
ONC HIT Report to Congress Discusses Data Privacy, Security

Health data privacy and security must remain a priority in push for interoperability, ONC says.

By Elizabeth Snell

LAS VEGAS - Health data privacy and security are among several potential barriers to modernizing and integrating the health IT infrastructure, according to the Office of the National Coordinator for Health IT (ONC).

Health data security discussed in ONC report to Congress

The ONC released its annual report to Congress on progress being made in health IT earlier this week, and explained that there is a large amount of data available now that was not available six years ago.

ONC discussed recent steps that have been taken to further interoperability, and also touched on potential barriers and areas that still need work to improve the nation’s health IT infrastructure.

“Health IT is now widely used by most hospitals and providers, and the electronic exchange of health information among these providers continues to increase,” stated the report’s executive summary. “However, collaborative commitments across government and industry are needed to address remaining challenges for the U.S. to realize the full benefits of a secure, interoperable electronic health information infrastructure that seamlessly supports the health system and provides individuals with safe, person-centered care.”

In terms of healthcare data privacy and security, the ONC explained that implementing federally recognized national interoperability standards, policies, guidance, and practices for electronic health information is one of HHS’ priorities. Moreover, best practices to help further this goal need to be adopted.

Consumers need to be able to easily and securely access their health information, according to the report. HHS will also work to assist providers in sharing “individuals’ health information with their patients and other providers whenever permitted by law, and not knowingly and unreasonably block electronic health information.”

When it comes to enhancing the privacy and security of electronic health information, ONC highlighted the new requirements included in the 2015 Edition Final Rule. While the new criteria cannot guarantee that a health IT product is secure, the report maintained that the technical requirements shift the responsibility to the manufacturers and developers.

“Because privacy and security functionality and cybersecurity issues continue to evolve, ONC regularly evaluates available technical standards and may add updated certification criteria that support the privacy and security of electronic health information,” the report’s authors wrote.

Moreover, there is a technical standard in the Final Rule that lets providers flag sensitive health information while still allowing that data to be included in an electronic data stream. This supports the interoperable exchange of sensitive health information for individuals whose data may be eligible for additional protections.

Additionally, ONC added security requirements to the API certification criteria to ensure that consumer apps are authenticated, data is encrypted, encryption at rest is a technical default, and data exchanges are audited. Lastly, the 2015 Edition final rule certification criteria include requirements that EHRs certified under the ONC Health IT Certification Program allow patients to choose to transmit their data to third parties of their choosing via either encrypted email (i.e., the Direct protocol) or unencrypted email, as is the patient’s right under the HIPAA Privacy Rule, 45 CFR 164.524.

Information blocking is a key barrier to interoperability, ONC explained. It is important to understand that current law does not “directly prohibit information blocking and provides no effective means to investigate and remedy it.” Furthermore, information blocking may interfere with HIPAA regulations in some cases when it comes to individuals attempting to access their own health information.

There also are variations between state and federal laws when it comes to privacy, which can create confusion among providers and make it difficult to implement new technologies while still staying secure.

“These statutes and regulations vary from state-to-state, often narrowly targeting a particular population, health condition, information collection effort or specific type(s) of health care organizations,” ONC explained. “These diverse state laws are philosophically aligned towards preventing health-status discrimination.”

Overall, ONC said the nation needs an interoperable health system that lets individuals use their data, while also allowing providers “to deliver smarter, safer, and more efficient care.”

“Priority actions over the next year will focus on continuing to build the economic case for interoperability, including increasing incentives and improving the regulatory and business environments; coordinating with health IT stakeholders to enhance consumer access; coalesce around a shared set of technical standards; exposing and discouraging health information blocking; and ensuring the implementation of robust privacy and security protections.”
