HIE 'Rules of Road': What's Next?
Experts Weigh In on Privacy, Security Strategy
Supporters of a recent decision by federal regulators to back away from issuing voluntary "rules of the road" for secure health information exchange say the move makes sense, given that HIEs are still in the early stages of development (see: ONC Backs Off HIE 'Rules of Road'). But some others argue that establishing HIE benchmarks, especially for privacy and security, is advisable now to help build public trust.
The debate revolves around the concept of a Nationwide Health Information Network, an idea that has been kicking around for several years. Not a literal network, NwHIN would amount to a set of standards and guidelines to facilitate the flow of healthcare information from coast to coast, such as from one health information exchange to another.
Federal regulators had planned to issue an NwHIN Governance Rule, setting voluntary guidelines for health information exchange. When he unveiled plans for the rule earlier this year, Farzad Mostashari, M.D., who heads the Office of the National Coordinator for Health IT, said it would create an NwHIN "brand" that health information exchanges and others could voluntarily earn, much like the Energy Star program that signifies energy efficiency levels of many products.
But Mostashari announced in a Sept. 7 blog post that those plans are on hold because HIEs are still evolving, and regulating them now would be premature.
In the spring, Mostashari's office issued a request for information to seek comments on its NwHIN Governance Rule proposal. In his blog, Mostashari noted: "Based on what we heard and our analysis of alternatives, we've decided not to continue with the formal rulemaking process at this time, and instead implement an approach that provides a means for defining and implementing nationwide trusted exchange with higher agility, and lower likelihood of regret."
Mostashari also noted: "One concern we heard repeatedly was that the very act of beginning a regulatory process may actually slow the development of trusted exchange at a time when we cannot afford that." (See: Sorting Out NwHIN Comments.)
It remains unclear how, when or if ONC, a unit of the Department of Health and Human Services, might move forward with recommending standards for health information exchange. But some observers predict a public-private accrediting body could be formed to take a lead role.
Too Early for Regulation?
Those who back Mostashari's decision say it was a pragmatic move.
"The general consensus of industry stakeholders is that it is too early in the development of health information exchanges and the NwHIN ecosystem to write helpful regulations," says John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston, and co-chair of the HIT Standards Committee that advises ONC. "I'm confident that rules of the road will be written once we have more real world experience with large scale health information exchange."
In contrast, Dixie Baker, a member of the HIT Policy Committee's Privacy and Security Tiger Team, which has drafted proposed HIE guidelines, is disappointed with the decision to shelve the NwHIN Governance Rule. She argues that there's a need for all players to "conform to a common, baseline set of privacy and security policies and to enforce those policies in a consistent way using a common set of standards."
Baker, who recently joined the consulting firm Martin, Blanck and Associates as a partner, is among those who had hoped that a NwHIN Governance Rule would raise the bar for data exchange security and privacy protections beyond those provided by HIPAA and the HITECH Act.
"Entities exchanging health information need to be able to assume nationwide conformance with a core set of privacy and security policies and standards that together comprise the trust fabric of a nationwide health information exchange capability," she says. "This is not to say that states cannot impose stronger policies, but that some core baseline set needs to be a given. HIPAA serves as this baseline for enterprises, but does not address health information exchange providers."
Some others, however, say that upping the ante on security and privacy rules for health information exchange beyond what's in HIPAA would be overreaching by ONC.
"HIPAA is a fairly complex law and subsequent set of regulations," says Jeffery Smith, assistant director of advocacy at the College of Healthcare Information Management Executives. "There are also important aspects of HIPAA that were changed through HITECH, yet final regulations specifying those changes have yet to surface. We worried that ONC would be further complicating HIPAA by moving forward with proposals that appeared to mandate more stringent rules than outlined by current regulations."
Adam Greene, a partner at the law firm Davis, Wright Tremaine who formerly worked at the HHS Office for Civil Rights, which enforces HIPAA, says that rather than have HHS issue rules about securing data privacy in health information exchange, rules governing patient privacy need to be modified.
"One of the biggest regulatory challenges facing health information exchange is that liability is focused on the disclosing entity, not the requesting entity," Greene says. "I'm not sure that regulations of health information exchange are the appropriate vehicle for addressing this issue, because I think ONC rightly recognizes that regulations may not keep up with the changing nature of the exchanges," he says. "Revision of HIPAA to focus more on requests for information may be a more appropriate and flexible solution."
Although the NwHIN Governance Rule would have been helpful, it's also important to address gaps in the HIPAA rules and ramp up enforcement, adds Mark Savage, senior attorney at Consumers Union.
"Rules of the road are generally good. [They] create certainty and trust for patients and providers and common expectations of vendors," he says. But equally important, he says, is further modifying HIPAA to make certain that all organizations and companies that have access to protected health information must comply with the federal rules.
While ONC has put its plans to draft an NwHIN Governance Rule on hold, in March it issued a notice to federally funded HIEs that included guidance for privacy and security policies and procedures (see: HIEs Get Privacy, Security Guidance).
But that guidance amounts to recommendations that "cannot be fully enforced," says Jennifer Covich Bordenick, CEO of eHealth Initiative, a private-public consortium that promotes the use of health IT, including HIEs.
And federally funded HIEs operating in states that have privacy laws stricter than HIPAA must comply with those state laws, adds Micky Tripathi, another member of the Privacy and Security Tiger Team. "In states like California, Massachusetts and New York, where privacy laws are stricter than HIPAA, they can't be tossed out in favor of HIE guidance," he says.
Still, some think the ONC guidance to federally funded HIEs is helpful, even if it doesn't apply to everyone.
"We are happy with ONC's decision to hold off on NwHIN regulation," Smith says. But he adds: "Generally, any guidance offered by ONC to federally funded HIEs is a good thing. So many states are struggling to define their sustainability strategy, service offerings and value proposition - guidance and best-practices are nearly always welcome."
Too Much Too Soon?
Tripathi, who is chairman of eHealth Initiative and also CEO of the Massachusetts eHealth Collaborative, argues that shelving the NwHIN Governance Rule was a sensible decision because regulators need to wait until HIEs mature. "Then you know what the problems are and it's clearer to write cohesive regulations. We're nowhere near that now."
Self-described "privacy and security nut" Gayle Herrell, a member of the Privacy and Security Tiger Team and a state representative in Florida, shares that point of view. "I want to make sure the public is satisfied that their data is secure and private," she says. "But HIEs are still in their infancy, and we want to allow innovation and creativity to bring standards up, not get locked in too early. Let's see what happens in the next six to 12 months."
Herrell predicts that security and privacy policies and standards for HIEs might eventually be set or monitored by a public-private accrediting body rather than HHS.
Tripathi agrees, saying that a public-private collaborative effort that "gives a good housekeeping seal of approval" to HIEs might be the best approach in the long run.
And Baker, who supported moving forward with the NwHIN Governance Rule, acknowledges that a public-private partnership approach could work.
"I would have preferred to see forward movement toward the development and implementation of a governance structure wherein a public-private advisory group would recommend a baseline set of policy rules and standards," she says.
"These policy rules and standards then would become the regulatory foundation for the NwHIN, and one or more public-private entities would be responsible for defining higher-level policy and standards designed to encourage and facilitate interoperability, while allowing innovation to occur outside a federal regulatory structure."
Also, while ONC had indicated that compliance with the proposed rules of the road would be voluntary, Baker insists that some mandatory security and privacy requirements are needed.
"Compliance with the privacy and security policy rules and standards should be mandatory, while compliance with higher-level policy and standards could be voluntary," she says.
"This would enable each healthcare entity to be assured that, regardless of the exchange service provider it chose to use - and regardless of the service provider its business partners chose to use - the health information entrusted to that entity would be protected, and the privacy rules associated with the information would be enforced. At the same time, by keeping higher level policy and standards out of federal regulations, innovation and regionalization could occur outside the constraints of the regulatory process."