HIEs Get Privacy, Security Guidance
Recommendations Target Federally Funded Exchanges
Health information exchanges that have received federal funding now have a new set of federal recommendations for privacy and security policies and procedures.
The guidelines, for example, stress the importance of encrypting patient information, using two-factor authentication, educating patients about information exchange and offering patients access to their records compiled from multiple sources.
The Department of Health and Human Services' Office of the National Coordinator for Health IT on March 22 issued a "program information notice" that provides additional direction for federally funded HIEs "to tell them what we're looking for in their privacy and security frameworks," says Joy Pritts, ONC's chief privacy officer. Much of the guidance is based on recommendations from the Privacy and Security Tiger Team, which advises federal regulators, she adds.
The HITECH Act, part of the economic stimulus package, is providing more than $500 million for statewide and regional HIEs under "cooperative agreements," Pritts notes. Under those agreements, "we can say this is what we'd like to see you do," she adds.
The program information notice containing the guidance points out that HIEs that are not taking the recommended privacy and security steps must develop a "strategy, timeline and action plan for addressing these gaps."
NwHIN Rule in Works Too
In addition to the program information notice for federally funded HIEs, regulators are continuing work on a broader Nationwide Health Information Network Governance Rule, Pritts acknowledges.
"My suspicion is that the governance rule will have a broader applicability," she says, meaning the rule could apply to HIEs whether or not they receive federal funds. She would not predict when that proposed regulation, mandated under the HITECH Act, might be published.
Privacy, Security Guidelines
Among the recommendations included in the program information notice for federally funded HIEs, as Pritts explained in a March 27 presentation at the National HIPAA Summit and in an interview with HealthcareInfoSecurity, are:
Encryption. The notice includes "a strong recommendation about encrypting health information before exchanging it or just making sure that the channels that it is exchanged through are encrypted," she says.
Patient consent. HIEs that store, assemble or aggregate individually identifiable health information should ensure individuals have "meaningful choice" regarding whether their information may be exchanged through an HIE. The tiger team said "meaningful consent" can accommodate either an opt-out approach, which informs patients their information will be exchanged unless they choose to opt out, or the opt-in approach, in which patients are required to approve the exchange of their information in advance.
"What's really key here is that ... the individual understands how their information is going to be exchanged," Pritts says. As a result, providers participating in HIEs should educate patients and also inform them that they can revoke their consent for exchange at any time. Plus, participation in an HIE should not be used as a condition for receiving treatment.
Granular consent. The guidelines encourage HIEs to develop policies and technical approaches that offer individuals more granular consent for information exchange than just having all or none of their information exchanged. Thus, for example, a patient could grant consent for exchanging a portion of their information.
Access to records. HIEs that store, assemble or aggregate patient records with data from multiple providers should make concrete plans to give patients electronic access to their compiled information, according to the guidelines. They also should develop clearly defined processes for individuals to request corrections to their information and to resolve disputes about information accuracy. Pritts says this recommendation is important because "if a provider can go to one place and get your entire medical record, why can't you?"
Authentication. ONC recommends that HIEs use two-factor authentication for those exchanging information, using NIST 800-63 version 1.0.2 as a guide.
Requesting information. Providers requesting or accessing patient information electronically should be involved in treating the patient or in the process of establishing a treatment relationship with the patient, the guidelines note.