It has come up with useful recommendations, Blumenthal said, on the so-called “meaningful use” criteria by which physicians and hospitals can qualify for the subsidized purchase of electronic health-record systems under the stimulus law. Blumenthal also said the committee has provided helpful advice on data standards, and implementation specifications for the electronic sharing of healthcare information and guidance on appropriate regulations to govern the certification of EHR systems to standards under the stimulus law.
“Those will be out in a matter of months,” Blumenthal said. “Your work on those is done. That gives us the opportunity to look forward to a next set of tasks.”
There's much work ahead, Blumenthal said, and he ticked off a list of new tasks for the committee, including a rewrite of the national HIT framework. Blumenthal said his office is required under the stimulus law to update the nation's official IT plan released in 2008 by Robert Kolodner, his predecessor at ONC, under “different circumstances.”
Those differences include new tenants at the White House, the allocation by Congress of an estimated $34 billion for a health IT subsidy programs through the HITECH section of the stimulus law, and the inclusion in the law of a number of significant additions to federal healthcare informant privacy and security protections.
“Appropriately,” he said of the national HIT plan, “I think it needs to be revisited.”
But Blumenthal said two other priorities are most pressing.
One is to create an overarching national policy for health information privacy and security.
“The need became clear to me when we were talking about privacy and security,” at the prior HIT Policy Committee in September. Three privacy advocates gave testimony at that meeting.
“We realized,” Blumenthal said, the nation hadn't “had a set of principles that make sense. We have decided it would be helpful to have a privacy and security work group.”
According to a slide presentation Blumenthal used while making his remarks, the new work group will “create recommendations based on results of the September privacy hearing.” He said the new HIT Policy Committee's privacy and security work group will leverage the work of its counterpart privacy and security work group of the HIT Standards Committee, a second IT advisory panel created under the stimulus law, which is to provide recommendations to Blumenthal on technical matters.
The standards committee has a Nov. 19 hearing scheduled on security issues.
Blumenthal said his other time-sensitive, highest priority is for the HIT Policy Committee to take a fresh look at continued development of the proposed National Health Information Network, or NHIN.
In the past, he said, the NHIN “has been conceived as a network of networks. We are thinking about whether that model is exactly the right model.”
Blumenthal was unavailable for a follow-up interview to further explain who among more than a dozen witnesses at the Sept. 18 HIT Policy Committee convinced him of the need for fresh approach to privacy and security policy. Three of the witnesses that day were information technology privacy experts.
One was Robert Gellman, a Washington-based lawyer, and a former Capitol Hill staffer and a former member of the National Committee on Vital and Health Statistics who has written recently about medical identity theft. Gellman said he supports the new requirement in the stimulus law to provide a computerized accounting of disclosures of patient information for treatment, payment and other operations. But the law still leaves “a huge loophole” for healthcare worker snooping and medical identity theft by not similarly requiring a computerized accounting of users of medical records.
Another witness was Deborah Peel, an Austin, Texas, psychiatrist who founded the Patient Privacy Rights Foundation. Peel testified that patient control over the release of their health information is supported by the U.S. Constitution, many state constitutions and common law in all 50 states. Far from being a barrier to health information sharing, patient control over their information “is the easiest, cheapest and most efficient enabler of health information exchange” in that it “assures ‘data liquidity' by eliminating the need for expensive, complex and cumbersome agreements among stakeholders for HIE.”
A third privacy expert was Latanya Sweeney, a member of the HIT Policy Committee appointed to fill a slot reserved by statute for a privacy expert. Sweeney is a professor of computer science, technology and policy at Carnegie Mellon University and director of its Data Privacy Lab. Sweeney has a doctorate in computer science from the Massachusetts Institute of Technology and reportedly worked under contract to the Defense Department on developing privacy protections in national security surveillance scheme, according to news reports.
In her written testimony Sept. 18, Sweeney said, the best way to address most stakeholder concerns over privacy, usability, liability and accountability “is through technology design. Unfortunately, technology is usually deployed, and then afterwards, privacy and other stakeholder barriers emerge, leaving society in a ‘take it', ‘leave it', or ‘try to mend it' position. We can do better.”
“When technology developers consider privacy and stakeholder concerns throughout the design process, resulting technology promises to be ‘worry free' and, therefore, likely to enjoy user acceptance, societal adoption and organizational uptake,” she said. “But design should precede adoption of existing standards, practices and overarching principles. Otherwise, we risk igniting new stakeholder problems and exasperating old ones by applying existing approaches in a different context and on a different scale.”
Paul Tang, the chief medical information officer of the Palo Alto (Calif.) Medical Center, and co-chairman of the HIT Policy Committee, said, he was “influenced” by what Sweeney said at the privacy hearing. “We need to define what the architecture should look like.”
Blumenthal said the ONC has been “working intensively on NHIN options” and would like to present them to a work group and the full HIT Policy Committee. “I'm not enough of a techie to know whether that qualifies as architecture,” Blumenthal said, “but it looks pretty to me, so maybe we can call it architecture.”
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.