Sequester: Health Data Security Impact How Budget Cuts Could Affect Ongoing Projects

The federal budget sequester could impact data privacy and security work under way at the Office of the National Coordinator for Health IT, including delaying or deferring pilot projects related to electronic patient consent, data segmentation and authentication.

See Also: Preparing for OCR Audits: Presented by Mac McMillan of the HIMSS Privacy and Policy Task Force

"We could defer or delay follow-up on pilot projects that are investigating technologies and standards needed to implement data segmentation and electronic patient consent, or e-consent, and authentication methodologies under the National Strategy for Trusted Identities in Cyberspace, or NSTIC," an ONC spokesman tells HealthcareInfoSecurity.

While those adjustments haven't been finalized, privacy and security experts and healthcare CISOs worry about the potential impact such cuts could have on progress being made on secure health data exchange.

Farzad Mostashari, M.D., who heads ONC, expects the sequester to result in a $3 million cut in the office's $60 million annual budget, according to one news report earlier this month. The ONC spokesman declined to confirm that figure.

ONC, a unit of the Department of Health and Human Services, coordinates nationwide efforts to implement health IT and the electronic exchange of health information, including the HITECH Act's incentive program for the meaningful use of electronic health records.

Another HHS unit, the Office for Civil Rights, which is responsible for HIPAA enforcement, has not yet completed analysis of the sequester's impact on its budget.

"OCR is working to implement the sequester reductions in a way that tries to minimize the negative impacts on our mission. We do not have final plans or estimates of the impacts on employees or programs at this time," an OCR spokeswoman told HealthcareInfoSecurity.

Projects On Hold?

Regarding the ONC security and privacy efforts that could be affected by the sequester, "the data segmentation [pilot work] is continuing, but it seems that follow up would be curtailed," says the ONC spokesman. He declined to elaborate.

ONC's Data Segmentation Initiative was launched in 2011 after the President's Council of Advisors on Science and Technology recommended the use of metadata tags to help protect the security and privacy of sensitive health information during exchange. Several pilots are under way through the S&I Framework, a collaborative community of participants from the public and private sectors who are focused on providing the tools, services and guidance to facilitate health information exchange (see Feedback on EHR Metadata: Go Slow).

Regarding e-consent projects, ONC is awaiting a report on a recent pilot project in Buffalo, N.Y., involving the health information exchange HealtheLink and four local physician practices, the ONC spokesman says (see: Patient Consent: A New Approach). The project tested patients using tablets to read interactive educational material about health information exchange and data privacy and security before using the devices to provide consent to have their records shared via the HIE.

As for authentication, the HIT Policy Committee, which advises ONC, has in recent months made several recommendations related to patient and clinician authentication for accessing health information. The committee recommended that ONC make authentication guidelines for healthcare organizations available in advance of the 2014 start of Stage 2 of the EHR incentive program. Plus, to qualify for a second stage of incentive payments, hospitals and physicians must enable patients to view, download and transmit electronic health information via a web portal - and that requires authentication (see: Patient ID Best Practices Coming Soon?).

Industry Reaction

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, was disappointed to learn about the prospect of privacy and security projects being impacted by the sequester. She chairs the Privacy and Security Tiger Team that advises the HIT Policy Committee.

"It would be very unfortunate if those projects were delayed or deferred, especially since the data segmentation project is well along, as was demoed at the interoperability showcase at the HIMSS 2013 [Conference]," she says. "Also, providers already have existing obligations to comply with enhanced patient consent requirements and absolutely need for their EHRs to help them meet those existing obligations."

Healthcare providers benefit from help in securely managing patient health data, she says.

"If providers don't have the technical mechanisms to enable them to appropriately handle sensitive health data, then that data is likely to be left out of electronic records or electronic exchange arrangements - which means that populations with sensitive health conditions will not experience the benefits of better care," McGraw says. "Given the focus lately on improving care for mental illness, this seems particularly shortsighted."

John Houston, CISO at the University of Pittsburgh Medical Center, says pulling funding away from important authentication projects under way at NSTIC, and delaying or deferring projects related to e-consent and data segmentation, could potentially stunt important progress in securely exchanging health data.

"You cannot build robust health information exchange and interoperability without being able to segment sensitive data and manage patient consent electronically," says Houston, who is also a member of the tiger team.

"Data segmentation is in its infancy," he says. Yet it's vital to allowing providers to exchange important patient data, such as blood test results and medications, while protecting sensitive data, such as mental health information, he adds. Without standards and guidance on how to protect patients' most sensitive information, many providers and patients will refrain from participating in data exchange, he predicts.

In addition, some experts believe that delaying important privacy and security projects could impact Stage 2 of the HITECH Act incentive program, which starts in 2014. "Electronic management and sharing of consents is an urgent need, especially given Stage 2's focus on exchange," says Dixie Baker, senior partner of the consulting firm Martin, Blanck and Associates and a member of the tiger team.

"Right now, I'm seeing ideas for exchanging electronic images, like PDFs, of signed, paper consents, transmitted along with the data. I don't think this approach is likely to be efficient, scalable or practical. Consents need to be made electronic and computer-interpretable," Baker says.

The Nationwide Health Information Network Power Team and the Privacy and Security Workgroup of the HIT Standards Committee have identified standards for consent as an urgent need, Baker notes. And the tiger team is making recommendations on this topic, she adds.

As for funding for authentication projects, "NSTIC is a very important national initiative, and it's important that healthcare standards align with it," she says. Baker notes that the Centers for Medicare and Medicaid Services recently announced its intent to use NSTIC credentials. "Most of the work on NSTIC, including the pilots, is being done by NIST, so hopefully the impact of ONC's reduction in funding for pilots will be minimal," she says.

More to Cut

Privacy and security projects at ONC aren't the only work that will be affected by the sequester. Among other projects that could be affected are standards development and harmonization efforts, the ONC spokesman says.

In addition, "we are still looking at reducing or eliminating support for lower-priority projects outside of the meaningful use [HITECH incentive] framework, including long-term care clinical care summary standards and modular application interoperability ... and enhancements to the Clinical Quality Measure testing engine," he says.

Christopher Paidhrin, IT Security Compliance Officer at PeaceHealth, a health delivery network in Washington state, is concerned about the impact of possible delays or cutbacks in federal work related to health data privacy and security standards and guidelines.

"A large handful of ONC projects and collaborative initiatives are central to the success of meaningful use," he says. "To be cost-effective, widely adopted and uniformly audited and enforced, the industry needs not only standards and more accessible best practices - we need simple methodologies that align to core common criteria."

Paidhrin adds: "We need a shared and accessible repository of healthcare wisdom, like a Wikipedia, where policies, procedures, best practices, effective templates and tools can be found, put to use, and through feedback rise above the distraction and become useful."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.





Around the Network