Cloud // Cloud Storage
01:01 AM
How to Keep Mobile Threats at Bay
Jun 01, 2016
With savvy cybercriminals using vulnerabilities in apps, networks, and operating systems to gain c ...Read More>>

Balancing PHI Message Transaction Requirements

The privacy and security tiger team of the HIT Policy committee must balance a host of issues in determining the requirements for personal health information transactions.

The HIT Policy Committee's new Privacy and Security Tiger Team workgroup is striving to establish the requirements that intermediaries in personal health information (PHI) message transactions will be subject to.

Under HIPAA, parties which have access to PHI are deemed covered entities (CEs), required to establish business associate agreements (BAAs) which obligate them to handle the data in certain ways. With the rise of health information exchange under the HITECH Act, the Office of the National Coordinator created the Tiger Team to provide it with guidance in governing health information organizations (HIOs) -- or third-party intermediaries which have varying degrees of involvement with the messages.

Paul Egerman, a software entrepreneur and Co-Chair of the Tiger Team, said, "We hope we can get some policy guidelines in place prior to October when Stage 1 of Meaningful Use occurs." He said the team was working on two concepts in parallel -- making progress on a framework document put together by co-chair Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and advising NHIN Direct on questions that have arisen during its pilot project.

To clarify the group's mission, Egerman offered an analogy: "Imagine you were standing by a highway and saw an ambulance pass. That's interesting, but you don't know anything about the person in it, so it has nothing to do with PHI. But if the patient's name is written on the outside of the ambulance, then you know something about them."

Egerman and his team are engaged in an ongoing discussion about what parts of electronic data transmissions are visible, accessible or alterable to what types of entities. The team is then examining what types of policies should govern the behavior of particular entities in particular scenarios. According to team discussions, messages are composed of different elements, such as headers (the address) and payload (the main body of the message), wrapped in syntax and metadata, and sometimes encrypted. Questions revolve around the different policies that should govern passive routing (never opening the message) versus value-added routing (manipulating the content).

McGraw suggested the team adopt an overriding principle, which stipulated that no entity should obtain deeper access to PHI than was absolutely necessary to perform the function it was created to carry out. "At that point, what are the components that must be added to facilitate trust?" she asked.

The group endeavored to come up with classifications of data handling and exchange which could be drilled down upon and affixed with policy requirements. After an extensive debate, the following four categories were selected:

  1. Transactions with no intermediaries
  2. Transactions in which an intermediary routes the message, but has no access to it
  3. Transactions in which an intermediary obtains access to the message for some reason, but does not alter it
  4. Transactions in which an intermediary accesses the message and alters it

Dixie Baker, senior vice president and technical fellow at Science Applications International Corporation (SAIC), who shared with the group a model for categorizing transactions, also emphasized the importance of dealing with the "temporal" element of message handling, meaning how long intermediaries retained the message -- if at all -- and the onus placed upon them during their possession of it.

What was unclear was the onus, or task, placed upon the team by NHIN Direct, and questions even arose as to the exact nature and mission of that endeavor. Arien Malec, Coordinator for the NHIN Direct project, sent questions to Egerman, which he then posed to the group. Some members of the group thought NHIN Direct was intentionally planning to function "under the radar," meaning it would not access or alter the messages it handled. Others in the group, however, thought differently.

Team member Wes Rishel, vice president and distinguished analyst in Gartner's healthcare provider research practice, suggested the team get clarity rather than operate on false premises. "We need to state those conclusions and get them validated," he said.

Anthony Guerra is the founder and editor of, a site dedicated to serving the strategic information needs of healthcare CIOs. He can be reached at

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
2016 InformationWeek Elite 100
Our 28th annual ranking of the leading US users of business technology.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.