Privacy, Security Standards: What's Next?
Federal Advisory Panel to Tackle Key Issues
As hospitals and clinics prepare to offer patients easier access to their electronic health records, a federal advisory group will work on standards designed to help safeguard data as it's downloaded and transmitted.
In the months ahead, the Health IT Standards Committee also will work on standards for applying digital signatures, obtaining patient consent for health data disclosures and tagging data within records to protect sensitive health information, says John Halamka, co-chair of the committee. Halamka is CIO at Beth Israel Deaconess Medical Center in Boston.
The HIT Standards Committee advises the Office of the National Coordinator for Health IT on standards and implementation specifications related to the HITECH Act incentive program for EHRs. The standards identified by the committee could ultimately become requirements for certification of EHR software used by healthcare providers who participate in the HITECH Act program.
Patient engagement requirements for Stage 2 of the HITECH EHR incentive program, which begins in 2014, require healthcare providers to enable patients to view, download and transmit their records, such as via a portal.
A notice published in the Federal Register May 16 states that the HIT Standards Committee expects to address a long list of topics, including transport of data to and from patients, image exchange, securing data at rest, digital signatures, longitudinal record sharing and application programming interfaces.
ONC will establish priority areas for the HIT Standards Committee based, in part, on recent policy recommendations ONC has received from its HIT Policy Committee, according to the notice.
For example, the HIT Policy Committee recently made recommendations to ONC on security and privacy issues related to various health information exchange scenarios (see Federal Advisers Tackle Secure HIE).
Among other privacy and security issues that will likely be tackled by the HIT Standards Committee, Halamka says, are standards related to obtaining patient consent for health information exchange.
The committee also will likely address issues related to digital signatures to ensure the integrity of health data as it's downloaded and transmitted, Halamka says. That can help ensure that the data "hasn't been modified," he explains.
In addition, the committee expects to soon receive an ONC progress report on data segmentation pilot projects under way as part of the Standards & Interoperability Framework, Halamka says.
The S&I Framework is a collaborative community of participants from the public and private sectors who are focused on providing the tools, services and guidance to facilitate health information exchange. The group describes data segmentation as "the process of sequestering from capture, access or view certain data elements that are perceived by a legal entity, institution, organization, or individual as being undesirable to share."
The S&I Framework data segmentation work will help guide the HIT Standards Committee over the next year on issues related to "tagging" sensitive data in patient records, such as mental health data, to prevent disclosure to others against patients' wishes during information exchange, Halamka says.
ONC's Data Segmentation Initiative was launched in 2011 after the President's Council of Advisors on Science and Technology recommended the use of metadata tags to help protect the security and privacy of sensitive health information during exchange (see Sequester: Health Data Security Impact).
Privacy, Security Training
While the HIT Standards Committee gears up to tackle a variety of privacy and security issues in the months to come, the Department of Health and Human Services is preparing training on related topics.
For example, the HHS' Office for Civil Rights and the Workgroup for Electronic Data Interchange plan a series of webinars targeted to smaller healthcare organizations that will address a number of issues, including the HIPAA Omnibus Rule and the HIPAA Privacy Rule.