Testifying before the U.S. House of Representatives Subcommittee on Technology and Innovation on Sept. 30, National Coordinator for Health IT David Blumenthal, M.D., updated legislators on his office’s progress and stressed the need for greater interoperability between electronic health record (EHR) systems in Stages 2 and 3 of meaningful use.
Although the oral presentations and Q&A were limited in scope, the details in the written testimony put a spotlight on interoperability and security issues.
Blumenthal said his office would work on adopting new implementation specifications and achieving agreement on vocabularies and code sets for particular exchange purposes as well as comprehensive privacy and security capabilities for EHR technology. In his written testimony, Blumenthal noted that “in the initial set, we adopted several standards for the electronic exchange of health information, but we recognize that greater specificity is necessary to reach our goals.”
Blumenthal described the ongoing development of a “standards and interoperability framework” to help develop and maintain a set of standards that can be reused across different use cases, and allow for greater coordination among public and industry stakeholders.
In response to a question about how the framework would help prioritize which standards to work on first, Blumenthal said, “It’s a means to an end.” The priorities for developing standards come from the meaningful use framework, and ONC works backward from there on the capabilities that systems must have, he added.
Others testifying before the committee pointed out gaps in interoperability and privacy standards. In her written testimony, Joyce Sensmeier, RN, vice president for informatics for Health Information Management Systems Society (HIMSS), highlighted three areas of concern regarding standards selection in Stage 1 meaningful use. Sensmeier noted that identifying an accepted data transportation method would have a dramatic impact on preparedness for Stage 2.
“It is important to designate standards for documenting the content of clinical summaries, but if we don’t know how to transmit these summaries or acknowledge their receipt, we will have limited interoperability,” she wrote. “Until the recommended transport standards are identified, EHR vendors will be forced to support all available transport methods or risk developing software that may not meet future interoperability needs. This lack of guidance creates marketplace confusion and wastes existing resources, ultimately delaying progress.”
Sensmeier also expressed concern regarding the selection of multiple standards for the same criterion, such as selection of two clinical summary content standards: Continuity of Care Record (CCR) and the Continuity of Care Document (CCD). “It is our recommendation that only one standard is selected for each criterion in future stages of meaningful use,” she wrote.
She also recommended that to ensure optimal software development, testing, and safe implementation by providers, the final rules for meaningful use and certification criteria should be available 18 months before the next stage of meaningful use commences.
In her testimony, Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, noted that the privacy provisions enacted in the stimulus legislation are an important first step toward addressing the gaps in privacy protection. But she identified several issues that her organization argues are not covered or are inadequately covered by the changes in the American Recovery and Reinvestment Act (ARRA), including:
• Establishing baseline privacy and security legal protections for personal health records (PHRs);
• Ensuring appropriate limits on downstream uses of health information;
• Strengthening protections against re-identification of Health Insurance Portability and Accountability Act (HIPAA) de-identified data;
• Tightening restrictions on use of personal health information for marketing purposes;
• Strengthening accountability for implementing privacy and security protections and safeguards.
On that final point, McGraw cited a recent HIMSS survey of large health care organizations that found that only 47 percent conduct annual risk assessments (which are required under the HIPAA Security Rule), 58 percent have no security personnel, and 50 percent reported spending 3 percent or less of organizational resources on security.
“The prospect of storing and moving personal health data electronically in an environment where security is a low institutional priority should give us all pause,” McGraw noted.