HIMSS on ONC's privacy and security guidelines for HIE

By Lisa A. Gallagher, BSEE, CISM, CPHIMS
09:01 AM

On March 22, 2012, the Office of the National Coordinator issued important privacy and security guidance to State Designated Entities that have received awards under the State Health Information Exchange Cooperative Agreement Program.

The document provides direction to states and SDEs on approaches to ensuring private and secure health information exchange. It addresses concerns from state leaders and other stakeholders that health information exchange efforts have been hampered and slowed by the lack of consistent approaches to core privacy and security issues. The document is, therefore, intended to provide clear national guidance.

[Related: Hawaii and Virginia state HIEs switch on Direct messaging.]

The guidance in this issuing document, called a Program Information Notice  or PIN, builds from the privacy and security and governance recommendations of the ONC Health IT Policy Committee as well as the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.

Following the P&S Framework model, the document provides guidance in eight domains:

  1. Individual access - Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information (IIHI) in a readable form and format.
  2. Correction - Where HIE entities store, assemble or aggregate IIHI, such as longitudinal patient records with data from multiple providers, HIE entities should make concrete plans to give patients electronic access to their compiled IIHI and develop clearly defined processes (1) for individuals to request corrections to their IIHI and (2) to resolve disputes about information accuracy and document when requests are denied.
  3. Openness and transparency - Where HIE entities store, assemble or aggregate IIHI, individuals should have the ability to request and review documentation to determine who has accessed their information or to whom it has been disclosed. All policies and procedures consistent with the recipient’s Privacy and Security Framework should be communicated to individuals in a manner that is appropriate and understandable.
  4. Individual choice - Where HIE entities serve solely as information conduits for directed exchange of IIHI and do not access IIHI or use IIHI beyond what is required to encrypt and route it, patient choice is not required beyond existing law. Such sharing of IIHI from one health care provider directly to another is currently within patient expectations.

Where HIE entities store, assemble or aggregate IIHI beyond what is required for an initial directed transaction, HIE entities should ensure individuals have meaningful choice regarding whether their IIHI may be exchanged through the HIE entity. This type of exchange will likely occur in a query/response model or where information is aggregated for analytics or reporting purposes.

5. Collection, use and disclosure limitation – In principle, a healthcare provider should only access the minimum amount of information needed for treatment of the patient.

Providers requesting or accessing IIHI by electronic means for “treatment” should have or be in the process of establishing a treatment relationship with the patient who is the subject of the requested information.

6. Data quality and integrity - Where HIE entities store, assemble or aggregate IIHI, they should implement strategies and approaches to ensure the data exchanged are complete and accurate and that patients are correctly matched with their data. Processes should also be developed and documented to detect, prevent, and mitigate any unauthorized changes to, or deletions of, individually identifiable health information.

HIE entities that store, assemble or aggregate IIHI should also develop processes to communicate corrections in a timely manner to others with whom this information has been shared.

Recipients should describe their patient matching approach including the accuracy threshold achieved.

7. Safeguards – HIE entities should conduct a thorough assessment of risks and vulnerabilities.

Encryption. HIE entities should provide for the exchange of already encrypted IIHI, encrypt IIHI before exchanging it, and/or establish and make available encrypted channels through which electronic health information exchange could take place.

Authentication and Authorization. An HIE entity should only facilitate electronic health information exchange for parties it has authenticated and authorized.

8. Accountability - HIE entities should ensure appropriate monitoring mechanisms are in place to report and mitigate non-adherence to policies and breaches. Reasonable mitigation strategies should be established and implemented as appropriate, including notice to individuals of privacy violations and security breaches.

The issuing document, or PIN, requires the SDEs to take specific action regarding the guidance:

  • Determine which domains and relevant guidance need to be addressed based on the architectural approach the recipient is taking.
  • Review existing privacy and security policies and practices to identify where the recipient’s approach aligns with the specific guidance provided for each domain (see “State Health Information Exchange Cooperative Agreement Program Guidance on Privacy and Security Frameworks”), and where gaps exist.
  • Where privacy and security policies and practices align with the specific guidance provided for each domain, include these policies and practices as part of the 2012 annual SOP update.
  • Where there are gaps in recipient privacy and security policies and practices, i.e., a domain is not addressed or policies are not in alignment with the specific guidance provided for each domain, include a strategy, timeline and action plan for addressing these gaps in the 2012 SOP update.

The guidance document also includes two templates that can be used to determine which domains and specific guidance are applicable to the specific architectural approach the HIE is employing.  The guidance is applicable to all ONC State Health Information Exchange Cooperative Agreement Program recipients, whether the recipient is a state government or and SDE. These recipients are required to submit to ONC their privacy and security frameworks consisting of all relevant statewide policies and practices.

[Related: Cloud-based services for public health  and HIE.]

More broadly, HIEs can use this guidance to assess their own privacy and security frameworks, governance structure, and associated policies and procedures with the goal of establishing consistent approaches to core privacy and security challenges to facilitate stakeholder trust and rapid progress in health information exchange.

This article originally appeared on the HIMSS Blog.