The Health IT Privacy and Security Tiger team on July 5 laid out its agenda for addressing some of the more urgent health information privacy policy gaps confronting federal policymakers before the meaningful use plan goes into effect next year.

The team was formed to address privacy and security problems involving health information exchange (HIE) programs funded by the Office of the National Coordinator that must be resolved over the summer, said Paul Egerman, the team's co-chairman, at the Tiger team meeting.

Those include projects related to the Nationwide Health Information Network (NHIN), including NHIN Direct, a set of standards and services for point-to-point HIE; NHIN Exchange, a more robust HIE project, and NHIN Connect, the HIE toolset developed by federal healthcare agencies.

Over the summer, the team will also cover issues raised by state health information organizations funded by ONC, Egerman said, including data reuse; consumer consent; dealing with sensitive data; authentication and identity assurance; patient identification and matching; and NHIN governance, including accountability and enforcement.

The team decided to postpone three topics it believed were too complex to resolve over the summer, including, "patient issues such as authentication, identity assurance, access, corrections," as well as policies surrounding de-identified data and interstate HIE.

The Tigers also outlined their policy-making approach for addressing different variations of HIE: for every topic, it would make a separate recommendation for each of three models of HIE: peer-to-peer  exchange; a federated HIE model; and a centralized HIE model.

But once details of the agenda were presented, several Tiger team members took swipes at it.

Rachel Block, deputy commissioner for the New York State Department of Health, said tabling the interstate data issue while ONC was at the same time urging states to pursue interstate HIE did not make sense.

"I'm a little concerned about what it means to be putting that issue in the parking lot if were going to be asked to address (HIE) sooner rather than later in the context of state grant programs," she said.

Responding, ONC chief privacy officer Joy Pritts noted that ONC planned to put out a request for information on NHIN governance, "and that is the context in which this group is being asked to address that topic."
Carol Diamond, managing director of the Markle Foundation's healthcare program, said she was concerned that by picking HIE technology prototypes the team was making implicit policy recommendations. "This construct makes no sense to me because each one of these models (implies) many policy determinations," she said.

Block also noted that many HIEs are hybrids of the architectures - centralized and federated - that the Tiger team wants to address separately. "If you put these things in a box then it becomes very difficult to work with models that don't fit in the box," she said.

But Egerman said the team did not intend to "partition" policies for each model. "Probably everybody has a hybrid to one extent or another," he said. "But if we do our recommendations right hopefully we'll provide information that is useful to everybody."

Said Pritts: "We are discussing policies which we want to apply across a range of models and almost be model neutral - except where we want  to focus on aspects that might be characteristic of a particular model."
Micky Tripathi, chief executive officer of the Massachusetts eHealth Collaborative, supported the approach."The models are not wholly representative of what's out there," he said, "but it's a place to start."

The team meets next on July 9 to take up the issue of data reuse and retention.