Federal Health IT Plan: Pros and Cons

Observers Pinpoint Valuable Additions, Unfortunate Omissions

By , September 26, 2011.
Federal Health IT Plan: Pros and Cons


See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

ederal authorities deserve credit for adding privacy and security details to the final version of the Federal Health IT Strategic Plan, several observers say. But some still believe the document doesn't go far enough in spelling out specific action steps and priorities.

Earlier this month, the Department of Health and Human Services' Office of the National Coordinator for Health IT issued the final version of the plan, which was fine-tuned in light of 240 comments received about the draft version issued in March. The draft generate a wide range of criticisms (see Health IT Strategic Plan: A Critique).

"It's obvious some effort was put into broadening the view of this plan," says Mac McMillan, CEO at the security consultancy CynergisTek. "But it still falls short of what I think healthcare is going to need to fully realize the benefit of HIPAA and the HITECH Act."

McMillan says the final version of the plan, which serves as a blueprint for HHS' information technology policy priorities, "incorporates all the right areas of focus with respect to privacy and security, but misses the chance to address some important issues that will be critical to healthcare's future success in addressing data security." For example, he says the plan fails to address the security of medical devices, such as heart monitors and IV pumps. And he would have liked to have seen more details spelling out specifics on how to give HIPAA enforcement "a sharper set of teeth."

In addition, McMillan says the plan should have called for the "adoption of a recognized security framework and standard." In a recent interview, he advocated creation of a security standard, either through a federal mandate or an industry-led voluntary effort (see: Security in a Post-9/11 World.). "We still have 50 percent of hospitals who are lacking a full-time security person," he notes. "We still have a lot of hospitals that are not conducting regular risk assessments." That won't change, he argues, "until we have a credible standard with specific requirements that a network has to meet."

Christopher Paidhrin, security compliance officer at PeaceHealth Southwest Medical Center in Vancouver, Wash., also laments a lack of privacy and security specifics in the final version of the plan. Compared to the draft, the final version "has more clarity of intent in the language and even a better voice of passion for the purpose," he says. Nevertheless, he contends that the final version mainly offers "promises to make progress."

Conflicting State Laws

Some observers, however, were pleased by some of the specific additions included in the final version of the plan.

For example, Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind., criticized the draft version of the plan for failing to highlight "the conflicting nature of some of the federal and state regulations" dealing with privacy, which is impeding the progress of health information exchange.

So he was pleased that the final version addressed the issue. "It is good to see that they will be looking at the differences in the various state laws and how some may impede health information exchange in referral markets that cross state lines," the CIO says.

The final plan states: "ONC will work with state governments and state HIE grantees to identify and develop best practices to exchange health information electronically among states with varying privacy laws. In addition, ONC is exploring technology solutions to aid implementation in a computable format of patient consent and to enable information exchange among states."

Agency Collaboration Welcomed

Another important addition to the final version of the plan, some observers say, is the revelation that multiple agencies will be involved in setting guidelines for the privacy and security of information that's exchanged, including a new HHS Inter-Division Task Force and the Federal Health IT Task Force, which represents six government agencies, including HHS.

"It's important for HHS to coordinate with other agencies," says Lisa Gallagher, senior director, privacy and security, at the Healthcare Information and Management Systems Society. "There may be aspects of policies HHS could learn from other agencies."

Follow Howard Anderson on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE GAO Weighs Benefits of Smart Cards

A government watchdog agency has laid out pros and cons for Medicare to adopt electronically...

Latest Tweets and Mentions

ARTICLE GAO Weighs Benefits of Smart Cards

A government watchdog agency has laid out pros and cons for Medicare to adopt electronically...

The ISMG Network