By Kelli Carpenter Fleming
There have been several recent governmental actions which highlight the balance between securing electronic patient information and the need for interoperability and appropriate exchange of such information. This article will summarize two of those recent actions.
ONC Proposed Rules
The Office of the National Coordinator for Health Information Technology (“ONC”) recently announced proposed rules, entitled “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing” (the “Proposed Rule”), designed to improve ONC’s Health IT Certification Program and increase interoperability. The Proposed Rule addresses four (4) key ONC priorities: building the digital foundation of health record information, making interoperability easier, promoting information sharing, and ensuring proper use of health IT tools.
Included in the Proposed Rule are proposals to implement the EHR Reporting Program as a new Condition of Certification for developers of certified health IT; to modify and expand exceptions within the information blocking regulations to support health information exchange; and to update and reformulate several certification criteria to support health IT functionality in a way that adequately and appropriately supports interoperability and the access and use of health IT. The Proposed Rule also includes new policies aimed at promoting greater trust in the predictive decision support interventions used in healthcare technology. The focus of the Proposed Rule is to enhance the movement of electronic health information in a safe and compliant manner and to improve transparency with regard to health IT.
With regard to the Proposed Rule, Micky Tripathi, PhD, national coordinator for health information technology, said, “In addition to fulfilling important statutory obligations of the 21st Century Cures Act, implementing these provisions is critical to advancing interoperability, promoting health equity, and supporting expansion of appropriate access, exchange, and use of electronic health information.”
The Proposed Rule was published on April 18, 2023 and will be open for public comment by interested parties for 60 days.
HHS Cybersecurity Task Force
On April 17, 2023, the HHS 405(d) Program announced the release of several resources designed to address cybersecurity concerns among healthcare providers and to secure electronic health information. These resources are beneficial tools for providers aiming to bolster cybersecurity efforts.
Knowledge on Demand offers free cybersecurity training on social engineering, ransomware, loss or theft of equipment and data, insider accidental or malicious data loss, and attacks against network connected medical devices. Providers looking to enhance employee training in these areas should consider utilizing Knowledge on Demand. All training should be documented.
Another resource, the Health Industry Cybersecurity Practices, was updated to include a discussion on the danger of social engineering attacks. These attacks are designed to trick employees into revealing information that can be used to infiltrate a system or network. The Health Industry Cybersecurity Practices include various cybersecurity guidelines, practices, methodologies, procedures and processes healthcare organizations can use to improve cybersecurity and better protect electronic health information.
Finally, the Hospital Cyber Resiliency Initiative Landscape Analysis provides an overview of how hospitals are or are not protecting themselves against certain cybersecurity threats, identifying best practices and areas of improvement. Every hospital should review this analysis to determine how well it is protecting its electronic information in comparison to industry peers.
Both of these recent initiatives support the government’s increased focus on the security and exchange of electronic health information.
Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Practice Group. Kelli may be reached at (205) 458-5429 or email@example.com.