Tiger Team Creates New 'To-Do' List
Privacy and Security Topics Prioritized
In addition to beginning work on these topics at its May 4 meeting, the team also formed a subgroup that will address guidelines governing certificate authorities that issue digital certificates to authenticate those involved in health information exchange.
The tiger team makes recommendations to the Health IT Policy Committee, which advises the Office of the National Coordinator for Health Information Technology. Its recommendations eventually could wind up in a variety of federal rules and regulations, including those for the HITECH Act electronic health record incentive program.
Going Beyond HIPAA?
On Wednesday, the team began fleshing out questions to address as it determines whether to recommend supplementing what the HIPAA privacy and security rules specify on the issues of records corrections and data integrity.
Team co-chair Paul Egerman, a software entrepreneur, said one key issue to resolve is whether the EHR software certification criteria for future stages of the incentive program should include a provision spelling out how the software must accommodate making corrections requested by patients or others.
Another key issue involves "how to best protect patients against downstream propagation of an error in health information," said Deven McGraw, team co-chair. She's director of the health privacy project at the Center for Democracy & Technology. McGraw and others suggested the team should dive into how to prevent records containing errors from being passed along to others via health information exchange. The team also plans to consider the obligations of recipient organizations for notifying "source organizations" of any errors detected.
The team will continue considering recommendations regarding the records corrections and data integrity issues at its next meeting, May 23.
Other Privacy, Security Issues
In other action, the newly formed subgroup on certificate authorities was asked to prepare a report by June 3. The group will consider such issues as defining a mechanism for establishing the legitimacy and trustworthiness of a certificate authority that issues digital certificates for those involved in health information exchange.
The team also made tentative plans to evaluate:
- Issues associated with remotely hosted EHRs that use the cloud computing model. The Office of the National Coordinator for Health IT is conducting a study on the security practices used by vendors offering hosted EHRs.
- The privacy and security issues involved in HIEs that use the query and response model. In this model, for example, a physician could make a query to multiple sources in search of all available information about a patient.
- How the HIPAA security rule compares to other industry standards and whether there are gaps in what it addresses.
- Policies and technologies to prevent unauthorized access to patient information by those inside a healthcare organization.
- Patient portal issues beyond security, including transparency, "so that patients aren't suddenly shocked to learn about how their data is being stored or being used," Egerman said.
The team is accepting suggestions for other topics it should address through May 11 on its blog, which offers a detailed guide to the recommendations the team has made so far.