Privacy, Security Obstacles to Health Data Exchange PersistReport Identifies Challenges; ONC's DeSalvo Offers Progress Report
Privacy and security challenges are among the key obstacles to achieving electronic health records interoperability and nationwide secure exchange of health information, according to a new government watchdog report.
See Also: 2016 State of Threat Intelligence Study
But Karen DeSalvo, M.D., the leader of the Office of the National Coordinator for Health IT, in Oct. 1 testimony before a Senate committee, described how officials are attempting to help address those obstacles. The strategy will be spelled out soon in a revised version of ONC's 10-year interoperability roadmap, which was released in draft form earlier this year.
The Government Accountability Office's new report, Electronic Health Records: Nonfederal Efforts to Help Achieve Health Information Interoperability, describes five key lingering obstacles to achieving EHR interoperability:
- Insufficiencies in health data standards;
- Variation in state privacy rules;
- Difficulty in accurately matching all the right records to the right patient;
- The costs involved in achieving the goals, and;
- The need for governance and trust among entities, such as agreements to facilitate the sharing of information among all participants in an initiative.
The GAO had been asked by members of Congress to review the status of efforts by entities other than the federal government "to develop infrastructure that could lead to nationwide interoperability of health information." It based its report on a study of 18 initiatives, including the California Association of Health Information Exchanges, the Statewide Health Information Network of New York and the eHealth Initiative.
Over the last year, Congress has held a number of hearings examining EHR interoperability and secure health data exchange. Because approximately $30 billion has been spent so far on HITECH Act incentive payments to hospitals and physicians for making "meaningful use" of EHRs, Congress is scrutinizing whether taxpayers are getting a return on this investment, such as by making it easier for all caregivers to access potentially life-saving information through health information exchange (see Senate Scrutinizes EHR Interoperability).
At the Oct. 1 hearing, ONC leader DeSalvo told the Senate Committee on Health, Education, Labor and Pensions that her office, a unit of the Department of Health and Human Services, soon would issue the final streamlined version of a 10-year interoperability roadmap, incorporating revisions based on public comments.
"Our actions over the next year will focus on continuing to build the economic case for interoperability, including increasing incentives and improving the regulatory and business environments; coordinating with health information technology stakeholders to coalesce around a shared set of technical standards; exposing and discouraging health information blocking; and ensuring the implementation of robust privacy and security protections," she testified.
ONC also recently issued an advisory seeking public comment until Nov. 6 on "the best available standards and implementation specifications" for interoperability. Among the standards highlighted in the document is the Direct protocol, which supports secure email messaging in healthcare.
Some security and privacy experts say that beyond the efforts of the federal government, the private sector must also take steps to overcome challenges related to EHR interoperability and secure health data exchange. "Healthcare organizations need to push harder for vendors to work toward better interoperability standards," says Keith Fricke, principal consultant at the consulting firm tw-Security.
In the meantime, healthcare entities must pay attention to the risks that arise when attempting EHR data interoperability, he says. "Healthcare organizations will need to add a new dimension to their HIPAA risk assessment process and program - evaluating the risks of integrating with interoperable EHR networks and being prepared to provide attestation and proof that by becoming a part of the interoperable network, they are not creating significant risk to the other organizations already connected," he says.
Of the obstacles to interoperability highlighted in the GAO report, accurately matching patients' health records to achieve data integrity "is the primary reason interoperability is so challenging," says security expert Tom Walsh, founder of tw-Security.
"The only thing worse than no information on a patient is wrong information on a patient," he says. Not only does that cause data integrity issues, but it also creates patient safety and privacy concerns. "If a physician or a clinician cannot trust the data they are receiving, it doesn't matter how smoothly the data moves between diverse systems and entities," he says.
The GAO report noted that some methods of matching records across providers can fail because of differences in data formats across EHR systems or because of missing or inaccurate data in some records. For example, some organizations rely on Social Security numbers to help match patient records, while others do not.
In her written testimony, DeSalvo also suggested that Congress consider measures that could foster better interoperability.
"We understand that the committee may be interested in ways to make technology more usable by establishing a governance mechanism for how technology is used in practice, improving transparency in the market and prohibiting information blocking," she testified. "For example, a governance mechanism would ensure that those participating in the exchange and interoperability of health information, including, for example, health IT vendors, can be held accountable."
In April, ONC issued a report to Congress on information blocking, which refers to "when persons or entities knowingly and unreasonably interfere with the exchange or use of electronic health information." Information blocking can be caused by healthcare providers, EHR vendors and services providers who deliberately inhibit data exchange through excuses, contractual terms or even through refusal to use standard-based software interfaces, the report notes (see Overcoming Health Information Exchange Blocking).