ONC's Mostashari Outlines PrioritiesAddresses Key Privacy, Security Issues
"We need to ensure and maintain the public's trust in health information systems and in the exchange of their health information," he stresses in the interview with Howard Anderson, executive editor at HealthcareInfoSecurity.
Mostashari notes that one of the main goals of the HITECH Act's electronic health record incentive program, which his office administers, is to determine, "given all of the other authorities and enforcement mechanisms that are in place, what more is necessary to do to protect the privacy and security of the information through the meaningful use rule?"
Incorporating such protections in future EHR "meaningful use" incentive requirements for participating hospitals and physicians, as well as in the criteria for EHR software eligible for the incentive program, is "certainly going to be something that's a priority for us," he says.
Also in the interview, Mostashari notes:
- An interagency task force on privacy and security, including representatives of ONC, the HHS Office for Civil Rights and several other agencies, is continuing to work on ensuring a consistent approach to health information privacy and security.
- ONC will test components of a new health information exchange architecture recommended by the President's Council of Advisors on Science and Technology (See: Tests of New HIE Architecture Slated).
- His goal as head of ONC is "to help create the world that we wish to see, where we see improved health and healthcare, and trust in ... information systems on the part of patients."
Asked whether he plans to serve a two-year term as national coordinator, following in the path of his predecessor, David Blumenthal, M.D., Mostashari says, "I plan on serving until they kick me out."
Before assuming his current role, Mostashari had served as deputy national coordinator for programs and policy at ONC. Previously, he served at the New York City Department of Health and Mental Hygiene as assistant commissioner for the Primary Care Information Project, where he helped facilitate the adoption of prevention-oriented health information technology by more than 1,500 providers in underserved communities.
Mostashari also formerly led the NYC Center of Excellence in Public Health Informatics and an Agency for Healthcare Research and Quality funded project focused on quality measurement at the point of care. He established the Bureau of Epidemiology Services at the NYC Department of Health, which provides epidemiologic and statistical expertise and data for decision making to the health department.
Mostashari did his graduate training at the Harvard School of Public Health and Yale Medical School and completed his internal medicine residency at Massachusetts General Hospital. He was one of the lead investigators in the outbreaks of West Nile Virus and anthrax in New York City, and was among the first developers of real-time electronic disease surveillance systems nationwide.
HOWARD ANDERSON: At a recent meeting, you stressed that the Office of the National Coordinator for Health IT must emphasize "putting patients and their interests, including privacy and security, in the center of all we do." You also called for "a move from strategy to execution on many of the things that we've started and designed." Please summarize the key steps you plan to take to make sure privacy and security issues are adequately addressed, and how you'll move from strategy to execution in this arena.
FARZAD MOSTASHARI: Absolutely. This is obviously a critical, critical area for the health IT agenda. We need to ensure and maintain the public's trust in health information systems and in the exchange of their health information. The information needs to go wherever they go to be able to follow them, but they also need to have the confidence that the information is secure where it's kept, where it's moving, and also that their privacy rights are protected.
The first step in this, in everything we do, is to make sure that we have an open and transparent and participatory and inclusive process for considering all the issues, all the dimensions of the issues. And we do that through, importantly, our Federal Advisory Committees, in particular, the Health IT Policy Committee and Standards Committee. We have had an average of one public meeting every other day, and many of the issues that they touch on really do relate to trust and privacy and security, among other issues. So part of the process here is making sure that we have an open and transparent discussion of the issues and identification of what are the gaps and what are the potential options for action, either on the part of ONC or on the part of other federal agencies or, indeed, our private partners. So that's kind of the overarching part of it.
The second piece is that the HITECH Act contained not only the foundations of ONC and the health IT incentive payments, it also had some very important privacy and security improvements in the Act. It [included] breach notification rules, accounting for disclosures requirements, expansion of HIPAA rules to business associates, restrictions on the sale of data and the use of that data for marketing, and it also included stepped-up enforcement of HIPAA, including higher civil monetary penalties. As you know, OCR [The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA] recently imposed such civil monetary penalties for entities that violated [HIPAA], and I think we're going to see continued cases like that. That will be important in creating a context for folks to take the necessary steps to protect the security of the information. [OCR] is also working with state attorneys generals to coordinate their expanded authorities to bring HIPAA enforcement actions. So those are some of the most important things, from a regulatory and enforcement point of view, we have to do.
And then there are some technical issues around finding ways ... to get patients more granular consent over what information is disclosed and to whom, in particular working with our partners ... on the behavioral health side; and looking at the EHR certification requirements and the opportunities there. And then governance over trusted intermediaries; there's going to be rulemaking coming out later to identify what are some of the conditions of trust and interoperability for intermediaries that serve to move information.
Collaboration on Privacy, SecurityANDERSON: Federal jurisdiction over privacy and security policy is shared by multiple agencies, and getting them to move in a coherent and consistent direction can prove challenging. What steps do you plan to take to work with other agencies within HHS and elsewhere to ensure that the federal government moves in a consistent direction on healthcare privacy and security issues?
MOSTASHARI: You're right to point to the importance of coordination between the different entities within the federal government. And, in fact, we have established an interagency task force on privacy and security with senior level representation within HHS, and this includes ONC. (See: White House to Create Health IT Task Force). It's co-chaired by ONC and the Office for Civil Rights, but it also includes many of the other agencies that are going to be affected and are actors in this. And much of this work has been informed by the recommendations from our federal advisory committees. So that coordination is key, and we've established a process to be able to achieve that.
There's also, from outside of HHS, the President's National Science and Technology Council, which includes [the Department of] Commerce and FTC [Federal Trade Commission] and probably 15 other agencies at the table -- including HHS and our chief privacy officer, Joy Pritts -- who are conducting discussions around privacy, more generally on the Internet; and health information that kind of falls through the HIPAA net has also featured prominently in these discussions.
EHR Incentive ProgramANDERSON: The only privacy or security requirement for Stage 1 of the electronic health record incentive program was to conduct a risk assessment, as already required under the HIPAA security rule, and take action to mitigate any risks identified. Do you plan to take a lead role in making sure that HHS includes additional privacy and security requirements in future stages of the EHR incentive program? And what privacy and security issues are most important to address in order to help build trust in the EHRs, among patients and physicians alike?
MOSTASHARI: We have a process, obviously, for rulemaking, and I wouldn't presume to kind of short-circuit that process. But I will say that one of the main goals of meaningful use, within a meaningful use framework, is, quite specifically, to make sure that we do what steps are necessary. Given all of the other authorities and enforcement mechanisms that are in place, what more is necessary to do to protect the privacy and security of the information through the meaningful use rule?
It's important to note, though, that, again, it's within the context of everything else that's already in place. We don't need to duplicate what's already in place in the meaningful use rule. ... So we have asked, and we are going to get recommendations on potential privacy and security aspects of meaningful use and the [EHR software] certification criteria and standards that might pertain to that, and it's certainly going to be something that is a priority for us.
HIE ArchitectureANDERSON: The President's Council of Advisors on Science and Technology has called for a new health information exchange architecture. ONC plans to test components of that architecture in the months ahead. How might those tests lead to new privacy or security requirements for future stages of the EHR incentive program?
MOSTASHARI: What's really interesting about the new exchange architecture is that it says that we should be able to identify data with metadata around what was the source of that information and what are some of the patient preferences around the use of that information. And this really enables some of the things that, for example, NCVHS [The National Committee on Vital and Health Statistics] called for years ago -- the ability to segment the data for sharing. For example, if the source is a mental health facility ... to be able to segment that information aside or to look at the additional requirements around patient choice that pertain to that. And we're beginning to do some pilots on this, which the Health IT Policy Committee [PCAST Report] Workgroup recommended, and [we will seek] comments on some metadata standards that could pertain to those. So I think there are some very exciting possibilities of technology that really permits more granular policies around sharing of information and choice. ... And I think it's a nice example of where it's not that technology that's trumping policy; it's that the technology enables policies that would have been difficult to implement otherwise.
ONC Leadership PlansANDERSON: Finally, do you plan to serve a two-year term as head of ONC, as your predecessor, Dr. David Blumenthal, did? And how do you hope to build on Dr. Blumenthal's accomplishments, and what new approaches do you hope to bring to the job, especially for privacy and security issues?
MOSTASHARI: My hope is to continue the fine tradition that David brought to policymaking in this office, which was really making sure that we have transparency and open, participatory and inclusive processes; that we listen; that we really set a course for changes in the healthcare system that are ambitious but achievable. And my goal for ONC is for us to really continue down that path, continue with those principles, and help create the world that we wish to see, where we see improved health and improved healthcare and a trust in those information systems on the part of patients and the public.
ANDERSON: So a two-year term or maybe longer?
MOSTASHARI: I plan on serving until they kick me out.