Balancing PHI Message Transaction Requirements - InformationWeek
Cloud // Cloud Storage
01:01 AM
Building Security for the IoT
Nov 09, 2017
In this webcast, experts discuss the most effective approaches to securing Internet-enabled system ...Read More>>

Balancing PHI Message Transaction Requirements

The privacy and security tiger team of the HIT Policy committee must balance a host of issues in determining the requirements for personal health information transactions.

The HIT Policy Committee's new Privacy and Security Tiger Team workgroup is striving to establish the requirements that intermediaries in personal health information (PHI) message transactions will be subject to.

Under HIPAA, parties which have access to PHI are deemed covered entities (CEs), required to establish business associate agreements (BAAs) which obligate them to handle the data in certain ways. With the rise of health information exchange under the HITECH Act, the Office of the National Coordinator created the Tiger Team to provide it with guidance in governing health information organizations (HIOs) -- or third-party intermediaries which have varying degrees of involvement with the messages.

Paul Egerman, a software entrepreneur and Co-Chair of the Tiger Team, said, "We hope we can get some policy guidelines in place prior to October when Stage 1 of Meaningful Use occurs." He said the team was working on two concepts in parallel -- making progress on a framework document put together by co-chair Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and advising NHIN Direct on questions that have arisen during its pilot project.

To clarify the group's mission, Egerman offered an analogy: "Imagine you were standing by a highway and saw an ambulance pass. That's interesting, but you don't know anything about the person in it, so it has nothing to do with PHI. But if the patient's name is written on the outside of the ambulance, then you know something about them."

Egerman and his team are engaged in an ongoing discussion about what parts of electronic data transmissions are visible, accessible or alterable to what types of entities. The team is then examining what types of policies should govern the behavior of particular entities in particular scenarios. According to team discussions, messages are composed of different elements, such as headers (the address) and payload (the main body of the message), wrapped in syntax and metadata, and sometimes encrypted. Questions revolve around the different policies that should govern passive routing (never opening the message) versus value-added routing (manipulating the content).

McGraw suggested the team adopt an overriding principle, which stipulated that no entity should obtain deeper access to PHI than was absolutely necessary to perform the function it was created to carry out. "At that point, what are the components that must be added to facilitate trust?" she asked.

The group endeavored to come up with classifications of data handling and exchange which could be drilled down upon and affixed with policy requirements. After an extensive debate, the following four categories were selected:

  1. Transactions with no intermediaries
  2. Transactions in which an intermediary routes the message, but has no access to it
  3. Transactions in which an intermediary obtains access to the message for some reason, but does not alter it
  4. Transactions in which an intermediary accesses the message and alters it

Dixie Baker, senior vice president and technical fellow at Science Applications International Corporation (SAIC), who shared with the group a model for categorizing transactions, also emphasized the importance of dealing with the "temporal" element of message handling, meaning how long intermediaries retained the message -- if at all -- and the onus placed upon them during their possession of it.

What was unclear was the onus, or task, placed upon the team by NHIN Direct, and questions even arose as to the exact nature and mission of that endeavor. Arien Malec, Coordinator for the NHIN Direct project, sent questions to Egerman, which he then posed to the group. Some members of the group thought NHIN Direct was intentionally planning to function "under the radar," meaning it would not access or alter the messages it handled. Others in the group, however, thought differently.

Team member Wes Rishel, vice president and distinguished analyst in Gartner's healthcare provider research practice, suggested the team get clarity rather than operate on false premises. "We need to state those conclusions and get them validated," he said.

Anthony Guerra is the founder and editor of, a site dedicated to serving the strategic information needs of healthcare CIOs. He can be reached at

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll