Health IT Strategic Plan: A Critique
Lacks New Privacy and Security Details, Some Say
Mac McMillan, chairman and CEO at the consulting firm Cynergistek, says the plan "just struck me as not being forward-thinking enough and not really getting into the issues that need to be resolved."
The plan primarily focuses on privacy and security projects that the Department of Health and Human Services' Office of the National Coordinator for Health IT already has in the works, McMillan says. "Usually, a strategic plan talks about where we are going as opposed to what we are currently doing. It doesn't seem to tell me what's next."
Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash., offers a similar reaction: "The river of technology innovation and adoption is flowing fast; a rowboat approach will not get us safely to our destination," he says. "I believe the intention is based on reasonable principles, but the delineation of specific actions and expected outcomes - actual deliverables - remains vague."
A Work in Progress
David Blumenthal, M.D., who now leads ONC, is stepping down soon, and his replacement has not yet been named. His team completed a draft of the strategic planning document that outlines ONC's projects -- many of them long overdue -- to carry out mandates in the HITECH Act. The legislation, among other things, created the electronic health record incentive program.
Comments on the strategic plan will be accepted through April 22 on the ONC website. Blumenthal's successor likely will oversee efforts to analyze the comments before a final version of the plan is eventually posted (See: Health IT Strategic Plan Unveiled.) As a result, the final version could contain some new initiatives.
"The healthcare community may be resistant to change and the adoption of costly technologies, but we do need guidance," Paidhrin stresses. "Leading institutions are not waiting for guidance, policies, processes and procedures; we are forging ahead. Many of us are reinventing wheels and methodologies because we can't wait for shared standards to appear. The often-delayed guidelines from HHS do not inspire patience."
Missing Security Elements
Among the actions that some observers say should have been singled out, with details, in the draft of the plan are:
- Addressing the issue of the lack of a universal patient identifier. HIPAA called for creation of a universal patient identifier, but Congress blocked its adoption because of political concerns about the privacy issues involved. "But what if we were to have a voluntary patient identifier?" asks McMillan, the consultant. Some sort of identifier is essential to linking patients to the right records, especially when they are shared over health information exchanges, he contends. Similarly, in a comment submitted on the ONC website, Fred Smith notes: "Without a unique patient identifier that is used across a multi-lateral exchange environment, it will be hard to validate the relationship between the electronic information and the actual patient."
- Harmonizing various federal and state regulations. Charles Christian, CIO at Good Samaritan Medical Center in Vincennes, Ind., says the plan should have highlighted the need to address "the conflicting nature of some of the federal and state regulations." This is a serious issue for organizations, like Good Samaritan, that are located near a state border, he contends. "Harmonization of regulations would remove some of the confusion."
- Beefing up enforcement. McMillan laments that a HIPAA compliance audit program mentioned in the strategic plan was mandated under the HITECH Act and is long overdue. He'd also like to see the final version of the plan spell out that HHS will explicitly require healthcare organizations to conduct annual risk assessments. "Other regulated industries have mandatory annual assessments that they have to perform," he notes. "The strategic plan doesn't talk about measures to avoid breaches; it's still talking about enforcement as a reactive measure."
- Requiring anti-fraud measures. In a lengthy commentary on the ONC website, Donald Simborg, M.D., contends the draft of the strategic plan "continues to ignore healthcare fraud as a legitimate responsibility of healthcare IT in general and ONC in particular. It represents a neutral position on the issue of fraud that will undermine the laudable goals outlined in this plan." For example, he calls for ONC to focus on fraud prevention in its EHR software certification rules for the incentive program.
- Spelling out more clearly rules for breach notification. A final version of the HITECH breach notification rule has been on hold since last summer. McMillan was disappointed that the strategic plan didn't signal that HHS would greatly clarify the standards for when a breach must be reported. Some members of Congress have called for removal of the harm standard included in the interim final version of the breach notification rule, which states that healthcare organizations can conduct a risk assessment to determine whether a particular breach incident represents a significant risk of harm and thus should be reported.
- Requiring privacy and security education at medical schools. "Physicians should come into the workforce understanding what their responsibilities are," McMillan argues.
Other Concerns
Christian, the CIO, hopes the final version of the strategic plan will address the issue of how to carry out the higher penalties for HIPAA violations mandated under the HITECH Act. He'd like to see the penalties adjusted based on an organization's size. "Depending on the size of the organization, the size of the penalty can have different impacts. For a small physician practice, a $1.5 million penalty would probably cause bankruptcy."
McMillan praised the plan for calling for the development of security functionality requirements for other health information technology beyond EHRs. The criteria for EHR software that qualifies for the HITECH EHR incentive program already require certain security functions, including encryption. The consultant says that other applications that feed information into EHRs, as well as medical devices, also should be required to incorporate specific security functions to protect the data they gather.
Paidhrin of Southwest Washington Medical Center contends federal authorities need to take rapid steps to make sure that security control standards keep up with the rapid adoption of EHRs and health information exchanges.
"Healthcare must stop dithering about," he says. "Millions of EHRs are already online or transmitted over the Internet, and too many are lost or breached every month."