HHS Reveals Draft of 5-Year 'Strategic Health IT Plan'Document Focuses on Secure Patient Records Access and Health Information Exchange
The Department of Health and Human Services has issued a draft of a five-year strategic health IT plan that is largely focused on providing patients with secure access to their health information as well as supporting secure, interoperable health information exchange among healthcare providers.
The 28-page draft document released Wednesday is “an outline for federal health information technology goals and objectives to ensure that individuals have access to their electronic health information to help enable them to manage their health and shop for care,” says the HHS Office of the National Coordinator for Health IT.
“The draft federal strategic plan supports the provisions in the 21st Century Cures Act that will help to bring electronic health information into the hands of patients through smartphone applications,” said Don Rucker, M.D., national coordinator for health IT. ONC is accepting public comment on the draft plan until March 18.
Once finalized, the 2020-2025 strategic plan “will serve as a roadmap for federal agencies and drive private sector alignment,” the draft states. ONC says it will use it to prioritize resources, align and coordinate efforts across agencies, signal priorities to the private sector, and benchmark and assess change over time.
’Seamless, Secure Access’
The federal government, through implementation of the ONC plan, “seeks to enable individuals to have seamless, secure and free access to their electronic health information, which will allow them to more fully participate in the mobile app economy,” the draft states.
In a blog about the draft plan, the agency notes: ”ONC and our federal partners strive to promote a health IT landscape that can increase transparency, competition and consumer choice while also seeking to protect the privacy and security of individuals’ health information. These efforts include making coordinated investments, developing standards and policies for secure, standards-based APIs and promoting user-focused technologies.”
Four Top Goals
ONC highlights four top goals:
- Promote health and wellness;
- Enhance the delivery and experience of care;
- Build a secure, data-driven ecosystem to accelerate research and innovation;
- Connect healthcare and health data through an interoperable health IT Infrastructure.
The factors that motivate the plan, ONC says, include: the evolution of healthcare technologies, such as mobile and web apps and medical devices; the movement toward improved access, exchange and use of electronic health information; the increasing reliance on interoperable health IT and electronic health information; and lessons learned from investments in health IT and its use.
Keeping Data Private, Secure
Reacting to the release of the draft, privacy attorney David Holtzman of security consultancy CynergisTek, says: “I am encouraged that the authors of the strategic plan included an objective that recognizes that the success of the administration's goals for health IT require that patients and providers trust that patient information will be kept private and secure.”
HHS appears to be acknowledging some of the earlier feedback it received to various other proposals, including last year’s proposed rules related to information blocking, which are still awaiting final rulemaking, he notes.
”ONC's proposed information blocking regulation and the accompanying Centers for Medicare and Medicaid proposal for interoperability engendered a firestorm of criticism over concerns that they did not adequately address the privacy and security of consumers health information because the data would have been outside the protections provided by HIPAA,” Holtzman says.
Susan Lucci, senior privacy and security consultant at tw-Security, says hurdles remain in providing patients with the kind of health information access the draft appears to envision. “What I do think would help is to make it easier for patients to access their records online and have all reports and results available online,” she says. “Limiting what patients can have access to still exists, and the timeframe to obtain records should be shorter.”
The lingering obstacles to providing patients with easy access to their information, Lucci says, are “proprietary interests and corporate profitability” that hamper the sharing of records among organizations. “We have seen little in the way of results in more open sharing across systems.”
In addressing the issue of providing patients with better access to their records, the ONC draft notes: “Policies promoting use of application programming interfaces, including regulations that will implement certain provisions of the 21st Century Cures Act, will drive the development of health apps that provide access to and use of data in electronic health records.”
“Even with the implementation and use of robust privacy practices in response to federal and state regulations, health information can still be misused or inappropriately disclosed in ways that harm consumers.”
—HHS draft report
Last year, HHS announced a HIPAA right of access enforcement initiative that so far has resulted in two resolution agreements that include financial penalties for failure to provide access to records (see: Another Fine Tied to Patient Access to Records Announced).
The private sector is developing new technologies that can help improve patient access to information, ONC notes in its draft.
”New algorithms, analytic capabilities and machine learning capabilities are quickly moving from limited, conceptual use to everyday use by healthcare providers, individuals, and researchers,” the draft notes. “Remote monitoring technologies, such as wearables and web-enabled medical devices, also continue to become more advanced. Their use is rapidly expanding as healthcare providers and patients become more comfortable using such technologies.”
But ONC says warns that more than technology is needed to provide information access while ensuring privacy.
“Even with the implementation and use of robust privacy practices in response to federal and state regulations, health information can still be misused or inappropriately disclosed in ways that harm consumers. Individuals and their caregivers need education on data practices, their associated risks and opportunities to provide consent to these uses,” the draft states.
”Further, government agencies, healthcare providers, health IT developers, researchers and other stakeholders need to work together to implement robust mechanisms for ensuring the privacy of health information as more and more data are generated and health IT becomes more interoperable.”
Security of health information remains a critical concern, ONC notes.
“Individuals, healthcare providers, researchers and other stakeholders alike have significant concerns about the confidentiality and integrity of electronic health information that is created, transmitted, and stored using health IT,” the draft states. “This is especially true in light of the healthcare industry’s move toward cloud-based storage, where data on entire populations of patients is held in one place,”
Despite the risk of cyberattacks and data breaches, many healthcare organizations still have a poor understanding of cybersecurity risks and best practices, the draft notes. “More robust mechanisms for securing information will be critical as health IT systems continue to become more advanced and interoperable.”