Health IT panel probes NHIN privacy gaps
A Department of Health and Human Services workgroup is wrestling with questions of whether existing laws are strong enough to protect the privacy of patient information conveyed using NHIN Direct, a set of specifications for helping healthcare organizations swap data electronically.
The workgroup has sent the Health Information Policy Committee broad recommendations for setting up a "trust framework" that applies to NHIN Direct. Panel members are now beginning to drill down into the details, starting with the business and legal requirements that apply.
Healthcare providers have to be assured that existing laws and business agreements safeguard the privacy and security of health information. If not, other measures may need to be taken to fill in the gaps, according to discussions at a May 10 meeting of the committee's NHIN workgroup.
The panel is also weighing the privacy implications of when third-party network providers route patient data between healthcare organizations but do not themselves need access to the information.
David Lansky, the NHIN panel chairman and CEO of the Pacific Business Group on Health, said he was concerned about the capabilities and functions of such intermediary organizations.
"It's not what they do but what they can do, and what are the policies and controls we have around it," he said. "We have to take into consideration inadvertent and mischievous behavior," he added.
Short timetable
Lansky's panel has a short timetable for making its recommendations: The Office of the National Coordinator has said that it wants NHIN Direct ready to help providers become meaningful users of health IT by 2011. To accomplish that, planners expect to have NHIN Direct specifications ready for testing by October.
The NHIN Direct architecture has been developed so that routing organizations do not need to view the content of the files they are transmitting, panelists said. Routing organizations would see an e-mail message header providing information on the type of file or what application will open it.
"It does not specify that this is, for example, lab results," said Farzad Mostashari, MD, senior adviser at ONC and its representative on the panel. "It could say it is a continuity of care document (CCD), and specify to open this up with a CCD reader."
But vulnerabilities may exist. For example, an organization that provides secure routing may use that as an opportunity to deliver other services that require access to content. Or routing services might be set up, "in such a way that it de facto leaves (routing organizations) access to unencrypted personal health information," Mostashari said.
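The boundary Mostashari describes, an intermediary that sees the message header but not the clinical content, is easy to model. The following is an added example written for this article, not code from the NHIN Direct project or from any panelist; it assumes the message travels as ordinary Internet mail with the payload wrapped as an S/MIME enveloped-data part, and the "ciphertext" is a constructed placeholder rather than real CMS output. It shows what a router can learn from the headers alone, and a check a routing service could apply to refuse the failure mode in the previous paragraph, a message whose body arrives in the clear.

```python
"""Added example (not from the article or the NHIN Direct project):
what a routing intermediary can observe in a Direct-style message.

Assumptions (not stated on the page): the message is RFC 822 mail whose
payload is an application/pkcs7-mime enveloped-data part; the ciphertext
below is a constructed placeholder, not a real CMS EnvelopedData blob.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed opaque bytes standing in for the encrypted CCD. A real sender
# would produce this with an S/MIME library using the recipient's certificate.
FAKE_ENVELOPED_CCD = b"\x30\x82\x01\x00" + bytes(range(256))

# Constructed sample clinical document, used only for the misconfigured case.
CONSTRUCTED_CCD = (
    '<?xml version="1.0"?><ClinicalDocument>'
    "<title>Continuity of Care Document</title></ClinicalDocument>"
)


def build_enveloped_message(sender, recipient, ciphertext):
    """Outer MIME layer as a router receives it: the headers name the wrapper
    type (S/MIME enveloped-data), the body carries only ciphertext."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Direct message"
    msg.set_content(
        ciphertext,
        maintype="application",
        subtype="pkcs7-mime",
        params={"smime-type": "enveloped-data", "name": "smime.p7m"},
        filename="smime.p7m",
    )
    return msg.as_bytes()


def build_cleartext_message(sender, recipient, ccd_xml):
    """The failure mode: the same CCD sent without encryption, so every hop
    that handles the message can read it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Direct message"
    msg.set_content(ccd_xml, subtype="xml", filename="ccd.xml")
    return msg.as_bytes()


def router_view(raw):
    """Everything a header-only router learns: envelope addresses and the
    declared payload type, which tells it what application opens the file
    but not what the file says."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    content_type = msg.get_content_type()
    smime_type = msg.get_param("smime-type")
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "content_type": content_type,
        "smime_type": smime_type,
        "body_is_ciphertext": content_type == "application/pkcs7-mime"
        and smime_type == "enveloped-data",
    }


def forward_allowed(raw):
    """Policy check for a routing service: refuse to relay anything whose
    top-level part is not an S/MIME enveloped-data wrapper, so a sender's
    misconfiguration cannot hand the router readable PHI."""
    return router_view(raw)["body_is_ciphertext"]


def body_bytes(raw):
    """The decoded body as the router would see it if it looked: ciphertext
    for the enveloped message, the full CCD for the cleartext one."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg.get_payload(decode=True)


if __name__ == "__main__":
    enc = build_enveloped_message("dr@clinic.example", "lab@lab.example",
                                  FAKE_ENVELOPED_CCD)
    clear = build_cleartext_message("dr@clinic.example", "lab@lab.example",
                                    CONSTRUCTED_CCD)
    print("enveloped:", router_view(enc), "forward:", forward_allowed(enc))
    print("cleartext:", router_view(clear), "forward:", forward_allowed(clear))
```

The check only enforces that the outer layer is encrypted; it says nothing about who holds the decryption key. If the routing service also operates the recipient's mail store or performs content-based services on the sender's behalf, it will hold that key and the header/body distinction no longer limits what it can read, which is exactly the "what they can do" concern raised earlier.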
"Whatever the additional requirements would be for those organizations, whether from the policy side or potentially legally, we need to make sure that there is public trust," Mostashari said.
Lansky said that his panel would coordinate with the committee's privacy and security work group on the two groups' overlapping concerns about privacy related to NHIN Direct.