Health info security laws a hurdle to health Internet

By Mary Mosquera
Friday, November 06, 2009

Federal agencies hope to use the government’s Connect software to share health information with private healthcare providers, but current information security and privacy laws significantly block their way, government health IT executives said yesterday.

Two key laws – the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA) – are a particularly steep hurdle to electronic record sharing among federal agencies and private sector providers, they said.

The combined technical requirements of the laws mean organizations must often take more than 200 steps – from doing risk assessments to setting up access controls – to assure their information and systems are safeguarded.

“And that is not a scalable model for the country,” said Vish Sankaran, program director of the Federal Health Architecture office, which is managing the Connect project. He made his remarks at a forum hosted Nov. 5 by market research firm Input Inc.

“A small practitioner’s office would not have the infrastructure to manage all the security controls,” Sankaran added. “And we can’t have the government having to check that all these systems are compliant.”

Under HIPAA, healthcare providers and plans must protect patient information. And under FISMA, federal agencies must safeguard, monitor and document that their networks and systems are secure.

Federal agencies would like to exchange health information with private providers, Sankaran said. For instance, many veterans and military service members seek treatment from private providers, and their federal health programs want to receive updated information about patient medications and tests.

However, as the situation stands, the federal government would require private organizations that receive federally held personal information to meet FISMA conditions, he said.

The Connect software enables healthcare organizations to exchange information using standards designed for the nationwide health information network (NHIN), including privacy and security features.

The Social Security Administration crafted an approach using Connect to start exchanging information securely with MedVirginia, a central Virginia health information exchange, said Jim Borland, the agency’s health IT advisor. SSA electronically exchanges medical data of disability applicants to speed up processing.

SSA does not provide healthcare, so HIPAA regulations do not apply.

“But we needed to have reasonable assurance that the controls in Connect from the (Nationwide Health Information Network) specifications were sufficient enough for us to meet FISMA requirements,” Borland said. SSA certified the application as FISMA compliant.

SSA takes additional steps to reduce risk when the data is in transit, Borland said. First, SSA sends a query to MedVirginia with demographic information to match a patient. Once a match is made, SSA uses a substitute data key so that no further demographic information about the patient needs to be transmitted.

“The health data is being transmitted with the substitute key so that in the unlikely event it were ever intercepted it would not be associated with a particular individual,” he said.
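The two-phase pattern Borland describes (a demographic query that yields an opaque substitute key, after which only that key travels with the health data) can be illustrated in code. This is an added example and not SSA's or MedVirginia's implementation; the registry entries, the `Exchange` class and the field names are constructed for the illustration.

```python
import json
import secrets

# Constructed sample patient index standing in for the exchange's registry.
REGISTRY = [
    {"name": "Jane Doe", "dob": "1970-04-12", "zip": "23220",
     "records": [{"date": "2009-10-01", "test": "HbA1c", "value": "7.1"}]},
    {"name": "John Roe", "dob": "1965-09-30", "zip": "23221",
     "records": [{"date": "2009-09-15", "medication": "lisinopril"}]},
]

# Identifying fields that appear only in the phase-1 matching query.
DEMOGRAPHIC_FIELDS = ("name", "dob", "zip")


class Exchange:
    """Responder side. The key->patient mapping stays here and is never transmitted."""

    def __init__(self, registry):
        self.registry = registry
        self._keys = {}  # substitute key -> index into registry

    def match(self, query):
        """Phase 1: demographic query; returns an opaque substitute key or None."""
        for i, patient in enumerate(self.registry):
            if all(patient[f] == query.get(f) for f in DEMOGRAPHIC_FIELDS):
                key = secrets.token_hex(16)  # unguessable, issued per match
                self._keys[key] = i
                return key
        return None

    def records_for(self, key):
        """Phase 2: health data keyed only by the substitute key, no demographics."""
        i = self._keys.get(key)
        if i is None:
            raise KeyError("unknown substitute key")
        return {"key": key, "records": self.registry[i]["records"]}


def contains_demographics(message):
    """Requester-side check: does a message, as serialized on the wire, carry identifying fields?"""
    wire = json.dumps(message)
    return any(f'"{f}"' in wire for f in DEMOGRAPHIC_FIELDS)


if __name__ == "__main__":
    exchange = Exchange(REGISTRY)
    query = {"name": "Jane Doe", "dob": "1970-04-12", "zip": "23220"}
    key = exchange.match(query)
    payload = exchange.records_for(key)
    print("query carries demographics:", contains_demographics(query))
    print("health payload carries demographics:", contains_demographics(payload))
```

An interceptor of the phase-2 payload sees only the random token and clinical values; linking them to a person requires the mapping held by the exchange.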

Sankaran said one of the underlying questions about privacy and security is who owns the data. For example, if the Defense Department sends health information from its AHLTA clinical record system to a patient’s third-party personal health record, like GoogleHealth or Microsoft HealthVault, it is not clear who owns that data, he said.

“If it’s the federal government’s data, there is a further obligation [under FISMA] for the entity receiving it,” he said. “If the patient owns it, and the patient authorized DOD to move the information into the private sector system, then the receiving entity will have the right security controls in place.”
