Centered around the Health IT Policy Committee and the Privacy and Security Tiger Team’s guidance and recommendations, the Office of the National Coordinator for Health Information Technology (ONC) will soon provide its own voluntary health data exchange security strategies.
Farzad Mostashari, National Coordinator for Health Information Technology, recently told HealthcareInfoSecurity.com that he hopes to release these guidelines to the public, outside of a regulatory framework, by this spring. Mostashari explained that ONC will take a wait-and-see approach when it comes to forming concrete privacy and security regulations. For now, it is going to offer healthcare organizations voluntary advice for healthcare information exchange (HIE).
Among the highlights from the conversation was the emphasis that Mostashari placed on HIE authentication and encryption, two key pieces in securing healthcare data in an exchange.
It starts with the standards, having standards that have privacy and security built into them, baked into them, making sure that information is always encrypted as it flows. But it’s [also about making sure] that there’s authentication so we know who’s on either end; [that] we have an assurance that the person sending information is from the organization that they say they’re from and that that organization is following appropriate policies under their HIPAA and other obligations.
Though he also referenced the importance of new HIPAA omnibus regulations and how government guidance would revolve around these rules, he believes that business associates’ (BAs) roles in terms of privacy and security can be further clarified. Having these roles well-defined ensures that everyone in a data exchange is on a level playing field. Additionally, Mostashari discussed the significance of the Direct Project protocol that’s being worked on for HIEs:
The answer is use the Direct protocols, which are ubiquitously available and secure. To make that really sing, though, we need to establish what are called trust bundles of certificates.
How healthcare organizations react to these upcoming guidelines will affect the ONC’s future guidance, so the specific HIE security advice it comes up with should be meaningful.