Based on the feedback it received, the Office of the National Coordinator for Health IT will consider making tweaks to its proposed Trusted Exchange Framework and Common Agreement, including provisions related to privacy and security, says ONC's Genevieve Morris.
ONC's draft framework, unveiled in January, aims to help fulfill a call for increased health data exchange in the 21st Century Cures Act that was signed into law in 2016.
That law is aimed at accelerating medical innovation, including easing the exchange of data among various health information networks to support timely, appropriate treatment decisions.
Some security components being proposed for the framework are more specific than what's required by HIPAA, with the draft document acknowledging that not all of the participants in networks that adopt the framework will necessarily be HIPAA-covered entities or business associates.
"Overall, people were quite supportive with the goals we're trying to accomplish with the trusted exchange framework. But the devil is always in the details," says Morris, ONC's principal deputy coordinator, in an interview with Information Security Media Group at the HIMSS18 conference in Las Vegas.
"Some folks commented on the timelines and the need to think about longer implementation timelines," she says.
The proposal for stricter breach notification requirements - within 15 days after discovery, versus the 60 days allowed under HIPAA for the reporting of major breaches impacting 500 or more individuals - got "mixed feedback," she says.
"There were a number of folks who were quite concerned about the shorter time period and the lack of alignment with HIPAA - and there were some folks that thought that was great," she says. "So we're revisiting all that and working closely with [HHS'] Office for Civil Rights to figure out what the best path forward is.
"We're looking forward to refining the privacy and security requirements and getting to a place where folks feel comfortable that the data that we're exchanging is safe and secure."
In the interview, Morris also discusses:
- The framework's proposed authentication requirements that are stricter than what's specified under HIPAA;
- ONC's work on the 21st Century Cures Act's provisions related to information blocking;
- What comes next in ONC's work involving the 21st Century Cures Act's health information exchange provisions.
Before joining ONC as principal deputy national coordinator for health IT, Morris worked with ONC during the Obama administration in a variety of areas, including policy, standards, technology and grant programs, through contractor Audacious Inc., where she was senior policy director. Morris was involved with development of ONC reports related to the State Health Information Exchange Program, consumer engagement in health information exchange, provider directories, query-based health information exchange and the development of the Shared Nationwide Interoperability Roadmap. Earlier in her career, Morris worked at a payer organization and with a health information exchange organization in Pennsylvania.