Balancing PHI Message Transaction Requirements - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Cloud Storage

Balancing PHI Message Transaction Requirements

The privacy and security tiger team of the HIT Policy committee must balance a host of issues in determining the requirements for personal health information transactions.

The HIT Policy Committee's new Privacy and Security Tiger Team workgroup is striving to establish the requirements that intermediaries in personal health information (PHI) message transactions will be subject to.

Under HIPAA, parties which have access to PHI are deemed covered entities (CEs), required to establish business associate agreements (BAAs) which obligate them to handle the data in certain ways. With the rise of health information exchange under the HITECH Act, the Office of the National Coordinator created the Tiger Team to provide it with guidance in governing health information organizations (HIOs) -- or third-party intermediaries which have varying degrees of involvement with the messages.

Paul Egerman, a software entrepreneur and Co-Chair of the Tiger Team, said, "We hope we can get some policy guidelines in place prior to October when Stage 1 of Meaningful Use occurs." He said the team was working on two concepts in parallel -- making progress on a framework document put together by co-chair Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and advising NHIN Direct on questions that have arisen during its pilot project.

To clarify the group's mission, Egerman offered an analogy: "Imagine you were standing by a highway and saw an ambulance pass. That's interesting, but you don't know anything about the person in it, so it has nothing to do with PHI. But if the patient's name is written on the outside of the ambulance, then you know something about them."

Egerman and his team are engaged in an ongoing discussion about what parts of electronic data transmissions are visible, accessible or alterable to what types of entities. The team is then examining what types of policies should govern the behavior of particular entities in particular scenarios. According to team discussions, messages are composed of different elements, such as headers (the address) and payload (the main body of the message), wrapped in syntax and metadata, and sometimes encrypted. Questions revolve around the different policies that should govern passive routing (never opening the message) versus value-added routing (manipulating the content).

McGraw suggested the team adopt an overriding principle, which stipulated that no entity should obtain deeper access to PHI than was absolutely necessary to perform the function it was created to carry out. "At that point, what are the components that must be added to facilitate trust?" she asked.

The group endeavored to come up with classifications of data handling and exchange which could be drilled down upon and affixed with policy requirements. After an extensive debate, the following four categories were selected:

  1. Transactions with no intermediaries
  2. Transactions in which an intermediary routes the message, but has no access to it
  3. Transactions in which an intermediary obtains access to the message for some reason, but does not alter it
  4. Transactions in which an intermediary accesses the message and alters it

Dixie Baker, senior vice president and technical fellow at Science Applications International Corporation (SAIC), who shared with the group a model for categorizing transactions, also emphasized the importance of dealing with the "temporal" element of message handling, meaning how long intermediaries retained the message -- if at all -- and the onus placed upon them during their possession of it.

What was unclear was the onus, or task, placed upon the team by NHIN Direct, and questions even arose as to the exact nature and mission of that endeavor. Arien Malec, Coordinator for the NHIN Direct project, sent questions to Egerman, which he then posed to the group. Some members of the group thought NHIN Direct was intentionally planning to function "under the radar," meaning it would not access or alter the messages it handled. Others in the group, however, thought differently.

Team member Wes Rishel, vice president and distinguished analyst in Gartner's healthcare provider research practice, suggested the team get clarity rather than operate on false premises. "We need to state those conclusions and get them validated," he said.

Anthony Guerra is the founder and editor of, a site dedicated to serving the strategic information needs of healthcare CIOs. He can be reached at [email protected]

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
10 Ways to Transition Traditional IT Talent to Cloud Talent
Lisa Morgan, Freelance Writer,  11/23/2020
What Comes Next for the COVID-19 Computing Consortium
Joao-Pierre S. Ruth, Senior Writer,  11/24/2020
Top 10 Data and Analytics Trends for 2021
Jessica Davis, Senior Editor, Enterprise Apps,  11/13/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Flash Poll