'Tiger Team' Outlines Security Precautions

First Recommendations Focus on Simplest Exchanges
A new federal "tiger team" on healthcare privacy and security is preparing its first set of recommendations, focusing on making sure organizations exchanging clinical information take adequate precautions.

The draft recommendations, focusing only on message handling, are designed to support NHIN Direct, a set of standards now in development for the simple exchange of healthcare data, such as when a primary care physician refers a patient to a specialist and transmits records. These exchanges can occur with or without an intermediary.

Initial Recommendations

Draft recommendations discussed June 15 included:

  • Federal regulators should encourage those involved in simple data exchanges to limit privacy concerns by, where possible, avoiding the use of an intermediary or limiting the intermediary's role to routing messages. In this way, the intermediary would have no access to patient information.
  • If an intermediary is involved, clear policies are needed to limit the intermediary's retention of protected health information and restrict use of the data. The tiger team expects to spell out those policies later this summer.
  • Business associate agreements may be a tool for enforcing intermediary policies.
  • Providers may delegate responsibility for issuing digital credentials or verifying provider identity to third parties. The federal government should establish and enforce "clear requirements and policies about the credentialing process, which must include a requirement to validate the identity of the organization/individual requesting the credential."

The group plans to refine its recommendations in a conference call June 22 before presenting them to the HIT Policy Committee June 25. Ultimately, the Department of Health and Human Services will decide whether to enact the new policies.

Creating a Framework

In addition to recommendations regarding NHIN-Direct, the tiger team is discussing a very preliminary draft of a framework for privacy and security that would apply to all forms of local, regional, state and national health information exchange. On June 15, team members began debating all the details involved in one small aspect of the framework: giving patients access to their records via a health information exchange.

After the discussion, Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health Information Technology, urged team members to first focus on providing "a set of guardrails" for broad privacy and security guidelines for information exchange before doing a "deep dive" into all the details later this summer.

On May 26, Pritts announced plans to form the tiger team, saying it was needed to centralize and intensify ongoing, highly fragmented efforts to define policies. ONC makes policy recommendations to the Department of Health and Human Services.

In reaction to Pritts' announcement, several observers expressed hope that the new group would be a permanent effort to tackle a long list of healthcare privacy and security policy issues, which many federal advisory groups and governmental agencies are addressing. But initially, at least, the group is focusing exclusively on health information exchange issues.

Once the tiger team completes its recommendations on information exchange this summer, it may consider whether to tackle other issues, says Deven McGraw, co-chair of the tiger group and director of the health privacy project at the Center for Democracy & Technology. "If this temporary structure we created to deal with immediate issues turns out to work really well, there will be pressure to continue it going forward," she acknowledges.

Meeting on 'Consumer Choice'

The tiger team plans an all-day meeting in Washington June 29, when a series of speakers will address the issue of "consumer choice technology" that deals with such issues as obtaining patient consent to exchange data.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
