Federal Health IT Plan Beefed Up

Final Version Includes More Privacy, Security Details
Faced with criticism for a lack of details and vision in its original draft of the Federal Health IT Strategic Plan 2011-2015, federal authorities have beefed up some privacy and security details in the final version. For example, the final version highlights a multi-agency effort to explore "broader privacy and security policies that may be necessary to ensure trust in electronic health information exchange."

Critics of the draft plan that the Department of Health and Human Services' Office of the National Coordinator for Health IT unveiled in March said it offered mainly a rehash of ongoing projects (See: Health IT Strategic Plan: A Critique). For example, Mac McMillan, CEO at the consulting firm CynergisTek, said the plan "just struck me as not being forward-thinking enough and not really getting into the issues that need to be resolved."

A section of the final plan on "protecting the confidentiality, integrity and availability of health information" is far more detailed than the draft version.

For example, it includes a new description of an ongoing effort to "resolve federal policy direction" on a set of privacy and security issues related to health information exchange by year's end. ONC will present recommendations from its health information policy and standards committees to a new "HHS Inter-Division Task Force that is charged with establishing policy direction in this arena. ONC will then gather broader federal feedback through the Federal Health IT Task Force." The task force, formed by President Obama in 2010, encompasses six agencies, including HHS.

Key areas that will be addressed include:

  • Individual choice to participate in health information exchange;
  • Access limitations and transparency for electronic health information exchange;
  • Security, including provider and patient authentication and de-identification of personal health information;
  • Integrity of health information;
  • Secondary uses of health information for the purposes of quality improvement, public health and research; and
  • In consultation with the Federal Trade Commission, potential regulation models with respect to personal health records.

The strategic plan notes that the upcoming governance rule for the Nationwide Health Information Network, a set of standards for data exchange, likely will include many of these privacy and security components.

Granular Consent

In a new section, the plan notes ONC is investigating, through research and potential demonstration projects, ways to offer patients the ability to give consent for some, but not all, of their personal health information to be exchanged, or what it calls "granular patient choice" or "data segmentation" (see: EHR Queries for Research to be Tested).

Also in the works is a pilot test by ONC and the Substance Abuse and Mental Health Services Administration of service specifications and reference models for segmenting patient records based on the sensitivity of information. This pilot will be "broadly applicable, but particularly useful in the context of exchanging behavioral health information," the plan notes.

Varying State Laws

Acknowledging that some stakeholders have identified the variance in state health privacy laws as an impediment to exchanging health information across state lines, the final version of the plan notes: "ONC will work with state governments and state HIE grantees to identify and develop best practices to exchange health information electronically among states with varying privacy laws. In addition, ONC is exploring technology solutions to aid implementation in a computable format of patient consent and to enable information exchange among states."

In another addition, the final version of the plan states, "ONC is aware of the potential for the use of EHRs to facilitate fraud and will consider how to address the potential for fraud through its existing policies and programs."

The plan notes that ONC is developing a national framework for "high-assurance physician identity management." The framework will provide a "simple but highly trustworthy means of assuring that physicians are who they claim to be in health information exchange." Federal stakeholders, including the Centers for Medicare and Medicaid Services and the Department of Veterans Affairs, will test the framework.


About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



