HHS Privacy and Security Tiger Team Findings Part 2

Last week, I summarized the findings of the Health and Human Services Health Information Technology Policy Committee Privacy and Security Tiger Team (Tiger Team).

As a reminder, their charge was to “make short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act (ARRA) of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Their findings were put out for public comment from April 11 to May 11, 2011. Below is a series of excerpts from the comments that represent the major points of discussion. The full set of comments can be viewed on the HHS Federal Advisory Committee Blog.

There should be a health industry discussion on general tracking and accounting of disclosures. ARRA-HITECH proposed rules have not been released and there has been little industry discussion regarding how disclosures can be tracked, especially in larger organizations where disclosure may occur. This is both a policy and a technology issue.
Methods for tracking exchange partners need to be developed. Web site info with the ability for the patient to print should cover it, and maybe an annual signoff indicating they know where to find it if they want it. A NwHIN participant will have difficulty keeping track of all the potential indirect participants. If the level of HIEs gets to 225-250-plus, keeping a list of the possible exchange partners becomes overwhelming and probably complicated for the individual to understand.
Confidentiality is crucial to reducing barriers to care for adolescents. It has long been recognized that if adolescents do not believe […]

HHS Privacy and Security Tiger Team Findings Part 1

Last winter, the Health and Human Services Health Information Technology Policy Committee gave the following broad charge to the Privacy and Security Tiger Team (Tiger Team).

The charge is as follows: “The Tiger Team is charged with making short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Since February 2011, the Tiger Team has conducted a number of public meetings on a variety of issues related to achieving public trust in health IT. The Tiger Team released the findings for public comment on April 11, 2011, and presented them to the HITPC on April 13, 2011. The complete briefing can be viewed at www.healthit.hhs.gov/portal.

The following is a summary of the Tiger Team recommendations:

Organizations that are seeking to exchange information as part of the Nationwide Health Information Network (NwHIN) should be required to adopt baseline user authentication policies that require more than just user name and password for remote access. At least two factors should be required.
For more sensitive, higher risk transactions, an additional authentication of greater strength may be required, similar to the Drug Enforcement Agency policy covering the prescribing of controlled substances.
The Office of the National Coordinator for Health Information Technology (ONC) should also work to develop and disseminate evidence about the effectiveness of various methods for authentication and reassess NwHIN policies accordingly.
ONC should work with the National Institute of Science and Technology (NIST) to provide guidance to […]
