
Wednesday, October 6, 2010

NCHICA offers recommendations to health care providers on security and meaningful use

The North Carolina Healthcare Information and Communications Alliance (NCHICA) just released a white paper entitled "Privacy and Security Implications of Meaningful Use for Health Care Providers" that reflects the results not only of an analysis of federal rules associated with the Electronic Health Record (EHR) Incentive Program administered by the Centers for Medicare and Medicaid Services (CMS), but also of a workshop held last June just before the Sixth Academic Medical Center Security & Privacy Conference. The paper provides a brief background on the "meaningful use" rules that will serve as the basis for health care providers and professionals to qualify for financial incentives to subsidize the cost of acquiring EHR technology, and offers a series of recommendations for health care providers in the areas of governance and compliance, the role of security officers, data exchange and coordinated care, health information exchanges, and patient engagement.

Overall, the NCHICA paper should provide useful high-level guidance to some of the many potentially eligible health care providers who are still trying to make sense of meaningful use. I've written fairly extensively on various aspects of this exact topic (including the need for authoritative guidance on conducting risk analyses and the meaningful use security requirements in general), and on balance it seems likely that however prepared or unprepared health care providers may be to comply with meaningful use measures, the requirements associated with security and privacy are not likely to be the most challenging ones to meet, at least for Stage 1 of the program that begins in early 2011. In the interest of full disclosure, please note that ISACA Journal Online just published an article I wrote on essentially the same subject, "Privacy and Security Considerations for EHR Incentives and Meaningful Use," so the NCHICA paper seems to confirm the timeliness and relevance of complying with meaningful use security requirements. Given the protracted federal rulemaking process involved with the meaningful use measures and associated EHR standards and certification criteria, one of the practical difficulties is trying to stay abreast of the specific requirements to which providers will be held accountable while those specifics are undergoing revisions.

As noted above, the contents of the white paper reflect discussions at a pre-conference workshop on privacy and security implications of meaningful use, coordinated by NCHICA and held in early June. At the time this Sixth Academic Medical Center Security & Privacy Conference was held, the final versions of the meaningful use rules and EHR standards and certification criteria had not been published (they were released in mid-July, and published in the Federal Register on July 28), so the material available to workshop participants was from the draft versions released in January. While most of the core themes of the meaningful use program were consistent from the interim to the final versions, some of the items that changed are not reflected in the white paper. For instance, to highlight the central importance of HIEs in the national health IT strategy, the white paper references a passage from the "Meaningful Use Notice Final Rule", but the quote and its reference are from the proposed (draft) final rule published in January, not the final version published in July. The passage quoted was not included in the final rule, and while the federal funding allocated towards and policy emphasis placed on HIEs certainly speak to the importance of health information exchanges in general, the final meaningful use rule greatly reduced the focus on the purported benefits to be delivered to health care entities through HIE.

The authors of the white paper point out that the single meaningful use measure related to security is essentially a reference to an existing requirement (under the provisions of the HIPAA Security Rule) to conduct regular risk analyses. Specifically, they explain that "the intent may be broadly interpreted that eligible professionals and eligible hospitals should assess their privacy and security practices in general and make improvements where necessary and appropriate." This is a much broader interpretation than the guidance offered with the publication of the final rule, which altered the language in the draft meaningful use measure requiring risk analyses so that the final measure explicitly limits the scope of the risk analysis to the certified EHR system or modules being used by the eligible entity.

To their credit, the workshop participants and the white paper's authors do not limit their focus to Stage 1, but appear to try to consider likely future requirements for Stage 2 and Stage 3, work on which has only just begun. The underlying message is that health care providers need to be taking steps now, both to try to meet existing rules and also to plan for complying with new requirements, including those that will implement provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act. A further challenge for health care organizations seeking to establish or maintain compliance with all relevant rules is that the EHR incentives program using meaningful use measures and criteria will be in effect before some key HITECH-driven rules are finalized (breach notification) or even drafted (accounting of disclosures). In the case of accounting of disclosure rules, the law gave the HHS Secretary the discretion to delay the implementation of the rules beyond the 2015 deadline for meaningful use Stage 3, so it is far from clear to what extent, if any, providers and professionals will be expected to comply with such legal requirements if the corresponding rules have not yet been promulgated.

When addressing health information exchanges, the white paper suggests that "it will be necessary to re-engineer workflows across organizations, replacing point-to-point connections/interfaces with robust HIE processes." While it is hard to argue with the position that many-to-many integration patterns are well suited to enabling widespread health information exchange, none of the major federal HIE initiatives provide for any data exchange more complicated than mutually authenticated point-to-point transmissions. Both NHIN Exchange and NHIN Direct rely on entity-to-entity messaging models, although to be fair NHIN Exchange is intended to offer a logically centralized directory (registry) of participating entities, which can be used to satisfy requests from multiple participants to find out which ones have information about specific subjects (such as patients or providers). The integration interfaces that health care entities will use to exchange data in these models may indeed require updating to support multiple data exchange partners, but the communication model is likely to remain point-to-point, and to the extent these HIE participants adopt prevailing HIE standards, little or no entity-specific variation in interfaces should be needed.

The NCHICA authors astutely point to the need for more work to specify patient expectations and requirements with respect to EHRs, HIEs, and health IT in general. They also correctly pinpoint the clinician-to-patient or caregiver-to-patient relationship as the central locus for developing and maintaining patient trust, with a corresponding need to educate and inform clinicians and caregivers of this role with respect to patients. Particularly with respect to trust and EHRs, the paper highlights a suggestion that providers may need to assign staff to the role of "patient advocate," both to help patients understand relevant aspects of the health care system and to foster greater levels of patient engagement or active involvement in their own care.

1 comment:

  1. Steve,

    Thanks for your comments. Appreciate your insight and thoughts regarding our paper. We were going primarily on the initial rule when this paper was being put together in June and July. Your comments provide an excellent update regarding the final rule.

    Phyllis Patrick
