Health IT Strategic Plan Unveiled
Spells Out Federal Privacy, Security Projects
David Blumenthal, M.D., who now leads the Office of the National Coordinator for Health IT, is stepping down next month, and his replacement has yet to be named. His team has completed a draft of an 80-page document that outlines ONC's projects -- many of them long overdue -- to carry out mandates in the HITECH Act. HITECH, among other things, created the electronic health records incentive program, which could provide as much as $27 billion in Medicaid and Medicare incentives. It also provided funding for statewide health information exchanges.
Comments on the strategic plan will be accepted through April 22. Blumenthal's successor likely will oversee efforts to analyze the comments before a final version of the plan is eventually posted on the ONC website. As a result, the final version could contain some new initiatives.
Inspiring Trust
One of the key goals cited in the strategic plan is to "inspire confidence and trust in health IT."
The draft notes: "EHRs and other health IT will enhance the quality and value of healthcare, but only if there are appropriate protections in place to keep health information private and secure. Privacy and security are the bedrock of building trust, a must-have component that is essential to achieving meaningful use and realizing the value of health IT.
"Patients and providers must feel confident that laws, policies and processes are in place to keep their health information private and secure, and that they will be enforced when violations occur."
Patient Safety
In a section on improving safety and effectiveness of health IT, the plan notes ONC is "exploring mechanisms to improve data integrity, including an assessment of existing and emerging technologies that may allow for automated resolution of inaccurate or questionable data in EHRs and PHRs."
The plan also notes that ONC has commissioned the Institute of Medicine to conduct a study of health IT patient safety concerns and recommend action.
Privacy, Security Projects
In a section on protecting the confidentiality, integrity and availability of health information, the plan reviews ONC's ongoing and planned efforts. These include:
- Pending modifications to HIPAA privacy and security rules. A final version of these long-overdue modifications, mandated under HITECH, is still in the works.
- Continuing work on other privacy and security policies, including giving patients the opportunity to consent to the exchange of their information; protecting information used for secondary purposes, such as research; and potential regulation models for personal health records. A joint report to Congress from ONC and the Federal Trade Commission on protecting PHRs, mandated under HITECH, is still on the drawing board.
- Creating a governance rule for those using the Nationwide Health Information Network standards.
- Ramping up HIPAA enforcement by the HHS Office for Civil Rights, including the creation of a long-overdue compliance audit program. OCR's proposed fiscal 2012 budget asks for additional enforcement funding. (See: More HIPAA Enforcement Funding Sought).
- Identifying additional security features that may be required for EHR software certified for future stages of the Medicare and Medicaid incentive program. (See existing EHR certification criteria here.)
- Investigating innovative means for protecting the privacy of health information, such as data segmentation and consent management tools.
- Conducting a study to identify security vulnerabilities in health IT systems "to identify where to best target" ONC's resources. For example, "ONC will analyze health information breaches ... to identify the most likely sources of vulnerability."
- Identifying "best practices" to ensure privacy and security in light of advances in technology.
Privacy Rights
In a section on informing individuals of their rights and increasing transparency regarding the uses of protected health information, the plan notes:
- ONC and OCR are planning a two-year education and outreach effort "to inform individuals about how their information is safeguarded, how their information may be used and shared, and how individuals can exercise their rights under the HIPAA privacy rule."
- The Privacy and Security Tiger Team is holding public meetings to gain input on its recommendations that could lead to policies and regulations.
- Regarding informing consumers about health information breaches, ONC, OCR and the FTC are "analyzing laws, policies and procedures to ensure they meet individuals' rights and needs." A final version of the breach notification rule, which was yanked last summer, is still in the works. In the meantime, an interim final version of the breach notification rule remains in effect.