A Roadmap for National Health Data Exchange: HHS Outlines Key Privacy, Security Issues
The idea behind the plan, unveiled by the Department of Health and Human Services' Office of the National Coordinator for Health IT, is to make it possible for clinicians to securely access timely, potentially life-saving data about a patient, no matter where that patient is treated.
Among key security-related elements are making widespread use of encryption and enhanced authentication and drafting "rules of the road" for secure data exchange.
In addition to the roadmap, ONC also issued an advisory containing standards that developers and others can use in their efforts to achieve interoperable, secure data exchange.
While the draft is a 10-year vision, it contains critical actions that can be taken by regulators and the healthcare stakeholders within the next three years to help remove barriers that are hindering information exchange.
ONC says its 150-page draft roadmap was "designed in concert" with HHS' Federal Health IT Strategic Plan 2015 - 2020, which was released in December. The draft roadmap also builds on a more general 10-year vision that ONC released last summer.
ONC is accepting public comments on its draft roadmap until April 3, with plans to release a final version later in this year.
The roadmap "provides a path ... to unlock [health] data in an appropriate fashion and put it to use for consumers to be engaged and empowered for clinical care, quality improvement, payment reform, public health and to advance science," ONC's leader, Karen DeSalvo, M.D., said during a Jan. 30 press briefing with reporters announcing the roadmap.
Privacy, Security Objectives
Here are some of the cybersecurity related critical actions ONC is aiming to take over the next three years:
- Work with the HHS Office of Civil Rights to release an updated HIPAA security risk assessment tool and hold appropriate educational and outreach programs;
- Coordinate with the HHS Office of the Assistant Secretary for Preparedness and Response on priority issues related to cybersecurity for critical public health infrastructure;
- Work with the National Institute for Standards and Technology and OCR to finalize and publish a guide to using the NIST Critical Infrastructure Cybersecurity Framework while complying with the HIPAA Security Rule.
In addition, HHS will work with the industry to develop a uniform approach to enforcing cybersecurity in healthcare in concert with enforcement of HIPAA.
Plus, HHS will continue to support the creation of a single health cybersecurity Information Sharing and Analysis Center. The center would coordinate information sharing about cyberthreats and vulnerabilities among various players in the healthcare industry and the federal government (see Federal Strategic Health Plan Issued).
The Role of Encryption
Encryption of data is a component of "a ubiquitous, secure network infrastructure," and ONC plans a number of activities to promote its use, according to the roadmap. Between 2015 and 2017, ONC will:
- Work with OCR and industry organizations to develop standards for encryption of data "at rest" as well as data "in transit" and provide technical assistance. OCR will consider whether additional guidance or rulemaking is necessary.
- Develop guidance for implementing encryption policies.
- Work with insurers and other payers to explore the availability of private sector financial incentives to increase the rate of encrypting, starting with discussions with casualty insurance carriers that offer cybersecurity insurance.
Without appropriate identification and authentication policies, processes and technologies, individuals will not trust that their health information and other data are secure and private as it's exchanged, ONC notes in the roadmap. So the office plans to take several steps, including:
- Establish policies for multi-factor authentication for those who access health information, subject to contextual appropriateness and consistency with the HIPAA Security Rule.
- Work to harmonize other standards with those adopted for multi-factor authentication.
- Establish and adopt best practices for identity proofing that are consistent with standards already adopted for other industries and that comply with the HIPAA Security Rule.
ONC is also looking for health IT developers to leverage existing mobile technologies and smart phones for patient and provider identity authentication.
ONC is also looking to tackle issues related to individuals providing consent for the various uses and disclosures of their health information related to electronic exchange. Critical actions for 2015 to 2017 include:
- Through education and outreach, OCR will consider where additional guidance may be needed to help stakeholders understand how the HIPAA Privacy Rule permits health information to be exchanged for treatment, payment and operations without patient consent.
- Federal and state governments will distribute educational materials and OCR guidance about permitted uses and disclosures of health information and individuals' choice to provide consent for their data being shared.
- ONC will brief key stakeholders, possibly including privacy advocates and Congress, on findings regarding the complexity of privacy and related regulations at the state and federal levels.
- ONC, in collaboration with states, national and local associations, and other federal agencies will convene a "policy academy on interoperability," with a particular focus on privacy as an enabler.
While the adoption of electronic health records has exploded as a result of billions of dollars in financial incentives under the HITECH Act, barriers remain to the secure exchange of patient information, the draft roadmap acknowledges. The draft addresses ways of overcoming those barriers.
For instance, when it comes to nationwide data sharing, "additional education is needed to advance understanding about HIPAA" as well as state and other laws related to health data sharing, says Erica Galvez, ONC interoperability portfolio manager. Also "harmonization" of state and federal laws related to privacy is needed to help technology developers "automate how data is shared," she says.
The draft interoperability roadmap also includes "a call to action" for health IT stakeholders to come together to establish a coordinated governance process, or "rules of the road" for nationwide interoperability, says Jodi Daniel, ONC director of policy. "These are the principles and an overarching framework of policies and practices that folks helping to facilitate health information sharing should follow to make sure that health information follows the patient, that information is protected, and is following the standards and best practices."
That includes "considering regulatory options, [and] considering how to leverage certification to ensure accountability with the rules of the road," she says. "We're looking at how best we can not just set forth the principles, but hold people accountable."
Standards in five critical areas - including security - also play a key role in the interoperability roadmap, ONC says.
As a companion document to the draft roadmap, ONC released a draft 2015 "interoperability advisory," which represents ONC's assessment of the best available standards and implementation specifications for clinical health information interoperability as of December 2014. The advisory is open for public comment until May 3.
ONC will issue a new interoperability advisory annually, says Steven Posnack, ONC director of the office of standards and technology. The hope is that developers and others will "look first before building products," with the advisory being a "non-regulatory" resource to achieve interoperability, he says.
"This [roadmap] document will help health IT executives compare standards used by their [software providers] with standards required by federal programs, as well as standards prominent in the industry," says Charles Christian, CIO at St. Francis Hospital in Columbus, Ga. and board chair of the College of Healthcare Information Management Executives. "This process will enable a national discussion between standards developers, technology developers, providers and the public to determine which standards hold the most promise, from conceptualization through implementation."