Criticism of ONC’s EHR Interoperability Plan Builds
The Office of the National Coordinator for Health IT proposed an Interoperability Roadmap in January this year, to help the healthcare industry achieve the benefits that should come from moving over to electronic health record (EHR) systems.
The ultimate aim of the plan is to create an environment where medical professionals can share data on patients and access medical information quickly and easily, which in turn should have an important impact on patient outcomes.
After the issuing of the first draft, the ONC invited healthcare providers and other holders of healthcare data to read the roadmap and send in comments. That comment period ended on April 3, and many healthcare organizations took the opportunity to help the ONC achieve its goal. Criticism has been constructive and a number of concerns have been raised.
Timescale for Critical Actions
The Interoperability Roadmap calls for a number of actions to be taken by both stakeholders of healthcare organizations and industry regulators. These measures are critical to the overall success of the Interoperability Plan and are required at key stages – 3, 6 and 10 years. If these deadlines are not met, it is unlikely that the plan will achieve its ultimate aim within the ten-year timescale. The American Hospital Association (AHA) has expressed concern about whether the timescales are realistic and suggests the plan needs to be grounded in reality.
Patient Consent: Basic Choice or Granular Choice
At present the HIPAA Privacy Rule requires all covered entities to obtain consent from the patient before their Protected Health Information is used. Authorization is not required before data is shared for treatment purposes, payments or operations, but other uses are restricted. To use data for a variety of purposes that ultimately benefit patients, a healthcare provider must obtain consent, and providers currently do so by “basic choice”, i.e. patients either allow their data to be shared or they do not.
The ONC proposes that patients are given much greater control over the data that can be shared, and wants to introduce “granular choice”. This would allow patients to give their consent for data to be shared with certain individuals, under certain situations and even to specify the exact data that can be shared.
The Healthcare Information and Management Systems Society is one of a number of critics of this proposed change, saying that it will just add to the confusion and that it is not necessary to further tie down HIPAA-covered entities with even more regulations, especially when these are largely unnecessary.
Cybersecurity Improvements
The AHA does not believe that there is any need to make major changes to legislation to ensure data is properly protected from being accessed by unauthorized individuals. Standards currently exist to protect privacy and maintain security, such as the National Institute of Standards and Technology (NIST) framework. The AHA suggests using this and not trying to reinvent the wheel.
There are clearly a number of hurdles to overcome and a great deal of feedback to consider before the final Interoperability Plan is released. With all points considered it is hoped that the final version of the Interoperability Plan will prove to be workable in practice.
Other Suggestions made to the ONC
- Avoid over-regulation and excessive governance
- Improve interoperability but not at the expense of patients – The provision of patient care must be the primary focus
- Create a central portal for healthcare providers to access cybersecurity threat information across critical sectors
- Guidance should be issued on a full holistic risk management plan – the creation of a model that can be broadly followed.
- Further guidance issued on the encryption of data. When is it necessary? What level of security is required? What types of devices must employ encryption?