Perhaps the most critical advantage the health IT industry has is that when it comes to the digitization of patient records, everyone is onboard. But just because it’s a bipartisan issues, it doesn’t mean any of it has come easy, particularly the interoperability piece.
That’s where ONC comes in. As part of the 21st Century Cures Act, ONC is charged with developing a framework to address the issues that are hindering the flow of data, all while ensuring data is secure. As Chief Privacy Officer, Kathryn Marchesini is front and center in that effort. In this interview, she discusses ONC’s key priorities, and how they work to obtain and incorporate feedback from all types of stakeholders. Marchesini also talks about how she has benefited from her experience as a technology consult, and the importance of having dedicated IT security leaders.
- ONC’s goal “inspire confidence and trust in health IT”
- Being the “voice of privacy & security”
- Soliciting feedback through multiple platforms
- “Everyone has a different perspective and a different experience.”
- Trusted Exchange Framework to “focus on areas where the industry couldn’t agree.”
- Wading through 200-plus comments
- Defining exceptions for data blocking
LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED
It’s about making sure there’s support for accessing, sharing, and using electronic health information from a multitude of sources, for a variety of purposes, while ensuring a coordinated approach to privacy and security.
ONC is very public-facing; to the extent that a particular group is interested in meeting with them, ONC is always willing to hear from various stakeholders, including healthcare providers.
At a very high level, the Trusted Exchange Framework was developed to help address interoperability in the 75 percent of states where information does not freely flow where and when it’s needed most by the patients and their providers.
What Congress has asked ONC to do is define the exceptions for what information blocking is, when it’s okay for information not to be shared for a particular purpose, or if there’s an existing law that requires an organization to meet some conditions before information is shared.
Gamble: Hi Kathryn, thanks so much for taking some time to speak with healthsystemCIO.com.
Marchesini: Happy to, Kate. Thanks again for having me.
Gamble: Sure. To start off, can you give a high-level overview of your role as chief privacy officer?
Marchesini: Much of what I focus on deals with looking at privacy and security issues at the intersection of accessing, using, maintaining, and sharing electronic health information, particularly those issues that are germane to health IT and emerging technology as it’s being developed and implemented. It’s also making sure electronic health information is securely available through the healthcare infrastructure to improve the health and care of all Americans in their communities, as well as in support of the HHS Department’s mission to enhance and protect the health and well-being of all Americans.
I’m also working to encourage ONC to continue inspiring confidence and trust in health IT and electronic health information exchange as the healthcare infrastructure evolves. In a way, I serve as a constant voice of privacy and security in helping make sure that as ONC is making policy and technical decisions impacting the privacy and security of health information — particularly as they relate to supporting the relevant statutory activities outlined in the 21st Century Cures Act to help modernize and personalize healthcare — that we continue improving individuals’ access to their electronic health information. It’s also about encouraging greater innovation, supporting research, and streamlining the overall health system.
Lastly, as part of my role, I coordinate closely with the HHS Office for Civil Rights which is the federal entity in charge of administering and enforcing the HIPAA rules, as well as other divisions of HHS, federal partners, and industry efforts that are working to modernize the health IT infrastructure. It’s about making sure there’s support for accessing, sharing, and using electronic health information from a multitude of sources, for a variety of purposes, while ensuring a coordinated approach to privacy and security, particularly as it relates to identifiable electronic health information. We also need to make sure we’re working to address areas of stakeholder uncertainty and perceived barriers to digital health, as well as working to enhance the nation’s health IT infrastructure.
Gamble: So just a few little tasks on your plate.
Marchesini: Just a few.
Gamble: When you talk about working with ONC and to be that voice of privacy and security, who are some of the people that you communicate with on the provider side or how do you get to really understand what they’re working on and what’s most important to them?
Marchesini: As part of the 21st Century Cures Act, ONC had some initial conversations and listening sessions with various stakeholders including healthcare providers and industry groups that represent them. ONC is very public-facing; to the extent that a particular group is interested in meeting with them, ONC is always willing to hear from various stakeholders, including healthcare providers. In addition, ONC has a health IT feedback form that is available on HealthIT.gov. Oftentimes, individual groups, healthcare providers, developers, patients, consumers, as well as advocacy organizations reach out through using that mechanism, particularly around issues they may be facing related information blocking and other issues.
Lastly, ONC has a federal advisory committee, HITAC (Health Information Technology Advisory Committee). It’s a public conversation group that is made up of healthcare providers, consumer and patient advocates, and other members of the industry. So when there are particular issues that ONC is interested in hearing about, those conversations are happening in a public forum. And if they’re interested in learning more, that information is available as well on HealthIT.gov, which includes an area about the FACA organization.
Gamble: That’s really important to bring in advocates, vendors, and consumers, because you want to get all of those viewpoints.
Marchesini: Absolutely. Everyone has a different perspective and a different experience.
Gamble: Right. Now, a few months ago, ONC released a draft of the Trusted Exchange Framework. Can you talk about that, and what it aims to do?
Marchesini: I’m happy to. Through the 21st Century Cures Act, Congress asked ONC to develop a Trusted Exchange Framework (TEF) to address issues with the interoperable flow of health information across disparate networks and alignment and gaps related to enabling Trusted Exchange nationally. In the draft framework that was released earlier, ONC is attempting to create a single on-ramp to interoperability for all, including proposing baseline privacy and security practices in place for organizations that share electronic health information.
ONC tried to identify and focus on areas where the industry could not agree, or there was a need for ONC to make a decision. Through the Draft TEF, ONC asked the health IT community, as well as stakeholders, what they think about the components of the draft. And as part of TEF, ONC gathered industry feedback, as well as through the public comment period.
ONC is now reviewing the more than 200 comments that were received. Some of the concerns that were raised included whether there would be enough interest in organizations to become qualified health information networks, what the role of existing regional health information networks would be, and the establishment of the vision ONC has outlined regarding a regional coordinated entity (RCE).
We received comments from a number of existing regional HIEs that expressed their support of the Draft Trusted Exchange Framework. From what we’ve been able to see, they felt that the proposal could enhance their current business and even expand their efforts to include community and social services, as well as behavioral health. With that, we understand there are some difficulties required in meeting the infrastructure needs to scale interoperability for the entire nation, but we expect that many will meet that challenge. Overall, at a very high level, the Draft TEF was developed to help address interoperability in the 75 percent of states where information does not freely flow where and when it’s needed most by the patients and their providers.
Gamble: One of the issues that often comes up — and you alluded to it before — is data blocking, which has really become a divisive issue in the industry. I imagine it’s really challenging to try to create a rule that defines it.
Marchesini: There is a lot that ONC is trying to focus on, but the 21st Century Cures Act actually defines what information blocking is. It’s broadly defined as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information, and if that practice is known by a developer, an exchange, a network, a provider.
As part of the rule-making activity, Congress did define what information blocking is, but what Congress has asked ONC to do through its rule-making activities is define the exceptions for what information blocking is, when it’s okay for information not to be shared for a particular purpose, or if there’s an existing law that requires an organization to meet some conditions before information is shared.
A lot of our work has been informed by ONC’s previous reports to Congress on information blocking, the public gathering I mentioned earlier, the health IT feedback form on ONC’s website, and comments that ONC’s staff hears directly when meeting with clinicians and other providers, as well as through coordinating with the Trusted Exchange Framework activities. And so I would say, stay tuned for when the proposed regulation about the exceptions to information blocking is released later this year.
Gamble: Right. Another thing I wanted to address about the Trusted Exchange Framework is the proposal that breaches are reported within 15 days. There are some who believe that’s too difficult, especially for large, complex systems. How do you think those concerns will be addressed?
Marchesini: That’s a great question. What I can share is that ONC did ask the health IT community and stakeholders to tell us what they think about the components of the Draft Trusted Exchange Framework, and this included solicitation input from the public. We’re just now beginning to review the public comments and ONC is also sharing comments related to privacy and security. In this case, breach notification would fall under that with the HHS Office for Civil Rights. We’re working closely with them as well as our federal partners as we draft and release the final Trusted Exchange Framework.
Gamble: I’m sure it’s very complex, because there are so many different factors that go into this.
Marchesini: Right. And in this area, as well as other areas, we’re aware that there are state law requirements relating to breach notification as well. There’s a lot of interest in this area.