Skip to content

Building Public Trust in Electronic Health Information Exchange

Given the value that individuals place on the privacy of their health information, it is not surprising that there is a federal advisory committee charged with helping the Office of the National Coordinator for Health Information Technology protect the privacy and security of health information exchanged through electronic health records under the Medicare and Medicaid EHR Incentive Programs. This group — a subcommittee of the Health IT Policy Committee — is the aptly named privacy and security “Tiger Team.”

Background on the Privacy and Security Tiger Team

ONC first assembled the Tiger Team in June 2010. The group includes 15 members from the Health IT Policy Committee, the Health IT Standards Committee and the National Committee on Vital and Health Statistics.

As a matter of scope, the Tiger Team develops privacy and security recommendations for electronic HIE, in which health care providers must engage to demonstrate meaningful use of EHRs under the Medicare and Medicaid EHR Incentive Programs. Generally speaking, this includes electronic exchange for the purposes of treatment, care coordination, and quality and public health reporting.

Key Recommendations

To support the goal of building public trust and participation in electronic HIE, the Tiger Team has recommended a number of privacy and security policies for ONC’s consideration.

Compliance With Fair Information Practices

The Tiger Team’s first recommendation is arguably its least newsworthy, but it lays the foundation for the recommendations that follow. This first recommendation is important because it sets forth the Tiger Team’s baseline expectation that those engaging in electronic HIE will be good stewards of their patients’ health information. Specifically, the Tiger Team recommends that all entities involved in electronic HIE — including individual and institutional health care providers as well as third parties like Health Information Organizations (HIOs) — follow the Fair Information Practices (FIPs) included in ONC’s Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. ONC released the framework on Dec. 15, 2008, in an effort to establish a single, consistent approach to ensure the privacy and security of HIE conducted nationwide. ONC based the framework on the Code of Fair Information Practices originally released by the U.S. Department of Health Education and Welfare in 1973.

Among other principles, the FIPs recommend openness and transparency about policies, procedures and technologies that directly affect individually identifiable health information. The FIPs also recommend that individually identifiable health information be protected with reasonable administrative, technical and physical safeguards. The FIPs are widely thought of as best practices for secure information exchange and have formed the basis of a number of existing privacy- and security-related recommendations, including those in the Markle Foundation’s Architecture for Privacy in a Networked Health Information Environment. Thus, compliance with the FIPs is largely considered standard practice.

Use of HIOs and Other Third Party Intermediaries

One of the distinguishing features between electronic HIE and paper-based HIE is that electronic HIE often is performed through an HIO or other third party intermediary, a fact that introduces new and unique risks to the privacy and security of patient health information.

To address this risk, when health care providers engage in electronic HIE through an HIO or other third party intermediary, the Tiger Team recommends the HIO or other third party not be permitted to collect, use or disclose individually identifiable health information for any purpose other than to provide the services specified in its business associate or service agreement with a data provider, necessary administrative functions or as required by law.

The Tiger Team also recommends that the HIO or other third party’s business associate or service agreements set forth how they will use and disclose health information, including de-identified data, their data retention policies and their data security practices.


Consistent with HIPAA and many state laws, the Tiger Team suggests that health care providers need not obtain patient consent to electronically exchange a patient’s health information directly with another health care provider for treatment purposes. However, in a decision that — if implemented — could preclude use of the “consent to access” models employed by many HIE initiatives today, the Tiger Team recommends that when a health care provider is not in control of the decision to disclose his or her patients’ health information (e.g., certain circumstances in which an HIO is facilitating exchange), patients should be able to consent before a health care provider makes patients’ health information available to the HIO. The Tiger Team based this recommendation on the belief that the physician-patient relationship is the foundation for trust in HIE, and that health care providers are ultimately responsible for maintaining the privacy and security of their patients’ health information, even when they delegate responsibility for exchanging their patients’ information to an HIO.

A number of HIE initiatives have formally registered their opposition to this recommendation, arguing that it could limit the amount of health information available at the point of care to providers participating in HIE and that it overlooks the protections afforded by HIE models in which consent is obtained before health care providers access information previously released to an HIO.

Granular Consent

A second consent issue reviewed by the Tiger Team is the issue of “granular consent” — i.e., the ability of a patient to consent to the electronic exchange of certain types of health information but not others. The ability to identify certain types of health information as particularly sensitive and to protect them from exchange is an important facilitator for HIE. This is because federal and state laws often place stricter requirements on the exchange of sensitive health information (e.g., mental health and HIV/AIDS-related information) than non-sensitive health information. Without the ability to filter sensitive health information and treat it differently than non-sensitive health information, HIEs often are forced to exclude sensitive health information from exchange entirely. In addition, patients often indicate they would like to be able to pick and choose exactly which parts of their health information is shared with whom.

The Tiger Team reviewed whether EHRs can manage granular consent, and determined that while filtering and other technologies hold promise to protect sensitive health information and otherwise enable patients to pick and choose which health information to share, their availability and use today is limited. Thus, the Tiger Team recommends that ONC encourage innovation in this area through pilot programs and other strategies.

Patient Matching

Accurately matching patients to their health information is an operational detail that can be easily overlooked in discussions about the privacy and security of HIE. But it is a fundamental activity that has dangerous consequences when performed unsuccessfully. Accordingly, the Tiger Team makes a number of recommendations to ensure that one patient’s health information is not mistakenly attributed to another. 

The Tiger Team does not recommend that health care providers be required to use a particular data field (e.g., date of birth) to match patients to their health information, but when such a data field is used, the Tiger Team recommends its format be standardized to increase accuracy. The Tiger Team also recommends that health care providers evaluate the efficacy of their patient matching strategies and strive to improve their accuracy, and that ONC develop and disseminate best practices for patient matching.

According to the Tiger Team, HIOs can play an important role in patient matching by implementing matching accuracy programs or by setting minimum standards for matching accuracy with which their participants must abide.


Like the ability to accurately match patients to their health information, ensuring that health care providers attempting to exchange health information electronically are who they say they are is critical to successful HIE. This exercise is called authentication, and it is designed to protect against unauthorized access to patient health information. 

Authentication is necessary at both the organization level and the individual provider level.

To facilitate organization-level authentication, the Tiger Team endorses the use of digital certificates that provide a high degree of assurance regarding the organization’s identity. Digital certificates are electronic credentials that bind the identity of the certificate owner to a pair of electronic keys that can be used to encrypt and sign information digitally. Use of digital certificates is a standard authentication practice.

At the individual provider level, the Tiger Team recommends that health care organizations be responsible for confirming the identity of their individual EHR users (an activity known as “identity proofing”), and that they require at least two factors to authenticate EHR users who are attempting to exchange information remotely. Two-factor authentication requires the presentation of two different kinds of evidence (e.g., a password and a physical token) that someone is who they say they are. Because individual-level authentication requirements have the potential to interrupt a health care provider’s workflow, they can be controversial.

To ensure that appropriate standards are in place, the Tiger Team also recommends that ONC develop and disseminate evidence about the effectiveness of various methods of authentication and continually reassess any authentication requirements it develops.

New Privacy and Security Requirements Under Stage 2 of Meaningful Use

Under Stage 2 of the meaningful use incentive program, the Tiger Team recommends that eligible health care providers continue to perform a security risk assessment, as currently required under Stage 1 of meaningful use and HIPAA. The Tiger Team also recommends that health care providers be required to attest to having evaluated whether and how to encrypt or otherwise ensure the security of health information at rest in EHRs, data centers, mobile devices and various other locations.

This recommendation aims to address the unique risk that loss of electronic devices poses to the security of patients’ health information. The federal government has become particularly attuned to the rate at which health care providers lose laptops — and the amount of patient health information placed at risk when laptops are lost — as a result of the HITECH Act’s breach reporting provisions.

To ensure the privacy and security of patient health information when patients themselves are accessing it under Stage 2 of meaningful use, the Tiger Team recommends that eligible health care providers set their own patient identity proofing requirements and that use of a single authentication factor be sufficient for patient authentication. The Tiger Team further recommends that health care providers be required to track access to patient portals through audit trails that must be made available to patients upon request and that providers be open and transparent with patients about risks associated with the use of portals. These recommendations are particularly interesting in that they address an activity in which not many health providers are engaging yet — providing patients with electronic access to their health information.

Future of the Tiger Team’s Recommendations

Although the Tiger Team’s recommendations have neither the force of policy nor law, they are likely to factor strongly into ONC’s privacy- and security-related policymaking activity. 

While ONC has given no indication as to whether it agrees with the recommendations and, if it does, how it would adopt and enforce them, some speculate that ONC could adopt certain Tiger Team recommendations as “conditions of trust and interoperability,” or “COTIs,” that must be met to exchange information as part of the Nationwide Health Information Network. ONC may include these COTIs in a forthcoming proposed regulation addressing Nw-HIN governance. 

Thus, health IT stakeholders would be well-served to keep a close eye on both the Tiger Team’s ongoing activity and the development of Nw-HIN governance requirements.

Related Topics