Farzad Mostashari: HIE Security Vital

ONC Leader Shares His Data Exchange Vision

A top priority this year for the Office of the National Coordinator for Health IT is to boost the exchange of patient data among provider organizations to improve access to potentially life-saving information, says Farzad Mostashari, who heads the office. But advancing data exchange will require devoting adequate attention to privacy and security issues to build trust, he adds (see: Federal HIE Guidelines Coming Soon).

Mostashari is hopeful ONC will issue voluntary guidelines for secure health information exchange this spring, he says in a recent interview with Information Security Media Group (transcript below).

Last year, ONC dropped plans for voluntary rules of the road within the context of a Nationwide Health Information Network Governance Rule after receiving feedback that a regulation would be premature given that HIEs are in the early stages of development. Mostashari also notes that those commenting on the proposed rule said time-consuming regulatory action "would freeze all development in the market as people stop and wait to see what the regulations say they have to do" (See: ONC Backs Off HIE 'Rules of the Road').

Instead, ONC will offer voluntary guidelines outside of a regulatory framework. The guidance will be based, in large part, on the recommendations of the Health IT Policy Committee and its Privacy and Security Tiger Team, he notes.

ONC might eventually consider mandatory guidelines for data exchange, including privacy and security requirements, if the voluntary approach comes up short, he says. "We're going to have to wait and see. If this approach doesn't work, in terms of fostering exchange of information across vendor and organizational boundaries, then we're going to have to look at other options."

Encryption, Authentication

In the interview, Mostashari also:

  • Notes that two essential elements of successful information exchange are encryption and authentication. "We [need assurance] that the person sending information is from the organization that they say they are from and that their organization is following appropriate policies under their HIPAA and other obligations."
  • Stresses that another key to secure data exchange is making sure that "intermediaries that are providing the data exchange function also are bound by the same kind of requirements" as those sending and receiving information.
  • Stresses that the Direct Project protocol for secure data exchange between two organizations "will play a huge role" in facilitating the sharing of information for Stage 2 of the HITECH electronic health record incentive program.

Before assuming his current role in April 2011, Mostashari had served as deputy national coordinator for programs and policy at ONC. Previously, he served at the New York City Department of Health and Mental Hygiene as assistant commissioner for the Primary Care Information Project, where he helped facilitate the adoption of prevention-oriented health information technology by more than 1,500 providers in underserved communities.

Mostashari also formerly led the NYC Center of Excellence in Public Health Informatics and an Agency for Healthcare Research and Quality-funded project focused on quality measurement at the point of care. He established the Bureau of Epidemiology Services at the NYC Department of Health, which provides epidemiologic and statistical expertise and data for decision making to the health department.

The physician did his graduate training at the Harvard School of Public Health and Yale Medical School and completed his internal medicine residency at Massachusetts General Hospital. He was one of the lead investigators in the outbreaks of West Nile Virus and anthrax in New York City, and was among the first developers of real-time electronic disease surveillance systems nationwide.

Voluntary HIE Guidelines

HOWARD ANDERSON: Your office is preparing to introduce voluntary guidelines for health information exchange. What do you see as the most critical steps that need to be taken to ensure patient information remains secure and private when it's exchanged?

FARZAD MOSTASHARI: It starts with the standards, having standards that have privacy and security built into them, baked into them, making sure that information is always encrypted as it flows. But it's [also about making sure] that there's authentication so we know who's on either end; [that] we have an assurance that the person sending information is from the organization that they say they're from and that that organization is following appropriate policies under their HIPAA and other obligations.

... One of the main issues that we grappled with and the industry grappled with was not including any patient information in the header [of the message], so that the organization that's routing the information need not know the identity of the person that the information pertains to. That's also very important. And [it's also important to] make sure that those data intermediaries that are providing this data exchange function also are bound by the same kinds of requirements.

The HIPAA Omnibus Rule ... actually was a major improvement and step forward in articulating and clarifying that business associates ... all are bound by HIPAA privacy and security protections. That's an important step, but there's more I think that could be done to clarify those requirements.

ANDERSON: When will the first batch of voluntary guidelines come out? This spring?

MOSTASHARI: I hope so.

New Approach to HIE Guidance

ANDERSON: Can you explain a bit how your current plan for issuing voluntary guidelines is different from the earlier plan for voluntary guidelines within the Nationwide Health Information Network Governance Rule? What's new about this approach? What makes it more appropriate?

MOSTASHARI: We provided a framework in our request for information for nationwide governance [for HIE] that said these are some conditions for trusted exchange, these are conditions for privacy and security, and these are conditions on the technology and interoperability side and conditions on business practices. What we heard loud and clear from nearly every respondent was that the [HIE] field is just now emerging and that taking a regulatory action or even saying that we would take a regulatory action would freeze all development in the market as people stop and wait to see what the regulations say they have to do. [We also heard from respondents] that there were promising emerging - more nimble potentially - public-private governance activities, like scalable trust/Direct Trust activities, like the eHealth Exchange, formerly NwHIN Exchange ... that could carry the load in a more nimble way to coming up with consensus-based guidelines and rules of the road. We said, "Okay, we'll try it."

But we're not going to sit back and do nothing. The fact that we're not regulating doesn't mean that we're not pushing governance and trust pretty hard, and we said that there would just be a few things that we would do. We would continue to express the recommendations from the federal government that we've received and processed through the Health IT Policy Committee and its Privacy and Security Tiger Team. We heard testimony from the [HIE] governance entities that they want us to tell them what we think is the right thing to do, and we're going to do that. We're going to tell them, based on all the considered recommendations from the policy committee and the Privacy and Security Tiger Team, and all the hearing sessions we've done and all the listening sessions we're doing, what we think is the right thing to do at this time.

We're going to be able to designate one or more of those emerging governance entities as being ones that we work with so that others can say, "Oh, this is an ONC-connected governance activity," and give them more confidence that what this governance entity is doing is in conformance to what we think should be done on the federal level. I think that will help them spread. We're also creating a forum through the National eHealth Collaborative where different entities involved in the governance can come together and have more broad-range discussions, not just about where we are today with governance but where we need to be in the future.

Mandatory Rules for HIE

ANDERSON: At some point would you consider enacting mandatory rules for health information exchange, especially for organizations receiving federal funding? At what point might that be appropriate?

MOSTASHARI: I think we're going to have to wait and see. Obviously, if this approach doesn't work in terms of fostering exchange of information across vendor and organizational boundaries, then we'll have to look at other options.

ANDERSON: You've announced a new RFI on interoperability. Can you explain the purpose of that?

MOSTASHARI: ...We wanted to express unambiguously that our policy intent is that not only do we meet the standards in place and the governance agreements and rules that are already in place, [but] there also needs to be a business case for health information exchange interoperability. It's got to be more profitable to share data than to hoard it. We're intent on making sure that we use all payment and policy levers as appropriate to make sure that people actually find it profitable to share information. The re-admission adjustments have really moved the market on this. Bundled payments are having an effect. ACOs [Accountable Care Organizations] are having an effect. But we want to do more. What the RFI says is a) we're committed to this, and b) we want to know what else we could do to remove any perverse incentives that hinder information sharing to benefit the patient.

ANDERSON: Could that include privacy and security? Does it touch on those issues at all?

MOSTASHARI: No, it's more on the payment and other regulatory policy side. We would obviously ... receive any information people choose to submit to us. My personal feeling about the matter is that privacy and security is not a barrier to the secure exchange of information, conformant to patient expectations. In fact, we must adhere to the patients' expectations. Without that, I think the trust that people need in information exchange will be lost.

Direct Project

ANDERSON: What role will the Direct Project play with information exchange in Stage 2 of meaningful use? Is that going to play a huge role?

MOSTASHARI: Huge role; huge role. It will be the ubiquitously available transport protocol. Every electronic health record is going to be able to [use it] and is going to have to be able to catch and throw according to the Direct protocols. This creates an ecosystem where if I'm ... a long-term care facility, for example; if I'm a behavioral health provider; if I'm a home health provider, if I'm a health department - the one big question mark that I have always had is how do I exchange information with all these different EHR vendors? I can't afford interfaces with 600 different interfaces .... The answer is use the Direct protocols, which are ubiquitously available and secure. To make that really sing, though, we need to establish what are called trust bundles of certificates. ...

ANDERSON: Will the Direct Project play a long-term role or be replaced by something else?

MOSTASHARI: I think that we're going to need all the tools in the toolbox and different combinations of them to get accomplished what we need to do. One of the things that was really interesting to me was seeing the work of the Automate Blue Button Initiative, which has now been rolled out as Blue Button+. Blue Button was download your data, however it is. Blue Button+ is you can set it and forget it. You set a trigger, say this is where I want my records sent, and they will use the Direct protocols to, any time there's an update to the record, push a copy of the record to your designated recipient or repository. There are certain use cases, certain jobs for which [the Direct protocols] are the right tool. There are other jobs where it's not the right tool, and we're going to look for other tools to meet those needs, like a [data] query for someone who has unplanned care. But for planned-care purposes, for pushing information, for having referrals, discharge summaries and public health reporting, [Direct] is really the right tool for the job.
