A recurring challenge facing efforts to implement interoperable health information exchange solutions is agreeing on a common set of security standards that can be applied to both private and public sector participants in such exchanges. There are multiple alternatives from which to choose, notably including the HIPAA security rule, ISO/IEC 27002, and NIST SP800-53 security controls used in association with FISMA, but none of these apply — either by regulation or by choice — to all the different types of organizational entities sought for participant in health information exchange. The federal government, through the Office of the National Coordinator (ONC) for Health IT within the Department of Health and Human Services, has taken on the role of setting policy, providing program funding and financial incentives for health IT technology adoption, and establishing the criteria organizations must meet to qualify for these incentives. ONC has also formed advisory committees with representation from government, commercial, and non-profit organizations to determine the most appropriate overarching policies and standards to be used for health information exchange. For several years the government has been leading major initiatives intended to help realize the vision of a nationwide information exchange infrastructure, and with the passage of the HITECH Act in February 2009, the government also took on a role as the arbiter of technical standards, including those for security. In a recent webcast sponsored by 1105 Government Information Group, speakers from the government, contractor, and IT analyst communities gave presentations on security as both a key prerequisite and important enabler of health information exchange, and highlighted work being done today by the Veterans Administration that may serve as a model for recommended security standards for electronic health records. Even the limited experiences with health information exchanges between government agencies and private sector organizations demonstrate the enormous complexity involved with complying with all applicable security and privacy regulations. Nevertheless, getting security right is absolutely necessary in order to achieve widespread use of health IT and participation in health information exchanges.
For the VA's part, director of Health Care Security Gail Belles emphasized the need for a common set of security standards that can be applied to both public and private sector entities, but also highlighted the lack of consistent standards even among federal agencies for handling data exchanges with non-federal entities. During the webcast Belles summarized a Veterans Health Administration pilot patient record sharing project with Kaiser Permanente in San Diego, using the specifications and standards of the Nationwide Health Information Network (NHIN). For the pilot project, both VHA and Kaiser Permanente signed a legal agreement laying out terms, prerequisites, and obligations for data exchange between the two organizations, and then proceeded in accordance with the regulatory security requirements that apply to each organization — in Kaiser Permanente's case, that includes HIPAA and HITECH as well as California laws such as the SB 1386 governing privacy of personal information; in addition to HIPAA and HITECH the VA is subject to FISMA, the Privacy Act, and provisions under Title 38 of the U.S. Code covering privacy and confidentiality of veterans' medical records and claims data. Even without beginning to dive into the specifics, the picture would be greatly simplified if a single comprehensive set of security and privacy standards were available. Because it has such a large presence in delivering and administering health care, the government alone is in the position to declare standards that will be adopted by federal and non-federal participants alike. The government is already working on a standard definition for the structure of an electronic health record, so it does not seem unreasonable that the government would also take a shot at formalizing the standards required to secure those records when they are exchanged.