Healthcare Information Security


Tiger Team assesses BA responsibilities for data intermediaries

By Patrick Ouellette

In addition to changing the Virtual Hearing on Accounting of Disclosures date from Sept. 6 to Sept. 30 at 11:45 a.m., the HIT Policy Committee Privacy & Security Tiger Team used yesterday’s meeting to evaluate the security obligations that EHR data intermediaries have during quality measurement.

The September virtual hearing's panels will be divided into functional groups, with the option of submitting written testimony and taking part in a Q&A with the HITSC Privacy and Security Workgroup and the NCVHS Privacy, Confidentiality & Security Subcommittee afterward.

Privacy and security considerations for data intermediaries in relation to Stage 3 Meaningful Use

Next on the agenda was a discussion of the background and the privacy and security needs of EHR data intermediaries. The Data Intermediary Tiger Team (DITT), which the Health IT Policy Committee (HITPC) and the Quality Measures Work Group (QMWG) formed in preparation for Stage 3 of the EHR Incentive Program, has two goals:

- Specify the role and functions of intermediaries in e-measure reporting and feedback, including their role in measurement calculation, submission, data transformation, data governance, and bi-directional communications with providers.

- Explore the current and desired future state of intermediaries. Contribute recommendations on data intermediary roles, including those related to privacy and security.

Data intermediaries

1. Provider inputs information into EHR.

2. EHR performs the capture.

3. DI calculates data analytics on behalf of provider and reports clinical quality data to CMS/Payer.

4. CMS/Payer transmits back to provider or to DI (which sends to provider) for quality improvement.

To the extent that data intermediaries (DIs) perform data analytics and other functions on behalf of HIPAA-covered health care providers, they are business associates (BAs), which are responsible for meeting the use and disclosure requirements of the HIPAA Privacy and Security Rules. The Tiger Team said that best practices for data intermediaries are consistent with current guidance on Physician Quality Reporting System (PQRS) and Outcome Research Yields Excellence (ORYX) vendors.

The CMS Proposed Rule on Revisions to Payment Policies under Physician Fee Schedule (78 FR 43362 7/19/2013) proposes that QCDRs must enter into and maintain appropriate BA agreements with their eligible professionals (EPs) that provide for the QCDRs' receipt of patient-specific data from the EPs as well as the QCDRs' public disclosure of quality measure results.

As examples of what should be Stage 3 Meaningful Use criteria, the Tiger Team cited testing the secure transmission capability of the DI part of the module (differing from the current modular approach), or attesting to or furnishing a copy of the BA agreement.

