NIST Offers HIE Security Guidance

Report Outlines an Architecture for Health Information Exchanges
As hundreds of health information exchanges across the country ramp up their efforts to ease the sharing of electronic health records, a government agency has prepared a detailed report on how to create an HIE security architecture.

The National Institute of Standards and Technology within the Department of Commerce published the report, "Security Architecture Design Process for Health Information Exchanges." The purpose of the document, NIST says, is to "provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that demonstrates how these practices can be applied to the development of HIEs."

The 50-page NIST document presents a five-layered architecture design process to implement security and maintain privacy. The five layers are:

  • Capstone policies, which incorporate all requirements and guidance for protecting health information;
  • Enabling services required to implement the capstone policies, derived from common industry practices and customized to address HIEs' requirements;
  • Enabling processes, or scenarios for implementing services;
  • Notional architecture, which provides a blueprint to drive the selection of technical solutions and data standards;
  • Technology solutions and standards.

Emerging HIEs

Earlier this year, the e-Health Initiative estimated there were 73 operational HIEs in the U.S. and another 234 that are in the works. A survey by the organization found that only 18 percent of health information exchanges have a policy requiring patients to "opt-in" and give formal consent before any of their records are shared via the networks.

The HITECH Act, best known for providing Medicare and Medicaid financial incentives to hospitals and physicians for using electronic health records, also provided grants to states to support development of statewide HIEs.

Federal advisory groups are working on recommendations aimed at ensuring that EHRs transmitted over health information exchanges remain private.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
