Regardless of where you sit in the healthcare industryprovider, health plan, pharmacy, pharmacy benefit manager, manufacturer, employer or consumerthe advent of health information technology is changing the way the industry does business. Indeed, as the rhetoric increases and the momentum builds for widespread IT utilization, the question is no longer whether health information will eventually be created, stored and communicated completely by electronic means. It will. Rather, the question of concern is: How will we ensure the security of health information? And how do we do it in a way that doesnt burden the industry with unnecessary costs and complexities?
A lets hope for the best approach simply will not work and doesnt sit well with us and others in the industry. The amount of electronic personal health information that is created, stored and exchanged is growing in all segments of healthcare. Organizations in the industry, including employers, have been dealing with the challenges of ensuring they are acting prudently, efficiently and in compliance with various regulations with regard to personal health information. From the cacophony of standards, practices and guidelines, each organization has established its own unique policies and processes without the benefit of collaboration, creating little consistency and leaving efficiencies unrealized. Indeed, if we continue to go at security in our own ways, we will move further from, rather than closer to, appropriately protecting sensitive health information and garnering the necessary efficiencies and benefits. That is simply not an option.
Add to this an increase in the number of organizations imposing proprietary security requirements on their trading partners, and the complexity becomes even more apparent. While efforts have focused on certifying specific technologies, developing technical standards, and working on various components of privacy, there has not been progress on providing an overall framework to which healthcare organizations can adhere relating to information protection.
That is why we and many others have broken long-standing barriers and agreed to work together with industry representatives with whom we dont always see eye to eye on the protection of personal health information. The Health Information Trust Alliance (HITrust), a health information security organization, is spearheading this effort and is bringing together industry leaders who will shape the direction and establish such a common security framework.
We on the executive council of HITrust recognize that health and biomedical information technology holds the promise for quality improvement and cost containment, and we believe that this proposition is universally appealing, regardless of your role in the industry. We also know that we will not achieve the full potential of IT if we do not first establish widespread confidence in the security of electronic information, and that is why we are working to create a common security framework that can be used by all types of organizations that access, create, store or exchange personal health information. This means that there would be one set of measures and mechanisms in place that we all could recognize, adopt, support and be measured against both internally and externally. The benefits are huge: less complexity, more efficiency, easier communications and, of course, better security protection for patients and those who rely on the healthcare industry.
It is important to note that although privacy advocates and the general public often use the phrases information privacy and information security interchangeably, they are, in fact, very different. Health information privacy is about an individuals right to have his or her personal information be kept confidential. This right is defined in federal and state law and regulation. Information security, on the other hand, is the means and the mechanisms to protect privacy. While the right to privacy is relatively constant, information security must be capable of quickly adapting to changes in technology, to changes in business practices and, equally as important, to constantly changing threats. In other words, while government sets privacy standards, it is the private sectorthe primary handler of personal health informationthat is best equipped to establish the most effective means of protecting that privacy.
Throughout 2008, HITrust and its executive council members are bringing together a representative group of healthcare stakeholders across all segments of the industry to collaboratively develop this common security framework that will provide the industry with an actionable set of standardized practices. Through a series of facilitated sessions and working groups, we will create a comprehensive framework that leverages existing industry standards and best practices whenever possible, and will also be flexible to adjust to an evolving security environment and scale according to type, size and complexity of the organizations that are part of the health information supply chain. The framework will also establish uniform criteria against which organizations can measure their own security and related privacy functions, as well as provide a means for measurement by trading partners and others.
We have a seat at the HITrust table for our companies because we know that this is a unique chance to lead our industry in this important initiative. We look forward to working with other industry leaders in addressing the issues at hand and safeguarding our future.