Last winter, the Health and Human Services Health Information Technology Policy Committee gave the following broad charge to the Privacy and Security Tiger Team (Tiger Team).
The charge is as follows: “The Tiger Team is charged with making short-term and long-term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act of 2009 and the Affordable Care Act (ACA), which mandate a number of duties to the ONC relative to privacy and security.”
Since February 2011, the Tiger Team has conducted a number of public meetings on a variety of issues related to achieving public trust in health IT. The Tiger Team released its findings for public comment on April 11, 2011, and presented them to the HITPC on April 13, 2011. The complete briefing can be viewed at www.healthit.hhs.gov/portal.
The following is a summary of the Tiger Team recommendations:
- Organizations seeking to exchange information as part of the Nationwide Health Information Network (NwHIN) should be required to adopt baseline user authentication policies that require more than just a user name and password for remote access. At least two factors should be required.
- For more sensitive, higher-risk transactions, additional authentication of greater strength may be required, similar to the Drug Enforcement Administration (DEA) requirement for electronic prescribing of controlled substances.
- The Office of the National Coordinator for Health Information Technology (ONC) should also work to develop and disseminate evidence about the effectiveness of various methods for authentication and reassess NwHIN policies accordingly.
- ONC should work with the National Institute of Standards and Technology (NIST) to provide guidance to providers on trusted identification methods.
- Eligible Providers and Hospitals should deploy audit trails for patient portals and, at a minimum, be able to provide the audit trail for a patient's record to that patient upon request.
- Patient portals should include mechanisms that ensure information in the portal can be securely downloaded to a third party authorized by the patient.
- The HIT Standards Committee should identify standard formats for the data fields commonly used for matching patients (for example, name, date of birth, ZIP code, address, and gender).
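The last recommendation is easy to underrate: two systems that hold the same patient will store her name, date of birth, ZIP code and address in different shapes, and a match routine that compares raw strings will either miss her (creating a duplicate chart) or, if it is loosened to compensate, link her to someone else's record. The following is an added example, not part of the Tiger Team briefing and not any ONC or HITSC specification, of what deterministic field normalization for patient matching looks like. The accepted date layouts, the street-type abbreviation table, the gender codes and the sample records are my own assumptions for illustration; the records are constructed, not real.

```python
"""Added example: normalizing demographic fields before matching patient records.

Everything here (field set, target formats, abbreviation table, sample
records) is an assumption made for this illustration, not a standard.
"""
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Accepted input layouts for date of birth. "03/08/1975" is read as US
# month/day here (assumption); a real rule must fix this per source system.
DATE_FORMATS = ("%Y-%m-%d", "%Y%m%d", "%m/%d/%Y", "%m-%d-%Y", "%B %d, %Y")
GENDER_CODES = {"m": "M", "male": "M", "f": "F", "female": "F"}
# Minimal street-type abbreviation table (assumed; a real one is far larger).
STREET_ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
    "apartment": "apt", "unit": "apt", "suite": "ste",
}


def normalize_name(name: str) -> str:
    """Fold accents and case, drop apostrophes, turn other punctuation into
    spaces, and collapse whitespace: "María O'Brien" -> "maria obrien"."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.replace("'", "").lower()
    return " ".join(re.sub(r"[^a-z ]", " ", folded).split())


def normalize_dob(dob: str) -> Optional[str]:
    """Return ISO 8601 (YYYY-MM-DD) or None if no accepted layout parses."""
    text = dob.strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    return None


def normalize_zip(zip_code: str) -> Optional[str]:
    """Keep the 5-digit ZIP; accept ZIP+4, reject anything else."""
    digits = re.sub(r"\D", "", zip_code)
    return digits[:5] if len(digits) in (5, 9) else None


def normalize_address(address: str) -> str:
    """Lower-case, expand '#' to 'apt', strip punctuation, abbreviate
    street types, and drop tokens repeated back to back ("apt apt")."""
    text = re.sub(r"[^a-z0-9 ]", " ", address.lower().replace("#", " apt "))
    tokens = [STREET_ABBREVIATIONS.get(t, t) for t in text.split()]
    deduped = [t for i, t in enumerate(tokens) if i == 0 or t != tokens[i - 1]]
    return " ".join(deduped)


def normalize_gender(gender: str) -> Optional[str]:
    """Map free-text gender to a one-letter code; unknown values give None."""
    return GENDER_CODES.get(gender.strip().lower())


@dataclass(frozen=True)
class MatchKey:
    name: str
    dob: str
    zip: str
    address: str
    gender: str


def match_key(record: dict) -> Optional[MatchKey]:
    """Build the comparison key. None means a field was unparseable; such a
    record goes to manual review instead of being matched on partial data."""
    dob = normalize_dob(record["dob"])
    zip5 = normalize_zip(record["zip"])
    gender = normalize_gender(record["gender"])
    if dob is None or zip5 is None or gender is None:
        return None
    return MatchKey(normalize_name(record["name"]), dob, zip5,
                    normalize_address(record["address"]), gender)


def records_match(a: dict, b: dict) -> bool:
    """Exact match on every normalized field; never match on a missing key."""
    ka, kb = match_key(a), match_key(b)
    return ka is not None and ka == kb


# Constructed sample records: the same person as two systems might store her,
# plus a record whose two-digit year cannot be trusted.
RECORD_A = {"name": "María O'Brien", "dob": "03/08/1975", "zip": "02139-4307",
            "address": "123 Main Street, Apt. #4B", "gender": "Female"}
RECORD_B = {"name": "MARIA OBRIEN", "dob": "1975-03-08", "zip": "02139",
            "address": "123 MAIN ST #4B", "gender": "F"}
RECORD_C = {"name": "Maria OBrien", "dob": "3/8/75", "zip": "02139",
            "address": "123 Main St Apt 4B", "gender": "F"}

if __name__ == "__main__":
    print(match_key(RECORD_A))
    print("A matches B:", records_match(RECORD_A, RECORD_B))
    print("A matches C:", records_match(RECORD_A, RECORD_C))
```

Compared raw, RECORD_A and RECORD_B differ in every field; after normalization they produce the same key, while RECORD_C is refused rather than guessed at, because a two-digit year is exactly the kind of ambiguity that produces a false match. Exact comparison on five normalized fields is a floor, not a matching algorithm: production master patient indexes add weighted or probabilistic scoring, which this example does not cover. The security point stands regardless of the scoring: a false positive discloses one patient's data into another patient's record, so the match rule should fail closed on unparseable input.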
The Tiger Team findings were available for public comment for 30 days. In my next article, I will review the public comments.