HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

National Data Exchange Roadmap Released by ONC

The Meaningful Use program has helped encourage healthcare providers to make the move from paper files to electronic health records. Now that the majority of organizations have moved to EHRs, the next step is for further policies and procedures to be developed to allow the healthcare industry to obtain the full benefits of digital record-keeping.

Covered entities must continue to invest in technology to improve communication of data while also employing the appropriate safeguards to protect it from prying eyes. To help the industry achieve the main benefits of EHRs, while ensuring the data is properly protected, the Department of Health and Human Services’ Office of the National Coordinator for Health IT has been working on a roadmap.

The ONC Interoperability Roadmap – A 10-Year Plan for EHRs

The first draft of the roadmap has now been issued. The main aim of this new Interoperability Plan is to make it possible for physicians and other medical professionals to obtain quick access to EHRs and to be able to view and share patient data in a timely manner. Access to this information could potentially save lives, and with the volume of electronic data stored on patients, it should be possible for that information to be accessed anywhere in the United States, no matter where the patient requires treatment.

Putting the Interoperability Plan in Action

Throughout the course of the 10-year plan there are a number of critical points by which certain objectives need to be achieved. These are essential to the smooth running of the plan, and will help regulators make sure that progress is being made. The most critical period is the first three years, during which time a number of barriers will need to be removed.

The ONC has announced that the roadmap was based on the Federal Health IT Strategic Plan 2015-2020, together with the ideas and plans it put forward last summer, and builds on its “10-year vision”.

Now that the draft roadmap has been released, the ONC has opened up a comment period where the document is open to public view and feedback is welcomed by covered entities on any issues which could prove problematic. The ONC will then read through the feedback and will try to accommodate changes before the final version is released later in the year.

Short Term Goals

Over the course of the next three years the following critical actions must occur:

Risk Assessment Guidance

The Office for Civil Rights must issue an updated Risk Assessment Tool to assist covered entities with this vital component of the HIPAA Security Rule. It is suggested that outreach programs are set up to educate health professionals on the importance of conducting continued risk assessments.

Preparedness and Response

To work with the HHS Office of the Assistant Secretary and coordinate on priority issues to ensure the public health system infrastructure can be maintained at all times.

Implement Infrastructure Cybersecurity Framework

To develop, with the National Institute for Standards and Technology, a Critical Infrastructure Cybersecurity Framework which will comply with HIPAA Security Rule obligations.

The Issue of Data Encryption to be Addressed

The uptake of data encryption technologies has been slow, and many healthcare providers have been criticized for not employing this data security measure even though it is not mandatory under HIPAA. The ONC plans to explore the issue and develop new standards which will cover both data in transit and data at rest. It will explore the issuing of incentives for adopting data encryption, and may issue guidance or propose further rule changes.

Access to Healthcare Data

Data can be encrypted to prevent interception or accidental disclosures, but at both ends that data must be accessible. There should therefore be a robust and secure authentication and identification process to ensure only authorized personnel are able to view PHI.

The ONC plans to assist in this regard by issuing a number of best practices which should be adopted to ensure that organizations are compliant with the Security Rule. It hopes the security standards can be raised to those in the financial industry. The ONC will also develop policies that cover multi-factor authentication, including user access and contextual appropriateness.

The Right to Privacy

The ONC plans an outreach program to ensure that the healthcare industry is fully aware of HIPAA Privacy Rule requirements governing when, to whom and under what circumstances PHI can be shared.

Obtaining patient consent before data is shared is critical under the HIPAA Privacy Rule, but is complicated by differing requirements from state to state. The ONC will work with federal and state governments to develop a “policy academy on interoperability” with regard to privacy, while considering moving to a granular choice model rather than basic choice, potentially allowing patients to be highly specific about the data they allow to be shared.

Paving the Way for Success

By breaking down a number of barriers in the early stages, the way can be paved for further progress. The ONC does not rule out the introduction of new legislation to keep the plan on track and ensure the appropriate privacy and security controls are implemented. However, one of the main barriers is a lack of education, and this is one of the main elements of the first three years of the plan: to raise cybersecurity standards by raising awareness of the issue and what is required under HIPAA Rules.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.