- In addition to changing the Virtual Hearing on Accounting of Disclosures date from Sept. 6 to Sept. 30 at 11:45 a.m., the HIT Policy Committee Privacy & Security Tiger Team evaluated the security obligations that EHR data intermediaries have during quality measurement during yesterday’s meeting.
The September virtual panel hearing will be divided into functional groups and will have the option of submitting written testimony and taking part in a Q&A with the HITSC Privacy and Security Workgroup and the NCVHS Privacy, Confidentiality & Security Subcommittee afterward.
Privacy and security considerations for data intermediaries in relation to Stage 3 Meaningful Use
Next on the agenda was discussing the background and privacy and security needs for EHR data intermediaries. The Data Intermediary Tiger Team (DITT), which the Health IT Policy Committee (HITPC) and the Quality Measures Work Group (QMWG) formed in preparation for Stage 3 of the EHR Incentive Program, has two goals:
- Specify the role and functions of intermediaries in e-measure reporting and feedback, including their role in measurement calculation, submission, data transformation, data governance, and bi-directional communications with providers.
- Explore the current and desired future state of intermediaries. Contribute recommendations on data intermediary roles, including those related to privacy and security.
1. Provider inputs information into EHR.
2. EHR performs the capture.
3. DI calculates data analytics on behalf of provider and reports clinical quality data to CMS/Payer.
4. CMS/Payer transmits back to provider or to DI (which sends to provider) for quality improvement.
To the extent in which Data Intermediaries perform data analytics and other functions on behalf of HIPAA-covered health care providers, they are business associates (BAs), which are responsible for use & disclosure requirements of HIPAA Privacy & Security Rules. The Tiger Team said that best practices for data intermediaries are consistent with current guidance on Physician Quality Reporting System (PQRS) and Outcome Research Yields Excellence (ORYX) vendors.
CMS Proposed Rule on Revisions to Payment Policies under Physician Fee Schedule (78 FR 43362 7/19/2013) proposes QCDRs must enter into and maintain with its eligible professionals appropriate BA agreements that provide for QCDRs receipt of patient specific data from the EPs as well as the QCDRs public disclosure of quality measure results.
The Tiger Team used testing the secure transmission capability of DI part of module (differing from current modular approach) or attesting to or furnishing copy of BA agreement as examples of what should be Stage 3 Meaningful Use criteria.