The Privacy and Security Tiger Team is continuing its efforts to flesh out a comprehensive privacy and security policy framework for electronic health information exchange. The framework is intended to build on current law (HIPAA, Health Insurance Portability and Accountability Act) and is based on the fair information practice principles articulated by the Office of the National Coordinator for Health Information Technology (ONC) in its “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (first released on December 15, 2008).    (more…)

The Privacy & Security Tiger Team is currently considering policy recommendations to ensure that authentication “trust” rules are in place for information exchange between provider-entities (or organizations).  We are currently evaluating these trust rules at the organizational level, and as such, our scope here does not include authentication of individual users of electronic health record (EHR) systems.  For purposes of this discussion, authentication is the verification that a provider entity (such as a hospital or physician practice) seeking access to electronic protected health information is the one claimed, and the level of assurance is the degree of confidence in the results of an authentication attempt.  (more…)