Balancing PHI Message Transaction Requirements - InformationWeek

Balancing PHI Message Transaction Requirements

The Privacy and Security Tiger Team of the HIT Policy Committee must balance a host of issues in determining the requirements for personal health information transactions.

The HIT Policy Committee's new Privacy and Security Tiger Team workgroup is striving to establish the requirements that intermediaries in personal health information (PHI) message transactions will be subject to.

Under HIPAA, parties that have access to PHI are deemed covered entities (CEs), required to establish business associate agreements (BAAs) that obligate them to handle the data in certain ways. With the rise of health information exchange under the HITECH Act, the Office of the National Coordinator created the Tiger Team to provide it with guidance in governing health information organizations (HIOs), the third-party intermediaries that have varying degrees of involvement with the messages.

Paul Egerman, a software entrepreneur and Co-Chair of the Tiger Team, said, "We hope we can get some policy guidelines in place prior to October when Stage 1 of Meaningful Use occurs." He said the team was working on two concepts in parallel -- making progress on a framework document put together by co-chair Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and advising NHIN Direct on questions that have arisen during its pilot project.

To clarify the group's mission, Egerman offered an analogy: "Imagine you were standing by a highway and saw an ambulance pass. That's interesting, but you don't know anything about the person in it, so it has nothing to do with PHI. But if the patient's name is written on the outside of the ambulance, then you know something about them."

Egerman and his team are engaged in an ongoing discussion about what parts of electronic data transmissions are visible, accessible or alterable to what types of entities. The team is then examining what types of policies should govern the behavior of particular entities in particular scenarios. According to team discussions, messages are composed of different elements, such as headers (the address) and payload (the main body of the message), wrapped in syntax and metadata, and sometimes encrypted. Questions revolve around the different policies that should govern passive routing (never opening the message) versus value-added routing (manipulating the content).

McGraw suggested the team adopt an overriding principle: no entity should obtain deeper access to PHI than is absolutely necessary to perform the function it was created to carry out. "At that point, what are the components that must be added to facilitate trust?" she asked.

The group worked to define classifications of data handling and exchange that could be examined in detail and assigned policy requirements. After an extensive debate, it selected the following four categories:

  1. Transactions with no intermediaries
  2. Transactions in which an intermediary routes the message, but has no access to it
  3. Transactions in which an intermediary obtains access to the message for some reason, but does not alter it
  4. Transactions in which an intermediary accesses the message and alters it

Dixie Baker, senior vice president and technical fellow at Science Applications International Corporation (SAIC), who shared with the group a model for categorizing transactions, also emphasized the importance of dealing with the "temporal" element of message handling, meaning how long intermediaries retained the message -- if at all -- and the onus placed upon them during their possession of it.

What was unclear was the onus, or task, placed upon the team by NHIN Direct, and questions even arose as to the exact nature and mission of that endeavor. Arien Malec, Coordinator for the NHIN Direct project, sent questions to Egerman, which he then posed to the group. Some members of the group thought NHIN Direct was intentionally planning to function "under the radar," meaning it would not access or alter the messages it handled. Others in the group, however, thought differently.

Team member Wes Rishel, vice president and distinguished analyst in Gartner's healthcare provider research practice, suggested the team get clarity rather than operate on false premises. "We need to state those conclusions and get them validated," he said.

Anthony Guerra is the founder and editor of, a site dedicated to serving the strategic information needs of healthcare CIOs. He can be reached at
