Tiger Team's McGraw on Next StepsHow Privacy Recommendations Could Be Carried Out
The NHIN governance rule will spell out guidelines, including conditions of trust and interoperability, for those voluntarily using the NHIN standards, such as to ease the transfer of data among various health information exchanges.
In an interview (transcript below), McGraw:
- Describes why she'd like the Department of Health and Human Services to also adopt the team's recommendations when issuing final rules to modify HIPAA as well as set standards for future phases of the HITECH Act electronic health record incentive program;
- Pinpoints the tiger team's next projects, including developing recommendations for authenticating the identity of physicians accessing information across a network as well as authenticating patients who want to access records via a portal;
- Reveals that the tiger team will solicit public comments in April on what other privacy and security tasks the panel should tackle;
- Explains why she believes the Presidential Council of Advisors on Science and Technology's call for creating a universal exchange language and making it a requirement for future stages of the EHR incentive program has far too ambitious a timeline.
An attorney, McGraw is director of the health privacy project at the Center for Democracy & Technology in Washington.
HOWARD ANDERSON: Could you tell us a little bit about how you anticipate the tiger team's recommendations will be implemented? Are we going to see them show up in a NHIN governance rule or the HIPAA modifications or the EHR incentive program's stage 2 or 3 criteria?
DEVEN MCGRAW: Well, there is probably a difference between what I would love to see happen and what is probably more realistic. My ideal would be for HHS to look at all of their policy levers, which would include HIPAA modifications as well as the voluntary governance process that they want to establish through this upcoming Nationwide Health Information Network rule. So there are a number of ways that HHS can influence policy in this regard, and I would love it if they would think about what is the most appropriate vehicle for the different components.
So just to give you an example, we said a lot about how there are ought to be some really clear limits on intermediaries in terms of how they use data. And that it not just to be an issue of consent but where you've got business associates being exposed to data in transit or holding data such as in a centralized HIE, they are subject to business agreement constraints, and some constraints under the HIPAA privacy and security rules. Those haven't been spelled out with as much particularity as we think they would need to be in order to be consistent with tiger team recommendations.
So rather than trying to find another policy lever through the NHIN governance rule and EHR meaningful use rule, which are voluntary programs, or as conditions for HIEs, for which the grant money is already actually out the door, I'd much rather see them think about that as something to put in HIPAA. And then for some of the other pieces, such as patient consent (to exchange data), rather than disrupting HIPAA's traditional model, we should think about that as a best practice above and beyond HIPAA that might be done through the NHIN governance rule.
I gave you my ideal scenario. But what I think is probably more likely is that the tiger team recommendations will show up in the NHIN governance rule, because I think that the Office for Civil Rights has some specific direction from Congress about HIPAA modifications that they have to make, and I think they have historically been reluctant to make changes to that rule on their own. This isn't part of the constellation of things that Congress is requiring them to do, so I don't get the sense that there is a great appetite there for reopening it up for issues that they haven't been asked to address. ...
NHIN Governance Rule
ANDERSON: For those who don't know, describe that NHIN governance rule and its purpose.
MCGRAW: In the HITECH Act, there is just one sentence on NHIN in the whole document. ... What it said was ONC needs to establish governance for the Nationwide Health Information Network. ... The general counsel of HHS said that if you're going to establish a set of rules and call them governance, you are really going to need to do so through a rule-making process. You can't do this through some sort of a sub-regulatory body. And so, they have said that they are going to issue a rule this fall that is about the specifics of Nationwide Health Information governance, including what they call the "conditions of trust and inoperability," specifying the particular rules on how data is accessed, used and disclosed, that are going to be layered on top of what the law already requires.
ANDERSON: And that is for those using the NHIN's standards to exchange data, like HIE to HIE?
MCGRAW: That's right. So the Nationwide Health Information Network ... is as a voluntary "brand." If you ascribe to this set of criteria that are established, you can use the NHIN brand, but it is voluntary. ... But, for example, in the meaningful use criteria, they could (potentially) say that in stage two, you need to be a participant in the Nationwide Health Information Network and using those branded standards to exchange information.
ANDERSON: But that is not in the proposed criteria for stage two so far, right?
MCGRAW: It's not in the criteria included in the recent request for comment, no, because ... it was hard to leave a placeholder for that ... because we just have no idea what that NHIN governance rule is going to look like. ...
EHRs and Privacy
ANDERSON: Now the draft of requirements for stage two and three of the EHR incentive program didn't have anything new on privacy and security added. Why is that and will it be added later?
MCGRAW: The reason why there aren't privacy and security criteria is ... the tiger team has been building out a policy framework with an ever-growing list of privacy and security policy recommendations, and that work isn't done. So rather than for the meaningful use workgroup to try to include those in their incomplete form in the proposed criteria, they decided to give us a little bit more time to flush out the framework that we've been working on, with the expectation that work would inform the privacy and security category of meaningful use.
ANDERSON: So when they get to the next phase, the notice of proposed rulemaking for stage 2 of the EHR incentive program, that could have more detail on privacy and security?
MCGRAW: That could and should have more detail. I think we're expecting that rule to be proposed toward the end of 2011.
ANDERSON: So we could see some tiger team recommendations in there as well as the NHIN governance?
MCGRAW: That's where the timing gets a little tricky. To the extent that there have been some indications from ONC that they might look to the NHIN governance rule to be the vehicle for implementing the tiger team policy recommendations, if that comes out first in the fall of 2011 for example ... then we would have some time to say, "Are there some requirements that ought to be carved out and stuck into the EHR meaningful use stage 2 criteria, or do we just create a tie to in the meaningful use criteria, like you must be a subscriber to the Nationwide Health Information Network and be governed by its principles and not be kicked out for failure to comply? Is that the way we're going to do it?"
The problem will be if the meaningful use rule comes out before the NHIN governance rule, and then I think we'll really be hard pressed to try to figure out how those two things are going to be knit together.
Universal Exchange Language
ANDERSON: The Presidential Council of Advisors on Science and Technology called for a universal exchange language. What do you think of the proposal? Is it practical to require the use of a universal exchange language in stages two and three of the EHR Incentive program?
MCGRAW: Whether a universal exchange language is achievable in stage two, or whether it ought to be stage three, in part, depends on what you think about when you think of the universal exchange language. So one could argue that where we have some standards in place already for certain types of data, like laboratory data and pharmacy data, that is actually in a structured language. While we don't have complete industry adherence, we are already moving in that direction in stage one. But that's not exactly what the PCAST report said. They wanted a universal exchange language that would move what they called "atomic level data elements," versus movement of data within documents, at stage two to stage three.
I just think that's ... probably going to take a little bit longer to get there than stage two or stage three because much of the way that current EHR technology exchanges data is through documents that have multiple types of data within them. Of course lab reports are usually already on their own. Again, one could argue there is a universal exchange language for lab data; it is the Health Level Seven vocabulary and content standards. So it just kind of depends on what you're talking about.
There are bits and pieces of the universal exchange language recommendation that one could argue we're already doing. But in terms of the PCAST vision, which calls for tagging of data elements within a document and the ability to exchange them outside of their document container, that might take a little longer because it's just not the way that most EHRs ... are necessarily built, and there's going to need to be some path forward, whether it's through middleware or through these systems having a retrofit, for that to work.
Health Information Exchange
ANDERSON: Does the whole debate on PCAST recommendations have the potential to derail progress toward health information exchange?
MCGRAW: I think it only derails progress if the focus on the recommendations is: "Take it or leave it, we must do it all and all at once or we don't do any of it." That is a mistake, because I do think there are some really important, visionary statements and goals in there we haven't made progress toward with the current set of infrastructure standards that we've put into place.
One example of this is that we've been focusing a lot on direct models of exchange, which means "push" types of transactions. A doctor sends information to the other doctors that are on the care team by pushing it to them through secure messaging, through the sending of a document. ...
We have not yet laid the infrastructure, at least at the national level (some states have done this) for you to find a patient's data even if you have no idea what other doctor has treated him or her. That is the query or "pull" model which is the essence of PCAST. You are treating a patient and you want to find information about them to prepare yourself to treat them. Or you have a research protocol and you want to find the patients who have had mammograms in the last five years. It is a different model of exchange that we really have not focused any infrastructure development work on at the national level; we have really focused on push. And I do think that was the right place to start ... to at least give people the capacity to send data out to their normal trading partners.
But we need to be able to sort of broaden that lens and think about nationwide data sharing and the use case of you showing up in an emergency room and they know who you are, but they don't really know what doctors have treated you and where your records are, and then be able to find that out. The Markle Common Framework did a huge amount of work on that. It's not like there aren't some sorts of models that you can build on, and PCAST presents some issues to think about in that regard too.
ANDERSON: To wrap up, what's next for the privacy and security tiger team? Have you picked what topics you are going to tackle next, and are you going to ask the public for input on that?
MCGRAW: We've got a couple of issues that are teed up for March and April. One ... is patient access to information and what are the policies for identifying and authenticating patients to be able to electronically get their records, such as through a portal. But before we address that, we have been asked by ONC to discuss user authentication at the provider level.
We already issued some recommendations about digital certificates for a hospital or a physician's practice. But in terms of the single physician user accessing information across a network, such as if they are using an EHR system through software-as-a-service ... how do you authenticate that the person is who they say they are and what are the basic baseline policy standards? We've been asked to put that next.
Then I really do want to ask the public for some input on where there are still recommendations to be issued. ... And I'm hoping that there will be an opportunity to solicit more public comment probably through our blog in April.