Understanding HIPAA, the Trusted Exchange Framework, and Cybersecurity

Healthcare data is becoming an increasingly common target for cyberattacks. Forrester Research warned a year ago that “healthcare breaches will become as large and common as retail breaches,” predicting that breaches on the scale of the Anthem breach, which reached 80 million patients, will become commonplace. In this environment, organizations that handle sensitive health data are struggling to balance the need for better collaboration and record-keeping among trusted partners with the need to maintain strong security practices and meet compliance regulations.

To help organizations navigate this tricky course, federal regulators have developed a voluntary health data exchange framework that is complementary to cybersecurity practices, compliance requirements, and the need for safe health data exchange.

The Need for Interoperability

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are in place to guide organizations toward better health data cybersecurity as well as health record interoperability. Beyond protecting data, patient health and safety often depend on timely and accurate data exchange among healthcare organizations (HCOs). Yet an interoperable health system is still underdeveloped and in need of improvement. To address this need, government offices developed the Trusted Exchange Framework.

What Is the Trusted Exchange Framework?

The two-part draft of the framework, developed by the Department of Health and Human Services Office of the National Coordinator for Health IT, provides principles and guidance for health information networks (HINs) as well as specific conditions and terms that organizations will have to agree to in order to participate. The security goals include a common authentication process for HIN participants, an agreed-upon rule set for trusted exchanges, and baseline operational and organizational policies for health data exchange.

On the interoperability side, federal regulators would like the framework to enable patients to electronically access their health data, enable HCOs to securely exchange health data, and encourage organizations to employ APIs to continue to innovate and improve health record accessibility, security, and usability.

The Framework vs. HIPAA

The goal of this new Trusted Exchange Framework is to “advance secure, interoperable health data exchange nationally so that clinicians have quicker access to potentially life-saving information from multiple sources,” according to HealthcareInfoSecurity.com. So how does that happen within the data protection requirements of regulations such as HIPAA?

Framework developers ensured that the proposed framework does not contradict any HIPAA requirements by aligning its guidelines with HIPAA. In fact, the Trusted Exchange Framework is meant to provide more detailed and wider-reaching security and data exchange guidance than HIPAA and HITECH specify. As a result, HCOs that handle private health-related data will have clearer guidance on compliance, security, and data exchange.

Secure Data Exchange

There is no doubt that healthcare data will continue to come under attack, and patient safety and privacy remain major concerns alongside it. To address all three aspects of health data management—security, compliance, and safe exchange with trusted partners—companies need to consistently evaluate their data handling processes and practices, invest in IT audits to expose gaps, and review and evaluate the Trusted Exchange Framework to provide the best possible data protection and treatment of patients.