Healthcare Information Security


Final ONC Roadmap Highlights Health Data Privacy, Security

By Elizabeth Snell

The Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC) released the final version of its interoperability roadmap earlier this week, discussing the importance of health data privacy throughout the push for greater health information exchange.


Connecting Health and Care for the Nation explains how nationwide interoperability can be achieved over the next decade, and that the goal of a learning health system that centers around patients is possible.

“If we steadily and aggressively advance our progress we can make it a reality,” states the executive summary. “We must focus our collective efforts around making standardized, electronic health information securely available to those who need it and in ways that maximize the ease with which it can be useful and used.”

The roadmap includes three high-level goals toward interoperability, broken down to take place over the next 10 years:

  • 2015-2017: Send, receive, find and use priority data domains to improve healthcare quality and outcomes.
  • 2018-2020: Expand data sources and users in the interoperable health IT ecosystem to improve health and lower costs.
  • 2021-2024: A learning health system, with the person at the center of a system that can continuously improve care, public health, and science through real-time data access.

In terms of health data privacy and security, the roadmap explains that strong and effective safeguards are essential in the interoperability push. There must be greater transparency in how individuals’ data is used, especially if it is not covered by HIPAA regulations. It will also be necessary to consider individuals’ preferences in how their data is handled.

To have an interoperable and learning health system, the roadmap states that there must be “a stable, trusted, secure, widely available network capability that supports technology developer-neutral protocols and a wide variety of core services.”

Improvements in health data privacy are also included in the first ONC goal, to take place between 2015 and 2017. Specifically, the roadmap states that “OCR will consider where additional guidance may be needed to help stakeholders understand how HIPAA Privacy and Security Rules apply in an environment where ACOs and other multi-stakeholder entities permeate the landscape in support of value-based purchasing.”

Overall, ONC highlighted four “pathways” that will be essential in achieving nationwide interoperability. First, improving technical standards and implementation guidance for priority data domains and associated elements is necessary.

“In the near-term, the Roadmap focuses on using commonly available standards, while pushing for greater implementation consistency and innovation associated with new standards and technology approaches, such as the use of application programming interfaces (APIs),” ONC explained in a blog post.

Second, there will need to be a shift from fee-for-service to value-based models. This applies to federal, state, and commercial payment policies.

Third, federal and state privacy and security requirements that enable interoperability will need to be properly aligned. As previously discussed, the variation between state requirements can create a “patchwork” system.

Finally, consistent policies and business practices that support interoperability will need to be coordinated among stakeholders. Moreover, any policies or practices that hinder interoperability will need to be addressed.

It is important for both private and public stakeholders to work together, according to National Coordinator for Health IT Karen B. DeSalvo, MD, MPH, MSc., who wrote an introductory letter with the finalized roadmap.  

“We are committed to helping consumers easily and securely access their electronic health information when and where they need it most; to enabling individual health information to be shared with other providers and refrain from information blocking; and to implementing federally recognized, national interoperability standards and policies so that we are no longer competing between standards, but rather innovating on a set of core standards,” DeSalvo said.

