The Federal Information Security Management Act and HIPAA privacy rules make it difficult to share electronic health records among federal agencies and private-sector health care providers, health IT executives said last week at a forum hosted by market research firm Input, Government Health IT reports.
The HIPAA privacy rules require health care providers and plans to protect patient information, while FISMA requires federal agencies to safeguard, monitor and document the security of their networks and systems. To comply with the combined technical requirements of the laws, health care organizations often must take more than 200 steps, such as conducting risk assessments and establishing access controls, to ensure their data and systems are secure.
Vish Sankaran -- program director of the Federal Health Architecture office, which is charged with managing the federal government's Connect software project to share health information with private health care providers -- said, "A small practitioner's office would not have the infrastructure to manage all the security controls." He added, "And we can't have the government having to check that all these systems are compliant."
Sankaran said health data ownership could present additional hurdles to health information sharing. He said, "If it's the federal government's data, there is a further obligation (under FISMA) for the entity receiving it," adding, "If the patient owns [the information], and the patient authorized [the Department of Defense] to move the information into the private sector system, then the receiving entity will have the right security controls in place" (Mosquera, Government Health IT, 11/6).