EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

EHR Interoperability Plan Raises Concerns


Several healthcare associations have raised concerns about some of the privacy and security components of the Office of the National Coordinator for Health IT's proposed 10-year electronic health record interoperability roadmap.


For example, they expressed concern about proposals related to obtaining patient consent for sharing health information, cybersecurity activities and governance "rules of the road" for national data exchange.


ONC, the unit of the Department of Health and Human Services responsible for standards and policies of the HITECH Act EHR incentive program, in January released a draft roadmap for achieving nationwide secure health data exchange built on interoperable EHR systems.

While the ONC draft is a 10-year vision, it contains critical actions that can be taken by regulators and healthcare stakeholders in increments over the next three, six and 10 years, to help remove technical, policy and regulatory barriers that are hindering information exchange. The idea behind the plan is to make it possible for clinicians to securely access and share timely, potentially life-saving data about a patient, no matter where that patient is treated.


Over the next several months, ONC will review the comments it received and consider how they might be reflected in the final version of its interoperability roadmap expected to be released later this year.

Patient Consent

ONC in its roadmap introduced the concepts of "basic choice" patient consent related mostly to information that's allowed to be disclosed by covered entities under HIPAA for treatment, payment and operations, versus "granular choice" consent that patients would provide to allow sharing of specific data, such as sensitive information related to substance abuse or mental health treatment.


Under the HIPAA Privacy Rule, an individual's written authorization is not required for the sharing of health information for treatment, payment or operations. But many covered entities choose to obtain an individual's consent anyway, ONC notes. And that's what ONC describes as "basic choice" consent.


ONC says "granular choice" consent refers "not only to granular choice among clinical conditions that are protected by laws in addition to HIPAA, but eventually, granular choice, should a patient wish to express it, regarding other data distinctions to be determined ... such as research ... in which an individual has chosen to participate."

Some organizations in their comments say they are opposed to federal regulators introducing the concept of granular choice consent. That's because they say it could potentially fuel more confusion among healthcare entities about the patient data that can or cannot be exchanged under HIPAA versus other government regulations, including state privacy laws.


For instance, the Healthcare Information and Management Systems Society says it "does not see the benefit of, nor is in favor of, the introduction of the concepts of 'basic' and 'granular' choice, particularly in view of these concepts being contradictory and inconsistent with applicable law, for example, HIPAA and state law."


HIMSS says it "supports the idea that interoperability efforts should focus on facilitating exchange of data when the law expressly authorizes use or disclosure of protected health information. ... HIPAA should not be essentially rewritten, through a reinterpretation, with respect to erroneously stating that individuals have the right to individual access and individual choice under the Nationwide Privacy and Security Framework, based on the Federal Trade Commission's Fair Information Practice Principles."


Similarly, as it relates to information sharing and consent, the American Hospital Association says that it opposes potential changes to current government privacy and security policies in the effort to drive healthcare providers to share electronic health information. "With regard to privacy and security issues, the AHA strongly believes that improving the infrastructure to support secure data sharing in support of clinical care can be accomplished within the existing HIPAA requirements."

Cybersecurity Activities

When it comes to issues related to cybersecurity, the AHA urges ONC to leverage existing guidance, including the National Institute of Standards and Technology's framework, rather than start from scratch.

"The roadmap includes proposed activities for ONC or HHS, but activities in this area must align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations, including the Healthcare and Public Health Sector Coordinating Council, to work through health sector-specific issues," AHA says.


"Further, any detailed standards should be aligned with the NIST Cybersecurity Framework, which is the overarching federal approach to cybersecurity, and the existing HIPAA security rules."

Rules of the Road

ONC's draft interoperability roadmap also included "a call to action" for healthcare IT stakeholders to come together to establish a coordinated governance process for nationwide interoperability. Those proposals also included the possibility that ONC would consider regulatory options to ensure compliance with so-called governance "rules of the road."


But some organizations, including the College of Healthcare Information Management Executives and the Association of Medical Directors of Information Systems, oppose too much government intervention in governance issues.


"We caution against being overly ambitious with the development of a nationwide governance mechanism and encourage focused prioritization through ingrained collaboration among private and public sector stakeholders," CHIME and AMDIS say in their joint comments to ONC. "In our view, interoperability in the service of high quality, safe patient care should remain the principal focus of the near-term."

Other Recommendations

As part of its comments on the interoperability roadmap, HIMSS also made several privacy and security recommendations. Those include suggestions that ONC, federal partners and industry stakeholder groups collaborate on developing:


  • A central portal that aggregates cyberthreat indicators and vulnerability information, across critical infrastructure sectors;
  • Guidance for what a thorough, holistic risk management program looks like - including plans, policies, procedures, application security testing, penetration testing, network monitoring and detection, incident response, continuity, disaster recovery and resilience; and
  • Guidance on issues related to encryption, including practical guidelines on encryption requirements for protected health information stored or accessed via devices and software.


"Encryption is not a silver bullet, but it can be a useful safeguard when the right technology and know-how are used appropriately to keep information both private and secure," HIMSS notes.



Records Exchange Raises Privacy Worries


A new survey shows that many consumers are concerned about whether their healthcare information will remain private once electronic records are routinely exchanged among providers. But experts say a good way to address those concerns is for organizations to be transparent with patients about who's accessing their data and why.

Devore Culver, executive director and CEO of HealthInfoNet, Maine's statewide health information exchange organization, says that HIEs and healthcare providers should take key steps to earn patients' trust that their records will remain private.


"Acknowledge their concerns," Culver says. "Be clear and transparent about how data will be used and by whom. Confirm that the organization adheres to current data security practices and standards. ... Provide the option for consumers to access audit reports of who is looking at their data."

Survey Results

The new survey, published this month in the Journal of the American Medical Informatics Association, found that more than half of California consumers believe that EHRs worsen information privacy and nearly 43 percent believe they worsen security.

When it comes to the impact of health information exchange, 40 percent of consumers surveyed say it worsens privacy and 43 percent say it worsens security.

The report was based on a phone survey of 800 consumers in California conducted by researchers at the University of California's Sacramento and San Diego campuses.

"While consumers show willingness to share health information electronically, they value individual control and privacy," the researchers wrote. "Responsiveness to these needs, rather than mere reliance on HIPAA may improve support of data networks."

Access Reports

Consumer confidence in EHRs and HIEs could be boosted if patients are given the opportunity to get reports on who accesses their records, says David Whitlinger, executive director of the New York eHealth Collaborative. The group coordinates activities for the Statewide Health Information Network of New York, which is the state's health information exchange.

SHIN-NY plans to provide consumers with such access reports through the HIE's patient portal, he says.

"They'll be able to look to see who accessed their records via SHIN-NY," he says. Providing patients with access reports about their health records is akin to credit bureaus providing consumers with reports about who accessed their credit reports, he says. "If patients ask who has accessed their records, and can get a report, that will go a long way to alleviate concerns."

Regulatory Activity

In fact, federal regulators have been working on proposals regarding an accounting of health information disclosures and EHR access reports for patients.

The HITECH Act mandated that the Department of Health and Human Services update HIPAA requirements for an accounting of disclosures of protected health information. In May 2011, HHS' Office for Civil Rights issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision.

As proposed, the access report would need to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. That access report would include EHR disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current HIPAA accounting of disclosures rule.

Many of the public comments that HHS received on the access report proposal claimed that it would prove to be technically unfeasible for EHR vendors to implement, and complex and expensive for healthcare organizations.

But Whitlinger doesn't buy those arguments. "The provider community realizes that they will get challenged about who accessed [a patient's] record, and they don't want to deal with that," he says. And he believes that some EHR vendors "don't want to have to go down the path of how to make these access reports representative and valuable" for patients.

OCR Director Jocelyn Samuels said in January that the agency was considering a possible request for additional public input on HHS' proposed accounting of disclosures rulemaking. OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule, she said.

Patient Control

An executive at EHR vendor Athenahealth says that patients will become more confident in the security and privacy of their health records if they have more control over that information.

"Too often, patient data and its sharing is controlled not by the patient but by large care organizations and their health IT vendors," says Dan Healy, Athenahealth's vice president of government and regulatory affairs. "Our vision is of a system of patient-centered information exchange, putting control back in the hands of the patient. That will do more than anything else to increase confidence."

