American Hospital Association Advises ONC HIPAA is Sufficient
Critics of the level of data security required under HIPAA legislation are calling for even greater demands to be placed on holders of Protected Health Information (PHI). Improved security and privacy controls would make it harder for cybercriminals – and other data thieves – to obtain healthcare data.
The Interoperability Roadmap of the Office of the National Coordinator is intended to help achieve nationwide secure health data exchange involving the EHR systems that have now been implemented by many healthcare organizations. The roadmap calls for changes to be made to the existing framework of rules and regulations to improve cybersecurity controls to help achieve interoperability. The American Hospital Association (AHA) disagrees.
AHA Voices Opinion on the ONC Interoperability Roadmap
The ONC published a draft of the Roadmap back in January and invited healthcare organizations to submit comments. It will assess the feedback it receives before releasing the final version of the Interoperability Roadmap. The ONC has received criticism from many quarters over the first draft, with the AHA now having made its point of view known.
In a letter to ONC Secretary Karen DeSalvo – reported by HealthITSecurity – the AHA advised the Secretary that it is broadly in support of the roadmap, although there are a number of areas with which it is concerned.
The Interoperability Roadmap could prove to be achievable, but the AHA was particularly concerned about whether the ONC understands what is actually possible in the 10 years that the roadmap covers, in particular during the first three years when a number of critical changes need to be made in order for the roadmap to achieve its goal.
Linda Fishman, Senior Vice President of Public Policy Analysis and Development at the AHA, said in the letter “that the roadmap is not sufficiently grounded in an assessment of present realities or focused enough on the steps that will enable public and private stakeholders to travel from the present regulatory, clinical and technology environment to the future state envisioned.”
It is Not Necessary to Change HIPAA Rules
Concern has also been raised about the proposal to change existing legislation to help achieve interoperability and improve cybersecurity. Fishman points out that it is not necessary to make further changes, as the roadmap is achievable under HIPAA. She believes that it is possible to improve the healthcare infrastructure as well as encourage and support secure data sharing in a clinical care setting within the existing framework of regulations.
Before changes are considered, it has been suggested that the main focus should be to get healthcare providers up to the required standards for privacy and security and in full compliance with current HIPAA regulations. Fishman says that “the proper focus should be on making these requirements the prevailing standard nationwide if it is essential to address access to health information within the interoperability context.”
She also suggests that cybersecurity policies should “align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations,” and says that the ONC should continue working within the broader framework of existing policies.
Fishman also asked for the Office for Civil Rights to provide more guidance to some of the covered entities that are struggling to achieve HIPAA compliance. She said that additional guidance would benefit “ACOs and other multi-stakeholder alternative delivery system organizations,” for example.
With the current policy frameworks under HIPAA, data can be shared and privacy assured. There is no need to add to the current confusion over HIPAA Rules and other industry legislation by making changes to improve interoperability. The ONC just needs to develop a roadmap that can be achieved under current HIPAA rules and attain a workable balance between healthcare data protection and access and sharing of that data by authorized healthcare professionals.