Impact Insights

How Healthcare Interoperability Affects Information Security

The evolution of healthcare interoperability includes the exchange of patient information across organizations, vendors, technologies, and geographical boundaries. In some national debates, interoperability is defined as the exchange of information between electronic health records (EHRs), providers, personal health records, public health agencies, health plans and organizations conducting clinical research. Interoperability may be viewed as an enabler for better patient care and outcomes.

In recent years, healthcare interoperability provisions have been incorporated into various federal regulations. The HITECH Act brought about the Meaningful Use Program, which encouraged the provider and vendor communities to work together on the development and adoption of electronic health records. The Office of the National Coordinator (ONC) continued to develop standards, strategies, and plans for advancing interoperability. Various state governments incorporated interoperability into Medicaid requirements, evaluated technology certifications, and filed antitrust actions against vendors. In addition, the Food and Drug Administration (FDA) published guidelines on device interoperability.

Most recently, the Trusted Exchange Framework (TEF) Draft 2, released on April 19, 2019, supports the 21st Century Cures Act's goal of advancing nationwide interoperability. The TEF and the Common Agreement are intended to ease the flow of Electronic Health Information (EHI), providing patients and providers with secure access to patient data. Further, the TEF and the Common Agreement would require entities to apply appropriate safeguards ensuring that EHI is exchanged in a safe and secure environment and only for appropriate purposes.

The TEF establishes a common set of principles designed to build trust between entities: standardization; transparency; cooperation and non-discrimination; privacy, security, and patient safety; access; and data-driven accountability. TEF Draft 2 notes that compliance with the HIPAA Privacy and Security Rules still applies to all covered entities and business associates. At the same time, the 21st Century Cures Act emphasizes the need to improve patients' access to all of their EHI.

Patients, providers, health plans, and networks may be unwilling to exchange data through the Common Agreement if non-HIPAA entities (e.g., various federal agencies or smartphone app developers) present privacy or security risks, since those entities are not otherwise obligated to abide by the HIPAA Rules. To meet the goals of the 21st Century Cures Act, the Common Agreement therefore requires non-HIPAA entities that elect to participate in exchange to be bound by the safeguards provisions of HIPAA. How this will be interpreted and enforced between HIPAA entities and non-HIPAA entities remains an open question.

As part of the Common Agreement, the Minimum Required Terms and Conditions (MRTCs) include provisions that address meaningful choice (use/disclosure), written privacy summaries, data integrity, identity proofing, access control, user authentication, breach notification, and auditing consistent with industry best practices. All entities exchanging EHI would need to evaluate their security program for the protection of Controlled Unclassified Information (CUI) and develop and implement an action plan to comply with the security requirements of NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations). EHI falls within a CUI category, and this publication provides the guidelines for protecting CUI. Entities that handle EHI are required to demonstrate the security controls and comply with the NIST SP 800-171 requirements regardless of whether they are Covered Entities, Business Associates, Participants, or Participant Members. ONC is currently requesting public comments on the MRTCs' privacy and security requirements; comments are due before June 17, 2019.

In summary, while healthcare interoperability may enable better patient care and outcomes, it is also changing the healthcare industry landscape, including the relationships between entities, the technologies in use, and the reasonable steps required to protect the confidentiality, integrity, and availability of EHI.