ONC's Savage outlines steps taken to address HIPAA in health IT

The Office of the National Coordinator for Health IT is taking action to better incorporate privacy and security into health technology, according to Lucia Savage, the agency's chief privacy officer.

Speaking Wednesday at a conference co-hosted by the Health and Human Services Department's Office for Civil Rights and the National Institute of Standards and Technology, Savage said that ONC has “an unusual role” in incorporating HIPAA into the health IT context. She provided updates on several agency initiatives focusing on safeguarding electronic patient information, including:

Support to the National Health Information Sharing and Analysis Center (NH-ISAC): ONC this month awarded a grant to NH-ISAC to improve cybersecurity threat education for healthcare stakeholders. The goal is to help engage smaller healthcare organizations in threat analysis and preparedness.

“This was part of the interoperability roadmap,” so ONC was “committed to get this across the line,” Savage said. “It’s like neighborhood watch and collaborating with the police department, but on cyberthreats. Identifying and sharing will help everyone improve.”

Open APIs: The 2015 edition of certified electronic health record technology requires open application programming interface (API) use effective Jan. 1, 2018. APIs will allow patients to use an app of their own choosing to obtain their health information and help in their own care. However, open APIs are a “new concept” for EHRs, Savage said. There also are security concerns, in large part because not all apps are the same, and patients are not regulated by HIPAA. She called upon app developers to “do the right thing” to create apps that provide protections and “develop trustworthy products,” noting that HIPAA at least “gives us a security floor.”

Blockchain technology: Blockchain technology is gaining steam, and ONC has called for white papers on its use in health IT. However, Savage said, blockchain is not perfect. It’s expensive, it may not be able to establish and interpret rules, it may be hard to correct an error once a block is created, and it can be subject to storage problems. Moreover, 70 percent of it is located in China, which is alleged to be behind the Office of Personnel Management hack, something Savage said makes her “nervous.” She recommended that entities using blockchain conduct a security risk analysis to determine the risks.