HIT Standards Committee: Tiger Team issues info exchange privacy policies

The Privacy and Security Tiger Team has a finite amount of time to determine how to protect personal health information (PHI), particularly in the growing trend of message handling in directed exchanges where intermediaries may be required, and therefore, an increased exposure to risk, explained Deven McGraw, Chair of Privacy & Security Tiger Team, during the HIT Standards Committee meeting on June 30.

The Office of the National Coordinator for Health IT formed the Privacy and Security Tiger Team under the auspices of the HIT policy Committee to address privacy and security issues related to health information exchange that must be resolved over the summer. Members of the Tiger Team are comprised of individuals from the HIT Policy Committee and the HIT Standards Committee.

McGraw said that team would return to larger workgroup process in the Fall, and the team “won’t last longer the summer due to the intensity” of the expectations.

When addressing message handling in directed exchange, the Tiger Team evaluated two questions:
  • What are the policy guardrails for message handling in directed exchange?
  • Who is responsible for establishing “trust” when messages are sent?

The terms “message handling” and “directed exchange” refer to transporting patient data from one known provider to another where both providers are directly involved in the care of the patient who is the subject of the information.

The Tiger Team categorized message handling under four models:
A. No intermediary involved;
B. Intermediary only performs routing and has no access to unencrypted PHI (message body is encrypted and intermediary does not have access);
C. Intermediary has access to unencrypted PHI (i.e., patient is identifiable but does not the data in the message body); and
D. Intermediary opens message and changes the message body (format and/or data).
    “Unencrypted PHI exposure to an intermediary in any amount raises privacy concerns,” McGraw said. “Fewer privacy concerns for directed exchange are found in models A and B above where no unencrypted PHI is exposed.”

    Models C and D involve intermediary access to unencrypted PHI, introducing privacy and safety concerns related to the intermediary’s ability to view and/or modify data, said McGraw, who added that “clear policies are needed to limit retention of PHI and restrict its use and re-use.”

    Model D also should be “required to make commitments regarding accuracy and quality of data transformation,” she said. “Intermediaries who collect and retain audit trails of messages that include unencrypted PHI should also be subject to policy constraints.”

    Intermediaries that support models C and D require contractual arrangement with the message originators in the form of a business associate agreement that sets forth applicable policies and commitments and obligations, according to the Tiger Team.

    “The ideal is that if an intermediary is merely performing a routing function, then they shouldn’t be exposed to PHI, but if they need access to the information, it needs to be protected,” McGraw said.

    The Tiger Team is seeking to establish exchange credentials, and questioned where this is a centralized or decentralized role. First, they reinforced that the responsibility for maintaining for privacy and security of a patient’s record rests with the patient’s provider(s). However, to provide physicians and hospitals, as well as the public, with some reassurance that this credentialing responsibility is being delegated to a “trustworthy” organization, McGraw said that federal agencies also have a role.

    Regarding the NHIN Direct Project, she said the basic technical model for NHIN direct should not involve intermediary access to unencrypted PHI (i.e., models A and B).

    The Department of Health and Human Services should develop regulations, guidance and/or best practices to promote greater transparency to patients about direct electronic exchange of health information, according to the Tiger Team. Also, regional extension centers should play a role in helping providers to be transparent to patients about direct electronic exchange using this model.

    During the question and answer section of the presentation, participants questioned whether an HIE qualifies as intermediary, which came to an inconclusive end. As McGraw noted, “There is more work do on these topics.”

    Around the web

    The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

    The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

    Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.