Security standards potential 'showstopper' for health network

Agreeing on guidelines that meet private and public sector requirements will be difficult.

Health care providers must comply with federal information security requirements before agencies can participate fully in a national network to exchange electronic records, according to a government technology official.

Finding a security standard that meets government and industry requirements is among the biggest challenges facing the National Health Information Network, which allows federal agencies and private sector providers to share records, said Vish Sankaran, program director for federal health architecture at the Office of the National Coordinator of Health Information Technology. ONC, which is part of the Health and Human Services Department, is coordinating efforts to build the network.

Agencies are guided by the 2002 Federal Information Security Management Act, while health care providers must comply with standards set by the 1996 Health Insurance Portability and Accountability Act.

The government can't force private sector providers to implement standards developed for federal agencies, Sankaran noted: "What happens when records [are transferred] outside the federal agency's network? Is the health care provider that receives the records required to follow FISMA regulations? That's a showstopper at this point."

In December, the Social Security Administration announced that it will use NHIN to obtain records of applicants for disability benefits, making it the first agency to join the network. Because SSA will receive records, and not distribute them, FISMA compliance is not a factor. Examples of where the issue could emerge include transfers of veterans' medical records from the Defense or Veterans Affairs departments to private hospitals or medical practices.

"The health care industry in general doesn't pay any attention to FISMA," said Ali Pabrai, chief executive of Ecfirst.com, which offers regulatory compliance solutions and certifications in the area of information security. "It's not in their vocabulary. The private sector is used to working with multiple regulatory requirements so that is not as much of a problem, but what becomes critical is the need to adopt an [IT] framework that supports two significant regulations. That is the hurdle."

One alternative to placing the burden of compliance on providers would be to offer certifications to vendors that sell network applications to health care organizations. Organizations that handle government records then could invest in a FISMA-compliant software solution.

Officials with the nonprofit Certification Commission for Healthcare Information Technology have had a number of internal discussions about addressing FISMA, said John Morrissey, CCHIT spokesman.

"In general, what we want to do is be able to offer certification above and beyond the regular certification for electronic health record vendors that layers on the advanced security and advanced interoperability capabilities," he said. Certification should not be required, he added.

"If a vendor mainly sells to the small and mid-size physician practices for example, they shouldn't have to have all of the higher capabilities that would be required to meet FISMA," Morrissey said. "It would price them out of the market. We need to figure out a way to strike a balance between the core features and interoperability needed by the average physician practice out there, and the more sophisticated and advanced capabilities for those dealing with the federal government."