Sorting Out NwHIN Comments

Potential HIE 'Rules of Road' Elicit Strong Reactions
Sorting Out NwHIN Comments

As federal regulators hammer out "rules of the road" for national health information exchange, they should consider making compliance with standards mandatory, rather than voluntary, several organizations recommend. And while some advocate a go-slow approach toward HIE guidelines and caution against going beyond existing HIPAA privacy and security rules, others call for quick action and beefed-up consumer protections.

See Also: 2024 Healthcare Cybersecurity Benchmarking Study

That's just a sampling of the more than 140 comments on a recent Department of Health and Human Services request for information on preliminary plans for a Nationwide Health Information Network Governance Rule.

The RFI, which was posted May 6 by HHS' Office of National Coordinator for Health IT, posed 66 questions on plans for voluntary national standards, including privacy and security guidelines, for health information exchanges and others. HHS accepted comments until June 29, and those responses were posted last week on a regulatory website. ONC will now begin work on drafting a proposed rule, taking into consideration the comments received.

Seal of Approval

When he unveiled plans for the RFI, Farzad Mostashari, who heads ONC, said the NwHIN Governance Rule would create an NwHIN "brand" that health information exchanges and others could voluntarily earn, much like the Energy Star program that signifies energy efficiency levels of many products (see: Voluntary HIE Standards in Works). Mostashari said he believes the NwHIN Governance Rule, called for under the HITECH Act, could help jump-start the exchange of patient records. National standards for health information exchange are necessary, Mostashari said, because many states are already developing "unique and potentially conflicting" rules for HIEs. The NwHIN rule "will make it more efficient to exchange health information while protecting patient privacy and security," he added.

Some early reactors to the proposal questioned whether a voluntary approach would prove effective (see: Voluntary HIE Rules: Early Reaction).

The Health IT Policy Committee, which advises ONC, says in its comments that a voluntary approach would be sufficient if, as expected, federal agencies were to require NwHIN Governance Rule compliance as a condition of exchanging information with an HIE "or if companies make validation a condition in their business contracts."

Voluntary Approach Questioned

Several other organizations that submitted formal comments, however, say they aren't convinced that the voluntary NwHIN standards would be enough to push sustained national health information exchange.

Yet, at the same time, some of those organizations are also fearful that new mandates could limit their flexibility in exchanging data related to emerging models of care delivery and payment, such as Accountable Care Organizations.

"We are concerned that a voluntary certification may not yield the standardization we believe is necessary to facilitate true nationwide connectivity, and that there may not be significant uptake by health information exchanges if the requirements to become an NVE (NwHIN Validated Entity) are overly burdensome," writes Charles Kahn, president and CEO of the Federation of American Hospitals, in a comment letter. He adds, however, "We also believe that ONC should give significant consideration to the ability of HIEs to develop and maintain financially sustainable business models under any certification program."

The Oregon State Office of Health Information Technology is also concerned that voluntary, rather than mandatory, compliance to national NwHIN standards would weaken efforts for national data sharing.

"We believe a voluntary participation in a national health information network would be ineffective," writes Carol Robinson, administrator of Oregon's OHIT. "A voluntary participation process is not optimal unless there is an expectation of a high level of participation - near universal - and there are serious consequences for non-participation. We believe mandatory participation will provide consumers with a fair marketplace and eliminate risk for consumers to shop around for the least expensive or easiest solutions and not necessarily the most reliable or compliant solution."

Mandatory standards that all HIEs must adopt are essential to the success of health information exchange across state borders, Robinson argues. "If these critical factors are not incorporated into the NwHIN rule, then long-term sustainability of interstate secure data exchange is at risk."

Don't Mess With HIPAA

Some organizations responding to the RFI express concern that privacy and security provisions in a NwHIN Governance rule will conflict with existing HIPAA requirements.

The College of Health Information Management Executives, which represents CIOs, urges the federal government not to use the NwHIN governance rule to change existing HIPAA regulations.

"CHIME is very uncomfortable with the notion that the NwHIN governance mechanism and the related CTEs [conditions for trusted exchange] could become a means for imposing requirements that go beyond the HIPAA privacy and security rules," CHIME officials say.

"We urge, instead, that any perceived deficiencies in the HIPAA privacy and security rules be addressed directly, through changes in those rules following the usual opportunity for public input," the CHIME officials add. "If such perceived deficiencies require statutory changes, then HHS should work with the Congress to address these issues."

Echoing those sentiments, the eHealth Initiative, which represents a variety of public and private healthcare stakeholders, is urging that current HIPAA privacy and security regulations be applied in health data exchange across the NwHIN.

"Existing laws and regulations at the federal and state levels provide requirements for trusted exchange relative to privacy and security and the relationships of businesses with one another," writes eHealth Initiative CEO Jennifer Covich Bordenick. "These laws and regulations also include enforcement mechanisms to motivate compliance. ... It is not apparent that the additional conditions proposed in the RFI relative to Safeguards and Business Practices are necessary at this time," she says.

Setting the Pace

While U.S. bureaucrats are often criticized for moving too slowly in regulatory matters, some organizations have urged ONC not to move too hastily with its NwHIN Governance Rule.

"Given the varying stages of development of HIE initiatives across the nation, the need for the regulatory scheme proposed in the RFI is premature and might place too great a burden on nascent HIE initiatives, while at the same time slowing down advanced HIE initiatives by causing them to unwind established governance mechanisms and business models to comply with certain CTEs," writes Eric Thieme, general counsel and compliance officer at the Indiana Health Information Exchange. "Flexibility, stakeholder engagement and proceeding with due deliberation are all critical."

But others, including the HIT Policy Committee, urge regulators to move swiftly in establishing a governance rule. "There is an urgent need for a clear and robust governance structure to encourage participation in health information exchange nationwide," the committee says in its comments.

In a joint comment letter, two consumer advocacy groups - the Center for Democracy & Technology the National Partnership for Women and Families - argue that new privacy and security guidelines that go beyond HIPAA requirements are essential.

"It will not be possible to give providers 100 percent assurance that the other providers with whom they share patient information will not breach or misuse that data. But HIPAA likely will not provide a sufficient foundation to alleviate the concerns of providers contemplating sharing data with other providers across a network," the consumer groups contend. "Consequently, it will be critical for NwHIN privacy and security governance conditions to focus on provider concerns about data sharing across a network that can be reasonably addressed through a set of additional NwHIN governance conditions."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.