ONC Backs Off HIE 'Rules of Road' Nationwide Health Information Network Rule Shelved

The Office of the National Coordinator for Health Information Technology has dropped plans to draft regulations setting voluntary "rules of the road," including privacy and security guidelines, for health information exchanges to help pave the way for the national exchange of information.

See Also: How to Anticipate Breaches & Prevent Data Loss: Avoiding the Fate of OPM

Farzad Mostashari, M.D., who heads ONC, a unit of the Department of Health and Human Services, explains in a blog why the office has shelved plans to launch a Nationwide Health Information Network Governance Rule based on feedback to a request for information about the proposed regulation.

"We started with an RFI because we recognized that the health information exchange marketplace is still in its infancy, and we wanted to get broad input before issuing a proposed rule," Mostashari says. "Based on what we heard and our analysis of alternatives, we've decided not to continue with the formal rulemaking process at this time, and instead implement an approach that provides a means for defining and implementing nationwide trusted exchange with higher agility, and lower likelihood of regret."

The blog goes on to explain why ONC has veered away from drafting a formal NwHIN rule.

"First and foremost, we heard that there are a lot of promising health information exchange activities currently under way and emerging, perhaps more than is widely appreciated. There are also existing and emerging consortia and voluntary governance bodies, both for directed as well as query-based exchange. One concern we heard repeatedly was that the very act of beginning a regulatory process may actually slow the development of trusted exchange at a time when we cannot afford that."

Comments Pro and Con

ONC received a wide variety of comments in responses to its RFI. While some organizations sought mandatory, rather than voluntary compliance with national guidelines for information exchange, others advocated a go-slow approach toward HIE guidelines and cautioned against going beyond existing HIPAA privacy and security rules (see: Sorting Out NwHIN Comments).

For example, the College of Health Information Management Executives, which represents CIOs, urged the federal government not to use the NwHIN governance rule to change existing HIPAA regulations.

"CHIME is very uncomfortable with the notion that the NwHIN governance mechanism and the related CTEs [conditions for trusted exchange] could become a means for imposing requirements that go beyond the HIPAA privacy and security rules," CHIME officials said. "We urge, instead, that any perceived deficiencies in the HIPAA privacy and security rules be addressed directly, through changes in those rules following the usual opportunity for public input. "If such perceived deficiencies require statutory changes, then HHS should work with the Congress to address these issues."

In contrast, two consumer advocacy groups - the Center for Democracy & Technology the National Partnership for Women and Families - argued that new privacy and security guidelines that go beyond HIPAA requirements are essential.

"It will not be possible to give providers 100 percent assurance that the other providers with whom they share patient information will not breach or misuse that data. But HIPAA likely will not provide a sufficient foundation to alleviate the concerns of providers contemplating sharing data with other providers across a network," the consumer groups contend. "Consequently, it will be critical for NwHIN privacy and security governance conditions to focus on provider concerns about data sharing across a network that can be reasonably addressed through a set of additional NwHIN governance conditions."

Fear of Hobbling HIEs

In his blog, Mostashari points out: "Our goal is to encourage the exchange activities that are gaining steam across the country and across the industry, and not to hobble them. As we are accelerating the implementation and expectations of standards-based exchange in [HITECH Act] Stage 2 Meaningful Use, this is the last thing we want."

So instead of issuing a guidance, ONC "will continue to evaluate how and what consumer protections can be appropriately applied to health information exchange through existing regulatory frameworks, and we will work with our federal partners to do that," he adds.

However, Mostashari also warns that if the industry fails to continue making progress on secure health data exchange, ONC will again consider stepping in with formal rules.

"Let me assure you that if systemic problems or market break-downs emerge that might require regulatory action, we will again seek input from the public and our stakeholders, including the health IT policy and standards committees."

Additional HIE Security Guidance

Separate from its longstanding efforts to devise an NwHIN governance rule, ONC in March issued recommendations for privacy and security policies and procedures for federally funded health information exchanges (see: HIEs Get Privacy, Security Guidance).

Those guidelines, for example, stress the importance of encrypting patient information, using two-factor authentication, educating patients about information exchange and offering patients access to their records compiled from multiple sources.

The "program information notice" provides additional direction for federally funded HIEs "to tell them what we're looking for in their privacy and security frameworks," said Joy Pritts, ONC's chief privacy officer. Much of the guidance was based on recommendations from the Privacy and Security Tiger Team, which advises federal regulators.

The notice points out that federally funded HIEs that are not taking the recommended privacy and security steps must develop a "strategy, timeline and action plan for addressing these gaps."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.





Around the Network