The Department of Health and Human Services has released voluntary guidelines for health information exchange that include "trust principles" for security and privacy.
The new "Governance Framework for Trusted Electronic Health Information Exchange" document also includes organizational, business and technical principles.
The framework, for example, calls for providing patients with privacy and security policy notices; giving patients the opportunity to decide whether to have their data exchanged; and allowing patients to access their health data and request changes to it.
David Whitlinger, executive director at New York eHealth Collaborative, which oversees New York's statewide HIE, says that the trust principles of the ONC governance framework are in line to what many HIE efforts are already doing. "They're not being too prescriptive," he says.
Evolving Governance Strategy
The release of the framework was announced in a blog by Farzad Mostashari, M.D., who leads the Office of the National Coordinator for Health IT. ONC is the unit of HHS responsible for setting policies and standards for the HITECH Act's incentive program for electronic health records. It also has doled out HITECH funding for health information exchanges
"We've published this framework to provide a common foundation for all types of governance models," Mostashari says in the blog. "Entities that set health information exchange policy should look to the framework's principles as a way to align their work with national priorities. It is critical that we are all working from a similar understanding of the expectations for nationwide electronic health information exchange."
Last year, ONC dropped plans for voluntary "rules of the road" within the context of a Nationwide Health Information Network Governance Rule after receiving public feedback that a regulation would be premature given that HIEs are in the early stages of development (see: ONC Backs Off HIE 'Rules of Road').
Instead, ONC has opted for a gradual rollout of voluntary guidance (see: Mostashari's Vision for Secure Exchange). The new governance framework is "a living document," Mostashari says in his blog. "As we learn with you, we will consider updating these principles over time to reflect policy changes, technological maturity and market innovations, as necessary."
The framework's "intended audience" includes any entities that set HIE policy, including state governments, public-private partnerships, health information exchange organizations and private companies.
While compliance with the recommendations in the framework is voluntary, ONC says that "third party assessors, such as certifying and accrediting organizations, may find the framework's guiding principles informative as they develop methods to assess the competency, credibility and trustworthiness of HIE governance entities."
In the guidelines, ONC writes, "trust is a prerequisite for electronic HIE and starts with patients. Without trust, the ultimate success of an electronic HIE initiative could be jeopardized."
With that in mind, ONC says that any entity that sets HIE policy should abide by trust principles, including allowing patients to:
- Be able to publicly access a notice of data practices. Such a notice would explain the purposes for which personally identifiable and de-identified data could be electronically exchanged, such as for treatment, payment, research, quality improvement, public health reporting or population health management.
- Receive a simple explanation of an HIE's privacy and security policies and its practices.
- Be provided with a "meaningful choice" as to whether their personally identifiable information can be electronically exchanged.
- Be able to request data exchange limits based on data type or source, such as for information related to substance abuse treatment.
- Be able to electronically access and request corrections to their personally identifiable information.
- Be assured that their personally identifiable information is consistently and accurately matched when electronically exchanged.
In addition to the principles related to privacy and security, the governance framework also includes several principles for organizational, business and technical issues.
Organizational principles suggest that HIEs should operate with transparency and openness, "and establish mechanisms to ensure that the entity's policies and practices and applicable federal and state laws and regulations are adhered to."
Business principles suggest that HIEs set standards of participation that "promote collaboration and avoid instances where - even when permitted by law - differences in fees, policies, services or contracts would prevent patients' health information from being electronically exchanged."
Technical principles include ensuring that technology is implemented to support the trust and business principles. The technical principles also suggest that HIE organizations "should promote the use of federal vocabulary, content, transport and security standards and associated implementation specifications adopted to support HIE."
However the principles note that HIEs should also encourage the use of standards developed by "voluntary consensus standards organizations" when equivalent federal standards have not been adopted.
Whitlinger of NYeC says he was pleased that the technical principles seem to indicate that the industry will be allowed to develop its own standards as health information exchange evolves.
"Allowing VSCOs [voluntary consensus standards organizations ] to set standards allows the industry to take greater ownership of HIE as it evolves," Whitlinger says.
"It's a good start, and I like that it's fairly brief," adds David Kibbe, M.D., CEO of DirectTrust, a non-profit trade association that created and maintains a security and trust framework for using the Direct Project protocol for secure e-mail between healthcare providers.
"The ONC is attempting to cover with a broad brush stroke many different kinds of health information exchange," Kibbe says. "Looking at trust from the perspective of the patient first is very reasonable," he says, adding "that more use cases" will likely help flesh out the principles over time.
NYeC and DirectTrust both received ONC grants last month related to the development of security best practices for national health information exchange (see: HIE Security Best Practices Get a Boost).
Although independent security consultant Tom Walsh doesn't anticipate that regulators will ever issue mandatory HIE guidelines, "many HIEs will be pressured by the covered entities that participate and, later on, maybe even by patients, to protect the data. The stakes are too high. Therefore I think external forces will influence good security practices. At some point security could be a differentiator for competing HIEs."