Trade Law Daily is a service of Warren Communications News.

Patient Consent, Leveling Security Among Questions for Health IT Committee

The details of patient consent for sharing information will be among the questions on 2013 and 2015 standards that those working on both policy and technical standards for health IT should consider next, said John Halamka of Harvard Medical School, vice chairman of the Health IT Standards Committee, at its meetings Tuesday. The standards for consumer consent after 2011 are “murky territory,” said privacy and security workgroup member David McCallie of Cerner Corp. The committee is making recommendations to National Coordinator David Blumenthal for an escalating series of requirements doctors and institutions must meet to qualify for incentive payments.

The workgroup found itself walking a line between technical standards and policy questions, McCallie said. One area it wrestled with was what should happen when networks with varying levels of user authentication requirements exchange information. Should all systems have to lift themselves to the level of the most stringent member? Or should they lower their requirements to those of the least strict member? Ultimately, McCallie said, the workgroup decided this was a policy, not standards, question. But technical tools could give systems an understanding of exactly what their counterparts are doing, which would allow them to make decisions based on their own policies. The workgroup is trying to balance security with ease of use and costs, Halamka said. Clearly there must be minimum requirements, as the system will only be as secure as its weakest link, Halamka said. But Veterans Affairs might have stricter requirements, for example, and better ability to implement them, than a solo practitioner, he said.

Perhaps there should be a standardized format for reporting breaches so the committee can dissect the information for patterns or weak spots, said federal Chief Technology Officer Aneesh Chopra. He said he doesn’t have a good perspective now on the greatest threat to patient data, whether rogue employees, foreign entities, mistakes in code or something else. Jodi Daniel, director of the office of policy and research within the Office of the National Coordinator (ONC), said ONC has been working with the Office of Civil Rights, to which entities would make breach reports, on what information should be reported. She said they hope to draw intelligence from the reports and then return to the field with details on how breaches occur and how they can be prevented.

The committee approved the workgroup’s recommendations, modified for clarity since its last meeting, which focus on the technical standards systems must meet -- for example, having the capability to restrict access to those with user rights, to provide access during emergencies or to record and examine activity in information systems. The committee’s approval means it will send the standards on as recommendations to ONC.