Generally, the Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) govern healthcare organizations from a federal regulatory perspective, but the Office of the National Coordinator for Health Information Technology (ONC) has also offered a lot of expertise in health information exchange (HIE) security. The continuation of those efforts will be a key component to HIE security this year.
For example, former National Coordinator for Health Information Technology Farzad Mostashari announced during HIMSS13 last March that ONC wanted to concentrate on accelerating HIE innovation and work toward secure data flow. A key piece of that speech was how privacy and security are significant to HIE policy development. “We have baked security as well as privacy issues into all the activities that we have around health information exchange,” Mostashari said in New Orleans. “My Chief Privacy Officer (CPO) always reminds me that we’re not just talking about the exchange of health information, but the secure exchange of health information.”
ONC went to on to award DirectTrust.org and the EHR/HIE Interoperability Workgroup, led by New York eHealth Collaborative (NYeC), each Exemplar HIE Government Program Cooperative Agreements that April. This was a significant announcement, as ONC chose DirectTrust because it said it placed importance of a privacy and security framework for HIE direct exchange and the organization was up to the task. Both organizations were supposed to have collaborated on a roadmap that laid out the milestones to achieve as Stage 2 Meaningful Use went into effect this month, January 2014.
Later, in May 2013, ONC provided guidelines that identify two roles for Direct exchange: The first dealing with Security and Trust Agents (STAs) and the other involving Registration Authorities (RAs) and Certificate Authorities (CAs). As part of its guidelines specifically for STAs and HISPs, ONC focused on the significance of business associate agreements (BAAs) for establishing whether an entity is in fact a BA and ensuring that contractually binding agreements are in place for clients.
So what will a new ONC National Coordinator mean to that work? As reported by EHRIntelligence.com, City of New Orleans Health Commissioner Karen DeSalvo, MD, will take over for Acting National Coordinator Jacob Reider. DeSalvo, who starts her new role next Monday, January 13, has lot on her plate. The start of Stage 2 Meaningful Use will ensure she hits the ground running, and a big part of her work with Stage 2 will be helping guide organizations to balance innovation goals with patient privacy. Increased transmission of data between healthcare organizations as part of HIEs will make this a challenge, but ONC proved in 2014 that it does consider HIE security a priority.