ONC's DeSalvo on Privacy, SecurityNew National Coordinator for Health IT Outlines Priorities
Privacy and security are vital components of all major projects that the Office of the National Coordinator for Health IT has under way, says Karen DeSalvo, M.D., who heads the office.
"We consider privacy and security an important part of the work that we do," says DeSalvo in an interview with Information Security Media Group (edited transcript below). "It's increasingly complex as we think through care models, mobile health, ehealth, telehealth and the broader issues of big data and how we make certain that people's health information is first and foremost there to improve their care wherever they are ... but, as they desire, is also available [for research] to help advance the health system and population health overall."
But she stresses that de-identified patient information should be made available for research only with patients' consent, and officials must "make certain patients understand the implications."
DeSalvo, who took on the job of national coordinator for health IT in January, also notes: "The way we are making decisions at ONC, we're building in processes that ensure we consider every aspect of the decision," including critical privacy and security issues.
In the interview, DeSalvo also discusses:
- Why ONC is revamping its advisory workgroups;
- Why attaining secure nationwide health information exchange within the next three years is an important focus at ONC;
- The most pressing security and privacy issues facing healthcare and healthcare IT.
Before joining ONC, DeSalvo was the New Orleans health commissioner and senior health policy adviser to Mayor Mitch Landrieu. During her tenure as health commissioner, DeSalvo led efforts to modernize the New Orleans healthcare system following Hurricane Katrina. DeSalvo also served as president of the Louisiana Health Care Quality Forum, which leads the state's HIE and regional extension center projects.
Key Privacy, Security Issues
MARIANNE KOBALSUK MCGEE: What do you see as the most pressing data privacy and security issues related to healthcare and healthcare IT?
KAREN DESALVO: The nation has seen great advancement in the structured capture of health information at the point of care, because of the dramatic increase in the adoption of electronic health records in a clinical environment by providers, like doctors, and other health professionals at hospitals. The success brings with it this increasing appreciation that we have to be certain we are doing all we can to consider the privacy and security issues, and desires, of the consumers whose data is being captured.
They have the complexity added too, in a positive way, just simply because of the consumer engagement element, that we are building in expectations that consumers have the opportunity to view and download and transmit their health information and that they also, over time, want to be able to share information that they collect about themselves into the electronic health record. It is a quickly moving and dynamic marketplace that consumers have a right in because they own their own data; it is our job to work with them to see that the privacy and security expectations are met.
HIT Policy Workgroups
MCGEE: What are the workgroups that advise the HIT policy committee and where do you see privacy and security policy issues fitting in?
DESALVO: So we have been working with the policy committee for the last few months on the strategic refocusing for that really important body that advises the ONC and HHS on the national HIT strategic agenda. This is a group that has done great work on a voluntary basis to ensure that this adoption phase and other work on the HITECH Act has been accelerating and moving forward. And as we all thought about the next five and 10 years, the policy committee was ready to think about doing some restructuring and leaning forward, as we say, to see that we can make certain we have folks to provide advice and guidance to us at HHS. This realignment and restructuring of the workgroups serves as a function of doing just that. We have an expectation that the kinds of groups that we've formed will be able to look ahead as much as possible, while also providing important advice for the decisions that we are, at ONC and HHS, making today. ...
I also want to share that as we were thinking through all of the workgroups, it's really clear that it's a very matrix function. I think privacy and security is a perfect example that it simply cannot make policy a technology decision without the usability, safety and interoperability care model that might include behavioral health without considering privacy and security issues. I lean a lot on our team inside of ONC and our partners outside to make certain that we're taking into consideration those issues as we are developing policy and technology going forward.
Focusing on Privacy
MCGEE: How might the changes that you are envisioning for ONC help to sharpen its focus on privacy and security issues?
DESALVO: We made an investment in the budget process last year to increase the size of the staffing in the privacy and security area. So if nothing else, I hope that's a clear signal that we consider this an important part of the work that we do. As I said, its increasingly complex as we think through advanced care models, mobile health, e-health, telehealth, and just the broader issues of big data ... how we make certain that people's health information is first and foremost there to improve their care wherever they are and to help them improve their own health; but as they desire, it also is available to help advance the health system and population health overall. But, let them do that only with their consent and make certain that they understand the implication. The marketplace is moving so quickly, and thinking about ways that we can take advantage of the digital health information that people are collecting on themselves or that are part of the health record to create a learning health system, we have to make certain that we're continuing to make the right infrastructure investment to ONC so that we can keep up. ...
We have wonderful partnerships with, for example, the White House and the Big Data Initiative. So this is an all-hands-on-deck effort, just in the same way we do in our other collaborative, technology and policy work. So it is important; it will remain important. I believe because of the demands of the marketplace and big data questions and consumer engagement desires that we will increasingly be thoughtful about it and paying attention. I will say structurally, the way that we're making decisions in ONC, we're also building in processes that ensure that we consider every aspect of the decision; but certainly privacy and security are at the table and part of making those decisions with that.
Big Data, Consumer Engagement
MCGEE: Why are big data and consumer engagement so important?
DESALVO: Well, I'll start with big data; the White House has an initiative that John Podesta is leading. There have been a series of conversations with the private sector about the challenges and opportunity, and we have been participating in those. There will be a report coming out around some of the next steps that the federal government believes we need to undertake to make sure we are supporting the American taxpayers and people of this country, but also that we're thinking through with our policy and regulatory levers that are going to keep data as private and secure. They've been rich conversations. Everyone seems clear that big data is being collected in all corners of our lives, and that increasingly patients are generating their own data on their own health. They want to make certain that it's acceptable to them in their decision-making about their own care, that it's there and available as they move across the care continuum. But consumers often say in surveys that if the information can be helpful to advance science, to improve quality and safety of care, as long as it protects their privacy and security in a way that they defined and they're not discriminated against, they're open to ways that it might be part of anonymized data, for example. It's a really quickly moving and high-energy space. You ask why it's a priority; it is for us, but it is certainly clear that it is for the community and consumers who see this real opportunity to begin to improve the health of the population if we do the right thing with the data.
Consumers also are taking advantage increasingly of technology that is available to them ... to input their own data, whether that's through texting or through websites. That information in a cloud is useful to them, but they would like to see that their healthcare team or other caregivers have that information available also. ... But it also comes with potential issues. And so, again, part of our responsibility is to think through what those are and make certain that we are considering ways that we can protect their privacy and security.
I might add one other dimension, which is, at HHS we have been working again with the community, thinking a lot about areas that are not part of the traditional meaningful use program, like behavioral health. I'm thinking of people who are in the behavioral health system, whether that's for mental health or substance abuse, and seeing that they have an opportunity to share their health information, when they want to, or it can be segmented appropriately. So we've been doing some work on areas like data segmentation. These are nuanced policy and technical issues that the privacy and security team is at the forefront of, and helping us think of ways that the country can get its healthcare and health needs met - but do so in a space that is sufficiently private and secure. Again, those are really priority issues for the country because there is demand from the consumer and patient, but there's also a need to make sure that we're providing the most comprehensive care for folks. That's not just a technology or policy issue straight out; it also has important product and security implications that we want to help solve.
Nationwide Health Exchange
MCGEE: Do you still think that nationwide health information exchange is attainable over the next three years?DESALVO: It is our goal. We would like to see that we are weaving together these pockets of data that are useful, only insomuch as they're available to the patient, caregiver, provider, hospital, and the doctor at the point of care. If you need the information to save their life, it's not helpful if it's stored someplace and not visible at that clinical encounter. As we look as a country at this national priority of reducing the cost of care, one of the top priority ways we can do that is through reducing redundancy and having health information available for the right decisions for providers and patients; the care environment can help reduce repeat tests, for example. There is a need to do it, whether it's to save lives or lower cost, and ultimately it's going to help us improve health because it will give us a window into ... how we can direct the resources we have to do a much better job of overall health. So it remains a top priority. We're working on this internally as an opportunity to conceptualize our framework. We are convening our federal partners, and we'll be working next with the policy and standards' committees, and then of course [trying] the best we can with everyone in the private sector to get a national agenda around all of the IT, but with interoperability as a top priority.
There's a report that ... ONC funded, and that brought actual points to some other opportunities and ways to advance the interoperability space. It calls for an even more aggressive timeline. The reason I point it out is, it speaks to the fact that from all corners we're hearing that there are stakeholders, doctors, patients and others who are ready for the information to be flowing more freely with them. And that is exciting, it's a challenge; we are moving ahead as quickly as we can to see that we can meet that challenge. ...