Privacy panel calls for data encryption for information exchange
Healthcare providers should encrypt patient information when they share it with another provider, even in the case of a direct exchange of personal health information or data that is not facilitated by a health information exchange or other third-party organization.
The privacy and security workgroup of the Health IT Policy Committee made its recommendation for guarding patient data at a May 19 policy committee meeting.
In recent weeks the workgroup has been wrestling with determining at what point in a health information exchange it becomes necessary for providers to obtain consumer consent to approve an exchange.
The workgroup took the perspective of what a "reasonable patient would expect," said Deven McGraw, the panel's co-chair. McGraw is also director of the Health Privacy Project at the Center for Democracy and Technology.
The panel proposed that policies for encryption, limits on identifiable information in a message header and verification of the identification of the sending and receiving providers should govern one-to-one exchanges.
Encryption, which makes information unreadable until the intended recipient unlocks it, should be required, especially when the potential exists for transmitted data to be exposed, according to the recommendations.
Meaningful use or certification criteria, or a modification of the Health Insurance Portability and Accountability Act (HIPAA) security rule, could include that requirement, McGraw said.
"If strong policies, such as the above, are in place and enforced, we don't think this scenario needs any additional individual consent beyond what is already required by current law," said McGraw.
Providers must conduct simple direct exchanges of health information as part of the first-stage requirements for meaningful use of electronic health records in order to qualify for financial incentives in 2011. Some providers might require a third party, such as a directory service, to assist even in a simple one-to-one exchange.
More complex health information exchanges or other models of exchange, such as state health information exchange, may require stronger policies, including patient consent, McGraw said.