CCHIT questions governance, security of NwHIN
The Certification Commission for Health IT (CCHIT) focused its comments this week on the request for information (RFI) on governance and security of the Nationwide Health Information Network (NwHIN), published in the Federal Register by the Office of the National Coordinator for Health IT (ONC) on May 15.

"We believe, however, that the role of ONC in governance of the NwHIN should be carefully considered,” said Karen M. Bell, MD, chair of CCHIT. “While ONC is informed by the Health IT Standards Committee (HITSC), the Health IT Policy Committee (HITPC) and public comment, the NwHIN serves both public and private entities, and an independent public/private governance entity, also informed by the HITSC, the HITPC and public comment may be a more effective approach in establishing trust, gaining wide adoption and allowing for multi-stakeholder representation."  

The Chicago-based organization recommended that ONC support the development of an independent public/private governance entity which would be consistent with the direction of the HITECH Act and with its desire to promote innovation and to support an evolving environment.

“ONC should exercise its mandate to protect the privacy of individuals’ health data in accordance with the HIPAA and the American Recovery and Reinvestment Act (ARRA) by considering how best to apply these regulations to information exchanged on the NwHIN and regulate conditions of exchange (CTEs) that are limited to privacy policy and principles.”

In addition, the organization recommended NwHin network validated entities (NVEs) be tested for and comply with CTEs with respect to all data accessed through the NwHIN. According to CCHIT, multiple NVEs may have different business practices and privacy polices (e.g., opt-in consent vs. opt-out consent) pursuant to their reasons to share information limited to their internal specific structures and processes. “We also recommend that NVEs transparently report how they will assure that data accessed through the NwHIN are handled in compliance with the CTEs if their internal structures and processes differ from those of the CTEs.”

Policy related CTEs can be developed by ONC and included in regulation, according to CCHIT, but those related to technical standards (either interoperability or security) are best determined by an independent multi-stakeholder governance group with the benefit of HITSC recommendations. “We also believe that specific business practices be identified and transparently reported, rather than be part of the CTE process. The evaluation of technical standards for both interoperability and security is an objective, testable process that should be conducted consistently by all validation bodies.”

Public comment is due to ONC by June 29. The full letter is available through CCHIT.