Most viewers of EHR Scope are physicians and medical office managers, many of whom are becoming educated about the necessity of EHR implementation and may not be completely up to date with some of the technical progress of the National Health Information Network (NHIN) since HITECH. While the meaningful use final rules are shaping elements of incentive qualifications and penalty enforcement, when all is said and done HIT work roles and workflows will be significantly changed as well. Defined roles and qualifications for those required to handle personal health information (PHI) will be formed by the security requirements embedded in the National Health Information Network. While these issues are more technical in nature, perhaps there are some of you out there with the ability to contribute to the public discussion while the ONC is listening.
With this in mind, some of the infrastructure advisory boards are now starting to become more active in specific issues faced by the adoption of HIT technology.
Last Thursday, an ONC email went out describing a recent post the committee has submitted regarding “Provider-Entity Authentication.” Apparently the “Tiger Team” is requesting responses from the public to some specific questions. The post can be found here. The questions, taken from the Tiger Team materials, follow:
1. What strength of provider-entity authentication (level of assurance) might be recommended to ensure trust in health information exchange (regardless of what technology may be used to meet the strength requirement)?
2. Which provider-entities can receive digital credentials, and what are the requirements to receive those credentials?
3. What is the process for issuing digital credentials (e.g., certificates), including evaluating whether initial conditions are met and re-evaluation on a periodic basis?
4. Who has the authority to issue digital credentials?
5. Should ONC select an established technology standard for digital credentials and should EHR certification include criteria that tests capabilities to communicate using that standard for entity-level credentials?
6. What type of transactions must be authenticated, and is it expected that all transactions will have a common level of assurance?
While these questions are extremely technical and jargon oriented, the truth of the matter is that these are the discussions that will establish the security standards for HIT/EHR data transmission. Thus, the operations, workflow and job functions of those persons tasked with utilizing this technology will be directly influenced by the standards developed for secure medical data transmission. Some of the comments already posted raise existing security concerns regarding large facilities and medical staffing.
After discussing these technical security issues at length with more informed parties, it was established that the methods involved in transferring individual patient data would be taken care of through secure data transmission providers. These are the same or similar security standards used for monetary transactions online. One specific company mentioned in the blog responses is VeriSign. The question then becomes: What will the transaction costs involved in the utilization of a secure service like VeriSign become? And where will the costs be placed?
Another issue posited is the privacy-oriented conflict of incentives produced by individuals having access to patient record data, for purposes other than care, as it passes through the data pipeline. How does digital certification play into this issue? What are the legal responsibilities of the caregiver? Although I did not mean to answer a question with more questions, the final rules for these issues are still being finalized.
Take for example the credit card. When a card is lost or stolen, and it is no fault of one’s own, one is not responsible for the costs incurred by the fraudulent actor. The case would be the same for any hacked medical data. As long as HHS (HIPAA) and the ONC are proactively managing these issues and reporting them, the quality of security measures can be improved. One may know that a person has a subset of medical conditions, but any decisions made based upon that information are restricted. The only data used is that which is established as admissible for such decision subsets. This is basically already the case, and I am not of the belief that the public is well enough informed about this.
Even given the extensive framework outlined in the HITECH Act, privacy issues are still being raised to diminish the urgency of EHR adoption. The benefits of integrated care, cost reduction and research far outweigh the Personal Health Information (PHI) privacy cases that will inevitably occur. Either way, the gray areas of these issues will be organized and hammered out in the coming years while the next stages of Meaningful Use and HITECH are completed. The only real question is time.
The thought process represented here does not go into the moral prerogatives of making non-medical decisions based on medical data. HIPAA’s requirements for PHI explain the necessity to hold those persons accountable for any misuse or breach of the PHI record. This will be extended by providing management workflows that define who is qualified to hold or administer the digital certifications.
If you have the expertise and wish to share with the decision makers, please make your opinion heard by posting on the Federal Advisory Committee Blog.
What is the National Health Information Network (NHIN)?
The National Health Information Network is the collective name for all network structures which combine into a cohesive health data exchange medium. This fall has kicked off many ONC workgroups and collaborative information gathering initiatives in order to advance the HITECH Act. Some of these groups operate through the HIT Policy Committee, and more recently the ONC has created the Tiger Team to tackle specific security issues.
What is the HIT Policy Committee?
The committee was established by the HITECH Act as a set of workgroups, reporting directly to the National Coordinator, to set priorities and a framework for the development of health technology infrastructure and the EHRs themselves. The Committee is made up of appointees. The Committee’s most recently active workgroups cover issues involved with Meaningful Use, HIT governance and EHR information exchange. These groups are directly requesting input, in the form of blog comments, from the public. The blog is located at the ONC page under “Federal Advisory Committee Blog.” Another more recently established advisory board, also requesting public response, is the ONC Tiger Team.
What is the ONC Tiger Team?
The Office of the National Coordinator for Health IT (ONC) “Tiger Team” is a collaborative privacy and security subcommittee. The members of the group include executives from private HIT firms as well as representatives from some of the nation’s top universities, foundations and national partnerships. The group has been meeting since June 10th. The National Coordinator, Dr. David Blumenthal, formed the team to deal with the very difficult issues of secure information exchange over the internet in the Health Information Technology (HIT) spectrum. The issues handled by this board are very technical in nature, including the strategy and organizational structures that are creating the network(s) in which Electronic Health Records (EHR) will be operating.
Currently, the meetings have culminated in explanations of policy development around the National Health Information Network (NHIN) and how personal health information is transferred through EHRs geographically. These activities will further codify the legal and operational framework of the entire industry. These groups are critical in the adoption and evolution of standards amongst private and public entities. To stay current with the ONC Tiger Team or to catch up on media from previous meetings, go to the ONC Tiger Team homepage.