MS Health Information Security & Privacy Center

ONC to release info-sharing tools

• By Kathryn Foxhall
• Mar 09, 2009

The Office of the National Coordinator for Health Information Technology (ONC) will release recommendations next month from the Health Information Security and Privacy Collaboration (HISPC), which has been working for three years to resolve policy differences among the states on sharing electronic health information.

Teams from 42 states have reconciled differences in their policies for handling health information, and at a conference last week, state officials said their efforts have laid the groundwork for interstate health information sharing and could speed the use of health IT funds from the economic stimulus package.

“As communities begin to quickly respond to health IT stimulus funding, ONC might suggest following this framework,” said Dr. Art Davidson, director of public health informatics at the Denver Public Health Department.

ONC will release the tools and recommendations of seven workgroups that have focused on information sharing hurdles related to patient consent, privacy, provider education, security standards and other issues.

In one project, a team evaluated six states’ requirements for audits and authentication and recommended common requirements for sharing health data among organizations, health information exchanges and the Nationwide Health Information Network.

To do so, the project tested different ways to report lab results and manage medication and came up with a tool to negotiate minimum acceptable requirements for sharing lab and medication data among states, said Francesca Lanier, HISPC project director at the Utah Department of Health.

Next steps will include monitoring use of the policies, expanding the number of transactions, and organizing a clearinghouse for information about standards, Davidson said.

But some observers expressed concern that focusing on the lowest common denominator when creating policies might remove incentives for building the strongest possible security and privacy agreements.

Michael Magrath, manager of health care and government marketing at Gemalto, a digital security company, said he was concerned that “states are going to adopt the minimum requirements rather than going above and beyond to secure the information.”

For instance, even so-called strong passwords can be stolen or compromised, Magrath said. “Why not have high levels of assurances through strong authentication, two-factor authentication,” similar to automated teller machines, which require both a card and an identification number.

Project members said they had to make certain trade-offs between requiring higher security levels and getting health IT systems up and running. But in general, they said, their findings urge health care organizations to go further if possible.