ONC Starts Health IT Strategic Framework

Includes detailed privacy/security strategies
The Office of the National Coordinator for Health Information Technology has posted on its Web site a preliminary draft of its "Health IT Strategic Framework" that spells out, among other things, its proposed federal privacy and security strategies.

Under the HITECH Act, the ONC, a unit of the U.S. Department of Health and Human Services, must work with other agencies to update the Federal Health IT Strategic Plan published in June 2008. The framework, which will be refined in the coming months, will be the foundation for this update. David Blumenthal, M.D., serves as the national coordinator.

Security component

The "pre-decisional draft" states that one goal of the framework is to "build public trust and participation in health information technology and electronic health information exchange by incorporating effective privacy and security solutions in every phase of its development, adoption and use."

Strategies to achieve this goal, according to the draft, include:

1. Assess and implement, as appropriate, federal policies related to key privacy and security issues for the broad use of health information and communications technologies amongst all parties that access or exchange health data for individual or population health.

  • Implement HIPAA modifications included in HITECH.
  • Provide transparency of reported breach notifications, and analyze reported breaches to identify common issues that can inform future privacy and security policies.
  • Assess the extent to which lawful and unlawful uses and disclosures of health information can cause harm to individuals (such as through discrimination) and identify, and implement where possible, new policies that would limit these uses and disclosures to help resolve privacy concerns.
  • Assess HIT security vulnerabilities and develop initiatives to mitigate these vulnerabilities.
  • Assess existing privacy and security protections for non-HIPAA covered entities and address needed protections.
  • Incorporate privacy and security policies in meaningful use criteria and adopted standards, implementation specifications, and certification criteria.

2. Explore and promote, where appropriate, existing and emerging technologies to enhance privacy and security.

3. Actively engage states to harmonize privacy laws or exchange policies where it is essential to advancing the national health priority goals.

4. Implement federal privacy and security policies through guidance and HIT programs.

  • Develop, disseminate, and promote specific best practices and guidance for hospitals and health care professionals on the implementation of privacy and security policies defined in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.
  • Promote privacy and security practices through exchange efforts tied to federal efforts (e.g., NHIN, State HIE grants, and state health policy consortium).

5. Promote an environment of accountability through public education and effective and fair enforcement of legal requirements.

6. Develop and maintain a national education initiative to increase consumer knowledge about the benefits of health information exchange and to broaden the national dialogue on privacy and security issues and to enhance public transparency regarding the uses of protected health information and individuals' rights with regard to protected health information.

To view the draft of the framework, visit healthit.hhs.gov and type "strategic framework" in the search function.

About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
