Authentication for NwHIN Participants
Tiger Team Backs Using Federal Bridge Standards
At its May 23 meeting, the tiger team proposed that NwHIN participants use certificates that meet the Federal Bridge Certification Authority standards and that are issued by a certificate authority that's a member of the Federal Public Key Infrastructure framework.
The team made this recommendation because "virtually every healthcare organization will at some point need to exchange health information with a federal health agency," says Dixie Baker of SAIC, a team member who headed a subgroup that investigated the issue. Federal agencies are highly unlikely to accept a certificate unless it meets the Federal Bridge standards that they already use to ensure security, she notes.
The tiger team will present its recommendation to the Health IT Policy Committee on June 8. The committee advises the Department of Health and Human Services' Office of the National Coordinator for Health IT.
ONC is working on a governance rule spelling out guidelines for users of the NwHIN (see: Revised NHIN Governance Plan Advances). NwHIN is not an actual network, but "a set of policies, standards and services that enable the Internet to be used for secure and meaningful exchange of health information," according to the official government definition. The idea behind NwHIN is to pave the way for the exchange of electronic health records and other information coast-to-coast by linking various health information exchanges and other networks that all adhere to the same standards.
EHR Corrections
Also at its May 23 meeting, the tiger team continued its discussion of potential guidelines for accommodating corrections to electronic health records. HIPAA already spells out guidelines for how to deal with corrections requested by patients, but it does not address the issue of errors detected by healthcare providers.
After a lengthy discussion of the complex issues involved, Paul Egerman, team co-chair, boiled down the issues to:
- Be careful to avoid putting new obligations on physicians;
- Focus on making it technically possible to communicate information about corrections using available technologies;
- Consider certification requirements for electronic health record software that qualifies for future stages of the HITECH Act EHR incentive program that ensure the applications have the capability to propagate changes to correct errors; and
- Consider an EHR software certification requirement for keeping track of the source of all information, creating what amounts to an audit trail.
During their lengthy discussion, tiger team members appeared to be shying away from recommending a formal policy creating an obligation that providers notify others of errors. Team members seemed to agree that existing ethical obligations, including the Hippocratic Oath, already make this obligation clear. Instead, they focused on technical issues, such as how to notify others if a record sent to them contained an error, or how to notify the source of a record about an error that was detected when the recipient received the information through health information exchange.
The tiger team will continue its discussion of potential recommendations on handling corrections at its next meeting June 3.
HIPAA Issues
The team also continued efforts to establish priorities for future meetings (see: Tiger Team Creates New To-Do List). For example, at its June 16 meeting, it will hear a preliminary ONC "gap analysis" of the HIPAA Security Rule, comparing it to other industry standards and pinpointing potential gaps. The team hopes to conduct a more detailed analysis in the fall before making recommendations.
At meetings in July and August, the team will conduct an evaluation of various health information exchange models and the privacy and security issues that each model raises. Then it will consider privacy and security issues tied to various EHR models.
Other topics to be addressed in the fall include: patient portal issues beyond security, such as transparency on how patient information is used; policies and technologies that enhance prevention of internal, unauthorized access to patient information; and provider and consumer education on the use of de-identified data, such as to support research.