ONC Backs Off Rule-making For Governance of Health Information Exchange

By Leslie Francis

Establishment of the infrastructure needed for the efficient, accurate, and secure exchange of health information is a crucial piece of improving care in the US.  Exchange fosters the ready availability of information, reducing redundancy and hopefully improving care quality.  To this end, proposals for a National Health Information Network were highly touted during the Bush Administration and continue to be supported by the Obama Administration, the Office of the National Coordinator for Health Information Technology (ONC) was established in 2004, and several federal advisory committees (the ONC Policy Committee and the ONC Standards Committee) were established by Congress in the HITECH Act in 2009.  Yet progress towards health information exchange remains halting at best–some hypothesize because of resistance within the private sector itself.  Recent developments at ONC are not encouraging.


For good reasons, among them security and privacy, the idea of a “nationwide health information exchange” has morphed to a “NwHIN“–a network of networks, rather than a single data repository–and the “Direct Project” for “simple, secure, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.”  When ONC moved to the NwHIN approach, it established a Governance Work Group under the aegis of the Health IT Policy Committee to prepare recommendations for NwHIN governance, including standards, policies, and procedures. Last spring, ONC requested information on important governance topics in preparation for rule-making. In the words of Steven Posnack, Director of the Federal Policy Division at ONC, “We need a common set of rules (expressing technical, privacy and security, and business practice requirements) to create a consistent trust baseline for stakeholders.”

On September 7, Farzad Mostashari, ONC head, announced the decision to back away from any rule-making at this time. The primary stated reason for the decision is that exchange development is proceeding rapidly in new directions and regulatory intervention might impede process. ONC promised to continue to promote good practices for robust and secure exchange by “shin[ing] the light on good practices.”  ONC will actively engage with entities developing governance structures and will continue to provide guidance and tools.  Reassuringly, ONC will continue to evaluate the consumer protections that now exist and work through federal partners to this end.  And ONC will “rigorously” monitor progress to assure that if there are market breakdowns or systemic problems, it will once again seek input from the public, from stakeholders, and from its own advisory committees.

Whether ONC is correct that regulation at this time might have threatened progress will remain an untested proposition.  What is clear is that multiple barriers to exchange remain–and that these barriers contribute to care inefficiencies and worse.  What is also clear is that security and privacy policies–for identity proofing and authentication, for example–are important to consumers and, in the language of ONC, to “trusted exchange.”  In many cases, exchange partners now rely on separate data use agreements–contracts–to set their terms of exchange and to incorporate data protections that the partners believe are necessary. This mechanism is not only cumbersome particularly when multiple parties are involved in exchanges but also leaves data protection up to the vagaries of contract enforcement.  ONC’s aim in the RFI was to establish some basic rules of the road; their hope at present is that without additional regulation traffic will flow freely and safely, without harm to passengers.  I am not sure that I am reassured.

Cross-Posted from HealthLawProf Blog

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.