Consumers and patients support the electronic sharing of health information and are eager to experience the benefits of widespread adoption and use of electronic health records. Yet a substantial majority continue to express significant concerns regarding the impact of e-health on the privacy and security of their health information. According to a recent survey by the Markle Foundation, the privacy of health information is a significant concern for the American public and doctors who serve them.
Building and maintaining public trust in health IT and health information sharing will be critical to leveraging their benefits to improve individual and population health. The rhetoric from the Office of the National Coordinator for Health IT and HHS has been consistently strong on the importance of respecting the confidentiality of health information; however, with a few exceptions, the pattern has been too much talk and not enough action.
The start of the new year is the time to break that pattern. ONC and HHS must take big, concrete steps to implement a comprehensive privacy and security policy and technology framework to govern electronic health information exchange. As initial steps, HHS should:
- Act on the privacy and security policy recommendations issued by the Health IT Policy Committee;
- Promptly release the final modifications to the HIPAA privacy and security regulations enacted in the HITECH Act; and
- Promptly issue the Nationwide Health Information Network governance rule and clarify that governance covers all exchange programs operated or endorsed by ONC.
Act on Policy Committee's Privacy, Security Recommendations
There is significant agreement among many stakeholders that building trust in health information sharing requires implementation of a comprehensive framework of privacy and security policies based on fair information practices (FIPs) and supported by privacy-enhancing technologies. ONC adopted a version of FIPs in a December 2008 report, titled "The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information," and ONC's 2011 Health IT Strategic Plan specifically incorporates this document. This framework, articulated at the level of overarching principles, was an important development at a very early stage in federal efforts to promote the adoption of health IT.
The time has come to advance the framework through the adoption of specific privacy and security policies. As we are almost three years into implementation of the programs authorized by HITECH, a clear commitment by ONC and other agencies within HHS to implement a privacy and security framework that builds on (and fills gaps in) current law will help secure public buy-in, endorsement of and engagement in health IT programs.
The federal Health IT Policy Committee has sent ONC numerous privacy and security policy recommendations that aim to build and maintain public trust in health information sharing, including recommendations regarding limitations on data collection, use and disclosure, consent, patient matching and amendments to health data. Each recommendation sets forth specific policies to implement the principles endorsed in ONC's Strategic Plan. Unfortunately, very few of these recommendations have been acted on by ONC or any other agency within HHS.
ONC should act on these recommendations and apply all of the policy levers at its disposal, such as conditions for receipt of federal funds authorized by HITECH, to promote the endorsed policies. ONC has used its authority over the electronic health record certification program to require EHR technology to include baseline security functionalities like encryption and access controls. This was an important first step in enabling a policy framework. However, for many of these functionalities there are no requirements on providers -- through law, the meaningful use program or other health IT spending programs -- to actually implement them. This needs to change in 2012.
Promptly Release Final HITECH Modifications to HIPAA Privacy and Security Regulations
Public trust in the health IT programs will be bolstered with the release of final HIPAA privacy and security regulations mandated by HITECH. A final rule to implement most of these changes was scheduled to be issued in September 2011, but stakeholders are still waiting for those regulations. Statutory deadlines for implementing most of these requirements have been in effect since 2010, but they are unlikely to be enforced before regulations have been released. In addition, reports required to be issued on de-identified data and protections for information in personal health records not covered by HIPAA are nearly three years late.
The absence of more clearly articulated privacy and security rules creates an environment of uncertainty that is a disincentive to adoption and could lead to unnecessary costs through the implementation of interim solutions that do not match final requirements. At a recent hearing before the Senate Judiciary Subcommittee on Privacy, Technology and the Law, one witness noted that HHS had "lost credibility" on privacy due to its delay in releasing the final HITECH regulations.
It is critical that the necessary policies to support health IT and health information sharing are put into place without further delay.
Promptly Issue the NwHIN Governance Rule Covering All Programs Operated or Endorsed by ONC
Another lever for advancing a comprehensive set of FIPs-based policies across all ONC programs is through governance of NwHIN, defined by ONC to be a "set of standards, services and policies that enable the secure exchange of health information over the Internet."
HITECH requires HHS to establish "governance" of NwHIN. The Health IT Policy Committee, at ONC's request, developed recommendations on governance for NwHIN:
- NwHIN should establish an environment of trust and interoperability for exchange that is the preferred approach for exchanging health information nationwide and that is supported by the federal government with strong incentives to promote adoption.
- The federal government should establish the Conditions for Trust and Interoperability (COTIs) that establish this preferred exchange environment.
- There should be a baseline of COTIs for all types of exchange, with some variability to meet the unique demands of certain exchange programs.
The Policy Committee also recommended that the initial set of COTIs would be set forth in the governance rule to be issued by ONC. The committee also assumes that a number of its recommendations on privacy and security policy would be considered for inclusion in the governance rule. ONC initially indicated this rule would be issued last fall, but it has yet to be released. Release of the governance rule in early 2012 will set a better direction for HHS on health privacy.
It is also critical that the rule on governance of NwHIN have broad scope, covering all mechanisms of NwHIN exchange. On its website, ONC identifies the Direct Project, NwHIN Exchange and NwHIN CONNECT as ONC's three NwHIN initiatives. Casting a wide net for NwHIN governance would realize ONC's stated intent to "assure the integration of privacy into all facets of ONC activities and programs." For example, if HHS intends to promote use of Direct as a viable mechanism for exchanging health information to qualify for later stages of the meaningful use incentive program or require states to incorporate Direct into their state HIE plans, it is imperative that Direct incorporate NwHIN governance conditions of trust and interoperability.
In the absence of clear guidance on this issue, the Direct Project organizers have recently proposed their own governance structure, DirectTrust.org, which would establish some rules and processes for accountability. The Direct Project organizers are right to recognize the need for a governance infrastructure to ensure that participants are operating using a consistent set of standards and policies. However, it is critical that governance for all ONC-established or -supported programs have the government (HHS) playing a key role to ensure that privacy and security policies and interoperability standards are established through processes that are legitimate, transparent, accountable and benefit the public.
Make 2012 the Year for Health Privacy
This new year is shaping up to be a big one for health care policy. Privacy consistently makes it to the top of the list in terms of important issues -- but taking big, concrete steps on health privacy has yet to be a priority for health IT policymakers. Let 2012 be the year for action on health privacy.