Feedback Sought on HIE Rules of Road

More Details on Plans for NwHIN Voluntary Guidelines Revealed
Feedback Sought on HIE Rules of Road

Federal authorities have issued a formal request for information seeking comments on plans for voluntary national standards, including privacy and security guidelines, for health information exchanges.

The announcement, posted on the Federal Register Electronic Public Inspection Desk May 11, will be published in the Federal Register May 15. The Department of Health and Human Services' Office of the National Coordinator for Health IT then will accept comments for 30 days before beginning work on crafting a proposed Nationwide Health Information Network Governance Rule. Such a rule was mandated under the HITECH Act, part of the economic stimulus package.

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

As reported by HealthcareInfoSecurity on May 2, the proposed rule would create an NwHIN "brand" that health information exchanges and others could voluntarily earn, much like the Energy Star program that signifies energy efficiency levels of many products, says Farzad Mostashari, who heads the Department of Health and Human Service's Office of the National Coordinator for Health IT (see: Voluntary HIE Standards in Works).

Statewide, regional or local health information exchanges, integrated delivery systems, electronic health record system vendors and others could apply to receive recognition as complying with the NwHIN standards, which will include privacy and security provisions, he notes. And that would help pave the way for the national exchange of medical records, such as when a patient is being treated in a hospital emergency department in another city.

66 Questions

The detailed request for information poses a series of 66 questions. For example, it asks for feedback on ways to obtain patient consent for the exchange of their information. And it asks whether there should ever be exceptions to a requirement for exchanging only data that's been encrypted.

ONC decided to start with a request for information "because we do think there are sufficient areas of ambiguities and questions, so we need to get the broadest possible feedback prior to rulemaking," Mostashari said in opening remarks at a May 2 meeting of the Health IT Policy Committee, which advises ONC.

The announcement seeks comments on:

  • The creation of a voluntary program to validate that organizations that facilitate electronic health information exchange conform to certain ONC-established "conditions for trusted exchange," or CTEs;
  • The scope and requirements included in the initial CTEs;
  • The processes that could be used to revise CTEs, adopt new ones and retire outdates ones;
  • An annual review process to classify the readiness of emerging technical standards and implementation specifications to support interoperability-related CTEs;
  • An approach for monitoring compliance with NwHIN standards.

Rules of the Road

A baseline set of "rules of the road" for electronic health exchange is being considered, according to the announcement, because the exchange of information is now governed by "a patchwork of contractual relationships, procurement requirements, state and federal laws and industry self-regulation through accreditation and certification."

The ONC announcement says a voluntary set of standards is being considered because: "Overall, we believe that it would be impracticable and imprudent to establish through regulation a 'one-size-fits-all' approach to governance."

It continues: "Given the constantly evolving technical and policy landscape applicable to electronic exchange, it would be onerous and perhaps unachievable to specify upfront all forms of electronic exchange to which the governance mechanism could apply. Rather, we view the Nationwide Health Information Network as a continually expanding ecosystem of electronic exchange activities for which stakeholders would be able to select the appropriate set of standards, services and policies to meet their electronic exchange needs."

One potential benefit of an NwHIN Governance Rule, the announcement notes, is that it could create data safeguards that go beyond those in the HIPAA privacy and security rules or state laws.

"We anticipate that the governance mechanism could provide assurances to all electronic exchange parties that a specified set of requirements have been met," ONC notes. "In turn, we believe these assurances could help spur greater trust and confidence in electronic exchange among providers and ease concerns associated with sharing patient information."

Recently Released Guidance

While awaiting development of the NwHIN Governance Rule, which could take many months, ONC recently issued detailed privacy and security guidelines for federally funded health information exchanges based largely on the recommendations of the HIT Policy Committee and its privacy and security tiger team (see: HIEs Get Privacy Guidance).

That guidance, which could possibly foreshadow some of what may eventually be included in the NwHIN rule, spells out what federally funded HIEs "should" be doing in such areas as encryption, authentication and patient consent. The program information notice containing the guidance points out that federally funded HIEs that are not taking the recommended privacy and security steps must develop a "strategy, timeline and action plan for addressing these gaps."


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.