HIT Policy CommitteeHIT Policy Committee

Privacy & Security Tiger Team UpdatePrivacy & Security Tiger Team Update

Deven McGraw, Co-ChairCenter for Democracy & Technology

Paul Egerman, Co-Chair

June 25, 2010

Broad Charge

• The Office of the National Coordinator for Health Information Technology (ONC) formed a Privacy & Security Tiger Team under the auspices of the HIT Policy Committee to address privacy and security issues related to health information exchange that must be resolved over the summer.

• Members of the Tiger Team are comprised of individuals from the HIT Policy Committee and the HIT Standards Committee as well as National Committee on Vital and Health Statistics (NCVHS)

2

Tiger Team Members

• Deven McGraw, Center for Democracy & Technology, Co-Chair • Paul Egerman, Co-Chair • Dixie Baker, Science Applications International Corporation (SAIC) • Christine Bechtel, National Partnership for Women & Families • Rachel Block, New York State Department of Health • Neil Calman, The Institute for Family Health • Carol Diamond, Markle Foundation • Judy Faulkner, EPIC Systems Corp. • Gayle Harrell, Consumer Representative/Florida • John Houston, University of Pittsburgh Medical Center; NCVHS • David Lansky, Pacific Business Group on Health • David McCallie, Cerner Corp. • Wes Rishel, Gartner • Micky Tripathi, Massachusetts eHealth Collaborative • Latanya Sweeney, Carnegie Mellon University

3

Proposed Schedule of Topics

4

Message Handling in Directed Exchange

• What are the policy guardrails for message handling in Directed Exchange?

• Who is responsible for establishing “trust” when messages are sent?

– The terms “message handling” and “directed exchange” refer to transporting patient data from one known provider to another where both providers are directly involved in the care of the patient who is the subject of the information. We assume communication channels are encrypted.

5

Categories of Message Handling

To frame the discussion, message handling has been classified into four categories:

A. No intermediary involved (exchange is direct from message originator to message recipient)

 B. Intermediary only performs routing and has no access to unencrypted PHI

(message body is encrypted and intermediary does not access unencrypted patient identification data)

C. Intermediary has access to unencrypted personal health information (PHI) (i.e.

patient is identifiable) - but does not change the data in the message body) D. Intermediary opens message and changes the message body (format and/or

data)  

6

Recommendations

• Unencrypted PHI exposure to an intermediary in any amount raises privacy concerns.

 • Fewer privacy concerns for directed exchange are found in models A and B above,

where no unencrypted PHI is exposed. ONC should encourage the use of such models.

 • Models C and D involve intermediary access to unencrypted PHI, introducing

privacy and safety concerns related to the intermediary’s ability to view and/or modify data. Clear policies are needed to limit retention of PHI and restrict its use and re-use.

• Our team may make further privacy policy recommendations concerning retention and reuse of data, Model D also should be required to make commitments regarding accuracy and quality of data transformation.

 • Intermediaries who collect and retain audit trails of messages that include

unencrypted PHI should also be subject to policy constraints.  • Intermediaries that support Models C and D require contractual arrangements with

the message originators in the form of Business Associate agreements that set forth applicable policies and commitments and obligations.

 

7

Establishing Exchange Credentials

We also addressed the question of whether establishing exchange “credentials” should be centralized or decentralized (i.e., who holds the “trust”?)

• The responsibility for maintaining the privacy and security of a patient's record rests with the patient's providers. For functions like issuing digital credentials or verifying provider identity, providers may delegate that authority to authorized credentialing service providers.   

• To provide physicians and hospitals (and the public) with some reassurance that this credentialing responsibility is being delegated to a “trustworthy” organization, the federal government (ONC) has a role in establishing and enforcing clear requirements and policies about the credentialing process, which must include a requirement to validate the identity of the organization or individual requesting a credential.

• State governments can, at their option, also provide additional rules for these authorized credentialing service providers.

8

Discussion Regarding “NHIN Direct” Project

• The basic technical model for Nationwide Health Information Network (NHIN) Direct should not involve intermediary access to unencrypted PHI (i.e., models A and B above).

• HHS should develop regulations, guidance and/or best practices to promote greater transparency to patients about direct electronic exchange of health information. – Regional Extension centers should also play a role in helping

providers to be transparent to patients about direct electronic exchange using this model.

9