CHIME, MGMA, AMA, and other industry stakeholders are asking Congress to oversee implementation of HHS info blocking and interoperability regulations to address concerns, including privacy and security.
The American Medical Association, CHIME and five other industry groups are calling on Congress to oversee the implementation of the information blocking provision found in the 21st Century Cures Act to ensure patient privacy, safety, and data security as officials continue to drive interoperability initiatives.
Earlier this year, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS), both within the Department of Health and Human Services (HHS), released several proposed rules intended to drive interoperability and address information blocking.
As with any proposed rule, the industry has expressed support for the effort, as well as concerns around the speed of implementation, privacy risks, and the need for frameworks or standards to support the new model.
Leaders from the American Health Information Management Association, the American Medical Informatics Association, the Federation of American Hospitals, the Medical Group Management Association, and Premier joined AMA and CHIME in calling for Congressional oversight to address some of these issues.
While the groups applauded Congressional effort to improve and support effective health IT, they expressed concern around several competing proposed HHS interoperability efforts that could “jeopardize important goals to foster a healthcare system that is interoperable, patient-engaged, and reduces burdens for those delivering care.”
“The administration owes it to patients, physicians, Congress and our nation to listen and act on these concerns,” Jesse Ehrenfeld, MD, chair of the AMA’s Board of Trustees, said in a statement. “We still have a chance to get these policies right.”
“It is possible to improve access to medical information while promoting privacy and transparency,” he added.
Specifically, the groups asked Congress to require additional rulemaking before the rules are finalized, to set appropriate implementation timelines, and to revise enforcement so that it prioritizes education and corrective action plans over monetary penalties.
Privacy and security protections should also be strengthened before implementation. In the groups' view, the proposed information blocking rule as it stands does not sufficiently carry out the Cures Act directives to protect patient data privacy and ensure health IT security.
“It is imperative that the committee continue its oversight of privacy and security issues that fall outside of the HIPAA regulatory framework,” the groups explained.
As AMIA and others have noted before, the use of open APIs to fuel interoperability poses risks to patient privacy and data. While APIs have the potential to improve patient and provider access to data, they also bring the sector into “uncharted territory,” because once a patient pulls their records into a consumer app, that data is no longer covered by HIPAA.
The groups support patients' use of third-party apps to access their own data, but they are increasingly concerned that data shared with these apps will be commoditized by app developers or other third parties in ways patients do not expect.
To combat this, the groups recommended that certified APIs include functions that strengthen the control patients have over their data, including privacy notices, transparency statements on whether the data will be sold or disclosed, and adherence to industry-recognized best practices.
“This basic level of transparency is critical to strengthening patients’ trust in an increasingly digital healthcare system,” the groups wrote.
What’s more, data segmentation capabilities in certified EHR technology (CEHRT) should be prioritized as more sensitive data is exchanged. This should include standards and functionality that enable data segmentation, tagging, and privacy labeling, which are crucial to protecting patient privacy as the industry shifts to a health information exchange trust framework.
Third-party app vendors also pose a serious risk: there are currently no security guidelines for vendors or providers when they onboard these apps into their systems. The groups argued that ONC will need to address the security concerns of APIs and apps by coordinating with affected stakeholders.
“For example, API technology suppliers should be required to conduct surveillance and mitigate threats and vulnerabilities that could be introduced to an information system to which the API could connect,” the groups explained.
“Additional requirements are needed to mitigate security concerns that arise with the on-boarding of third-party apps onto clinician and other providers’ systems,” they continued. “Failure to do so could introduce significant cybersecurity threats to our healthcare system. Multiple stakeholders, including HHS’ own cybersecurity advisory group, have raised these concerns.”
Lastly, because multiple agencies are tasked with the privacy and security of patient and consumer data, Congress will need to develop a holistic approach to the access, exchange, and use of health information by third-party apps not governed by HIPAA, “including the sale and commoditization of data not intended by patients.”
“While we are pleased the Administration is working to operationalize several requirements in Cures that seek to improve information sharing and patient care through use of APIs, at the same time it is imperative that policies be put in place to prevent inappropriate disclosures to third-parties and resultant harm to patients,” the groups explained.
Date: October 03, 2019
Source: Healthit Security