Voluntary HIE Rules: Early ReactionExperts Debate Need for Mandatory Privacy, Security Standards
As federal authorities ponder how to ensure that most health information exchanges follow the same "rules of the road," observers are debating whether voluntary compliance with guidelines, as proposed, will prove effective.
The Department of Health and Human Services' Office of the National Coordinator for Health IT recently issued a formal request for information seeking comments on plans for voluntary national standards, including privacy and security guidelines, for HIEs. Comments are due June 14 (see: Feedback Sought on HIE Rules of Road).
The proposed Nationwide Health Information Network Governance Rule would create an NwHIN "brand" that health information exchanges and others could voluntarily earn, much like the Energy Star program that signifies energy efficiency levels of many products, says Farzad Mostashari, who heads ONC (see: Voluntary HIE Standards in Works).
The proposed voluntary NwHIN program "is a good first step," says Andrew VanZee, the statewide health IT director in Indiana who oversees efforts to link five HIEs to share data statewide. "Voluntary compliance gets the early adopters and innovators on board."
But VanZee believes an eventual shift to mandatory compliance could prove necessary. "It will most likely take mandatory compliance to get all organizations to ensure that the standards are met."
Although VanZee says voluntary standards may sound better "in the current political environment," he adds, "The final governance standards need to look at what are the essential standards that apply to all use cases, all geographic locations and all technology solutions."
A Call for a Mandate
Consumer advocate Corinne Carey believes HIE standards should be mandatory on day one.
"While I understand the [voluntary] approach and that the idea is that agencies, organizations and providers will ultimately seek out the seal of approval, I don't think that patients 'shop' for medical care - and for access to their own medical records - in the same way they shop for appliances, says Carey, assistant legislative director at the New York chapter of the American Civil Liberties Union. "There may be some incentive for systems to strive to earn the "seal of approval," but I don't think that adopting strong patient privacy controls should be voluntary."
A set of voluntary guidelines will only prove effective if HIEs widely adopt them, says another consumer advocate, Deven McGraw. She's co-chair of the Privacy and Security Tiger Team, which has made numerous recommendations for HIE standards.
"HIEs have been asking the federal government for quite some time for more guidance on how to handle privacy and security issues," McGraw notes. "HIPAA provides a baseline set of rules, but it does not address all questions, particularly in the case of new infrastructure that wasn't even envisioned when the HIPAA regulations were issued. A set of voluntary guidelines provides HIEs with this guidance - but it will only work if the collective desire HIEs have had for guidance results in collective adoption."
Widespread HIE adoption of the NwHIN standards will depend on whether the standards are perceived to be flexible enough to fit various models of exchange "without a significant disruption to what they're already doing," says McGraw, director of the health privacy project at the Center for Democracy & Technology.
Federal officials could eventually make HIE compliance with NwHIN standards mandatory in certain cases, she adds, if the voluntary approach fails to generate enough participation in the NwHIN program.
The tiger team will consider a series of privacy and security questions posed by the NwHIN request for information when it meets May 22 and again June 4. That could include addressing the voluntary nature of the program. The team ultimately will make recommendations to the Health IT Policy Committee, which will submit a reply to the RFI.
Security consultant Kate Borten, president of The Marblehead Group, notes that ONC is considering the use of formal accreditation and certification bodies to review compliance with the NwHIN standards - an essential component in the voluntary approach. But she's concerned about those HIEs and others that decide not to seek out the NwHIN seal of approval. "Unfortunately, we wouldn't know if these organizations have stellar security controls and are fully HIPAA-compliant ... or if their safeguards are substandard," she says. "Would they eventually fold without the accreditation? I wouldn't want to count on it."
Borten also is concerned about the lack of HIPAA compliance among covered entities and business associates that might exchange information through HIEs. "An important underlying message of the ONC's request for information and its related efforts seems to be that the national network is relying on CEs and BAs being HIPAA privacy and security rule compliant," she says. "But seven years after the security rule became enforceable, we know that compliance is uneven and still weak in many sectors. And enforcement hasn't gotten a lot better either."
Rules of the Road
A baseline set of "rules of the road" for electronic health exchange is being considered, according to the ONC announcement, because the exchange of information is now governed by "a patchwork of contractual relationships, procurement requirements, state and federal laws and industry self-regulation through accreditation and certification."
The ONC announcement says a voluntary set of standards is proposed because: "Overall, we believe that it would be impracticable and imprudent to establish through regulation a 'one-size-fits-all' approach to governance."
It continues: "Given the constantly evolving technical and policy landscape applicable to electronic exchange, it would be onerous and perhaps unachievable to specify upfront all forms of electronic exchange to which the governance mechanism could apply. Rather, we view the Nationwide Health Information Network as a continually expanding ecosystem of electronic exchange activities for which stakeholders would be able to select the appropriate set of standards, services and policies to meet their electronic exchange needs."
The eHealth Intiative is forming a work group to develop a comment letter on the NwHIN issue. The first meeting of the group will be held May 23. To register, visit the initiative's website.