The HIT Policy Committee’s new Privacy and Security Tiger Team workgroup is striving to establish the requirements that intermediaries in personal health information (PHI) message transactions will be subject to.
Under HIPAA, parties which have access to PHI are deemed covered entities (CEs), required to establish business associate agreements (BAAs) which obligate them to handle the data in certain ways. With the rise of health information exchange under the HITECH Act, the Office of the National Coordinator created the Tiger Team to provide it with guidance in governing health information organizations (HIOs) — or third-party intermediaries which have varying degrees of involvement with the messages.
Paul Egerman, a software entrepreneur and Co-Chair of the Tiger Team, said, “We hope we can get some policy guidelines in place prior to October when Stage 1 of Meaningful Use occurs.” He said the team was working on two concepts in parallel — making progress on a framework document put together by co-chair Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and advising NHIN Direct on questions that have arisen during its pilot project.
To clarify the group’s mission, Egerman offered an analogy: “Imagine you were standing by a highway and saw an ambulance pass. That’s interesting, but you don’t know anything about the person in it, so it has nothing to do with PHI. But if the patient’s name is written on the outside of the ambulance, then you know something about them.”
Egerman and his team are engaged in an ongoing discussion about what parts of electronic data transmissions are visible, accessible or alterable to what types of entities. The team is then examining what types of policies should govern the behavior of particular entities in particular scenarios. According to team discussions, messages are composed of different elements, such as headers (the address) and payload (the main body of the message), wrapped in syntax and metadata, and sometimes encrypted. Questions revolve around the different policies that should govern passive routing (never opening the message) versus value-added routing (manipulating the content).
McGraw suggested the team adopt an overriding principle, which stipulated that no entity should obtain deeper access to PHI than was absolutely necessary to perform the function it was created to carry out. “At that point, what are the components that must be added to facilitate trust?” she asked.
The group endeavored to come up with classifications of data handling and exchange which could be drilled down upon and affixed with policy requirements. After an extensive debate, the following four categories were selected:
- Transactions with no intermediaries
- Transactions in which an intermediary routes the message, but has no access to it
- Transactions in which an intermediary obtains access to the message for some reason, but does not alter it
- Transactions in which an intermediary accesses the message and alters it
Dixie Baker, senior vice president and technical fellow at Science Applications International Corporation (SAIC), who shared with the group a model for categorizing transactions, also emphasized the importance of dealing with the “temporal” element of message handling, meaning how long intermediaries retained the message — if at all — and the onus placed upon them during their possession of it.
What was unclear was the onus, or task, placed upon the team by NHIN Direct, and questions even arose as to the exact nature and mission of that endeavor. Arien Malec, Coordinator for the NHIN Direct project, sent questions to Egerman, which he then posed to the group. Some members of the group thought NHIN Direct was intentionally planning to function “under the radar,” meaning it would not access or alter the messages it handled. Others in the group, however, thought differently.
Team member Wes Rishel, vice president and distinguished analyst in Gartner’s healthcare provider research practice, suggested the team get clarity rather than operate on false premises. “We need to state those conclusions and get them validated,” he said.