September 26, 2011 – Howard Anderson, Executive Editor, HealthcareInfoSecurity.com
Federal authorities deserve credit for adding privacy and security details to the final version of the Federal Health IT Strategic Plan, several observers say. But some still believe the document doesn’t go far enough in spelling out specific action steps and priorities.
Earlier this month, the Department of Health and Human Services’ Office of the National Coordinator for Health IT issued the final version of the plan, which was fine-tuned in light of 240 comments received about the draft version issued in March. The draft generated a wide range of criticisms (see Health IT Strategic Plan: A Critique).
“It’s obvious some effort was put into broadening the view of this plan,” says Mac McMillan, CEO at the security consultancy CynergisTek. “But it still falls short of what I think healthcare is going to need to fully realize the benefit of HIPAA and the HITECH Act.”
McMillan says the final version of the plan, which serves as a blueprint for HHS’ information technology policy priorities, “incorporates all the right areas of focus with respect to privacy and security, but misses the chance to address some important issues that will be critical to healthcare’s future success in addressing data security.” For example, he says the plan fails to address the security of medical devices, such as heart monitors and IV pumps. And he would have liked to have seen more details spelling out specifics on how to give HIPAA enforcement “a sharper set of teeth.”
In addition, McMillan says the plan should have called for the “adoption of a recognized security framework and standard.” In a recent interview, he advocated creation of a security standard, either through a federal mandate or an industry-led voluntary effort (see: Security in a Post-9/11 World). “We still have 50 percent of hospitals who are lacking a full-time security person,” he notes. “We still have a lot of hospitals that are not conducting regular risk assessments.” That won’t change, he argues, “until we have a credible standard with specific requirements that a network has to meet.”
Christopher Paidhrin, security compliance officer at PeaceHealth Southwest Medical Center in Vancouver, Wash., also laments a lack of privacy and security specifics in the final version of the plan. Compared to the draft, the final version “has more clarity of intent in the language and even a better voice of passion for the purpose,” he says. Nevertheless, he contends that the final version mainly offers “promises to make progress.”
Conflicting State Laws
Some observers, however, were pleased by some of the specific additions included in the final version of the plan.
For example, Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind., criticized the draft version of the plan for failing to highlight “the conflicting nature of some of the federal and state regulations” dealing with privacy, which is impeding the progress of health information exchange.
So he was pleased that the final version addressed the issue. “It is good to see that they will be looking at the differences in the various state laws and how some may impede health information exchange in referral markets that cross state lines,” the CIO says.
The final plan states: “ONC will work with state governments and state HIE grantees to identify and develop best practices to exchange health information electronically among states with varying privacy laws. In addition, ONC is exploring technology solutions to aid implementation in a computable format of patient consent and to enable information exchange among states.”
Agency Collaboration Welcomed
Another important addition to the final version of the plan, some observers say, is the revelation that multiple agencies will be involved in setting guidelines for the privacy and security of information that’s exchanged, including a new HHS Inter-Division Task Force and the Federal Health IT Task Force, which represents six government agencies, including HHS.
“It’s important for HHS to coordinate with other agencies,” says Lisa Gallagher, senior director, privacy and security, at the Healthcare Information and Management Systems Society. “There may be aspects of policies HHS could learn from other agencies.”
But while the collaborative effort is good news, Gallagher hopes that “it moves at a brisk pace, because we need to keep moving forward as rapidly as possible.” She notes that interagency task forces “sometimes progress slowly.”
HIMSS will be participating in HHS’ efforts to address the data segmentation issue, highlighted in the final version of the strategic plan. “It’s going to be very challenging technically,” she stresses.
The final version of the plan notes that ONC is investigating, through research and demonstration projects, ways to offer patients the ability to give consent for some, but not all, of their personal health information to be exchanged, or what it calls “granular patient choice” or “data segmentation.”
In recent weeks, federal authorities have announced a number of projects in this arena, including the Data Segmentation Initiative, which will test sharing only portions of patients’ electronic health records among providers to help assure privacy, and the Query Health project, designed to test standards for querying data from electronic health records to conduct research.
Like Gallagher, Paidhrin says the issue of data segmentation will prove challenging. “This new strategy addresses a central public concern for ‘granular’ control of what is seen by whom,” he notes. “But how this can be managed across the spectrum of care is a rat’s maze of complexity. Granting access is one thing; filtering content for a large number of different roles is another.”
And Christian of Good Samaritan suggests that far more study is needed on the issue of data segmentation before policy is adopted. “I do not disagree that the data is owned by the patient, but I’m concerned about the potential liability that providers may have if they are treating patients without the benefit of all the clinical information that they should have during the treatment encounter.”
Paidhrin would have liked the final version of the plan to address security training issues in more depth. “The lack of skilled health IT professionals is a well-publicized crisis,” he says. “PeaceHealth Southwest Medical Center is collaborating with the city of Vancouver, Wash., to build a new high school adjacent to our main campus. The curriculum will focus on technical skills, with a healthcare emphasis. The industry could use more champions of healthcare training and student incentives.”
Paidhrin is concerned that federal officials lack a sense of urgency when it comes to leveraging information technology while addressing privacy and security matters.
For example, he notes, “I could imagine cutting several years off of the development of any possible nationwide health information exchange by simply adopting international standards, protocols and development programs.”
He sums up his concerns by saying: “The healthcare service industry is dealing with multiple crises, and we need immediate attention and action to remediate the core threats to patient care, safety and efficient services.”
Christian, however, cautions against proceeding at too rapid a pace. “I realize that many may not think the industry is moving fast enough,” he says. “But for one who is pounding the road, running the race, the pace is fast enough, at least for me. We did not get to where we are in a few short years; it has taken decades. I think we are moving in the right direction, but we need to be cautious as we speed around the blind curves.”