'Tiger Team' Recommendations Endorsed

Address Security for Simplest Data Exchanges
The first set of recommendations from a new federal privacy and security "tiger team" cleared an important hurdle June 25. The Healthcare Information Technology Policy Committee approved the recommendations, designed to help ensure the privacy and security of patient information exchanged between two organizations.

The recommendations, which apply to one-to-one exchanges in general, also are designed to support NHIN Direct, a set of federal standards now in development for the simple exchange of healthcare data, such as when a primary care physician refers a patient to a specialist and transmits records. These exchanges can occur with or without an intermediary.

The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology within the Department of Health and Human Services. Ultimately, HHS approves all policies.

ONC will develop and start testing specifications for NHIN Direct later this summer, says Douglas Fridsma, acting director of ONC's office of interoperability and standards.

Initial Recommendations

In explaining the recommendations to the committee, Paul Egerman, the tiger team's co-chair, stressed that organizations directly exchanging information without the use of an intermediary, such as a health information exchange, should encrypt the data.

Highlights of the recommendations include:

  • When intermediaries, such as HIEs or electronic prescription networks, are involved in simple data exchanges and can open messages, the government should set guidelines to limit intermediaries' retention of patient information and restrict use and re-use of the information. The tiger team will make further recommendations on these guidelines.
  • Intermediaries that open messages and reformat or otherwise alter the contents "should be required to make commitments regarding the accuracy and quality of data transformation."
  • Intermediaries that collect and retain audit trails of messages that include unencrypted patient information should be subject to policy constraints.
  • Healthcare organizations exchanging data should enter business associate agreements with intermediaries that set forth policies, commitments and obligations.
  • Healthcare organizations may delegate to third parties, such as HIEs, the responsibility for issuing digital credentials or verifying provider identity. The ONC should establish and enforce "clear requirements and policies about the credentialing process, which must include a requirement to validate the identity of the organization/individual requesting the credential." State governments can provide additional rules.

Intermediaries' Roles

Egerman noted that some functioning health information exchanges, including the New England Health Exchange Network, open messages to check them for correct formatting. Other intermediaries, such as the Surescripts network for electronic prescriptions, open messages that physicians submit to rearrange the data and change the codes to a format that a particular pharmacy can accept.

In both of these cases, and in many other instances, the intermediary has access to patient-identifiable data, he noted. Thus, the government needs to create guidelines for how intermediaries handle the information, he added.

What's Ahead?

In May, Joy Pritts, ONC's chief privacy officer, announced plans to form the tiger team, saying it was needed to centralize and intensify ongoing, highly fragmented efforts to define policies.

In July, the tiger team will draft much more detailed privacy and security recommendations that would apply to all forms of data exchange at the local, regional, state and national level. These also will be used to help guide development of the National Health Information Network. NHIN is a group of standards for secure data exchange at the local, regional, state and national level.

Development of standards and policies to guide health information exchange clearly is a long-term process.

For example, in August, ONC will issue a "request for information" seeking ideas for creating NHIN "governance" policies to help build trust in various networking efforts, says Mary Jo Deering, an ONC staff member.

A proposed rule on NHIN governance will be issued in early 2011, she says. The rule will address a wide variety of interoperability issues, including how to handle patient consent and identity verification, she says. Regulators ultimately must also determine whether to mandate that all HIEs use the NHIN standards, she adds.

To participate in the federal incentive program created by the HITECH Act, which provides hospitals and physicians with extra Medicare or Medicaid payments for using electronic health records, the healthcare providers must prove they are making "meaningful use" of certified EHRs. In the first phase, however, the only data exchange requirement is that they use an EHR system that demonstrates the "capability" of accommodating data exchange, notes David Blumenthal, M.D., national coordinator for health information technology.

"We are counting on the ability of vendors to continue to mature their products after they are installed," he says, referring to eventual improvements in EHRs' data exchange capabilities and tougher next-generation standards for "meaningful use."

Busy Schedule

The tiger team will hold an all-day meeting in Washington June 29. A series of speakers, including consumer advocates, will address the issue of "consumer choice technology," such as applications used to obtain patient consent to exchange data.

The tiger team also has slated 10 other meetings between now and mid-August. It will make its second round of recommendations to the HIT Policy Committee July 21 and present a final report Aug. 19.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
