Federal health information exchange attention still focused on reconciling security requirements

This week brought another opportunity for federal health IT executives working on information exchange to focus attention on the challenge of reconciling the different security and privacy laws that apply to federal and non-federal entities. As seen and heard previously, and again this week at an Input event, there remains an implicit bias on the part of the feds to assert that being subject to FISMA somehow translates to more rigorous security. The persistence of this theme, plus what seem to be over-simplifications in the content of the article by the usually outstanding and insightful Mary Mosquera, prompted the following reply, submitted online to Government Health IT:

The statement in the article, “SSA does not provide healthcare, so HIPAA regulations do not apply,” only addresses one end of the information exchange being described. MedVirginia is absolutely a HIPAA-covered entity, even if SSA is not. This puts different obligations in play for each participant in the exchange, which is the crux of the problem. Those quoted in this article (once again) imply that because FISMA is required for the federal government, government agency security is a stronger constraint (more specific and more detailed, if not more robust or actually “better”) than the security requirements that apply to non-government entities. This is a false argument. Sankaran’s statement that “we can’t have the government having to check that all these systems are compliant” is particularly nonsensical. The only FISMA “auditing” that occurs now is internal: agency inspectors general conduct FISMA compliance reviews of their own agencies. There is no independent audit of agencies for FISMA compliance, and there is no penalty imposed (other than a bad grade on a scorecard) for an agency’s failure to comply with FISMA requirements.

The scenario described by FHA lead Vish Sankaran where a small medical practitioner would be challenged to comply with all the requirements for security controls that would apply under the law is a red herring too. Small practitioners are already bound by HIPAA as covered entities, just as large hospitals are, and to the extent that these offices use computerized records (the standard industry term of use is ePHI or electronic personal health information), they must already adhere to the requirements of the HIPAA security rule. Sankaran implies that by exchanging data with government agencies, these practitioners would be subject to FISMA, but this is not the way the law works. Non-government entities like contractors are only bound by FISMA if they hold or process data “on behalf of” the federal government; merely storing or using copies of government data does not bring a private health provider under the coverage of FISMA, even if that data is owned by the government. The current situation described in this article, where federal agencies would want to hold private providers to FISMA’s requirements, may in fact be what federal health stakeholders want, but it is simply not a requirement under the law.