Experts: Compliance Builds Public Trust
Consultants stress education, enforcement
The first draft of the framework correctly points out that public trust is vital to expanding use of electronic health records as well as health information exchanges, three security consultants say.
But a key first step, they say, is to make sure hospitals, physicians and their business associates understand how to comply with HIPAA and HITECH Act privacy and security requirements.
One strategy listed in the draft document, which will ultimately serve as the basis for an updated version of the Federal Health IT Strategic Plan, is a national consumer education effort about the benefits of HIEs paired with a "dialogue" on privacy and security issues.
"Many believe that providers are the key to educating their patients," says Janie Tremlett, senior vice president at Concordant, a North Chelmsford, Mass.-based consulting firm. "So shouldn't there be education for providers first?"
The framework draft also calls for "fair enforcement of legal requirements."
Enforcement of federal regulations is as important as provider and consumer education, stresses Kate Borten, president of the Marblehead Group, a security consulting firm based in Marblehead, Mass.
Borten contends that current efforts to build regional HIEs and link them nationally are premature because security precautions are lacking.
"Our first priority must be to get up to snuff on privacy and security," Borten says. "The government has done way too little on security and privacy compliance and enforcement. That has to be front and center, rather than taking it on as we move forward."
Borten chastises the U.S. Department of Health and Human Services for delaying the start of HIPAA compliance audits by its Office for Civil Rights as called for under the HITECH Act. Since HIPAA was enacted in 1996, the government has been moving at a snail's pace to enforce its privacy and security rules, she laments.
The final version of the strategic framework, Borten contends, should pinpoint security education for healthcare providers and their business associates, as well as stepped-up HIPAA enforcement efforts, as the most urgent security strategies.
"The appropriate, ethical, moral position is to say, 'Hold on; we've got to fix privacy and security before we move forward with any of the rest of this.'"
Tremlett says the framework ultimately must articulate a "concrete roadmap of how to get from the current state to a more protected environment in a cost-effective way."
HHS' Office of the National Coordinator for Health Information Technology recently posted on its Web site a preliminary draft of the framework that spells out, among other things, its proposed federal privacy and security strategies.
Under the HITECH Act, the ONC must work with other agencies to update the Federal Health IT Strategic Plan published in June 2008.
The framework, which will be refined in the coming months, will be the foundation for this update. David Blumenthal, M.D., serves as the national coordinator.
The "pre-decisional draft" states that one goal of the framework is to "build public trust and participation in health information technology and electronic health information exchange by incorporating effective privacy and security solutions in every phase of its development, adoption and use."
Educating the public
Consumer education about the value of HIEs and the protection of electronic records, as called for in the draft, eventually will prove to be important, the consultants say.
"A lot of the Health Information Exchanges being built will require patients to opt in," notes Glen Day, principal, cybersecurity and privacy, at the consulting firm Booz Allen Hamilton Inc., Los Angeles. "They won't opt in if they're told 'just trust me' when it comes to security. They need to be educated on the value of the HIE, how it affects their healthcare, and why these systems should be trusted."
Without that education and assurance, Day says, "HIEs are going to be stopped in their tracks."
Another proposed strategy in the draft calls for "harmonizing" state privacy laws and exchange policies to pave the way for sharing data across state lines. Day calls this step essential to the success of HIEs.
"A number of state laws conflict with each other," he notes. These conflicting laws, he argues, can be roadblocks to the potentially life-saving exchange of information across state lines, such as when someone is treated in an ER while on vacation in another state.
Harmonizing state laws "will be a tough, complicated thing to do," the consultant acknowledges. But it will, nevertheless, prove essential to broad data exchange efforts, he says.