NIST Offers HIE Security GuidanceReport Outlines an Architecture for Health Information Exchanges
The National Institute of Standards and Technology within the Department of Commerce published the report, "Security Architecture Design Process for Health Information Exchanges." The purpose of the document, NIST says, is to "provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that demonstrates how these practices can be applied to the development of HIEs."
The 50-page NIST document presents a five-layered architecture design process to implement security and maintain privacy. The five layers are:
- Capstone policies, which incorporate all requirements and guidance for protecting health information;
- Enabling services required to implement the capstone policies, derived from common industry practices and customized to address HIEs' requirements;
- Enabling processes, or scenarios for implementing services;
- Notional architecture, which provides a blueprint to drive the selection of technical solutions and data standards;
- Technology solutions and standards.
Emerging HIEsEarlier this year, the e-Health Initiative estimated there were 73 operational HIEs in the U.S. and another 234 that are in the works. A survey by the organization found that only 18 percent of health information exchanges have a policy requiring patients to "opt-in" and give formal consent before any of their records are shared via the networks.
The HITECH Act, best known for providing Medicare and Medicaid financial incentives to hospitals and physicians for using electronic health records, also provided grants to states to support development of statewide HIEs.
Federal advisory groups are working on recommendations aimed at ensuring that EHRs transmitted over health information exchanges remain private.