In response to his own rhetorical question whether the ONC was using an information exchange development model created by the Justice Department and the Homeland Security Department to create “a Trojan horse” to funnel patient data to the Justice Department, CIA and National Security Agency, among others, Blumenthal answered “absolutely no.”
Blumenthal did not specify the blog, or blogs, where the allegations were made, but a search on “government control” and the “NHIN” turned up the PPG Gazette, which included a call for readers to protest to the CMS during the public comment period for the proposed rule over the federal EHR subsidy program.
Blumenthal's remarks came after a lengthy presentation by ONC staffer Doug Fridsma on the development of NHIN Direct, an ONC open-development project aimed at providing a lighter-weight set of clinical messaging standards and protocols than the proposed national health information network, which heretofore has been a major focus of ONC efforts to promote interoperability of clinical information systems.
But Fridsma also made a presentation on using the National Information Exchange Model in guiding ONC-promoted interoperability work, and, according to Blumenthal, there has been “some speculation about whether NIEM is some kind of Trojan horse for government control over health information” and whether that “might make it inevitable” that data is transmittable “to the Department of Justice, the Department of Homeland Security, the CIA, the NSA—I don't know where else.”
The ONC would not make Blumenthal available to explain his remarks.
Fridsma, who was interviewed for this story, said the NIEM, in addition to being a framework for the development of information exchanges, also describes a process for developing exchanges, a method to achieve consensus, which could be used by healthcare industry data-exchange participants for the selection of tasks, or “use cases,” and for standards harmonization and the development of implementation specifications around those use cases.
Fridsma said in the interview it was the organizational development and process aspects of the NIEM, not the technological framework, that ONC plans to test-drive in developing NHIN Direct.
“It's a process based on good governance,” he said. “It's a good way to take user needs and translate them into things that can be used for information exchange.”
Privacy concerns about anything in healthcare coming proximately close to the NIEM, however, are not conjured up out of the vapors.
To start, the public is already way past skittish about government involvement in healthcare information technology, according to a very recent public opinion survey. The survey results indicate Blumenthal was speaking last week into a gale force headwind of public skepticism about government activities, particularly in healthcare IT.
The Ponemon Institute, Traverse City, Mich., in February produced a 13-page report based on a telephone survey of 883 adults that found that 75% of respondents feel that maintaining the privacy of their healthcare records was either important or very important, and that 67% indicated that it was either important or very important not to share their records without their consent.
Meanwhile, when asked, “Whom do you trust to protect the privacy of your health records?” just 23% answered “strongly agree” or “agree” when offered the choice of the federal government, specifically including HHS. On the other hand, 71% of respondents gave healthcare providers the thumbs up, strongly agreeing or agreeing to the same question.
In fact, for many of the trust issues the government faces—including those by HHS—the government only has itself to blame.
Back in 2001, the Defense Department embarked on setting up a massive, multimillion-dollar data surveillance network called Total Information Awareness that included medical records among its intended feedstock of information, according to the government's own records. Since then, the government's operation of a warrantless, domestic wiretapping program has become common knowledge.
More recently, the Justice and Homeland Security departments have promoted the development of state and local “fusion centers” to gather data from diverse sources, including records kept by the government and private sector firms, such as credit card companies, but also healthcare organizations. The NIEM framework is being used in the development of fusion centers, according to the not-for-profit privacy rights group, the Electronic Privacy Information Center.
Since their initial rollout in 2004 and 2005, fusion centers have expanded their scope beyond national security to include drug and other law enforcement capabilities. According to a 104-page set of Justice Department guidelines, “Collaboration and integration are key to the success of fusion centers” and “Individual fusion centers should identify the crucial entities within their particular jurisdiction to incorporate into the center.”
Like TIA, fusion centers are designed to provide information for proactive, and not merely reactive responses, according to the guidelines, which suggest that “the fusion process supports the implementation of risk-based, information-driven prevention” as well as “response, and consequence-management programs.”
According to the guidelines, HHS is on a list of “various entities that fusion centers should consider for integration” as well as hospitals, primary-care physicians, health departments, mental health facilities and emergency medical services providers.
Primary-care physicians, for example, "can provide information regarding suspicious injuries and diseases and biographical information," according to the guidelines.
Going back to the days of the previous administration, HHS was repeatedly dinged by the watchdog General Accountability Office for not coming up with a comprehensive privacy policy, and finally settling on an official definition of privacy that said patients had an “interest” in protecting their healthcare information, but not a “right” to control its dissemination as an advisory panel had recommended.
Under President Barack Obama, the ONC continues to promote healthcare IT, but it took a full year to name a chief privacy officer, waiting until the last day of leeway under the law that created the position. Meanwhile, the ONC has met multiple deadlines for health IT rulemaking and launched an array of programs under the American Recovery and Reinvestment Act of 2009, and it has done so at times without full regard to the public's right to be informed of what it was doing, hosting a series of closed-door meetings.
Even last week, in speaking to the Health IT Standards Committee on NHIN Direct, Fridsma announced that work had been ongoing on NHIN Direct for about three weeks, and that the project held its kickoff meeting March 23. But Fridsma said during his slide presentation that “I've eliminated the actual names of the people that are participating. I'm not sure that we're ready to share all of those things, although I think if you go to the blog you can figure out who's there.”
Without specifically identifying the participants—and the group's blog, NHIN Direct.org (http://blog.nhindirect.org/), did not identify the participants or their companies—Fridsma said the NHIN Direct group has “two PHR vendors, seven EHR vendors, five HIE technology companies, six state and regional HIOs, two integrated delivery networks, two consulting firms, one national network for exchange and four federal partners.”
To his credit, in addition to his pledge last week, Blumenthal has recognized publicly that work needs to be done on the privacy policy development gap. He also called for the creation of privacy and security work groups for his Health IT Policy and Health IT Standards committees.