But NWHIN security, privacy concerns remain
Private sector will take lead on nationwide health info network
Many of the healthcare industry’s information technology cognoscenti are pleased that the top U.S. official over health information technology hit the regulatory pause button to allow the private sector to take the lead on the nationwide health information network. Even some who like the approach, though, wonder whether the still-embryonic network can overcome long unresolved privacy and security issues without the federal government taking a more forceful role.
Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health Information Technology at HHS, announced Sept. 6 that “now is not the time” for formal regulation of the proposed network, known as NwHIN.
Mostashari’s office will still keep an eye on private-sector attempts at self-regulation and plans to chip in with help and advice on occasion, but it will step back in only if formal regulation is needed, he said. One reason for continued ONC attention is that Congress under the American Recovery and Reinvestment Act mandated that the ONC establish a “governance mechanism” for the NwHIN.
Yet even the merest inkling of a NwHIN governance plan, which was about all the federal agency released in its formal “request for information” on May 15, was too much regulation for many of the 140 individuals and organizations that submitted formal comments on the proposal.
“We are extremely pleased that Dr. Mostashari heard our concerns,” said Jennifer Covich Bordenick, CEO of the New York-based not-for-profit eHealth Initiative, which, in its formal comments on the ONC plan, asked Mostashari’s crew to hold off while the market develops self-regulation mechanisms.
Dan Porreca, executive director of HealtheLink, a regional health information exchange based in Buffalo, N.Y., also praised the doctor’s call. “I give Dr. Mostashari a lot of credit and appreciate the fact that he asked for feedback and he listened to the feedback he received,” Porreca said in an e-mail. “There is a lot going on and a lot of advancements throughout the country.”
Although it has gone by various names over the years, an intra-national health information network that would enable providers and researchers to look up, retrieve and securely exchange patient information has been the enigmatic goal of the ONC since the agency’s formation in 2004. Dr. David Brailer, the first ONC leader, called for the formation of a “network of networks,” linking regional health information organizations, or RHIOs, into a nationwide grid.
In recent years, the ONC has placed considerable emphasis on the Direct project, an initiative it launched in March 2010 with private-sector participation to develop a bare-bones set of common standards, including security-protecting encryption, for clinical messaging. Direct is likely to carry much of the load for peer-to-peer and clinician-to-patient messaging in the recently released Stage 2 meaningful-use requirements of the federally funded EHR incentive payment program, for example. DirectTrust.org, a newly formed, private-sector governance project for Direct messaging participants, was linked by Mostashari in a recent blog post on NwHIN governance.
But it was a broader, more complex nationwide query and retrieve system that has proved more nettlesome from a policy-setting perspective, said Dave Whitlinger, executive director of the New York eHealth Collaborative, which coordinates activities of New York’s statewide health information exchange network. Multiple self-regulation schemes for this broader network also are in the works, he said.
While Mostashari still wants an NwHIN, as a federal official, “trying to force the next level of record exchange, what he refers to as query-based exchange, has a number of issues, mostly policy issues, data rights and privacy issues,” Whitlinger said.
“New York has written a lot of policy and has exchange going in 12 different communities and has a lot going for it on a state-based network with 20 million people,” Whitlinger said. But some other states “are just getting started,” he said.
Also, New York has one of the more stringent state privacy policies, in that patients must be asked and provide their consent, or “opt in,” to have their medical records transferred through the state exchange.
In contrast, providers that are members of the Indiana Health Information Exchange don’t need to obtain patient consent for their data to be accessible through the exchange, relying instead on the more lax Health Insurance Portability and Accountability Act’s 2002 privacy rule revision.
It allows for sharing of patient information for treatment, payment and many other healthcare operations without consent, which Whitlinger called “the exact opposite” of New York. Still, other state exchanges use an “opt out” framework; consent is implied, and patients may request that their records not be included.
These differences raise questions, Whitlinger said: “Does the patient know who is seeing this data and for what purposes? There are topics that need to have good discourse, but it is different in many areas across the country.” For now, he said, those policy differences “are too great to surmount.”
Others complained that the ONC’s decision to withdraw from formal rulemaking means not only that privacy and security issues may impede a nationwide network, but also that the government is failing to address those concerns.
“No regulations mean the industry and the data miners will still dominate the process, but regulations mean the poor patients will at least have a shot at having impact on the process through advocacy,” said Dr. Deborah Peel, an Austin, Texas, psychiatrist and founder of the not-for-profit Patient Privacy Rights Foundation. In its comments, the foundation urged the ONC to seize this “critical opportunity” to address “privacy and security flaws in current systems and state and federal data exchanges.”