Keeping Data Queries, Responses Secure

Tiger Team Examines Health Data Exchange Issues
Keeping Data Queries, Responses Secure

The Privacy and Security Tiger Team, which advises federal regulators, is tackling the issues involved in the exchange of patient information among healthcare providers using the query and response method.

See Also: OnDemand | What’s Old is New Again: Protecting Yourself From Check Fraud

The tiger team plans to make recommendations to the HIT Policy Committee in April that address several query/response scenarios. Those scenarios include: A HIPAA-compliant targeted data query by a healthcare provider to another provider for information needed when treating a patient; a targeted query by a healthcare provider to another provider for patient information in a situation where more stringent state privacy laws than HIPAA are in effect; and a non-targeted query, such as a provider sending a query via a health information exchange for all records about a patient from their previous healthcare providers, who are not known.

"We took up these query policy issues in response to a recommendation from the [HIT Policy Committee] information exchange workgroup that query/response capabilities be required for EHR certification in Stage 3" of the HITECH Act electronic health record incentive program, says Deven McGraw, who chairs the tiger team. "But any recommendations we craft can be used for Office of National Coordinator for Health IT in any way it sees fit."

In addition to beginning its work on the requirements for Stage 3 of the "meaningful use" incentive program, which starts in 2016, ONC is preparing a series of voluntary guidelines for secure health information exchange (see: Farzad Mostashari: HIE Security Vital).

In making its query/response policy recommendations, the tiger team's goals are to:

  • Not alter the rules that give providers the responsibility to share patient information responsibly and consistent with applicable law;
  • Reduce potential real or perceived barriers to exchange, such as through clarification regarding provider liability for responding to a query.

At its March 12 meeting, tiger team members discussed a number of fine points regarding scenarios involving HIPAA-compliant query/response.

For instance, some of the discussion focused on whether a healthcare provider sending a query for patient information and a provider receiving the query should be required to keep logs of those queries and the responses so that the information can be presented to patients upon request.

Other issues discussed included whether data queries should include specific patient identifying information, such as an individual's key demographic information, to help ensure the right patient's information is provided.

The tiger team will meet again on March 18 before making its final recommendations to the HIT Policy Committee, which advises ONC.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.