Sequester: Health Data Security Impact

How Budget Cuts Could Affect Ongoing Projects

By , March 27, 2013.
Sequester: Health Data Security Impact

The federal budget sequester could impact data privacy and security work under way at the Office of the National Coordinator for Health IT, including delaying or deferring pilot projects related to electronic patient consent, data segmentation and authentication.

See Also: Beyond HIPAA Risk Assessments: Added Measures for Avoiding PHI Breaches

"We could defer or delay follow-up on pilot projects that are investigating technologies and standards needed to implement data segmentation and electronic patient consent, or e-consent, and authentication methodologies under the National Strategy for Trusted Identities in Cyberspace, or NSTIC," an ONC spokesman tells HealthcareInfoSecurity.

While those adjustments haven't been finalized, privacy and security experts and healthcare CISOs worry about the potential impact such cuts could have on progress being made on secure health data exchange.

Farzad Mostashari, M.D., who heads ONC, expects the sequester to result in a $3 million cut in the office's $60 million annual budget, according to one news report earlier this month. The ONC spokesman declined to confirm that figure.

ONC, a unit of the Department of Health and Human Services, coordinates nationwide efforts to implement health IT and the electronic exchange of health information, including the HITECH Act's incentive program for the meaningful use of electronic health records.

Another HHS unit, the Office for Civil Rights, which is responsible for HIPAA enforcement, has not yet completed analysis of the sequester's impact on its budget.

"OCR is working to implement the sequester reductions in a way that tries to minimize the negative impacts on our mission. We do not have final plans or estimates of the impacts on employees or programs at this time," an OCR spokeswoman told HealthcareInfoSecurity.

Projects On Hold?

Regarding the ONC security and privacy efforts that could be affected by the sequester, "the data segmentation [pilot work] is continuing, but it seems that follow up would be curtailed," says the ONC spokesman. He declined to elaborate.

ONC's Data Segmentation Initiative was launched in 2011 after the President's Council of Advisors on Science and Technology recommended the use of metadata tags to help protect the security and privacy of sensitive health information during exchange. Several pilots are under way through the S&I Framework, a collaborative community of participants from the public and private sectors who are focused on providing the tools, services and guidance to facilitate health information exchange (see Feedback on EHR Metadata: Go Slow).

Regarding e-consent projects, ONC is awaiting a report on a recent pilot project in Buffalo, N.Y., involving the health information exchange HealtheLink and four local physician practices, the ONC spokesman says (see: Patient Consent: A New Approach). The project tested patients using tablets to read interactive educational material about health information exchange and data privacy and security before using the devices to provide consent to have their records shared via the HIE.

As for authentication, the HIT Policy Committee, which advises ONC, has in recent months made several recommendations related to patient and clinician authentication for accessing health information. The committee recommended that ONC make authentication guidelines for healthcare organizations available in advance of the 2014 start of Stage 2 of the EHR incentive program. Plus, to qualify for a second stage of incentive payments, hospitals and physicians must enable patients to view, download and transmit electronic health information via a web portal - and that requires authentication (see: Patient ID Best Practices Coming Soon?).

Industry Reaction

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, was disappointed to learn about the prospect of privacy and security projects being impacted by the sequester. She chairs the Privacy and Security Tiger Team that advises the HIT Policy Committee.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Microsoft Sounds Zero-Day Warning

Microsoft has issued an emergency fix for a vulnerability in Windows Kerberos that is being...

Latest Tweets and Mentions

ARTICLE Microsoft Sounds Zero-Day Warning

Microsoft has issued an emergency fix for a vulnerability in Windows Kerberos that is being...