Should Encryption Be Mandated?Advisers ponder requirement for one-to-one exchanges
The Privacy and Security Workgroup of the HIT Policy Committee is considering security protections for all forms of information exchange, ranging from local, regional or statewide Health Information Exchanges to one-on-one communications.
The panel is calling attention to the need to ensure that even when one doctor shares information with another over the Internet, adequate security precautions are taken.
The role of encryption
For example, in its draft recommendations, the workgroup advocates mandating encryption for "one-to-one exchange from one provider to another for treatment purposes," even if the exchange is direct and not through an HIE.
"The content should not be able to be accessed by an unauthorized party while in transit, nor should an entity facilitating the transport have access to that data," says Deven McGraw, who chairs the workgroup. The attorney is director of the health privacy project at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization.
The encryption mandate could be included in a modification to the HIPAA security rule or an addition to the meaningful use requirements or certification criteria for the federal electronic health record incentive payment program under the HITECH Act, according to the workgroup.
The HITECH Act's breach notification rule already includes a powerful encryption incentive. It features a safe harbor that exempts organizations from reporting breaches of information that's encrypted in a certain way.
In the weeks ahead, the workgroup will "devote more intensive efforts to the policy and technology framework needed to govern health information exchange," McGraw says.
Ultimately, the HIT Policy Committee will make final recommendations to David Blumenthal, national coordinator for health information technology. That, in turn, could lead to new policies enacted by the Department of Health and Human Services.
"A comprehensive set of privacy and security protections that build on current law...is critical to building the foundation of trust that will support and enable meaningful use by providers, hospitals, consumers and patients," according to a workgroup statement.
The workgroup also is considering recommending limits on identifiable information in messages transmitted in one-to-one exchanges. "If you protect the content of the message, but if the subject of the e-mail says 'lab results for Mrs. Jones,' you've exposed health information to potential inappropriate access, use and disclosure," McGraw says.
In addition, the workgroup has identified the need for user identification and authentication technologies to facilitate exchanges.
"In order for providers to securely exchange messages over the Internet, they need a digital identity that can be proven or authenticated so that the receiving provider knows that it came from Dr. Smith," McGraw says. "And, similarly, the sending provider needs to trust that she is sending the message to the right receiving provider."
The to-do list
It remains to be seen whether the workgroup will recommend that all its guidelines for one-to-one exchanges, along with other requirements, be applied to HIEs.
The issues the workgroup will address in the weeks ahead, according to McGraw, include:
- Drilling down on all specific policies and technology requirements for all models of information exchange;
- Reviewing issues involved in getting patient consent to share their information;
- Providing "transparency" for patients about the use of their information.