GOP Senators Raise HIE Security Concerns
Legislators Ask HHS to Fill in EHR Interoperability Roadmap
While federal regulators flesh out details of a 10-year roadmap for electronic health record interoperability, which would pave the way for national data exchange, five GOP senators are demanding that more attention be paid to the plans for security and privacy of patient data as it's shared among healthcare providers.
In a recent blog appearing in Health Affairs, co-written by Republican Senators Lamar Alexander of Tennessee, Richard Burr of North Carolina, Mike Enzi of Wyoming, Pat Roberts of Kansas and John Thune of South Dakota, the lawmakers question whether American taxpayers are getting a return on the $35 billion investment that the HITECH Act has made in promoting the adoption of EHRs.
Among several concerns noted by the senators is a lack of details from the Department of Health and Human Services' Office of the National Coordinator for Health IT for "practical and actionable steps to ensure a proper return on the American people's investment," including achieving secure national health data exchange to improve the quality of care based on timely access to information.
Where's the Beef?
The GOP leaders acknowledge that ONC - which oversees standards and policies for the HITECH Act's EHR financial incentive program - is making some progress in embracing interoperability as the theme for the agency's recently released 10-year vision. However, the senators complain ONC's proposals are "high-level goals for how to achieve interoperability, like building on existing infrastructure and empowering individuals, but the roadmap fails to outline real and actionable next steps."
The lawmakers note: "The ONC roadmap describes collaboration across several government agencies to accomplish their security goals. It says HHS will work with the Office for Civil Rights and industry to develop and propose a uniform approach to developing and enforcing cybersecurity in healthcare in concert with enforcement of HIPAA Rules.
"However, the roadmap lacks clear, obtainable goals regarding security requirements and implementation," the blog notes. "Additionally, the costs for our future security infrastructure are unknown, as well as who will pay for it. As new cyberthreats emerge every day, this administration must answer these questions quickly."
The GOP co-authors - without specifically naming Anthem Inc. - say "the recent hack on a major health insurer that compromised personal information ... of tens of millions of Americans highlights the urgent need for an appropriate framework to protect patient privacy."
In response to an Information Security Media Group request for comment about the Republicans' blog, an ONC spokesman would only say: "The comment periods on the Roadmap and Standards Advisory are still open and we appreciate any comments on both of them."
ONC is accepting public comments on its draft roadmap and a related standards advisory until April 3, with plans to release final versions later this year. The advisory, which was also released on Jan. 30 along with ONC's draft roadmap, outlines standards that EHR developers and others can use in their efforts to achieve secure data exchange based on interoperable systems.
While the Republican senators emphasize the urgency of regulators zeroing in on the "next steps" for interoperable, secure patient data exchange, the recent 2015 Healthcare Information Security Today survey found less urgency about EHR interoperability among the senior executives at 200 healthcare organizations who participated in that study.
Although ONC in its roadmap highlighted the need for improved interoperability of EHR systems as a vital component of easing national exchange of health information to improve treatment, more than half of the survey respondents said that interoperability is an important issue, but that it should not be a top priority for regulators because there are other more urgent issues.
Only about a third of survey respondents said interoperability is a critical issue that needs to be addressed urgently. Fourteen percent said interoperability is not a major concern because they think nationwide health information exchange is an unattainable goal.
Federal officials have identified the need for improved interoperability of EHR systems as a vital component of easing national exchange of health information to improve treatment. What is your reaction?
Source: 2015 Healthcare Information Security Today survey.
In the coming weeks, ISMG will offer a webinar and issue a detailed report on the 2015 Healthcare Information Security Today survey, which is sponsored by Cardigm, (ISC)² and ZixCorp.
Security expert Tom Walsh, founder and CEO of the consulting firm tw-Security, says he's found that while many healthcare organizations are willing to share health data, they're less likely to use data that's available from other healthcare entities - especially those that participate in health information exchange organizations - to help make treatment decisions. That's because of concerns about data integrity and whether the identities of patients being treated are accurately matched to the data being shared by other providers, he says.
"When we're making risky treatment decisions, you don't see many ER doctors pulling data from these exchanges," he says. That's because there's concern about whether data from one hospital "about a patient named 'Tom Walsh' is the correct data for the patient named 'Thomas Walsh', who's being treated in the ER of another hospital," he says.
Uncertainty about the integrity of master patient indexes from one hospital to the next, as well as a lack of standards implementation across different EHR platforms, are among the "trust" issues that healthcare organizations deal with when sharing and using patient data with or from other entities, he adds (see Linking HIEs: Key Security Issues).
John Halamka, M.D., CIO at Beth Israel Deaconess Medical Center in Boston, expects the federal government ultimately will have a more limited role in health data exchange. "EHR vendors and the federal government don't control data exchange - patients and healthcare providers decide who should be trusted," he says. Bidirectional data exchange among healthcare organizations will evolve through the use of open APIs, he predicts. "You don't need a giant database in the basement of the White House," he says.
Additionally, many state health information exchange organizations continue to struggle with sustainability, he notes. "You can have trading partners without a central infrastructure."