In a development that should come as a welcome surprise to security watchers critical of U.S. federal information security efforts as too focused on compliance (at the expense of effectiveness), the Federal CIO Council announced last week that a new task force has been established (it held its first meeting on September 17) and begun work on new metrics for information security that will focus on outcomes. This effort is the latest development in a groundswell of activity both within Congress and parts of the executive branch to revise the requirements under the Federal Information Security Management Act (FISMA) to put less emphasis on compliance with federal security guidance, and more emphasis on results from implementing security controls. Legislation in various forms of development from both the House and the Senate would require a similar re-alignment of security measurement approaches, so the action by the CIO Council would seem to be partly in anticipation of such requirements being enacted in law. The collaborative group includes participants from several key agencies as well as the Information Security and Privacy Advisory Board (ISPAB). The schedule for the group appears quite ambitious: the task force is expected to have a draft set of metrics available for public comment by the end of November.
News this week that the personal records of as many as 70 million U.S. veterans were contained on a faulty hard drive sent by the National Archives and Records Administration (NARA) will once again serve to highlight disconnects between security and data privacy policy and practice. The public comments made by NARA officials concerning this incident also highlight some of the issues with current exceptions to data breach disclosure rules put in place by the federal government.
The security problem in this incident is that the media in question was not sanitized as it should have been according to federal and Defense Department policy. NARA had no intention of sending any data out of its custody; it merely wanted the hard drive repaired. NARA officials have defended their actions by saying that the return of hardware media such as disk drives is a routine process, and the fact that unencrypted personal data was on the drives doesn’t violate any rules. The situation was brought to light through the actions of an IT manager who reported it to NARA’s inspector general. NARA had not disclosed the loss of records to federal authorities (which it is required to do under federal regulations even if it believes no actual breach of personal information has occurred), and also chose not to notify veterans whose records might be affected. The manager who reported the breach and agency officials appear to differ markedly on whether the situation constitutes a breach: on the one hand the manager characterized the loss as “the single largest release of personally identifiable information by the government ever,” while the official position stated by the agency is “NARA does not believe that a breach of PII occurred, and therefore does not believe that notification is necessary or appropriate at this time.”
The position articulated by NARA calls to mind the “harm” provision in the personal health data breach notification regulations issued by HHS and the FTC that went into effect last week. In a change from the language in the HITECH Act that mandated the regulations, the final version of the HHS rules includes an exception to the breach notification requirement if the organization suffering the loss of data believes that no harm will be caused by the loss. (The FTC rules have no such exception.) The self-determination of harm and the incentive organizations would have to minimize the estimate of harm to avoid disclosing breaches has angered privacy advocates and seems likely to result in under-reporting of breaches. The difference between the common sense perspective and the official NARA position on this latest data loss is strong support for the argument that leaving the determination of significance about breaches up to the organization suffering the loss will result in individuals not being notified that their personal information may have been compromised.
The HITECH portion of the American Recovery and Reinvestment Act included lots of financial incentives for health care providers to adopt and “meaningfully” use health information technology such as electronic health record systems. It also directed the Office of the National Coordinator for Health IT within HHS to perform a variety of activities “consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information.” (P.L. 111-5, §3001(b)). What is not explicit in the HITECH Act is what funding, if any, should be specifically allocated to establishing or operating such an infrastructure. There seems to be an assumption that at some point one or more private sector organizations will either directly provide infrastructure services used for health information exchange or manage the information flow among health information exchange participants, either under contract on behalf of the federal government or on their own. However, to expect the private sector to step in and provide infrastructure services, even using the Internet, there needs to be a revenue source or other business opportunity to attract service providers. This is hardly an insightful observation, but the lack of attention to incentives for infrastructure, security, monitoring, and other necessary services seems destined to slow health IT adoption.
As noted last week by Dr. John Loonsk — currently chief medical officer for contractor CGI Federal but formerly a member of the management team within the Office of the National Coordinator responsible for developing the Nationwide Health Information Network (NHIN) — in the absence of federal-level coordination of infrastructure development efforts, and, Dr. Loonsk argues, stimulus funding dedicated to those efforts, health information exchange capabilities may be provided separately and incompatibly at regional or state levels, frustrating the widespread interoperability goals the NHIN is intended to achieve. If health IT will really produce anything like the cost savings so often projected, some portion of any savings to be realized could be allocated to paying health information exchange participants, on either a transactional or per-record basis. In theory the amount of money involved could be quite small and still provide the necessary financial incentive to potential service providers. In the early 1990s, when the U.S. automated teller networks first made their regional networks interoperable, each ATM transaction generated just 12 cents for the parties involved — 7¢ to the acquirer, 5¢ to the issuer — but that provided enough incentive to achieve widespread interoperability within a couple of years. Not insignificantly, the process of linking regional networks was greatly facilitated by the fact that virtually all of them were using the same technologies, including computing platforms and telecommunications protocols.
Having a financial incentive built into health information exchange could simultaneously foster greater adoption and help participating entities maintain compliance with various privacy and security requirements. If, for instance, the holder of a health record was entitled to a payment each time the record was accessed or information from it was sent to a requester, not only would record holders have an incentive to make the data available for exchange, but by logging each transaction in order to generate billing records, the record holder would also produce an accounting of disclosures as required under HIPAA.
To date, entities exchanging health information purportedly as part of the NHIN are not actually under any sort of monitoring or oversight by any NHIN governing authority, although the provision for such monitoring is included in the Data Use and Reciprocal Support Agreement that has been executed by MedVirginia, the Social Security Administration, and other early adopters of the NHIN technical solution components. Without such monitoring in place, the NHIN in “limited production” as it now stands is simply pairs of exchange partners using an agreed-upon messaging format to send information over the Internet between instances of gateway application software that can send and receive those messages. Without a set of services layered on top of that public infrastructure, there will be neither the framework within which new service providers can make their capabilities available nor any means to establish the sort of quality of service and other performance levels commonly associated with purpose-specific network infrastructure today.
The rules contained in the HITECH Act requiring HIPAA-covered entities, business associates, and non-covered entities that provide personal health records (PHR) to disclose breaches of personal health information go into effect on September 23. The draft rules were published as interim guidelines in April, and the final version of the disclosure rules was published by HHS last month, with a corresponding rule covering PHR breaches published by the FTC at the same time. The rules will greatly expand the scope of organizations subject to breach disclosure requirements, although HHS did include a provision in the rules that unauthorized disclosure is not considered a breach under the regulations unless it causes or has the potential to cause significant harm to individuals whose data is disclosed. This exception is troubling to privacy and consumer advocates because it introduces a measure of subjectivity into what seemed to be an objective requirement (the harm provision was not part of the language in the HITECH Act), and it raises the possibility that organizations who suffer disclosures will understate the risk in order to avoid having to comply with the rules.
The rules still apply only to unsecured data — in HITECH legalese that means data that is not rendered “unreadable, unusable, or indecipherable” — so tomorrow also serves as an unofficial deadline by which organizations holding personal health information should implement encryption for their data at rest as well as data in transit. It remains to be seen whether major PHR vendors like Google Health and Microsoft HealthVault will add record encryption to the set of security and privacy protection measures they already have in place.
Word coming out of the Health IT Standards Committee last week is that the panel has approved a framework for the transmission of patient data from providers to federal government agencies such as the Centers for Medicare and Medicaid Services. The proposal came out of a progress report from the committee’s Clinical Quality Workgroup presented on September 15. The process for gathering and reporting the quality measures (as shown in the image at right) involves the use of two intermediaries between sender and receiver: the first would be a health information exchange or other data collection and aggregation service provider, while the second would be responsible for processing and reporting quality data from the health records being transmitted.
While the usual emphasis in this space is on security and privacy issues (several of which are relevant to a multi-entity transaction flow such as this one), just as noteworthy for this proposal is the possibility that it represents a business opportunity for participation in health information exchange efforts. One of the big unanswered questions in the health IT debate is what incentive private-sector players will have to facilitate, enable, or provide health information exchange services. To date, no one has proposed any sort of revenue generation model whereby service providers or data owners might be paid on either a per-transaction or per-record basis for responding to health data requests, yet the overall success of health information exchange depends on high levels of participation. The incentives included in the Recovery Act are designed to offset the costs of acquiring and implementing electronic health record systems, and are therefore targeted at health care providers. What is less clear is how health information exchanges, such as the ones envisioned to link large numbers of providers together using the NHIN or other infrastructure, will be compensated for their services. Some of the key technical roles being proposed for health information exchange seem to present a need for service providers to fulfill the roles. The health data quality intermediary featured in the HITSC proposal is one such opportunity; others might include local or regional health information exchange operators that offer connectivity to health IT infrastructure, software-as-a-service or cloud-based EHR solutions offering access to small physician practices or other health care providers unwilling to implement their own local EHR systems, and credential issuers (in the form of security token services) that would provide identification and authentication claims to data requesters in a federated authentication model.