Healthcare Information Security

Cybersecurity News

Tiger Team offers HITPC behavioral health recommendations

By Patrick Ouellette

- The Office of the National Coordinator (ONC) Health Information Technology Policy Committee (HITPC) held its June meeting yesterday, where the Privacy and Security Tiger Team provided an update of its recent work.

The Tiger Team has concentrated on Behavioral Health (BH) Data Segmentation lately and presented its recommendations to Health IT Policy Committee in regards to certification to enable exchange of behavioral health data from the Certification & Adoption Workgroup.

The team had previously reviewed CFR 42 Part 2, which applies to facilities and providers that receive federal funds for substance use treatment, and unanimously agreed with the HITPC that the voluntary behavioral health certification process is something ONC should pursue. Additionally, the Tiger Team received vendor feedback on sensitive information handling and Data Segmentation for Privacy (DS4P).

The HITPC approved the Tiger Team’s recommendations that the ONC use a slow “glide path” that would ramp up the receiving levels from document-level sequester (Level 1) to a local-use only solution (Level 2) to EHRs for general use and sharing advanced metadata and re-disclosure (Level 3).

Specific to Stage 3 Meaningful Use, the Tiger Team recommended that these items be included in the planning:

- Level 1, which the recipient EHR can receive and automatically recognize documents from Part 2 providers, but the document is sequestered from other EHR data, send and receive functionality in voluntary certification program for BH providers BH EHRs must be able to control which recipients can be sent Part 2-covered electronic documents.

- Level 1 receiver functionality as voluntary certification criterion for CEHR. Only recipient providers interested in being at level 1 would request capability from vendors.

- Moving from sender status quo – 0 – requires level 1 capabilities for sender and at least level 1 capabilities for recipient.

- Level 2 and 3 are beyond MU 3. However, progression less likely to occur if the ONC doesn’t lay the foundation for moving from level 0 to level 1 for both BH and EP/EH EHRs.

Additionally, there were pilots and guidance needed to clarify recipient response. According to the Tiger Team, sending providers should send restricted CCDAs only to recipients interested and able to receive them electronically. The question is whether this should be done contractually or informally and whether technical mechanisms can be developed to indicate recipient status. With those queries in mind, the Tiger Team made these policy recommendations:

- Identify unanticipated workflows and consequences resulting from physicians and staff using EHRs with level 1 functionalities

- Determine how recipient EHRs will be able to re-release Part 2 data if patient gives authorization

- Additional pilots will enable understanding of what the rules for accepting the obligations under levels 2 and 3 might be.

- Educate users on the obligations that come with Part 2 data, especially around re-disclosure

And Tiger Team said the HITSC should look at whether DS4P or any other standard is mature enough for BH or general EHR voluntary certification and to what degree of granularity.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks