HHS Privacy and Security Tiger Team Findings Part 1

Last winter, the Health and Human Services Health Information Technology Policy Committee gave the following broad charge to the Privacy and Security Tiger Team (Tiger Team).

The charge is as follows: “The Tiger Team is charged with making short-term and long-term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Since February 2011, the Tiger Team has conducted a number of public meetings on a variety of issues related to achieving public trust in health IT. The Tiger Team released the findings for public comment on April 11, 2011, and presented them to the HITPC on April 13, 2011. The complete briefing can be viewed at www.healthit.hhs.gov/portal.

The following is a summary of the Tiger Team recommendations:

Organizations that are seeking to exchange information as part of the Nationwide Health Information Network (NwHIN) should be required to adopt baseline user authentication policies that require more than just user name and password for remote access. At least two factors should be required.
For more sensitive, higher-risk transactions, an additional authentication of greater strength may be required, similar to the Drug Enforcement Agency policy covering prescribing controlled substances.
The Office of the National Coordinator for Health Information Technology (ONC) should also work to develop and disseminate evidence about the effectiveness of various methods for authentication and reassess NwHIN policies accordingly.
ONC should work with the National Institute of Science and Technology (NIST) to provide guidance to […]

Safeguarding EHRs from Snoopers

With the National Health Information Network Direct (NHIN Direct) working to create a standard for the transfer of Electronic Health Records (EHRs), the need for segmented and secure patient records is becoming apparent to all who are working on this technology. A segmented EHR would allow providers with different roles to access only the portions of the EHR relevant to their task. Protecting personal health information through the use of data segmentation is partially rooted in state and federal privacy laws addressing abuse of information.

Such laws include the HIPAA Privacy Rule, the HIPAA Security Rule, and the federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations (Part 2). These laws protect against the exchange of health information without patient consent.

Lesser-known but equally stringent state laws protect a broad range of information, for example health data related to minors or incidents of sexual violence. Other justifications for the use of data segmentation in protecting health data include established principles of patient autonomy and the need to encourage greater patient trust and participation in the health care system.

Data segmentation provides the potential means of protecting specific elements of health information. Both within an EHR and in broader electronic exchange environments, segmentation can prove useful in implementing current legal requirements and honoring patient choice.

Most patients want to control access to their medical records and to restrict which parts of their medical record are accessed. Not all health providers (for example, billing clerks and X-Ray technicians) need access to the patient’s full record, but they do require access to portions of it.

This capability for patients to have complete control over their EHR is slightly ahead of current US law. However, […]