The privacy and security workgroup of the federal Health IT Policy Committee is recommending that providers encrypt any personally identifiable patient information whenever they share data with others, even when a third-party health information exchange is not involved.
The workgroup is asking HHS officials to set policies for data encryption, limits on specificity in message headers, and identity verification of both sender and receiver, even in direct, one-to-one exchanges, as part of final rules for "meaningful use" of EMRs, Government Health IT reports. Such rules are what a "reasonable patient would expect," said workgroup co-chair Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.
This recommendation takes into account new, tougher HIPAA privacy and security rules, which come with increased penalties for violations. "If strong policies, such as the above, are in place and enforced, we don't think this scenario needs any additional individual consent beyond what is already required by current law," McGraw said.
Direct HIE likely will be a "stage 1" requirement of meaningful use. HHS promises a final rule in June.