After Blumenthal: A To-Do List
Many Health Information Privacy, Security Tasks Remain
One top priority for Blumenthal's successor will be to work with other agencies to build a consistent approach to protecting patient information, says Deven McGraw, co-chair of the Privacy and Security Tiger Team that's been advising Blumenthal's office.
Plus, Blumenthal's successor must better define how to balance the need to keep healthcare information secure against the need to give clinicians prompt access to potentially life-saving information, suggests Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind.
And Dan Rode, vice president of policy and government relations at the American Health Information Management Association, would like to see Blumenthal's successor take a lead role in tackling the difficult task of providing much more detailed privacy and security guidance that applies to all healthcare organizations, and not just those participating in the HITECH Act electronic health record incentive program.
HHS Secretary Kathleen Sebelius says her office is conducting a national search "to find the right successor for this key position."
As head of the Office of the National Coordinator for Health IT within the Department of Health and Human Services, Blumenthal spearheaded the HITECH Act EHR incentive program, which mandates participants conduct a risk assessment and mitigate any risks identified. The Medicare and Medicaid incentive program requirements stop short of explicitly mandating the use of encryption or other security technologies, although they do require the use of certified EHRs, which must include numerous security functions.
Security Recommendations
McGraw says a priority for Blumenthal's successor must be to carry out all the privacy and security proposals of the Health IT Policy Committee, which is reviewing the tiger team's recommendations. Those recommendations primarily apply to health information exchange.
In addition, his successor must "explore all the possible policy levers for ensuring privacy and security accountability for all holders of health data. That includes working to establish a consistent approach to privacy and security among all HHS agencies as well as working with the Federal Trade Commission and the Department of Commerce on privacy protections for health data that is outside of HIPAA coverage."
McGraw, who is director of the health privacy project at the Center for Democracy & Technology, notes that many of the privacy and security provisions of the HITECH Act "were essentially amendments to HIPAA, which means they are largely the responsibility of the HHS Office for Civil Rights." Because Blumenthal lacks sole authority for privacy and security protections, McGraw says, the "shared jurisdiction has created some hurdles."
But, she adds, "I always thought that Dr. Blumenthal was deeply concerned about privacy and security and putting into place workable protections for electronic health data."
The Office for Civil Rights is still working on plans for a HITECH-mandated HIPAA compliance audit program. Both OCR and ONC have a long list of unfinished HITECH-mandated regulations and programs. The first one expected this year is a final rule from OCR carrying out modifications of the HIPAA privacy, security and enforcement rules. Also pending is a final version of OCR's breach notification rule. ONC is working with the FTC on a report about the privacy and security of personal health records. It's also developing a Nationwide Health Information Network governance rule establishing guidelines for the privacy and security of health information exchange, among many other factors.
Security Is a Balancing Act
When it comes to addressing security issues, Blumenthal's successor will have to perform a balancing act, says Christian, the Healthcare Information and Management Systems Society's 2010 CIO of the Year.
"The tiger team that is working on the privacy and security processes has a delicate balancing act to perform when crafting recommendations in this area," Christian says. "If the balance leans too far toward security, you risk creating artificial barriers for the clinical staff, with the potential for creating harm if access to the information is delayed when minutes count. If the balance leans too far toward ready access, you risk creating an environment where a patient's personal privacy is placed in the open."
Christian says that he's "uncertain if that balance has been adequately defined." As a result, he says, "Fostering open dialogue is the best approach to identifying that balance between the risk and the benefits. It's my hope that the person following Dr. Blumenthal will be as passionate about moving all of HITECH forward in a structured manner, maintaining the appropriate balance, while listening to an array of thoughts and discussions."
Broader Security Guidance
AHIMA's Rode is hopeful that now that Blumenthal and his team have successfully launched the HITECH EHR incentive program on a tight timeline, his successor can tackle broader privacy and security projects.
He'd like to see the policy and standards committees that are advising ONC "take a broader look at privacy and security requirements so they're addressing the needs of the entire industry, and not just those covered by the EHR incentives' meaningful use requirements."
Creating more detailed federal policies, especially to govern health information exchange, is essential "if we're going to be successful with protecting data exchanged by all kinds of healthcare entities," he says. Organizations need more guidance on the security strategies and technologies, including authentication, that they should adopt, he adds.
A Security Champion Needed
Dixie Baker, who serves on several committees that advised Blumenthal on privacy, security and other issues, says the new head of ONC needs to "continue to champion policies and technologies that adhere to fair information practices for consumers and that protect the confidentiality of sensitive information, the integrity of decision-critical data and the availability of information and services essential to the delivery of safe, high-quality care."
Baker, senior vice president and chief technology officer for health and life sciences at Science Applications International Corp., gives Blumenthal high marks for his commitment to maintaining the privacy and security of healthcare information as it's digitized. "Through both his statements and his actions, Dr. Blumenthal consistently expressed his view that privacy and security were essential to gaining and maintaining the trust of both consumers and providers, and that such trust was a prerequisite to the widespread adoption of EHR technology and the electronic exchange of information."