Choosing a New Leader at ONC
As David Blumenthal Departs, a Tactician Is Needed
As David Blumenthal, M.D., prepares to step down as National Coordinator for Health Information Technology this spring, it's a good time to assess the privacy and security issues that his successor must address.
Blumenthal did a fine job of heading the herculean effort to get the ambitious HITECH Act electronic health record incentive program off the ground in a hurry. He carried out a HITECH mandate when he appointed Joy Pritts as ONC's chief privacy officer. And his move to create a Privacy and Security Tiger Team helped ensure that important issues involved in health information exchange are addressed.
A physician and an academic, Blumenthal was well-suited for the task of setting up broad strategies and getting the ball rolling. His successor needs to be a hands-on tactician who can collaborate with others inside and outside the federal government to make sure all necessary steps are taken to protect the privacy of electronic health records and other healthcare information.
Collaboration among federal agencies is going to prove essential. For example, the Office for Civil Rights, which, like the Office of the National Coordinator for Health IT, is a unit within the Department of Health and Human Services, is responsible for enforcing HIPAA and the HITECH breach notification rule. Meanwhile, the Federal Trade Commission holds sway over personal health records, among other issues.
Deven McGraw, co-chair of the Privacy and Security Tiger Team that's been advising Blumenthal's office, says the next head of ONC must "explore all the possible policy levers for ensuring privacy and security accountability for all holders of health data. That includes working to establish a consistent approach to privacy and security among all HHS agencies as well as working with the FTC and the Department of Commerce on privacy protections for health data that is outside of HIPAA coverage."
The "shared jurisdiction" within the federal government regarding healthcare privacy and security issues "has created some hurdles," McGraw acknowledges. Certainly, the new head of ONC could take a lead role in overcoming those hurdles.
Dan Rode, vice president of policy and government relations at the American Health Information Management Association, would like to see Blumenthal's successor take a lead role in providing much more detailed privacy and security guidance that applies to all healthcare organizations, and not just those participating in the HITECH electronic health record incentive program.
Encryption Guidance
We'd like to see the next head of ONC lead the way toward additional, clear-cut guidance on the use of encryption and other security technologies. A pending proposal to modify HIPAA privacy, security and enforcement rules stops short of explicitly mandating the use of encryption or any other security technologies. Likewise, the rules for the HITECH EHR incentive program don't include such a mandate.
As we noted in a blog last summer, a clear-cut "you must encrypt" mandate would certainly make it easier for security professionals to win funding for the use of encryption in their organizations (See: Encryption: No Mandate So Far). Perhaps the initial mandate could focus on encrypting data stored on mobile devices and information traversing the Internet, the two highest-risk areas.
The President's Council of Advisors on Science and Technology recently jumped into the healthcare IT policy fray when it recommended adoption of a universal exchange language for healthcare and mandating its use in future stages of the EHR incentive program. While the council's report raises important issues about the interoperability and privacy of electronic health records, Blumenthal's successor needs to find a diplomatic way to tell the council that moving to a universal exchange language is a long-term project that can't be rushed. Health Level Seven and other organizations have been working on interoperability issues for decades, and ONC and others need to build on the work that's been done so far. And that will take years, not months.
In the short term, the next head of ONC must put into place clearly stated rules for protecting health information that's already being transmitted over health information exchanges. The tiger team has made a nice start on such guidelines.
Blumenthal's successor also should work closely with consumer groups to identify additional security measures to help win the trust of the American public for electronic health records and health information exchange.