From all the talk about new regulatory requirements around data accessibility related to health care and other businesses, you’d think details on how the health care vertical needs to format and secure medical records were iron-clad. Not so.
Despite recent efforts, Congress has yet to catch up with the private sector on the matter of standards and regulation related to electronic health care, leaving independent bodies to take matters into their own hands.
For example, in working to launch HealthVault, Microsoft Corp. was on its own in deciding what security measures to take. Federal privacy rules such as HIPAA bind covered entities (providers, health plans and clearinghouses) and their business associates, not a consumer-facing personal health record vendor, so Microsoft had to go beyond existing government standards if it wanted HealthVault to be airtight.
HIPAA doesn’t apply to software makers because programs such as HealthVault store copies of information that consumers have opted to archive online, explained Nate McLemore, director of business development for Microsoft’s health solutions group.
So the software giant collaborated with privacy rights groups, McLemore said, to make sure they approved of HealthVault’s security and privacy protections. “They think the HealthVault model is actually better than HIPAA at protecting consumer choice and control,” he said.
Kaiser Permanente is pleased with Microsoft’s privacy and security provisions, said Jan Oldenburg, practice leader in Kaiser Permanente’s health portfolio Internet services group.
Microsoft’s protections seem to be going over well with privacy rights advocates, too. Deborah Peel is a medical doctor who founded the Patient Privacy Rights Foundation, one of the groups comprising the Coalition for Patient Privacy. Peel told Healthcare IT News last October that Microsoft had agreed to adhere to privacy principles the coalition developed in 2007.
“We think they’re setting a new amazingly high bar and frankly, we think what they’re doing is really the best practice that the entire industry needs to follow,” she told the journal.
One of the ways Microsoft is doing that is by using the Continuity of Care Document (CCD) interoperability standard for the electronic exchange of medical data. CCD is an HL7 Clinical Document Architecture (CDA) based XML document format, not a transport protocol: it defines how a patient summary is structured and coded, and the document still has to be carried over an authenticated, encrypted channel. CCD is gaining support from the federal government and has been endorsed by leading health care groups as the format for exchanging sensitive patient summaries.
Right now, CCD appears to be the preferred standard. And, to be sure, CCD was a big reason why Kaiser Permanente chose to pilot its project with Microsoft rather than Google.
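What a CCD actually looks like on the wire, and what a receiving system should check before trusting one, is easier to see in code. The following is an added example written for this page, not Microsoft's, Kaiser Permanente's or Google's code: it constructs a minimal, fictitious CCD inline, refuses any document carrying DOCTYPE or ENTITY declarations (a CCD never needs a DTD, and stripping them out blocks XXE and entity-expansion payloads before the XML parser sees them), checks that the document really declares the CCD template identifier, and then extracts only the patient identity and an index of the coded clinical sections. The OIDs and LOINC codes are the commonly published CDA R2 / CCD 1.0 values; the section subset, the `SAMPLE_CCD` content and all identifiers in it are assumptions made for the example.

```python
"""Defensive reader for an HL7 Continuity of Care Document (CCD).
Added example for this page, not vendor code: constructed sample, hardened parse,
template check, minimal extraction."""
import re
import xml.etree.ElementTree as ET

CDA_NS = "urn:hl7-org:v3"
NS = {"h": CDA_NS}
CCD_TEMPLATE_ROOT = "2.16.840.1.113883.10.20.1"  # CCD 1.0 document-level templateId
LOINC_OID = "2.16.840.1.113883.6.1"
# LOINC codes CCD assigns to its clinical sections (subset assumed for the example)
SECTION_NAMES = {"10160-0": "medications", "11450-4": "problems", "48765-2": "allergies"}

# Constructed sample document; patient, identifiers and content are fictitious.
SAMPLE_CCD = """<ClinicalDocument xmlns="urn:hl7-org:v3">
  <typeId root="2.16.840.1.113883.1.3" extension="POCD_HD000040"/>
  <templateId root="2.16.840.1.113883.10.20.1"/>
  <id root="2.16.840.1.113883.19.5.99999" extension="doc-0001"/>
  <code code="34133-9" codeSystem="2.16.840.1.113883.6.1" displayName="Summarization of Episode Note"/>
  <title>Continuity of Care Document</title>
  <effectiveTime value="20080301"/>
  <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
  <recordTarget><patientRole>
    <id root="2.16.840.1.113883.19.5" extension="12345"/>
    <patient>
      <name><given>Jane</given><family>Doe</family></name>
      <birthTime value="19700101"/>
    </patient>
  </patientRole></recordTarget>
  <component><structuredBody>
    <component><section>
      <code code="10160-0" codeSystem="2.16.840.1.113883.6.1"/>
      <title>Medications</title><text>Lisinopril 10 mg daily</text>
    </section></component>
    <component><section>
      <code code="11450-4" codeSystem="2.16.840.1.113883.6.1"/>
      <title>Problems</title><text>Hypertension</text>
    </section></component>
  </structuredBody></component>
</ClinicalDocument>
"""


class CcdError(ValueError):
    """Raised when the input is not a CCD we are willing to process."""


def parse_ccd(xml_text: str) -> ET.Element:
    """Parse XML text and return the root element only if it is a CCD."""
    # Refuse DTD machinery up front: blocks XXE and billion-laughs entity expansion.
    if re.search(r"<!(DOCTYPE|ENTITY)\b", xml_text, re.IGNORECASE):
        raise CcdError("DOCTYPE/ENTITY declarations are not allowed in a CCD")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CcdError(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{CDA_NS}}}ClinicalDocument":
        raise CcdError("root element is not a CDA ClinicalDocument")
    template_roots = {t.get("root") for t in root.findall("h:templateId", NS)}
    if CCD_TEMPLATE_ROOT not in template_roots:
        raise CcdError("document does not declare the CCD templateId")
    return root


def is_acceptable(xml_text: str) -> bool:
    """True if parse_ccd() would accept the document, False otherwise."""
    try:
        parse_ccd(xml_text)
        return True
    except CcdError:
        return False


def patient_summary(root: ET.Element) -> dict:
    """Return the patient identity block (who the record is about) and nothing else."""
    role = root.find("h:recordTarget/h:patientRole", NS)
    name = root.find("h:recordTarget/h:patientRole/h:patient/h:name", NS)
    if role is None or name is None:
        raise CcdError("recordTarget/patientRole/patient/name missing")
    ident = role.find("h:id", NS)
    birth = role.find("h:patient/h:birthTime", NS)
    given = " ".join(g.text.strip() for g in name.findall("h:given", NS) if g.text)
    family = name.findtext("h:family", default="", namespaces=NS).strip()
    return {
        "id": (ident.get("root"), ident.get("extension")) if ident is not None else None,
        "name": f"{given} {family}".strip(),
        "birth": birth.get("value") if birth is not None else None,
    }


def section_index(root: ET.Element) -> dict:
    """Map each LOINC-coded clinical section to its title; uncoded sections are ignored."""
    index = {}
    for sec in root.iterfind(".//h:structuredBody/h:component/h:section", NS):
        code = sec.find("h:code", NS)
        if code is None or code.get("codeSystem") != LOINC_OID:
            continue  # not LOINC-coded: a CCD reader should not guess what it is
        name = SECTION_NAMES.get(code.get("code"), code.get("code"))
        index[name] = sec.findtext("h:title", default="", namespaces=NS).strip()
    return index


if __name__ == "__main__":
    doc = parse_ccd(SAMPLE_CCD)
    print(patient_summary(doc))
    print(section_index(doc))
```

The template check matters because any CDA document has the same root element; a system that routes on `ClinicalDocument` alone will happily ingest a discharge summary or a malformed file as a care summary. The DOCTYPE refusal is a string check on purpose: it runs before any parser is involved, so it does not depend on which XML library or expat version is installed. For production use against untrusted uploads, pair it with a hardened parser such as defusedxml and a size limit.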
“When we asked about it, [CCD] was on their backlog and road map,” Oldenburg said of Google. But look for Kaiser Permanente to partner with Google sometime soon, she added. “We actually are assuming that over time we will work with both — it’s not so much that this is an exclusion ... [but] Microsoft was specifically using [CCD].”
At least one analyst takes Microsoft’s choice of CCD with a grain of salt. There’s still a question nationally of creating a single, uniform data set, said Insight Research Corp.’s Robert Rosenberg, “and though Microsoft would love to think they’re in a position to dictate that kind of thing, in fact, I think it really has to come from the government. ... Security and blah, blah, blah, that’s a given. It’s really trying to create a uniform set of data that can be used all the way from the physician’s office up through these big insurance/HMO conglomerates — that there is a single way to identify and categorize pieces of data.”
In other action on this front, the nonprofit Certification Commission for Healthcare Information Technology (CCHIT) is tackling personal health records standardization and plans to certify functionality in 2009. The organization does have government support for this endeavor: it landed a contract with the Department of Health and Human Services in 2005 to develop, prototype and evaluate certification criteria and inspection processes for electronic health records.
Meanwhile, communications service providers like Verizon Business are working the issue as well. The former MCI runs a health care division that certifies firms’ security and regulatory compliance. One of its customers is TriZetto Group Inc., a provider of administration software, professional services and business process outsourcing to the health care vertical. At least twice a year, Verizon Business tests TriZetto’s assets, including data centers and MPLS networks. TriZetto then earns compliance certification, which instills customer confidence, said Gary Starling, chief security officer for TriZetto.
But what passed muster last year might not work this year, illustrating how compliance is a process and not “a finish line,” said Cindy Bellefeuille, director of product management security solutions for Verizon Business. The controls that regulations such as HIPAA require change as technology evolves, and service providers have to stay ahead of the curve.
“One can’t think of data that can be more sensitive than the health of an individual,” Bellefeuille said.
Barry Zipp, executive director of managed business applications for Verizon Business, agreed. “We have a stake as a health care user to ensure that health care technology is being optimally applied across the industry,” Zipp said.