Last June the Privacy & Security Tiger Team workgroup was formed to focus on a range of privacy and security issues related to the HITECH Act. The members are from both the HIT Policy and HIT Standards Committees. When the HIPAA laws were written, no exchange of PHI data throughout the entire health care system, beyond insurance and billing, was implied or foreseen.
In August the workgroup put forward these core values:
- Patients should not be surprised to learn what happens to their health information.
- The provider-patient relationship is the foundation for trust in health information exchange.
- Providers are responsible for ensuring the privacy and security of patient information but may delegate functions to business associates if done in a trustworthy manner.
They also added this fourth value:
- Transparency about information exchange practices is a necessary component of establishing credibility with patients. In achieving greater openness and transparency for patients, we need to balance the need to give patients complete information on how their information is shared while at the same time providing information in a form that is manageable for patients to read and understand.
The team is now considering recommendations on authentication trust rules for PHI data between entities. They define authentication for this discussion as “the verification that a provider entity (such as a hospital or physician practice) seeking access to electronic protected health information is the one claimed, and the level of assurance is the degree of confidence in the results of an authentication attempt.” Comments are being solicited on the FACA Blog and will be accepted through this Friday. Read the six questions they are focusing on and submit your comments to the Tiger Team.