ONC reveals new HIE privacy and security requirements

The Office of the National Coordinator for Health IT (ONC) has released new requirements and guidance for health information exchanges operating in the State Health Information Exchange Cooperative Agreement Program, according to Joy Pritts, chief privacy officer for ONC, speaking at the 20th National HIPAA Summit in Washington, D.C. this week.

The Program is an ONC-funded initiative to provide for the secure exchange of health information within and across states lines, and an essential part of using electronic health records in a meaningful way to qualify for the EHR incentive programs, according to ONC. The requirements and guidance, sent March 22 to the 56 states and territories participating in the program, provides additional direction to keep the information protected.

Several key provisions of the requirements, according to Pritts, include:

  • Patients need to have access to their records in the HIEs to make corrections and resolve disputes regarding the accuracy of their health information. "If a provider can go to one place to get your complete medical record, why can't you?" said.
  • Individuals should have "meaningful choice" when an HIE stores, assembles or aggregates data, whether their health information may be exchanged through the HIE.
  • Individuals should have choice as to which providers can access their information.
  • Providers requesting or accessing health information by electronic means for treatment should have, or be in the process of establishing, a treatment relationship with the patient who is the subject of the requested information.

"'Don't surprise the patient' is a mantra we took to heart," said Deven McGraw, co-chair of ONC's Tiger Team, also speaking at the conference. The Tiger Team advises ONC on privacy, security and other health IT issues; many of its recommendations were included in the new requirements.

"Trust was the bottom line," McGraw said. "What will make people feel comfortable with HIEs?"

To learn more:
- here's the new program guidance (.pdf)
- check out this Health Info Security article

Suggested Articles

Roche, which already owned a 12.6% stake in Flatiron Health, has agreed to buy the health IT company for $1.9 billion.

Allscripts managed to acquire two EHR platforms for just $50 million by selling off a portion of McKesson's portfolio for as much as $235 million.

Artificial intelligence could help physicians predict a patient's risk of developing a deadly infection.