A Look at ONC's 10-Year PlanSecurity, Privacy Key Building Blocks for Interoperability
The Office of the National Coordinator for Health IT has unveiled a plan setting new priorities for the next 10 years as the HITECH Act electronic health records incentive program, which has been its primary focus, nears completion.
ONC's 10-year game plan focuses on building an interoperable, nationwide health IT infrastructure to pave the way for the secure exchange of patient information; it includes privacy and security among five core building blocks.
The new report, Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure, outlines ONC's "broad vision and framework for interoperability over the next decade," writes ONC leader Karen DeSalvo, M.D. in a blog.
"Over the coming months, we will offer several opportunities to provide input as we shape a national interoperability roadmap and encourage participation from all stakeholders," DeSalvo writes.
System interoperability plays an important role in secure data exchange, such as the ability for primary care doctors to securely send and receive patient health information - including sensitive data - that can be appropriately viewed by other clinicians, such as medical specialists, and incorporated into patient EHRs.
In recent years, ONC has been working on policies and standards for health information exchange, in addition to its HITECH-related work on EHRs.
HITECH Act funding for EHR incentives, as well as other projects, including start-up statewide health information exchanges and regional extension centers offering EHR support, is winding down. But ONC, a unit of the Department of Health and Human Services, has its own budget for other projects.
ONC was created 10 years ago by executive order of President George W. Bush. But the agency didn't blossom until the HITECH Act was signed into law by President Obama in 2009, providing funding to propel the nationwide adoption of EHRs.
"Over the past decade, there has been dramatic progress in adoption and use of health IT across the nation," DeSalvo writes. "This progress has laid a strong base upon which we can build. There is much work to do to see that every person and their care providers can get appropriate health information in an electronic format when and how they need it to make care convenient and well-coordinated and allow for improvements in overall health."
DeSalvo says that ONC has "heard loudly and clearly that interoperability is a national priority." To achieve that goal, ONC's vision for the next 10 years focuses on "five critical building blocks for a nationwide interoperable health IT infrastructure."
Those core building blocks include:
- Core technical standards and functions;
- Certification to support adoption and optimization of health IT products and services;
- Privacy and security protections for health information;
- Supportive business, clinical and regulatory environments;
- Rules of engagement and trust for data exchange and governance.
John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center and co-chair of ONC's HIT Standards Committee, tells Information Security Media Group that the long-term vision set out by ONC strikes a good mix of goals.
"ONC will have to focus its strategy and reduce the number of initiatives in response to the end of [HITECH] funding," he says. "ONC has led many privacy and security initiatives over the past few years including the Direct Project, data segmentation for privacy, and identity management for patients and providers.
"The strategy announced today sets a positive direction without being overly prescriptive at this point," Halamka says. "This sounds appropriate to me because new solutions are going to evolve. For example, the patient may be the best steward of data, and privacy can be directly controlled by the patient, such as with Apple's new HealthKit," he says, referring to a health and fitness application development tools for the iPhone.
Pivoting for the Future
The new 10-year vision is ONC's latest move as the agency prepares to "pivot" for the future. ONC recently disclosed to staffers that it was realigning the agency internally, including streamlining from 17 to 10 subunits. However, those changes did not affect top leadership of ONC's Office of Chief Privacy Officer, of which Joy Pritts remains at the helm. (see New ONC: Impact on Privacy, Security). Also, ONC is reducing by half the number of advisory workgroups of its HIT Standards and Policy Committees, but retaining its Privacy and Security Tiger Team, which may be renamed.
Meanwhile, some legislators are questioning whether some of ONC's other recently revealed plans are overstepping the agency's regulatory authority. In a May 3 letter to DeSalvo, leaders of the House Committee on Energy and Commerce asked ONC for more details related to the agency's proposals for the creation of a Health IT Safety Center and a new user fee for health IT software vendors and developers to support ONC's standardization and certification activities.
"It's not clear to us under what regulatory authority ONC is now pursuing these enhanced regulatory activities," the legislators wrote, asking ONC to supply answers to several related questions.
An ONC spokesman tells ISMG that ONC is preparing a response to the committee members.
Privacy and Security Building Blocks
In its new 10-year plan, ONC says it will "strive to ensure that privacy and security-related policies, practices, and technology keep pace with the expanded electronic exchange of information for health system reform."
The plan says ONC will:
- Continue to assess evolving models of health information exchange to identify and, with stakeholder input, develop solutions to address weaknesses and gaps in privacy protections. That includes improved standards, technology, and workflow to address discrepancies between HIPAA and state privacy laws that make some data exchange complicated.
- Focus on methods and approaches that support distributed analytics and sharing research results without disclosing protected health information.
- Work with the National Institute of Standards and Technology and other stakeholders "to expand the options for ensuring, at an appropriate level of certainty, that those who access health information electronically are who they represent themselves to be."
- Work with the private sector to address emerging cyberthreats.
- Collaborate with its HHS sister unit, the Office for Civil Rights, as well as other agencies "to encourage greater consumer education about the benefits of health information exchange and the steps they can take to safeguard their own data."