TRENDING:

Safe & Sound with Marianne Kolbasuk McGee

The New ONC: Impact on Privacy, Security

Advisory Panels Get a Makeover Marianne Kolbasuk McGee (HealthInfoSec) • June 5, 2014    
The New ONC: Impact on Privacy, Security

The Office of the National Coordinator for Health IT, which coordinates standards and policies for the HITECH Act electronic health record incentive program, has played an important role in ensuring the privacy and security of patient information.

See Also: ISO/IEC 27001: The Cybersecurity Swiss Army Knife for Info Guardians

So it was initially somewhat concerning to learn that ONC was reorganizing, slashing many of its subunits as well its advisory workgroups. Fortunately, it appears privacy and security issues will remain a priority at the agency as it enters a new phase.

ONC is streamlining its 17 subunits to only 10. But one of the survivors is the Office of the Chief Privacy Officer, which will continue to be headed by Joy Pritts. Pritts has been a strong advocate for patient data confidentiality, secure health information exchange, and data segmentation for protecting sensitive information.

ONC is also cutting in half the number of workgroups that provide recommendations on health IT standards and policies. But a key panel, the HIT Policy Committee's Privacy and Security Tiger Team, will survive, although it may get a new name. And Deven McGraw and Micky Tripathi are expected to continue their hard work leading the team's deliberations on policy issues pertinent to protecting patient data.

Meanwhile, the HIT Standards Committee's Privacy and Security Workgroup will be re-launched as the Security and Transport Workgroup. That seems to reflect ONC's emphasis on system interoperability and secure national health information exchange, which play important roles in care coordination and continuity of care.

Tackling Issues

The revamped tiger team may refine its focus, in addition to adding some new members, McGraw, chairman of the group, tells me. "That is a matter for ONC to decide, in consultation with the Policy Committee," she says.

As for a possibility that the "tiger team" designation may disappear, McGraw says she wouldn't mind if that happened.

"I personally think it makes sense to drop it," says McGraw, a partner at law firm Manatt, Phelps & Phillips LLP. "It made sense when we were first formed and asked to take on the issue of [patient] consent over the summer of 2010 - but although we've been a consistently active working group, we haven't been in 'strike force' mode since that time."

Meanwhile, Dixie Baker, who chairs the HIT Standards Committee's Privacy and Security Workgroup, which is being phased out, says she's uncertain who will lead the new Security and Transport Workgroup.

Baker, who is a senior partner at the consulting firm Martin, Blanck and Associates, says the evolution of the HIT Standards Committee workgroups, including the new security and transport panel, stems from a focus on "semantic and technology interoperability."

For instance, interoperability plays an important role in secure data exchange, such as the ability for primary care doctors to securely send patient health information that can be appropriately viewed by medical specialists and incorporated into patient EHRs.

Pivoting for the Future

ONC, a unit of the Department of Health and Human Services, is responsible for setting policies and standards for the HITECH Act financial incentive program for electronic health records adoption, and also for secure nationwide health information exchange.

With HITECH Act funding already starting to end for many programs, ONC is "pivoting for the future," explains its leader, Karen DeSalvo, M.D. who joined ONC in January.

"This realignment will support our focus on developing and implementing an interoperability roadmap, supporting care transformation and establishing a framework to support appropriate use of health data to further meaningful consumer engagement, system-level quality and safety of care, improvements in the public's health and advancements in science," DeSalvo wrote in an e-mail to ONC staff last week that the office shared with me.

While ONC prepares to "pivot" for the future, some legislators are questioning whether some of ONC's plans are overstepping the agency's regulatory authority. In a May 3 letter to DeSalvo, leaders of the House Committee on Energy and Commerce asked ONC for more details related to the agency's proposals for the creation of a Health IT Safety Center and a new user fee for health IT software vendors and developers to support ONC's standardization and certification activities.

"It's not clear to us under what regulatory authority ONC is now pursuing these enhanced regulatory activities," the legislators wrote, asking ONC to supply answers to several related questions.

Playing a Part

Meanwhile, If you want to have a say in ONC's future, the agency is accepting applications for volunteers to serve on its workgroups - but only until June 6 - according to a recent blog by Michelle Consolazio, who coordinates the activities of ONC's federal advisory committees.

Despite all the changes at ONC, let's hope that ensuring privacy and security remain long-time priorities for all federal healthcare regulators. After all, the HITECH incentive program has succeeded in making EHRs pervasive. But now that so much more patient information is digitized and shared, it's critical that standards and policies to help keep that data private and secure continue to evolve.



About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.