ONC's HIE Roadmap: The Hurdles Ahead
Nationwide, Secure Health Data Exchange Tough to Achieve
Federal regulators are on the right track in their vision for a "roadmap" to remove barriers to nationwide, secure health information exchange, but many more hurdles remain, security and privacy experts say.
The Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, released on Jan. 30 a draft 10-year vision for achieving nationwide secure health data exchange built on interoperable electronic health records systems (see Roadmap For National Data Exchange).
While the document offers a 10-year outlook, it lays out "critical actions" that ONC suggests can be taken by regulators and healthcare stakeholders within the next three years to help remove barriers that are hindering national information exchange, which could provide clinicians with more timely access to patient information to support treatment decisions. Barriers ONC is attempting to remove include: the lack of mature technology standards; the absence of widely embraced and consistent policies, best practices and regulations related to data sharing; and misunderstanding of health information exchange by healthcare providers, as well as patients.
But even if ONC addresses those barriers, it faces other regulatory, policy and technical hurdles - as well the formidable challenge of gaining buy-in from healthcare stakeholders.
"If ONC hones in on the immediate steps - the three-year items - and is moderately successful with those steps, the value of the roadmap will be realized long before 10 years," says Jeffrey Smith, vice president of public policy at the College of Healthcare Information Management Executives, an association that represents healthcare CIOs.
"The challenge for policymakers will be to prioritize and focus on the near-term as there are many competing priorities - for example, public health, patient generated health data, etc. I'm hoping this roadmap helps the wider stakeholder community [understand] that all [those] things are important, but we need to ensure the foundation is set before building the house, so to speak," Smith says.
John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston, tells Information Security Media Group: "In short - the [ONC] plan is sound. It embraces the work of the private sector, and the acceleration of new standards, such as Fast Healthcare Interoperability Resources, that will reduce the interoperability implementation cost and time, while protecting security."
But in a blog, Halamka says he has a few areas of concern about the roadmap. "It suggests that states become more active in the area of interoperability," he notes. "We need to be careful with this approach, or else we'll create 50 interoperability silos given variation in state laws. The new economic incentives of accountable care organizations will motivate vendors to address health information exchange needs based on business cases, not geography."
Indeed, ONC officials acknowledged during a Jan. 30 press briefing about the roadmap that there have been a number of successful regional health information exchange efforts, but that an assortment of issues, including a patchwork of diverse state privacy regulations, have hindered efforts to achieve nationwide health information sharing.
Erica Galvez, ONC interoperability portfolio manager, said that "harmonization" of state and federal laws related to privacy is needed to help technology developers "automate how data is shared."
Lack of Urgency
Christopher Paidhrin, security administration and integrity manager in the compliance division of PeaceHealth, a healthcare delivery system in the Pacific Northwest, says the roadmap lacks a sense of urgency.
"The pace feels too slow. Consensus-building is essential, but past a certain tipping point, commitments to change and timeliness need to be final," he says. "I appreciate the scale of the required transformation - and that it takes time and due diligence to make the right choices, with broad engagement of key stakeholders."
Given the large number of technical elements and interdependent goals outlined by ONC, "how can we meet the goal 'to send, receive, find and use a common set of electronic clinical information at the national level by the end of 2017,' when the timeline stretches three, six and 10 years out?" Paidhrin asks.
The ONC roadmap identifies a number of "critical actions" for security and privacy needed in the next three years to pave the path to secure nationwide exchange in the next decade. Those include making broader use of encryption and authentication.
"If we could resolve all data collection and distribution standards, would we have the security protocols resolved and ready to go?" Paidhrin asks. "The ONC goal for 2015 is to 'clarify privacy and security requirements to enable interoperability.' The suite of standards under review is mature and sufficient, but implementation of federated authentication and authorization on this scale - with the granularity of data envisioned for 2020 - is a daunting task."
Paidhrin praises ONC for setting a goal of making widespread use of multifactor authentication during data exchange, but says achieving that goal will prove challenging. "How do we automate the process of validating the identity of each unique submitter and requestor of information, and determine that they have a need to know and that they only access what is minimally necessary? That may sound familiar, but it is the nutshell of the security and privacy challenge."
John Houston, vice president of privacy and information security and associate counsel at the University of Pittsburgh Medical Center, says most healthcare organizations still have a long way to go when it comes to identity management.
"Regardless of whether organizations invest in multifactor authentication, there is a far more basic issue, and that is that almost no healthcare providers today do even the most basic identity management," he says. "This is really an initial step to securing and protecting a provider's environment."
Rules of the Road
ONC's draft interoperability roadmap also includes "a call to action" for health IT stakeholders to come together to establish a coordinated governance process, or "rules of the road" for nationwide interoperability, says Jodi Daniel, ONC director of policy. "These are the principles and an overarching framework of policies and practices that folks helping to facilitate health information sharing should follow to make sure that health information follows the patient, that information is protected, and is following the standards and best practices."
That includes "considering regulatory options, [and] considering how to leverage certification to ensure accountability with the rules of the road," she says. "We're looking at how best we can not just set forth the principles, but hold people accountable."
Halamka writes in his blog that the ONC plan "wisely suggests 'non-government governance' for health information exchange rather than trying to create a single top-down nationwide governance entity."
CHIME's Smith notes that ONC has already floated voluntary "rules of the road" for nationwide health information exchange. "One area that will require a great deal of attention is around governance, and I suspect we will have an opportunity to look again at past policy proposals - the Nationwide Health Information Network [NWHIN] governance request for information from a few years ago, and see if the market has evolved to a point where [it] can have value," he says. "Developing a framework for trust and authentication will increasingly be important, and [those] are areas that may be closer to maturity - from a policy plus technology - than they were a few years ago."
In a Jan. 30 blog, ONC leader Karen DeSalvo, M.D. and Galvez stress: "We must have clear rules of the road to govern how people's electronic health information will be collected, shared, used and how privacy and security will be protected. This trust is critical to a functioning, sustainable and vibrant interoperable health IT ecosystem. There must be agreement on the policies, operations and technical standards that give data trading partners, including consumers, confidence that information is secure, used only for appropriate purposes, and that privacy preferences are honored."
Halamka says ONC's emphasis in its roadmap on the need for additional outreach and education for better understanding of HIPAA by patients and healthcare providers alike is an appropriate step to take in promoting data sharing. "[The roadmap] focuses on the importance of clarifying HIPAA to reduce confusion and misconceptions about HIPAA restrictions and enablers," he writes in his blog. "For example, does everyone know there is no such thing as HIPAA certified software and there are no restrictions on giving patients access to their own data?"
Houston of the University of Pittsburgh Medical Center says ONC needs to tweak its roadmap proposal to work with the National Institute of Standards and Technology and HHS' Office for Civil Rights to finalize and publish the NIST Critical Infrastructure Cybersecurity Framework and HIPAA Security Rule "crosswalk."
"I believe that large providers already have frameworks and crosswalks to secure their environments. Unfortunately, small to midsized providers have, at best, basic capabilities. ONC should work with these providers to improve their readiness."