Security and privacy issues unaddressed in Stage 2 Meaningful Use proposal garner attention at policy meeting


The Stage 2 Meaningful Use notice of proposed rulemaking (.pdf) the Health and Human Services Department published March 7 addresses many but not all of the health IT policy committee's concerns around security and privacy.

"Most of what we've gotten through is an agreement that, 'Yes, we should in fact be thankful for what we were able to get and comment specifically and favorably on things that we recommended that were in fact included in the proposed rule," such as security risk assessments and encryption of data at rest, said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.

McGraw, who is the committee's co-chair of the certification and adoption workgroup, spoke April 4 at a health IT policy committee meeting in Washington, D.C. During the meeting, workgroups presented their responses to the proposed rule to the HHS's office of the national coordinator for health information technology.

Now the health IT policy committee will reconcile ONC's feedback with their initial suggestions, in order to re-draft recommendations for the health IT policy committee's approval May 2. The committee will submit a final recommendation to ONC by a May 7 deadline, explained one workgroup chairman, Paul Tang, vice president of Palo Alto Medical Foundation.

But even though ONC and McGraw's workgroup "got through the low hanging fruit," there are several issues in Stage 2 Meaningful Use that are still a concern, said McGraw. For example, the workgroup initially requested that electronic health record portals be tested to include secure view, download, and transmit capabilities that account for authentication. ONC did not include this in its proposal, saying it was fairly common technology and did not require additional testing.

Other workgroup suggestions that were not adopted were recommendations around the capability for EHR technology to be able to transmit amendments and patient upended data, programmatic mechanisms to block unauthorized attacks, e-prescribing controlled substances and testing EHR technology for the use of digital certificates, said McGraw.

"I want to really address the digital certificates. I think those are critical and the testing of those is absolutely critical. So, when we get back into committee that's something that's got to be really, really looked at. If we're not going to include digital certificates and authentication, how are we going to do it?" asked Gayle Harrell, a health IT policy committee member and a Florida state representative.

Another point of contention during the meeting was discussion around information collection.  

"Some of the comments that I've gotten around Stage 1 have been, 'Why are we collecting this?' And anytime you ask providers to collect something but it's not being used, it seems pointless," said ONC Director Farzard Mostashari.

"The reason why we're collecting this is to begin to look at disparities, but…if we could actually connect the collection of that information to addressing disparities, it would at least make it more clear--at least from a communication point of view--as to why we're doing it," said Mostashari.

It's really boils down to a workflow issue, said Judy Murphy, deputy national coordinator. The data entry and the benefits of data entry don't really connect, she said.

Computerized physician order entry "by itself doesn't work well. You have to have CPOE embedded in all of the rest of the stuff that the computer is doing--giving the physician value with information it's showing, not just 'here's something you have to do to collect that information,'" said Murphy.

Committee members repeatedly reminded each other that ONC has only one shot to get these policies right.

For more:
- go to the Health IT policy meeting page (includes agenda, audio and meeting materials)
- download the notice of proposed rulemaking (.pdf)

Related Articles:
VA to roll out early version of iEHR in 2014
CMS releases proposed Stage 2 meaningful use EHR objectives
Health information exchanges need work, says ONC official
ONC releases 5-year plan for health IT