TRENDING:

Tiger Team: No New Policies Needed

Group to Resubmit Privacy, Security Recommendations Marianne Kolbasuk McGee (HealthInfoSec) • July 16, 2013    
Tiger Team: No New Policies Needed

After going back to the drawing board, federal advisers have returned to their original conclusion: No special privacy or security policies are recommended at this time for non-targeted health data queries.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

Non-targeted queries include clinicians sending requests via a health information exchange network to locate all records about a patient from the individual's previous healthcare providers.

At a meeting on July 15, the Privacy and Security Tiger Team, a federal workgroup that advises the HIT Policy Committee, concluded that it will resubmit in August essentially the same recommendations it made to the committee earlier this year.

The tiger team decided to stick with its original recommendations after discussing a variety of privacy and security policy-related matters with leaders from several health information exchanges across the country. In a June 24 virtual hearing hosted by the tiger team, the HIE leaders described the various ways they are currently handling issues ranging from patient consent to disclosures of sensitive health data.

"Based on this testimony, we affirm our recommendation that at this time, no additional policies are needed for non-targeted forms of query," says tiger team chair Deven McGraw. The HIE leaders who testified "were very affirming in how careful they were" in their respective privacy and security policies for handling non-targeted queries, she says. '[They] have crafted policies that work for their communities."

Additionally, some testifiers expressed concern about having federal policy potentially disrupting the arrangements they had carefully implemented in their regions, according to supporting material the tiger team plans to submit to further explain its recommendations to the HIT Policy Committee at the committee's next meeting on Aug. 7.

The gist of those recommendations: Security and privacy policies used to protect patient data in directed queries - in which a clinician sends an electronic request for patient information to a specific, known data holder - should also apply to non-targeted queries. The tiger team will also again recommend against creating new policies that limit queries based on the geography of a patient or provider, the type of provider that holds patient records, or other factors.

Additional Work Requested

When the tiger team back in May first presented these same non-targeted query recommendations to the HIT Policy Committee, some committee members expressed concern that the proposals might not be robust enough to protect certain patient data, such as information related to substance abuse treatment.

The HIT Policy Committee - which advises the Office of the National Coordinator of Health IT - on May 7 instructed the tiger team to take a closer look at some possible policy issues involved with non-targeted queries (see: HIE Queries: Protecting Patient Privacy).

Subsequently, the Tiger Team hosted a June virtual hearing in which leaders of eight health information exchange organizations described their various policies regarding issues such as patient opt-in or opt-out forms of consent; disclosures of sensitive health data; geographic limitations in data sharing; and participant trust agreements (see: HIE Leaders Share Privacy Concerns).

Ultimately, those discussions led the tiger team right back to the same conclusions it previously reached.

The query proposals could be included in criteria for Stage 3 of the HITECH Act electronic health record incentive program, slated to begin in 2016.

In the supporting material the tiger team plans to submit with its recommendations to the HIT Policy Committee, the workgroup will describe why it decided to reaffirm its original recommendations, based in large part on the testimony of HIE leaders at the virtual hearing.

Previous
Sale of Drive on eBay Leads to Fine
Next
State Employee Suspended After Breach

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



Around the Network

Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.