The Security Scrutinizer with Howard Anderson

Governing HIEs: A Tough Task

Federal Advisers Struggle With NHIN Compliance Monitoring Plan
Governing HIEs: A Tough Task

But it's far from easy. A governance workgroup has spent weeks crafting complex, detailed guidelines for governing HIEs. The Health IT Policy Committee, after two hours of reviewing the recommendations Nov. 19, gave up. It instructed the workgroup to continue its efforts to clarify just how an organization validating HIE compliance would do its job.

Over the course of the meeting, several members of the policy committee confessed that they were finding the subject matter difficult to comprehend. And that made me feel better, because it sure was tough for me to follow.

Without public trust, the entire health information exchange house of cards could come tumbling down. 

Here's a bit of background. The HITECH Act, which provided states with funds to spur development of statewide HIEs, also called for development of the Nationwide Health Information Network. NHIN is not an actual network, but "a set of policies, standards and services that enable the Internet to be used for secure and meaningful exchange of health information," according to the official government definition.

The idea behind NHIN is to pave the way for the exchange of electronic health records and other information coast-to-coast by linking various HIEs and other networks that all adhere to the same standards.

To make NHIN work, someone needs to offer a "seal of approval" that an HIE meets the NHIN standards, including those for privacy and security. And that's the crux of the "governance" issue. HITECH requires federal regulators to issue a rule on NHIN governance, but that's been delayed until next year.

At the Nov. 19 Health IT Policy Committee meeting, John Lumpkin, M.D., chair of the governance workgroup, made a detailed presentation on the panel's recommendations that triggered more than hour's worth of questions.

As time ran out, David Blumenthal, M.D., national coordinator for health IT for the Department of Health and Human Services, decided it was time to punt. Faced with all the questions and concerns that committee member voiced, Blumenthal, the government's HITECH point man, instructed the workgroup to go back to the drawing board. He asked that it add more details to its proposals and present them more clearly as a series of choices.

For example, the workgroup called for Blumenthal's office to designate a non-government organization to validate that HIEs meet "conditions of trust and interoperability." And that organization could, in turn, designate others to lend a hand with validation.

Several committee members wanted to know far more about how this validation process would work and suggested that perhaps a government agency should handle it.

"My real heartburn comes with having a central validating body that's a private organization," said Deven McGraw, a committee member who is director of the health privacy project at the Center for Democracy & Technology. "I can't move forward on the recommendation for a central, private validating authority without a lot more detail about what that would look like."

But the clock is ticking. Across the country, many statewide and regional HIEs are functioning or in development. That's why Lumpkin compared the task of his workgroup to "putting tires on a moving vehicle."

Acknowledging the time crunch, Blumenthal called for dividing the governance proposal into more manageable chunks that can be addressed over several months. Among the questions that must be answered, he said, are:

  • Do we need a governance mechanism for the exchanges that are using NHIN standards?
  • If so, what tasks should the governance body handle?
  • Should the validation process be conducted by a federal authority or a private organization?
  • If a private organization handles the tasks, how would regulators validate that it's qualified to do the job?

All good questions. All tough to answer. And time marches on.

But I'd rather see those involved take the time to get this right, versus wind up with a governance plan that fails to do a good job of ensuring that those exchanging information nationally using NHIN standards are playing by the same rules.

Without public trust, the entire health information exchange house of cards could come tumbling down.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.