HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Criticism of ONC’s EHR Interoperability Plan Builds

The Office of the National Coordinator for Health IT proposed an Interoperability Roadmap in January this year, to help the healthcare industry achieve the benefits that should come from moving over to electronic health record (EHR) systems.

The ultimate aim of the plan is to create an environment where medical professionals can share data on patients and access medical information quickly and easily, which in turn should have an important impact on patient outcomes.

After the issuing of the first draft, the ONC invited healthcare providers and other holders of healthcare data to read the roadmap and send in comments. That comment period ended on April 3, and many healthcare organizations took the opportunity to help the ONC achieve its goal. Criticism has been constructive and a number of concerns have been raised.

Timescale for Critical Actions

The Interoperability Roadmap calls for a number of actions to be taken by both healthcare organization stakeholders and industry regulators. These measures are critical to the overall success of the Interoperability Plan and are required at key stages – 3, 6 and 10 years. If these deadlines are not met, it is unlikely that the plan will achieve its ultimate aim within the ten-year timescale. The American Hospital Association (AHA) has expressed concern about whether the timescales are realistic and suggests the plan needs to be grounded in reality.


Patient Consent: Basic Choice or Granular Choice

At present the HIPAA Privacy Rule requires all covered entities to obtain consent from the patient before their Protected Health Information is used. Authorization is not required before data is shared for treatment purposes, payments or operations, but other uses are restricted. For a healthcare provider to use data for a variety of purposes that ultimately benefit patients, they must obtain consent, and they currently do so by “basic choice”, i.e. patients either allow their data to be shared or not.

The ONC proposes that patients be given much greater control over the data that can be shared, and wants to introduce “granular choice”. This would allow patients to give their consent for data to be shared with certain individuals, under certain situations, and even to specify the exact data that can be shared.

The Healthcare Information and Management Systems Society is one of a number of critics of this proposed change, saying that it will just add to the confusion and that it is not necessary to further tie down HIPAA-covered entities with even more regulations, especially when these are largely unnecessary.

Cybersecurity Improvements

The AHA does not believe that there is any need to make major changes to legislation to ensure data is properly protected from being accessed by unauthorized individuals. Standards currently exist to protect privacy and maintain security, such as the National Institute of Standards and Technology (NIST) framework. The AHA suggests using this and not trying to reinvent the wheel.

There are clearly a number of hurdles to overcome and a great deal of feedback to consider before the final Interoperability Plan is released. With all points considered it is hoped that the final version of the Interoperability Plan will prove to be workable in practice.

Other Suggestions made to the ONC


  • Avoid over-regulation and excessive governance
  • Improve interoperability but not at the expense of patients – The provision of patient care must be the primary focus
  • Create a central portal for healthcare providers to access cybersecurity threat information across critical sectors
  • Guidance should be issued on a full holistic risk management plan – the creation of a model that can be broadly followed.
  • Further guidance issued on the encryption of data. When is it necessary? What level of security is required? What types of devices must employ encryption?

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.