Tiger Team Creates New 'To-Do' List

Privacy and Security Topics Prioritized
Tiger Team Creates New 'To-Do' List
Among the many subjects the Privacy and Security Tiger Team will tackle in the weeks ahead is determining whether more guidelines are needed on the issues of accommodating corrections to electronic health records and ensuring data integrity.

In addition to beginning work on these topics at its May 4 meeting, the team also formed a subgroup that will address guidelines governing certificate authorities that issue digital certificates to authenticate those involved in health information exchange.

The tiger team makes recommendations to the Health IT Policy Committee, which advises the Office of the National Coordinator for Heath Information Technology. Its recommendations eventually could wind up in a variety of federal rules and regulations, including those for the HITECH Act electronic health record incentive program.

Going Beyond HIPAA?

On Wednesday, the team began fleshing out questions to address as it determines whether to recommend supplementing what the HIPAA privacy and security rules specify on the issues of records corrections and data integrity.

Team co-chair Paul Egerman, a software entrepreneur, said one key issue to resolve is whether the EHR software certification criteria for future stages of the incentive program should include a provision spelling out how the software must accommodate making corrections requested by patients or others.

Another key issue involves "how to best protect patients against downstream propagation of an error in health information," said Deven McGraw, team co-chair. She's director of the health privacy project at the Center for Democracy & Technology. McGraw and others suggested the team should dive into how to prevent records containing errors from being passed along to others via health information exchange. The team also plans to consider the obligations of recipient organizations for notifying "source organizations" of any errors detected.

The team will continue considering recommendations regarding the records corrections and data integrity issues at its next meeting, May 23.

Other Privacy, Security Issues

In other action, the newly formed subgroup on certificate authorities was asked to prepare a report by June 3. The group will consider such issues as defining a mechanism for establishing the legitimacy and trustworthiness of a certificate authority that issues digital certificates for those involved in health information exchange.

The team also made tentative plans to evaluate:

  • Issues associated with remotely hosted EHRs that use the cloud computing model. The Office of the National Coordinator for Health IT is conducting a study on the security practices used by vendors offering hosted EHRs.
  • The privacy and security issues involved in HIEs that use the query and response model. In this model, for example, a physician could make a query to multiple sources in search of all available information about a patient.
  • How the HIPAA security rule compares to other industry standards and whether there are gaps in what it addresses.
  • Policies and technologies to prevent unauthorized access to patient information by those inside a healthcare organization.
  • Patient portal issues beyond security, including transparency, "so that patients aren't suddenly shocked to learn about how their data is being stored or being used," Egerman said.

The team is accepting suggestions for other topics it should address through May 11 on its blog, which offers a detailed guide to the recommendations the team has made so far.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.