EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

EHR Interoperability Plan Raises Concerns


Several healthcare associations have raised concerns about some of the privacy and security components of the Office of the National Coordinator for Health IT's proposed 10-year electronic health record interoperability roadmap.


For example, they expressed concern about proposals related to obtaining patient consent for sharing health information, cybersecurity activities and governance "rules of the road" for national data exchange.


ONC, the unit of the Department of Health and Human Services responsible for standards and policies of the HITECH Act EHR incentive program, in January released a draft roadmap for achieving nationwide secure health data exchange built on interoperable EHR systems.

While the ONC draft is a 10-year vision, it contains critical actions that can be taken by regulators and healthcare stakeholders in increments over the next three, six and 10 years, to help remove technical, policy and regulatory barriers that are hindering information exchange. The idea behind the plan is to make it possible for clinicians to securely access and share timely, potentially life-saving data about a patient, no matter where that patient is treated.


Over the next several months, ONC will review the comments it received and consider how they might be reflected in the final version of its interoperability roadmap expected to be released later this year.

Patient Consent

ONC in its roadmap introduced the concepts of "basic choice" patient consent related mostly to information that's allowed to be disclosed by covered entities under HIPAA for treatment, payment and operations, versus "granular choice" consent that patients would provide to allow sharing of specific data, such as sensitive information related to substance abuse or mental health treatment.


Under the HIPAA Privacy Rule, an individual's written authorization is not required for the sharing of health information for treatment, payment or operations. But many covered entities choose to obtain an individual's consent anyway, ONC notes. And that's what ONC describes as "basic choice" consent.


ONC says "granular choice" consent refers "not only to granular choice among clinical conditions that are protected by laws in addition to HIPAA, but eventually, granular choice, should a patient wish to express it, regarding other data distinctions to be determined ... such as research ... in which an individual has chosen to participate."

Some organizations in their comments say they are opposed to federal regulators introducing the concept of granular choice consent. That's because they say it could potentially fuel more confusion among healthcare entities about the patient data that can or cannot be exchanged under HIPAA versus other government regulations, including state privacy laws.


For instance, the Healthcare Information and Management Systems Society says it "does not see the benefit of, nor is in favor of, the introduction of the concepts of 'basic' and 'granular' choice, particularly in view of these concepts being contradictory and inconsistent with applicable law, for example, HIPAA and state law."


HIMSS says it "supports the idea that interoperability efforts should focus on facilitating exchange of data when the law expressly authorizes use or disclosure of protected health information. ... HIPAA should not be essentially rewritten, through a reinterpretation, with respect to erroneously stating that individuals have the right to individual access and individual choice under the Nationwide Privacy and Security Framework, based on the Federal Trade Commission's Fair Information Practice Principles."


Similarly, as it relates to information sharing and consent, the American Hospital Association says that it opposes potential changes to current government privacy and security policies in the effort to drive healthcare providers to share electronic health information. "With regard to privacy and security issues, the AHA strongly believes that improving the infrastructure to support secure data sharing in support of clinical care can be accomplished within the existing HIPAA requirements."

Cybersecurity Activities

When it comes to issues related to cybersecurity, the AHA urges ONC to leverage existing guidance, including the National Institute of Standards and Technology's framework, rather than start from scratch.

"The roadmap includes proposed activities for ONC or HHS, but activities in this area must align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations, including the Healthcare and Public Health Sector Coordinating Council, to work through health sector-specific issues," AHA says.


"Further, any detailed standards should be aligned with the NIST Cybersecurity Framework, which is the overarching federal approach to cybersecurity, and the existing HIPAA security rules."

Rules of the Road

ONC's draft interoperability roadmap also included "a call to action" for healthcare IT stakeholders to come together to establish a coordinated governance process for nationwide interoperability. Those proposals also included the possibility that ONC would consider regulatory options to ensure compliance with so-called governance "rules of the road."


But some organizations, including the College of Healthcare Information Management Executives and the Association of Medical Directors of Information Systems, oppose too much government intervention in governance issues.


"We caution against being overly ambitious with the development of a nationwide governance mechanism and encourage focused prioritization through ingrained collaboration among private and public sector stakeholders," CHIME and AMDIS say in their joint comments to ONC. "In our view, interoperability in the service of high quality, safe patient care should remain the principal focus of the near-term."

Other Recommendations

As part of its comments on the interoperability roadmap, HIMSS also made several privacy and security recommendations. Those include suggestions that ONC, federal partners and industry stakeholder groups collaborate on developing:


  • A central portal that aggregates cyberthreat indicators and vulnerability information, across critical infrastructure sectors;
  • Guidance for what a thorough, holistic risk management program looks like - including plans, policies, procedures, application security testing, penetration testing, network monitoring and detection, incident response, continuity, disaster recovery and resilience; and
  • Guidance on issues related to encryption, including practical guidelines on encryption requirements for protected health information stored or accessed via devices and software.


"Encryption is not a silver bullet, but it can be a useful safeguard when the right technology and know-how are used appropriately to keep information both private and secure," HIMSS notes.



How cloud computing enables interoperability


CMS has signaled a renewed focus on interoperability, a welcome development for healthcare professionals anxious to more easily exchange insightful data. But there’s still the matter of how well the people involved in various collaborative “Big Data in Healthcare” initiatives operate together.

At some point for most of us in our careers – usually early on – we’ve encountered a project that was initially heralded with a great deal of fanfare, only to ultimately fizzle out after failing to gain enough buy-in. For all the excitement surrounding Big Data projects, many are at similar risk of a premature end if stakeholder concerns aren’t addressed at the outset:

  • Who will host the data?
  • How will data privacy concerns be handled?
  • How have restrictions on data use been addressed?
  • Do existing consents allow for data sharing?
  • Will the data need to be de-identified? If so, using which methodology?
  • Who will be responsible for acquiring, maintaining and distributing it?
  • How will the data be protected as it’s routed to its new home?
  • How well will it be protected in its new home? Who will have access to it?

For this to work, a neutral ground is usually needed, offered by a trusted third party.

The cloud: breaking down barriers to data exchange

In healthcare, massive amounts of data are not stored in pre-defined, structured tables. Instead, they are often composed of text, notes, numbers, images, formulas, dates, and other facts that are inherently unstructured. In fact, certain kinds of data are being created so quickly that there is no time to store them before they need to be analyzed.

Savvy healthcare executives see Big Data as an opportunity to break down the paradigm of siloed data. They know that isolated data can be inefficient. Yet even while supporting the vision of Big Data, many healthcare leaders are traditionally reluctant to share data outside their own firewalls. Due to competitive considerations and confidentiality risks, there must be a level of trust in the quality and security of the receiving organization’s health data management systems for the data owner to be willing to share it. No one wants to risk a HIPAA privacy or security violation at the hands of another entity.

'Dirty' data can yield hidden treasures

To make an effective Big Data play, data sharing arrangements must be made, data flows defined, data analytics engines and the underlying infrastructure created, and the proper data governance must be agreed upon by all relevant stakeholders. It is at this stage that a trusted third-party data warehouse environment is critical for success.

Conventional wisdom leads many to believe that data must be scrubbed, normalized and aggregated into a standard format in order to gain key insights. In fact, for Big Data in Healthcare, the time-tested principle of “garbage in, garbage out” actually may not apply.

Using the right data analytics tools can reveal unexpected insights from unstructured or “dirty” data, as some call it.

In addition to enabling insights from disparate data sources and storing and protecting data, data management services are now available that alleviate the need for healthcare organizations to hire additional experts in meaningful use or cloud technology. These services include:

  • Pulling data from different sources into a single cloud-based repository for collaborative use
  • De-identifying the data and stripping it of identifiable information
  • Data visualization with dashboards and reports
  • Audit trails of who accessed what, when and from where
  • Dynamically scaling the infrastructure as the data volume increases

Cloud for collaborative care

Entities that are members of an accountable care organization or other coordinated care programs also benefit from the neutrality of the cloud for a variety of functions, from the day-to-day, such as claims and billing, to more analytic reporting and collaboration. The cloud provider can host the data along with any number of other data management services that the healthcare organization can’t, or just doesn’t want to, take on.

Can you blame them? Healthcare organizations need all of their IT staff on deck for analytics and other data projects. And as we move to a more coordinated and shared model for healthcare, all stakeholders need a neutral and trusted environment that fosters collaboration. And based on the potential for infinite computing power and storage on the cloud, the sky’s the limit for interoperability.

