EHR Assn: Privacy and security of NwHIN is 'sufficient'
The Office of the National Coordinator for Health IT (ONC) issued a request for information (RFI) on the creation of a governance structure for the Nationwide Health Information Network (NwHIN) back in May. Now, the EHR Association (EHRA) is submitting its response, expressing appreciation that this is an RFI, not a notice of proposed rulemaking.
According to an ONC presentation, the NwHIN governance mechanism will include rules on technical, business practice, privacy and security requirements to establish a common trust framework for the exchange. The RFI specifically sought input on the following:
- The establishment of a set of Conditions for Trusted Exchange (CTE);
- A validation process allowing participants to demonstrate compliance with CTEs;
- Procedures to update CTEs;
- Processes to classify the readiness of technical standards to support CTEs; and
- Approaches for monitoring and overseeing NwHIN.
Jeremy Maxwell, application security architect for Allscripts and vice chair of the EHRA Privacy and Security Workgroup, said EHRA appreciates the RFI because “it gives the industry two chances to comment on the governance model which will lay a foundation for how health information exchange is done for years to come. It’s imperative that we get it right.”
The NwHIN is no longer a mere concept, said Charles Parisot, architecture and standards manager for GE Healthcare IT and chair of the EHRA Standards and Interoperability Workgroup. The network has been in operational existence for a year-and-a-half, he said, "with a very significant number of transactions. Over a million patients have records being shared at the national level." With this level of experience, it's now time to formalize its various aspects, he said. "That's why we support this effort by the ONC to better organize the NwHIN governance." He said he envisions the governance effort refining the network and becoming a continuous improvement exercise.
One aspect of the RFI the association takes issue with is privacy and security, said Maxwell. ONC poses approximately 60 questions, with a little more than half related to privacy and security. "One of the goals of the governance model is to increase the public’s trust of HIE. That’s where privacy and security CTEs come in."
The EHRA supports privacy and security efforts, he said, and recognizes the "extreme importance of privacy and security in health information exchange." The group felt the RFI fell short with its proposed CTEs because they go beyond HIPAA in certain instances. "HIPAA already provides strong protection for privacy and security, especially when it comes to exchange," he said.
Meanwhile, the list of publicly disclosed data breaches indicates that very few breaches occur during exchange; rather, they result from physical loss or theft of media. "So, we feel that the existing privacy and security protections in HIPAA are sufficient, at least at this juncture, for the foundational NwHIN."
Maxwell believes the pace of progress is appropriate. "As an industry, what is necessary and needful is the actual exchange. Governance of the actual exchange is key and we need to get it right. We don’t want to rush just to get something in place."