The noise and incessant murmur of website “glitches” reached a fever pitch during congressional hearings last week. While politics grabbed the headlines, HHS continued digging out from the federal government shutdown: News surfaced of an intra-agency collaboration between ONC and FDA on Unique Device Identifiers; legislation was introduced, representing the next step toward defining FDA’s role in regulating health IT; and NIST unveiled a draft version of a volunteer federal government cybersecurity framework, that is likely to have far-reaching implications for all sectors of the US economy. Welcome to the “glitches give me twitches” edition of the Washington Debrief, covering what CIOs need to know from the week that was Oct. 19-25, 2013.
FDA, ONC to Collaborate on Unique Device Identifiers; Officials Hope for Quick Integration with EHRs
Last week, FDA officials announced that an employee would be on detail within ONC to “ensure the right standards are in place to capture [Unique Device Identifier]” data and determine how to make the best use of the information. Resulting from passage of last year’s FDA Safety and Innovation Act, medical device manufactures will be required to include UDIs on all class three devices within a year; lower class devices will eventually be required to include similar information on devices. Jeffrey Shuren, director of FDA's device center, believes the intra-agency collaboration will “also allow the agency to engage more with the provider community.” He believes there is a good chance that UDI information will be integrated within EHRs faster than FDA Safety and Innovation Act dictates because providers have long-called for such data. He suggested that Stage 3 rulemaking presents a perfect opportunity to ensure a standardized approach to capturing and using UDIs. As part of the Health IT Policy Committee’s Request for Comment, it was suggested that providers capture UDI information for 80 percent of patients with implanted devices. Another way that Meaningful Use could be leveraged to hasten the integration of UDI data within EHRs is through patient educational requirements for Stage 2. Under Stage 2 final rules hospitals are required to provide patient-specific educational resources for more than 10 percent of all unique patients admitted.
What do you think? Is an 80 percent threshold for capturing UDIs a reasonable threshold? Do you think educational material on UDIs is a good way to meet Stage 2 requirements?
Feds Seek Input on Preliminary Cybersecurity Framework
The National Institute for Standards and Technology has released a draft cybersecurity framework to help organizations responsible for “critical infrastructure” services to manage cybersecurity risk. Critical infrastructure is defined in a presidential executive order (http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf) as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The same Executive Order, 13636 – Improving Critical Infrastructure Cybersecurity, called on NIST to develop a voluntary Cybersecurity Framework by February 2014 and this draft framework is meant to solicit stakeholder feedback. According to the Preliminary Cybersecurity Framework (http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf), NIST used existing standards, guidance, and best practices to achieve outcomes that can assist organizations in managing their cybersecurity risk. “Building off those standards, guidelines and best practices,” NIST says, “the Framework provides a common language and mechanism for organizations to: (1) describe their current cybersecurity posture; (2) describe their target state for cybersecurity; (3) identify and prioritize opportunities for improvement with the context of risk management; (4) asses progress toward the target state; and (5) foster communications among internal and external stakeholders.”
CHIME will be playing an active role with the American Hospital Association to assess government plans to bolster cybersecurity requirements in healthcare delivery and engage officials on how best to move forward. Please look for future opportunities to lend your information security expertise to shape this evolving and important area of policy.
Legislation & Politics
Bipartisan Bill Looks to Define FDA’s Role in Regulating Health IT
A bipartisan group of House members introduced legislation last week meant to define areas for which the Food and Drug Administration should have regulatory purview of health IT products. The bill would limit, or focus, FDA’s oversight to those mobile medical applications that change the physiology of a patient and that has little opportunity for human intervention. The Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act (http://blackburn.house.gov/UploadedFiles/BLACKB_044_xml.pdf) (HR 3303) was introduced by Rep. Marsha Blackburn (R-TN) and co-sponsored by a bipartisan group of House lawmakers, including Republicans Phil Gingrey (GA) and Greg Walden (OR) as well as Democrats Diana DeGette (CO) and G.K. Butterfield (NC). The SOFTWARE Act borrows largely from the conceptual framework developed by the Bipartisan Policy Center, which CHIME helped develop. Beyond instructing FDA to focus on that narrow segment of medical applications, it codifies language that would exempt clinical and health software from FDA regulation. The legislation (http://blackburn.house.gov/UploadedFiles/BLACKB_044_xml.pdf) defines clinical software as clinical decision support software or other software that captures, analyzes, changes or presents clinical data but that does not change the structure or the function of the body. Health software would be any software that is not medical software or clinical software but still captures clinical data and acts as a platform for secondary data, according to the bill.
CHIME will continue to be engaged on this subject as recommendations make their way into policy – either through legislation or regulation.\
Edited for HCI publication by Gabriel Perna