Health IT advisory committees covering same ground, sometimes without coordination

Both of the two federal health IT advisory committees working in support of the Office of the National Coordinator (ONC) have taken up discussion on patient privacy and consent management, working through the respective privacy and security workgroups that each committee maintains. For its part, the Privacy and Security Workgroup of the Health IT Standards Committee has started looking at available standards activities related to consent management, including OASIS and the International Security and Privacy Trust Alliance’s Privacy Management Reference Model (PMRM) and IHE’s Basic Patient Privacy Consents (BPPC). The focus on the standards side appears to be primarily on BPPC, which has been around for a while but which seems to be getting a new and closer look, in part due to its support for at least a dozen consent models, including variations of opt-out and opt-in that are most often considered by healthcare organizations when choosing to enable consent management.

The Health IT Policy Committee has also been talking a lot about consent, after consistently receiving comments and testimony from patient privacy advocates about the need to include consent and support for consumer preferences, both in the context of meaningful use for EHR incentive funding and more broadly to encourage public confidence in electronic health records and health information exchange of personal data in those records. At the Policy Committee’s April meeting, the Privacy and Security Workgroup presented high-level details on its current work on consent, and suggested that formal recommendations may be forthcoming as soon as this month. Their emphasis on consent as a prerequisite to establishing the trust necessary to allow individuals to endorse health information sharing is one of several parallel activities centered on trust going on within the Policy Committee’s workgroups, within which the committee members seem to acknowledge that both policy directives and corresponding standards and technologies are needed.

What’s remarkable and more than a little disappointing about all the work these two privacy and security workgroups are doing on consent is how little they appear to be communicating with each other, much less coordinating their efforts. In response to an article in Federal Computer Week that was published online on April 23, Policy Committee member and Privacy and Security Workgroup chair Deven McGraw posted a comment on April 27 highlighting this lack of coordination:

I co-chair the Health IT Policy Committee’s privacy and security workgroup, and I have never seen this technical framework, nor has it been formally presented to the privacy and security workgroup members for their consideration.

In a somewhat similar vein, at the end of the Standard Committee’s April 28 presentation on “Standards for Consumer Engagement” from its Privacy and Security Workgroup chairs, among the questions listed for consideration by the Standards Committee is what the Standard Committee’s role should be with respect to Policy Committee efforts to address consent and related consumer engagement issues. John Moehrke, an engineer for GE Healthcare and HITSP member who gave a presentation to the Standards Committee on BPPC, noted that while listening to a recording of the April 20 meeting of the Policy Committee’s Meaningful Use Workgroup on patient consent and consumer engagement, he heard a lot of passion on consent but very little attention to or explanation of the key elements that need to be simplified if consent management is to be achieved in an implementable way. Presumably if the standards and technology available to help manage patient consent were better understood (as well as the consent provisions in the relevant laws) we might see more progress on consent solutions rather the current cycle of analysis paralysis.

To an outside observer, it may seem strange that two groups with such obviously overlapping interest areas (not to mention potential dependencies) would not coordinate their efforts on a regular basis, but unfortunately, this lack of interaction appears to be the rule rather than the exception, at least with respect to security and privacy matters, despite the fact that the Standards Committee routinely briefs the Policy Committee on it standards recommendations and related considerations. For example, at the March Policy Committee meeting John Halamka presented a summary of Standards Committee progress, including an item about “launching educational sessions on consent-related standards.” Maybe the Policy Committee Privacy and Security Workgroup can schedule one of these sessions before coming out with their recommendations on consent.

The Policy Committee and Standards Committee have a history of coming up with separate recommendations on similar topics, occasionally with conclusions that make it hard for anyone following the activities and recommendations of these advisory committees to know what they should do. For instance, last fall the Standards Committee’s Privacy and Security Workgroup presented on more than one occasion that the IHE Enterprise User Authentication (EUA) standard and the Kerberos authentication and authorization model would no longer be included as a recommended health IT standard beyond the 2011 timeframe. This recommendation, based on a questionable (in our opinion) interpretation of a draft revision of NIST Special Publication 800-63, is not part of the adopted security standards specified as certification criteria for EHR systems under meaningful use, setting up a situation in which an EHR vendor (or eligible provider who buys that vendor’s certified EHR) relying on EUA could be certified for 2011, but may need to replace its authentication mechanism in order to remain certified for 2013 and beyond. It’s hard to imagine that either the Standards Committee or the Policy Committee really intends for certification to be such a fluid target, but the Policy Committee had an opportunity to influence the criteria that ONC included in its rules, but apparently did not take advantage of it. The still-solidifying process and standards under which EHR products will be certified are just one example of an effort that would seem to be greatly facilitated by consistency and harmonization of recommendations between the Policy and Standards Committees.