or
computer should be disclosed? How should this be conveyed in the MPN?
Examples include a health application accessing the content of a
consumer's text messages, emails, address books, photo libraries, and
phone call information.
    7. Format: How should the MPN describe practices about the format
in which consumer information is stored or transmitted (e.g.,
individually identifiable or de-identified, aggregate, or anonymized),
particularly when their information is being shared with, or sold to,
third parties? How should anonymized or de-identified information be
defined for the purposes of the MPN? What existing definitions of
"anonymized" or "de-identified" information are widely in use that
could be potentially leveraged in conjunction with the MPN to clearly
convey these practices to consumers? [8]
    8. Information portability: How should the MPN describe to
consumers whether an application enables the consumer to download or
transmit their health information? How should the MPN describe the
consumer's ability to retrieve or move their data when the relationship
between the consumer and the health technology developer terminates?
Examples include if a consumer ends their subscription to a particular
health technology service, or when a health technology developer's
product is discontinued.
    ONC seeks broad input from stakeholders on updating the MPN so that
the tool is useful for current health technology developers and
consumers. Individuals and organizations with common interests are
urged to both coordinate and consolidate their comments.

    Authority: 42 U.S.C. 300jj-11; Office of the National Coordinator
for Health Information Technology; Delegation of Authority (76 FR
58006, Sept. 19, 2011).

    Dated: February 23, 2016.
Karen DeSalvo,
National Coordinator for Health Information Technology.
[FR Doc. 2016-04239 Filed 2-26-16; 4:15 pm]
 BILLING CODE 4150-45-P

    [7] 16 CFR part 318.
    [8] See, e.g., 45 CFR 164.514(a) (HIPAA Privacy Rule) as a
potential standard for de-identification of protected health
information.
                                                    Committee (HITSC) develop an annual
                                                                                                            technical interoperability experience in              Authority (74 FR 64086, Dec. 7, 2009).
                                                    schedule for the assessment of policy
                                                                                                            the field; and updates to the Office of                 Dated: February 23, 2016.
                                                    recommendations developed by the
                                                                                                            the National Coordinator for Health
                                                    Health IT Policy Committee (HITPC)                                                                            Karen DeSalvo,
                                                                                                            Information Technology (ONC)’s
                                                    and publish it in the Federal Register.                                                                       National Coordinator for Health Information
                                                                                                            Interoperability Standards
                                                    The HITSC’s schedule for the                                                                                  Technology.
                                                                                                            Advisory(ies).
                                                    assessment of HITPC recommendations                                                                           [FR Doc. 2016–04238 Filed 2–26–16; 4:15 pm]
                                                    updates the HITSC schedule published                    HITPC and HITSC Recommendations                       BILLING CODE 4150–45–P
                                                    on August 10, 2015, and is as follows:                    Sections 3002(e) and 3003(e) of the
                                                      The National Coordinator for Health                   PHSA provides for publication of HITPC
                                                    Information Technology (National                        and HITSC recommendations in the                      DEPARTMENT OF HEALTH AND
                                                    Coordinator) will establish priority areas              Federal Register. ONC will post all                   HUMAN SERVICES
                                                    based in part on recommendations                        recommendations received from the
asabaliauskas on DSK5VPTVN1PROD with NOTICES




                                                    received from the HITPC regarding                                                                             National Institutes of Health
                                                                                                            HITPC on its Web site at: https://
                                                    health IT standards, implementation                     www.healthit.gov/facas/health-it-policy-              National Institute on Aging; Notice of
                                                    specifications, and/or certification                    committee/health-it-policy-committee-                 Closed Meeting
                                                    criteria. Once the HITSC is informed of                 recommendations-national-coordinator-
                                                    those priority areas, it will:                          health-it. ONC will post all                            Pursuant to section 10(d) of the
                                                      (A) Identify the best mechanism by                    recommendations received from the                     Federal Advisory Committee Act, as
                                                    which to organize itself in order to                    HITSC on its Web site at: https://                    amended (5 U.S.C. App.), notice is
                                                    respond to the National Coordinator                     www.healthit.gov/facas/health-it-                     hereby given of the following meeting.





Document Created: 2018-02-02 14:59:44
Document Modified: 2018-02-02 14:59:44
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice.
Contact: Michael Lipinski, Office of Policy, Office of the National Coordinator for Health Information Technology, 202-690-7151.
FR Citation: 81 FR 10635
