Robert Kolodner M.D.
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services
Protecting Patient Privacy in Healthcare Information Systems
Oversight and Government Reform Committee
Subcommittee on Information Policy, Census and National Archives
U.S. House of Representatives
Tuesday June 19, 2007
Honorable Chairman Clay, thank you for the opportunity to submit testimony on behalf of the Department of Health and Human Services (HHS) about protecting patient privacy in healthcare information systems.
On April 27, 2004, the President signed Executive Order 13335 announcing his commitment to the promotion of health information technology (health IT) to improve efficiency, reduce medical errors, improve quality of care, and provide better information for patients and physicians. At that time, the President also called for widespread adoption of electronic health records (EHRs) by 2014 so that health information will follow patients throughout their care in a seamless and secure manner. Reaching this ambitious goal requires cooperation among Federal agencies and Departments that play a role in advancing our understanding and use of health IT, coordination across all Federal health IT programs, and coordination with the private sector. Toward those ends, the President directed the Secretary of HHS to establish within his office the position of the National Coordinator for Health Information Technology to advance this vision.
Moreover, on August 22, 2006, the President issued Executive Order 13410 to ensure that health care programs administered or sponsored by the Federal Government promote quality and efficient delivery of health care through the use of interoperable health IT, transparency regarding health care quality and price, and better incentives for program beneficiaries, enrollees, and providers. The Executive Order further advances movement towards a modern health information system by directing, to the extent permitted by law, that "[a]s each agency implements, acquires, or upgrades health information technology systems used for the direct exchange of health information between agencies and with non-Federal entities, it shall utilize, where available, health information technology systems and products that meet recognized interoperability standards."
Safeguarding personal health information is essential to our national strategy for health IT. A strategy devoid of measures to ensure privacy and security would neither advance our interests nor those of the American people. HHS’s strategy recognizes the importance of collaboration with both the public and private sectors, including representation from consumers of health care services. Many of our activities rely on public input, recommendations from Federal advisory committees, and deliverables from contracts with a wide variety of health care and IT sector collaborators, among other sources. Nationwide health IT adoption can only be accomplished through the coordinated effort of many stakeholders, within both state and Federal governments and the private sector. HHS has taken great care to engage representatives of all these sectors in our many health IT initiatives – an effort that involves many processes and the work of thousands of participants.
Health Information Privacy and Security
The movement towards interoperable electronic health records will create both new challenges and new opportunities with respect to protecting the privacy and security of health information. When protecting Federal information, including personally identifiable information and health information, the Government already has a robust framework in place and numerous policies related to the privacy and security of information, including but not limited to: requirements set forth in the Federal Information Security Management Act (FISMA), the Privacy Act, Office of Management and Budget policies, and guidance and standards put forth by the National Institute of Standards and Technology (NIST). For example, under FISMA, government information (including health information and personally identifiable information) is required to be categorized and protected based on the level of risk associated with that information. Guidance documents and standards exist for agencies to follow - requiring minimum technical, operational, and management controls.
HHS has promulgated several rules that establish critical foundations of Federal confidentiality, privacy, and security protections for health information across the health care system, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the HIPAA Security Rule, and the Confidentiality of Alcohol and Drug Abuse Patient Records Regulation. Taken together, these Rules establish the foundational principles of, and form the context for, the comprehensive privacy and security approach HHS continues to take as part of our national health IT agenda. Furthermore, HHS believes the current HIPAA statute provides an appropriate amount of flexibility to protect health information exchanged by HIPAA covered entities in the health IT environment while allowing best practices to emerge. However, there are differences between Federal laws, State laws and business practices, which can provide additional challenges for the sharing of health information in a private and secure manner, an issue that is currently being examined.
The number, type, and sophistication of tools that protect electronic information are growing at an ever-increasing rate and provide the opportunity to offer health privacy protections beyond those in the paper environment. For example, implementation of role-based access controls and auditing, when implemented electronically, can limit access to a patient’s record to only those individuals who need the information for treatment. Audit trails can automatically record who viewed the health record and can be used after the fact to identify any unauthorized access, leading to improvements in training or, if warranted, corrective action.
HHS is very committed to privacy and security as it works toward the President’s goal of widespread interoperable electronic health records. Ultimately, the effective coordination of health IT activities will help create an environment in which the health status of the American public is improved while information remains private and secure.
Ensuring Privacy and Security Protections through Health IT
Protecting health information in an interoperable electronic environment requires a coordinated effort by all stakeholders. At HHS, we’ve leveraged existing foundations; created new public-private collaborations; and partnered with other federal departments, states, health care organizations, and consumers to continue this critical dialogue. Privacy and security policies must be coordinated and developed openly – with abundant public input – in order to ensure a high degree of trust. Many privacy and security frameworks are in existence, and we need to leverage the work that has been done as we apply these principles in the area of health IT. Further, this is both iterative and informed. Technological solutions are being advanced to support the confidentiality of patient data and to accommodate current and future policy decisions.
To that end, HHS has initiated several projects focusing on the development and harmonization of privacy and security standards. HHS directed the establishment of the Healthcare Information Technology Standards Panel (HITSP), which has focused on the harmonization of standards, including those related to privacy and security. ONC continues to work closely with the Certification Commission for Healthcare Information Technology (CCHIT) to develop certification criteria for electronic health records and networks. The Department has also been actively advancing the Nationwide Health Information Network (NHIN) Initiative, which will ensure consumers have an active role in determining the uses of their health information while supporting local and state policies.
We are working to achieve a balance between our technical capabilities to exchange health information and the privacy and security policies that protect it. Appropriate privacy and security policies must account for available technologies and anticipate technological improvements, without being outpaced by innovations developed for the NHIN and interoperable health IT. At the June 12, 2007, American Health Information Community meeting, I described the process HHS is undertaking to develop a privacy and security framework that will meet the expectations of health care consumers and foster the adoption of practices that promote trust in this new environment. One of our first steps will be to engage public and private entities, including the general public, to refine and build consensus around a set of privacy and security principles to protect individuals’ health information in an interoperable electronic environment applicable to both the public and private sectors.
HHS has invested significant resources and efforts in our nationwide strategy for protecting health information. Our national health IT agenda approaches privacy and security through a full suite of activities that both inform current work and prepare for future needs.
Privacy and Security Solutions for Interoperable Health Information Exchange
The Privacy and Security Solutions contract awarded to RTI International (RTI), co-managed by the Office of the National Coordinator for Health Information Technology (ONC) and the Agency for Healthcare Research and Quality (AHRQ), has fostered an environment for states and territories to: (1) assess variations in organization-level business policies and state laws that affect health information exchange; (2) identify and propose practical solutions, while preserving the privacy and security requirements in applicable Federal and state laws; and (3) develop detailed plans to implement solutions to identified privacy and security challenges. States and territories – through the participation of many volunteer stakeholders including physicians, pharmacists, consumers, health IT vendors, laboratories, attorneys, insurers, etc. – have focused their work on an analysis of eighteen health information exchange scenarios which expose challenges their state or territory may face in an electronic environment. The scenarios, which touch on issues such as treatment, payment, research, and bioterrorism, provided states and territories a framework within which to map their variations in business practices and policies to the nine supplied “domains” of privacy and security:
- user and entity authentication;
- authorization and access control;
- patient and provider identification;
- transmission security;
- information protection;
- information audits;
- administrative and physical safeguards;
- state law; and
- use and disclosure policy.
The 34 states and territories that are part of the Health Information Security and Privacy Collaboration (HISPC) under the Privacy and Security Solutions contract participated in ten regional meetings in the fall of 2006 and one nationwide meeting in March 2007, where they exchanged experiences with regional counterparts and discussed the appearance of common themes such as differing applications and interpretations of HIPAA regulations, state consent laws, and state variations in protections provided to sensitive information, such as HIV/AIDS information and mental health records. This summer, RTI will publish three reports that describe the variations in organization-level business policies and state laws which pose challenges to private and secure electronic health information exchange; state plans to implement solutions to address those challenges; and recommendations for the federal government to consider. Starting in July, the states and territories that are part of the HISPC will begin operationalizing their implementation plans as well as preparing collaboration strategies with all states and territories for regional and multi-state solution development.
State Alliance for E-Health
ONC contracted with the National Governors Association Center for Best Practices to create the State Alliance for e-Health (State Alliance). The State Alliance is an initiative designed to improve the nation's health care system through the formation of a collaborative body that brings together key state decision makers. This body, led by Governors and other high-level executives of states and U.S. territories, is charged with: (1) identifying, assessing and, through the formation of consensus solutions, mapping ways to resolve state-level health IT policy issues that affect multiple states and pose challenges to interoperable electronic health information exchange; (2) providing a forum in which states may collaborate so as to increase the efficiency and effectiveness of the health IT initiatives that they develop; and (3) focusing on privacy and security policy issues surrounding the use and disclosure of electronic health information. The Health Information Protection taskforce, one of three taskforces under the State Alliance, is responsible for examining privacy and security issues. With coordinated input from HISPC participants and testimony from experts in health privacy and security, this taskforce will recommend to the State Alliance policies for states and territories to adopt (and vehicles to facilitate adoption) that will encourage, where appropriate and without diminishing protections, uniformity in their health IT privacy and security practices.
Development of Best Practices for State HIE Initiatives
ONC has awarded a contract to the Foundation of Research and Education (FORE) of the American Health Information Management Association (AHIMA) to gather information from existing state-level Health Information Exchanges and define, through a consensus-based process, best practices, including privacy and security practices, that can be disseminated across a broad spectrum of health care and governmental organizations. FORE derived the information from health information exchange policies and other sources on governance, legal, financial and operational characteristics, and health information exchange policies. From their findings, they developed guiding principles and practical guidance for state-level health information exchanges. AHIMA also developed a workbook and final report to disseminate guiding principles, and recommendations on how to encourage conformance with best practices and coordination across state and federal initiatives.
American Health Information Community: Confidentiality, Privacy, and Security (CPS) Workgroup
In September 2005, the Secretary established the American Health Information Community (AHIC), a federally-chartered advisory committee made up of key leaders from the public and private sectors, charged with making recommendations to HHS on key health IT strategies. On the basis of a recommendation issued jointly by three of its workgroups (Chronic Care, Electronic Health Records, Consumer Empowerment), the AHIC created a workgroup in the summer of 2006 specifically focused on nationwide privacy and security issues raised by health IT activities and the findings of the other AHIC workgroups. Privacy and security are one of the most consistent threads between each of the workgroups and their breakthrough projects. The members for this Confidentiality, Privacy, and Security workgroup were carefully selected to assure that there was sufficient privacy and security expertise, sufficient consumer input, and representation of relevant health care stakeholders that may be affected by any recommendations developed. The workgroup’s first set of recommendations to the AHIC on patient identity proofing were advanced and accepted after deliberation by the AHIC on January 23, 2007, for recommendation to HHS. In the next phase of the NHIN Initiative, selected contractors will be required to meet privacy and security functional requirements and specifications derived from NCVHS and relevant AHIC recommendations (including the CPS recommendation above) as well as other health IT initiatives. Additionally, on June 12, 2007, the AHIC accepted a recommendation from the workgroup that expressed how and to whom privacy and security protections should apply in an electronic health information exchange environment. Its letter to the AHIC (available at http://www.hhs.gov/healthit/community/meetings/m20070612.html) describes in greater detail the work undertaken thus far and the workgroup’s next steps.
In addition, the ONC is currently working to ensure that the AHIC CPS workgroup works collaboratively with the National Committee for Vital and Health Statistics, to address the challenges posed by secondary uses of health information in an electronic environment including those related to non-HIPAA covered entities.
The Certification Commission for Healthcare Information Technology (CCHIT)
In September 2005, ONC directed CCHIT to advance the adoption of interoperability standards and reduce barriers to the adoption of interoperable health information technologies through the creation of an efficient, credible and sustainable product certification program. The CCHIT membership includes a broad array of private sector representatives, including physicians and other health care providers, payers and purchasers, health IT vendors, and consumers. An important part of CCHIT’s work is to set criteria for, and certify the security of, health information systems. The certification process CCHIT has developed promotes well-established, tested, security capabilities in health IT systems and helps make certification a major contributor to protecting the privacy and confidentiality of the data these systems manage.
CCHIT has set criteria for the certification of ambulatory EHR systems, including twenty-nine security criteria that EHRs had to meet to achieve certification in 2006. As of May 2007, CCHIT has certified over 80 ambulatory EHRs that meet these security criteria and several additional criteria for functionality and interoperability. As new privacy and security standards are harmonized, they will be incorporated into future versions of the certification criteria.
Healthcare Information Technology Standards Panel (HITSP)
Pursuant to a contract with ONC, the American National Standards Institute (ANSI) convened the HITSP in September 2005, to identify standards for use in enhancing the exchange of interoperable health data.
A part of the HITSP mission is to harmonize the standards necessary to allow for the protection of the privacy and security of health data. The panel guides the collaboration of its member organizations through a standards harmonization process that leverages the work and membership of multiple standards development organizations along with the expertise from the public and private sector. The panel engages in a consensus-based process to identify the most appropriate standards, to identify overlaps and gaps in standards where they are inadequate or unavailable, and to specify the use of those standards to advance interoperability.
On October 31, 2006, HITSP presented and the AHIC accepted and subsequently recommended to the Secretary, three “Interoperability Specifications” that include 30 consensus standards and over 800 pages of implementation guidance for recommendation to HHS. Recently, HITSP formalized the workgroup it created to focus on privacy and security by establishing a technical committee to identify, evaluate, and select standards for privacy and security to support the current suite of Interoperability Specifications and 2007 use cases.
Nationwide Health Information Network (NHIN)
In November 2005, ONC awarded contracts to four consortia to develop prototypes capable of demonstrating potential solutions for nationwide health information exchange. This initiative is foundational to the President's vision for the widespread adoption of secure, interoperable health records within 10 years. The NHIN’s vision is to become a “network of networks” where state and regional health information exchanges and other networks that provide health information services work together, through common architecture (services, standards and requirements), processes, and policies to securely exchange information. In particular the NHIN will: provide consumers with capabilities to help manage the flow of their information; allow health information to follow the consumer; provide critical information to clinicians at the point of care; and improve healthcare, population health, and prevention of illness and disease.
The first year of the NHIN initiative produced four prototype architectures and a number of architectural products that will be used in the second year of this initiative. A critical portion of the required NHIN prototype deliverables was the development of security models that directly address systems architecture needs for securing and maintaining the confidentiality of health data. The NHIN prototypes included the development of architecture that would provide consumers with the ability to manage disclosures of their electronic health information. Furthermore, each participant was required to comply with security requirements established by HHS and Federal laws, where applicable, to ensure proper and confidential handling of data and information. Each delivered important architecture capabilities that will be used in the next steps of the NHIN to address the complex issues of authentication, authorization, data access restrictions, auditing and logging, consumer controls of information access and other critical contributions.
This second year of the NHIN initiative will involve the demonstration of trial implementations in real-world healthcare environments while maximizing the use of existing infrastructure. The trial implementations will be functional across healthcare markets in the service area selected as well as with other participants in the NHIN cooperative and specialty networks involved in use case activities. Moreover, trial implementation sites will be required to demonstrate “core” services, including a suite of consumer services. These services will, in a demonstrable way, empower consumers with knowledge and choice. For certain interactions within a trial implementation, consumers will be given an increased role in determining the confidentiality, privacy, and security of their health information.
Health IT privacy and security policies and their associated technological solutions cannot be developed in a vacuum. A key component for assuring that appropriate privacy and security protections are in place is to assure that these efforts develop in tandem and that coordination is consistent throughout these efforts. This is the role of ONC. We have a conscientious, experienced, and passionate staff that works together closely on these activities and other privacy and security related activities throughout HHS and the other Departments and Agencies to ensure that health IT policy decisions and technology solutions are appropriately coordinated and addressed.
Protecting health information is of the utmost importance and essential to the success of interoperable electronic health information exchange. Proper policies that instill confidence and trust must evolve with technology advancements and vice versa. Not letting one get too far ahead of the other is a concern we share and are working hard to continue to manage. As a leader in this area HHS has invested in multiple coordinated initiatives to ensure health information will be protected as we enter this new era of health and care.
Mr. Chairman, thank you for the opportunity to submit testimony today.
Last revised: April 19, 2011