The October HIT Standards Committe meeting

As I discussed in yesterday's blog, the focus of the October HIT Standards Committee was Standards adoption and implementation.
 
The day started with comments from David Blumenthal. He briefly described the Nationwide Healthcare Information Network (NHIN) as an evolving vital element of our national health information strategy. He emphasized that we need to expand the scope of our NHIN thinking to include consumer health information platforms in addition to the provider and government organizations that have been the focus to date. He also noted that we need to move from pilots/prototypes to scalable real world implementations, establishing the right governance mechanism for the NHIN.
 
The Clinical Operations update followed and included a discussion of gaps in the current work. We started with a discussion of patient access to an EHR. Should we include clinical summaries, the entire record, or the standard data elements that can be exported to commercial PHRs such as Google Health and Microsoft Healthvault? We heard about experiences at Kaiser, Geisinger, BIDMC and others. It's clear that PHR data sharing is very heterogeneous at the moment and that convenience transactions such as appointment making, medication renewal, and referral management may be more important to patients than full access to every aspect of their record. The HIT Policy committee will be asked to define minimum requirements for patient access to EHR data.
 
We discussed needed enhancements to vocabularies including a national SNOMED-CT to ICD9/ICD10 mapping, RxNorm mapping to National Drug File Reference Terminology (NDF-RT) and Standard Product Labeling (SPL), a standard lab compendium for ordering, UCUM guidance and testing, and a national infrastructure to distribute and maintain codesets. I discussed this need for enhanced vocabulary tools in yesterday's blog. Our action item today was to create a Vocabulary sub-Workgroup that will address these issues and propose priorities and solutions to the entire Committee and ONC.
 
We heard an update from the Clinical Quality Workgroup about the re-tooling of quality measures to be more EHR-centric. Good progress is being made.
 
Next, we focused on privacy & security. Dixie Baker and Steve Findlay summarized a few updates to the standards matrix - SOAP 1.2 is the current recommended version and per evolving federal guidelines (NIST SP 800-63-1), Kerberos will be allowed but not required for 2011 because Federal systems will begin disallowing Kerberos in 2013. NIST SP 800-63-1 is cited as implementation guidance for "Level 2" certification criteria for authentication, but we've been careful not to impose Federal FISMA criteria on the private sector.
 
We discussed enhancements to privacy and security standards efforts, especially for 2013, including:
 
* A healthcare specific XML schema and vocabulary for representing subject, resource, action, and environmental attributes in security assertions i.e. SAML for healthcare
* A standard XML schema and vocabulary for representing consumer consents i.e. my CAML proposal
* Baseline security and privacy policies for the exchange of EHR information
* Standards for exchanges between the healthcare enterprise and the consumer
* Specification of Health Information Exchange assumptions and associated privacy and security policy. This relates to my blog yesterday in which I noted that policy guidance is really essential to pick the simplest set of security constructs needed to protect confidentiality.
 
Our action items today were
 
1. To spend the entire November HIT Standards Committee meeting hearing testimony from stakeholders on Security issues.
 
2. To work with ONC to ensure seamless communication and coordination between the HIT Policy Committee and HIT Standards Committee regarding privacy and security issues
 
3. To specify our assumptions for HIE information exchanges and share those assumptions with the Policy Committee so that they could specify a policy framework that then could serve as the basis for constraining security and privacy standards. One of our committee members noted that policy constrains architectural possibilities, enabling selection of the simplest set of standards needed to meet requirements.
 
Given the emphasis of the meeting on adoption and implementation, we discussed next steps regarding our new Implementation Workgroup. Specifically we will arrange for a day of testimony on October 29 from many stakeholder groups to better understand adoption and implementation issues, needs for enhanced implementation guidance, and identification of enablers that would accelerate interoperability such as new tools or filing standards gaps. We'll also conduct an online forum and accept written testimony. This feedback process is very important to ensure rapid cycle improvement in the standards making and standards selection processes. Per my blog yesterday, this will help with resolving the outstanding common data transport issues.
 
We ended the meeting with a discussion of the results from the privacy hearings conducted by the HIT Policy Committee on September 18.
 
Thus, we have action steps to resolve all the issues I raised on my blog yesterday - alignment of policy and standards activities to create the parsimonious set of security standards to protect confidentiality, a working group to resolve outstanding vocabulary issues, and a feedback process to resolve common data transport and other standards adoption/implementation issues.
 
A great meeting and I look forward to our day of implementation testimony on October 29 and our day of security testimony on November 19.

John Halamka, MD, blogs regularly at Life As a Healthcare CIO.