Analysis: Security Elements of 'Trusted Exchange Framework'
Some Proposals More Specific Than What's Required Under HIPAA
Federal regulators have released a draft of a trusted health data exchange framework with some detailed security components that go beyond HIPAA requirements. The goal is to advance secure, interoperable health data exchange nationally so that clinicians have quicker access to potentially life-saving information from multiple sources.
The voluntary framework - from the Department of Health and Human Services' Office of the National Coordinator for Health IT - proposes some security components that are more specific than what's required by HIPAA, acknowledging that not all of the participants in networks that adopt the framework will necessarily be HIPAA-covered entities or business associates. Those components include, for example, tougher breach notification requirements as well as detailed authentication requirements.
HHS is soliciting comments on the draft, including the security provisions. "We want to see if our perceptions are right and to hear from the industry about their experiences," an ONC spokesman tells Information Security Media Group.
The office is accepting comments on the 48-page draft framework until Feb. 18. Refinements will be made and a final version released later this year.
"We recognize as we move to nationwide interoperability that more information has to be able to move, and move in wider circles," the ONC spokesman says. The draft proposal states that "HHS should adopt a general policy that identifiable health information should be afforded some baseline privacy and security protections wherever it is electronically accessed, maintained, transmitted or exchanged.
"There may be areas of the Trusted Exchange Framework that go beyond what HIPAA may require in some areas and establish a minimum set of elements that not only covered entities and business associates, but entities that currently are not subject to HIPAA, would be following. And HIPAA is currently 'silent' about the specificity that ONC feels needs to be standardized/consistent across entities to improve interoperability."
The 21st Century Cures Act, the law that called for the framework, is aimed at accelerating medical innovation, including easing the exchange of data among various health information networks to support timely, appropriate treatment decisions.
The Trusted Exchange Framework addresses network governance, said Don Rucker, M.D., national coordinator for health IT, during a Jan. 5 media briefing.
"This is around the network of networks concept, where these networks are typically moving very similar sets of information - and how do we get them connected," he says.
"In the current space, there are regional health information exchange networks, and networks that include direct participation of vendors, such as CommonWell [Health Alliance]," he says, referring to a non-profit vendor association made up of a number of health IT services firms.
"The request from Congress ... was that ONC work to provide a common agreement in these networks. This brings us immediately to what is potentially challenging with interoperability - a national challenge that has not been easy. Folks have made some great progress, but obviously there's a lot of work to be done." One of the approaches ONC is taking to achieve improved interoperability is the creation of a trusted exchange framework, he says.
The draft framework proposes policies, procedures and technical standards necessary to advance the "single on-ramp to interoperability" requested by Congress in the 21st Century Cures Act, he says.
Although implementation of the framework is voluntary, it will be facilitated through ONC in collaboration with a single "recognized coordinating entity, or RCE, which will be selected through a competitive process," ONC says.
The RCE will use the Trusted Exchange Framework policies, procedures, technical standards, principles and goals to develop a single "common agreement" that qualified health information networks will voluntarily adopt, according to ONC.
The draft framework contains several key security-related components, notes Genevieve Morris, principal deputy national coordinator for health information technology. Those include:
- Common authentication processes of trusted health information network participants;
- A common set of rules for trusted exchange;
- A minimum core set of organizational and operational policies to enable the exchange of electronic health information among networks.
Morris says ONC worked closely with the HHS Office for Civil Rights - which enforces HIPAA - and the National Institute of Standards and Technology in crafting the security proposals. Some of the security components, however, appear to be far more specific than what's required by HIPAA.
The framework draft also notes that while ONC worked with OCR "to ensure that the proposed Trusted Exchange Framework aligns with HIPAA and does not contradict HIPAA requirements ... we anticipate that many end users may not be covered entities or business associates as defined by HIPAA, and the final [framework] must be broad enough to enable them to appropriately and securely access health information. Therefore, while the proposed Trusted Exchange Framework aligns with HIPAA requirements, it also specifies terms and conditions to enable broader exchange of health information."
Morris notes that ONC set "some minimum policy requirements around identity proofing and authentication levels, using the new National Institute of Standards and Technology 800-63 publication," referring to NIST's digital identity guidelines.
"We know that's a little bit of a shift for the industry to new levels, but based on the security issues that we face, we thought that was very important, and we are certainly looking forward to feedback on whether we hit the right level of security while not inhibiting access," she says.
The ONC's draft framework notes that each participant in a trusted exchange that is a covered entity or business associate must comply with all applicable breach notification requirements under HIPAA. Under HIPAA, covered entities and their business associates have 60 days to report major breaches, those involving 500 or more individuals, to HHS and to the affected individuals.
In addition, the proposed framework says each participant must notify, in writing, the health information network much sooner. The participants must notify the network "without unreasonable delay, but no later than 15 calendar days after discovery of the breach in order to allow other affected parties to satisfy their reporting obligations," the framework draft says. "Upon receipt of such notice, the Qualified HIN shall be responsible for notifying, in writing, other participants affected by the breach within seven calendar days."
Morris says that in addition to those security components, "there are also requirements around OAuth 2.0 and using certificate and PKI [public key infrastructure] structures to ensure the right folks are accessing data. We realize as we move forward, there are large amounts of data that will be inherently moving around under the trusted framework and common agreement. So we made every effort to make sure that what we're putting in place is secure and safe for patients so that they can be sure that their data is going to be shared appropriately."
OAuth 2.0 is an authorization framework developed by the Internet Engineering Task Force's OAuth Working Group.
ONC notes that the proposed trusted exchange framework supports a number of goals, including:
- Giving patients the ability to electronically access their health information;
- Enabling the exchange of population-level health information between healthcare providers and payer organizations accountable for the analysis of population health trends, outcomes and costs; and
- Using application programming interfaces, or APIs, to encourage entrepreneurial, user-focused innovation that makes health information more accessible and improves electronic health record usability.