Previously, we touched on the new security breach notifications introduced through the American Recovery and Reinvestment Act of 2009 (ARRA); see https://enclavesecurit.wpengine.com/blogs/kellitarala/2009/03/01/hitech-act-and-security-breach-notifications/ for that post. In this post, we will discuss the goals for the National Coordinator for Health Information Technology.
Government/Agency Leadership Infrastructure: A Health Records Czar?
Currently, the Department of Health and Human Services (HHS) is the United States government’s principal agency for protecting the health of all Americans. HHS administers more than 300 programs that include health and social science research, Medicare and Medicaid, and health information technology.
The new American Recovery and Reinvestment Act of 2009 (ARRA) establishes additional government and agency involvement in setting policy, standards, specifications, and criteria for Health Information Technology (HIT) and Electronic Health Records (EHR) systems. The Office of the National Coordinator for Health Information Technology (ONCHIT) will be the primary agency involved in this effort. The National Coordinator will be responsible for three significant goals:
· Developing a nationwide HIT infrastructure that improves health care quality
· Reducing health care costs
· Protecting patient health information
The Office of the National Coordinator for Health Information Technology will be required to update the Federal Health IT Strategic Plan to address the use of EHR technology, including privacy and security of health information.
HIT Policy Committee
A Health Information Technology (HIT) Policy Committee will make policy recommendations to the National Coordinator. The policy recommendations will address standards, specifications, and certification criteria, including authentication, privacy, and security of individually identifiable health information. Recommendations also will cover accounting for disclosures of health information; encryption of health information, including during transmission over the nationwide health information network; and comprehensive collection of patient demographic information. The HIT Policy Committee will consist of representatives of health care providers, health care workers, information privacy and security, insurance, and information technology vendors, as well as a broad range of constituents, including patients.
At last, recommendations on technology and technology guidance will be included in efforts to secure and protect our healthcare records. This is a big change from the current stance of health information protection under HIPAA. The HIPAA guidelines are vague and open-ended. This has led to inconsistencies regarding security and privacy controls around personally identifiable information (PII). For example, a healthcare provider may decide to implement encryption on all laptops, and a different healthcare provider may decide that encryption on mobile devices is not necessary. The lack of technology guidance and technology standards in HIPAA is one reason why it is ineffective and unenforced by HHS. With the creation of a National Coordinator of Health Information Technology and a Health Information Technology Committee, let’s hope that personally identifiable health information will be truly protected.