
ONC Draft Federal Health IT Strategy Puts Privacy, Security in Focus

HHS ONC shares its draft Federal Health IT Strategy for 2020 to 2025, designed to improve investments and develop standards, among other goals with a focus on patient privacy and security.

The Department of Health and Human Services released its proposed Federal Health IT Strategy for 2020 to 2025, developed with the Office of the National Coordinator for Health Information Technology. Privacy and security play key roles in the plan, with a need to develop standards for APIs, among other key elements.

The plan outlines the federal government's goals, objectives, and strategies around patient empowerment, the delivery of high-quality patient care, and improving overall health through health IT, organized around four key objectives.

HHS is seeking to promote health and wellness, enhance the delivery and experience of care, build a secure data-driven ecosystem to fuel innovation and research, and connect care and health data through an interoperable health IT infrastructure.

Among its privacy and security elements, the plan strives to “put individuals first,” by embracing patient-centered care that values patient privacy.

“ONC, along with our partners across the federal government, strive to promote a health IT economy that increases transparency, competition, and consumer choice, while also seeking to protect the privacy and security of individuals’ health information,” ONC Chief Don Rucker, MD, wrote.

“These efforts include coordinated investments, standards and policies for secure, standards-based APIs, and user-focused technologies,” he continued.

The agency is working to build a secure data sharing infrastructure centered around privacy and security. The hope is to build an integrated ecosystem able to support research, clinical decision making, and population health management, and to improve patient access to their own data and cost information.

To accomplish this, the agency intends to lean on standards-based APIs. However, as several industry groups have noted, there are a host of privacy and security challenges that need to be addressed before the rules are finalized.

But according to the proposed strategy, the agency aims to bolster “secure access to large datasets of health information for use in quality improvement and outcomes research” and create a common vocabulary set to improve the consistency, integrity, and data quality that will fuel data sharing between systems through APIs.

Further, the agency is working to empower patients through apps and other health IT research, aligned with their consent preferences to participate in research.

Privacy and security concerns are also at the center of the fourth goal to develop an interoperable health IT infrastructure. The plan seeks to promote secure health information access, exchange, and use, while protecting patient privacy.

“Patients and caregivers must be informed to understand how health data may be used and to provide their privacy preferences where appropriate,” the plan authors wrote. “Keeping health information secure, preventing breaches and fraud, and curtailing other harms is crucial for maintaining patients’ trust in their healthcare providers and the health IT they use.”

To accomplish this, privacy and security must be integrated into the design and use of health IT to promote the necessary security culture and protect health information, while implementing privacy and security mechanisms wherever possible, including encryption embedded in APIs and other technologies and the use of multi-factor authentication.

The plan also intends to improve patient understanding and control of their data to help them make more informed decisions about data exchange and how their data is used. The agency is seeking to provide technical assistance and guidance around health information exchange policies and regulations.

For ONC, it’s their role to foster the privacy and security of individuals’ health information across the sector, as it protects competition and innovation and provides research and health IT funding.

The need for health information privacy provides an opportunity for the sector to improve upon privacy practices beyond federal and state regulations. The proposal explained that both patients and their caregivers should be educated on data practices and associated risks, and be provided an opportunity to consent to data use.

“Government agencies, healthcare providers, health IT developers, researchers, and other stakeholders need to work together to implement robust mechanisms for ensuring the privacy of health information as more and more data are generated and health IT becomes more interoperable,” the report authors wrote.

What’s more, “healthcare organizations still have poor understandings of cybersecurity risks and best practices.”

Noting the significant concerns around health data privacy and security, especially as healthcare moves toward the cloud, the report authors stressed there’s a need to implement more robust mechanisms to secure the data as interoperability improves across the sector.

The proposal comes as the industry awaits the final rules from ONC and the Centers for Medicare and Medicaid Services on information blocking and the Interoperability and Patient Access Proposed Rule. Industry stakeholders have told HHS the rules need improvements around privacy and security, especially around the use of APIs.

“In developing this Plan for public comment, ONC collaborated with over 25 federal organizations involved in health IT,” according to the strategy. “ONC conducted research and considered recommendations from its Health IT Advisory Committee.”

Industry stakeholders are encouraged to provide feedback until March 18, which will allow ONC, in collaboration with other federal partners, to consider the comments and later publish a finalized version of the strategy.
