Category: HITECH

HHS Actually Takes Action to LOWER the Penalties For One Of Its Enforcement Laws

On April 29, 2019, the United States Department of Health and Human Services (“HHS”) announced in the Federal Register, through a Notification of Enforcement Discretion effective immediately, that it would exercise its discretion in applying the HHS regulations governing the assessment of Civil Monetary Penalties (“CMPs”) under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Specifically, HHS has abandoned the uniform cumulative annual CMP limit that applied across all four categories of culpability and replaced it with tiered annual limits that increase with the severity of the culpability category.

In 2009, HITECH established four tiers of culpability with increasing penalties based on increasing severity. Those categories included: (1) the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that is timely corrected; and (4) the violation was due to willful neglect that is not timely corrected.

At the time of enactment of the HITECH Act, discrepancies were identified in the descriptions of the penalty ranges and uncertainty existed surrounding whether the $1,500,000 annual cap on CMPs should be applied to all of the categories of culpability. In the final regulations implementing HITECH that were adopted by HHS in 2013, the $1,500,000 annual cap was confirmed by HHS to apply to all categories. And, ever since then, HHS has been issuing penalties under the following framework:

Culpability                       | Min. Penalty per Violation | Max. Penalty per Violation | Annual Limit
No Knowledge                      | $100                       | $50,000                    | $1,500,000
Reasonable Cause                  | $1,000                     | $50,000                    | $1,500,000
Willful Neglect – Corrected       | $10,000                    | $50,000                    | $1,500,000
Willful Neglect – Not Corrected   | $50,000                    | $50,000                    | $1,500,000

However, in a sudden change of position, HHS’ guidance this past week states that upon further review of the statute, it believes a better reading of the statute is to provide a tiered annual limit. Thus, under HHS’ new interpretation, there are new maximum annual limits to HIPAA enforcement actions as follows:

Culpability                       | Min. Penalty per Violation | Max. Penalty per Violation | Annual Limit
No Knowledge                      | $100                       | $50,000                    | $25,000
Reasonable Cause                  | $1,000                     | $50,000                    | $100,000
Willful Neglect – Corrected       | $10,000                    | $50,000                    | $250,000
Willful Neglect – Not Corrected   | $50,000                    | $50,000                    | $1,500,000

It is unclear how the “No Knowledge” category will work given that the maximum penalty per violation remains at $50,000 while the annual limit is only $25,000. A review of the Federal Register entry from HHS confirms these to be the numbers published by HHS, and thus, until HHS offers further guidance or begins applying these new figures to specific cases, there remains some uncertainty for this category of culpability.

Nevertheless, these changes should come as welcome news to providers and business associates trusted with protected health information (“PHI”) as a penalty for a HIPAA violation can add up quickly. Thus, these new annual limits will help to curb the financial sting of a violation, especially when the provider or business associate either is genuinely unaware of the violation or takes appropriate action in response to a violation. Only time will tell whether HHS’ clarification of its reading of the statute to require lesser annual CMP penalty caps marks a general shift toward lower penalties or fewer enforcement actions overall.

In the meantime, it would be wise for providers and business associates to continue demonstrating good faith compliance efforts to try to minimize the tier of culpability within which a particular penalty falls. Only through ongoing reviews, audits and assessments of privacy policies and procedures and general compliance programs will providers and business associates remain prepared and help to mitigate the penalty of a potential HIPAA violation. Certainly with these new tiered annual CMP caps, those that handle PHI have an even greater incentive to remain focused on effective compliance efforts.

Revised Confidentiality Rules Under 42 CFR Part 2 For Substance Use Disorder Patient Records

On January 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) within the Department of Health and Human Services published its final rule revising confidentiality rules for substance use disorder treatment programs.   A review of the Part 2 regulations for such programs and their overlap with pertinent provisions of HIPAA was the subject of a recent post on this blog.

The effective date of the revised regulations is February 2, 2018, with the exception of one provision whose compliance date is two years after the effective date. The agency indicated that “[t]hese changes are intended to better align the regulations with advances in the U.S. health care delivery system while retaining important privacy protections for individuals seeking treatment for substance use disorders.” An important aspect of this effort was aligning the substance use regulations with HIPAA and HITECH while recognizing that the Part 2 regulations provide “more stringent federal protections” to safeguard individuals from discrimination and the legal consequences of improper disclosure.

The prior Part 2 regulations included a strict prohibition on redisclosure of information that is disclosed in the first instance with a patient’s consent. SAMHSA’s new regulation approves the use of an abbreviated notice of the prohibition on redisclosure, intended to fit within the space limitations of free-text fields in electronic health record systems.

The new regulation also permits disclosures with written consent for payment and health care operations activities. The preamble to the regulation makes clear that the catalog of such activities in the rule is illustrative rather than exhaustive. SAMHSA sought to balance the protection of confidentiality against the legitimate need to disclose information in order to realize the benefits of emerging health care models that promote integrated care and patient safety. It pointed to the existing provision in 42 CFR § 2.13(a), which is intended to ensure that information is not shared more broadly than the purpose(s) for which the patient consents.

SAMHSA also addressed the applicability of the Part 2 regulations to business associates and subcontractors in a fashion similar to the HITECH regulations. It stated that the agency did not intend at this time to have the Part 2 regulations apply to business associates and subcontractors. However, the agency left the door open to further alignment with HIPAA, indicating that additional changes were under consideration.

With these latest changes and the promise of more possibly to come, providers subject to these regulations must be sensitive to their applicability and complexity given the significant repercussions that can follow from violations of 42 CFR Part 2.

The Case for Breach Notification by Business Associates

A business associate is an individual or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  HIPAA requires business associates to agree, in writing, to appropriately safeguard protected health information received or created on behalf of a covered entity.

HIPAA regards a breach involving a business associate as “discovered” by the covered entity on the date that the business associate knew or should have known about it, provided that the business associate is acting as the “agent” of the covered entity. In performing covered functions or providing covered services (such as claims processing, billing, utilization review, pharmacy benefit management, or clearinghouse duties), most business associates also exercise actual or apparent authority on behalf of the covered entity; that is, with either express or implied permission from the covered entity, the business associate holds itself out to third parties as being able to act in the place of the covered entity. By doing so, they may qualify under federal law as “agents” of the covered entity. The only time that a covered entity will not be charged with knowledge at the time of its business associate’s breach is in the exceedingly rare circumstance where the business associate was not acting as the “agent” of the covered entity.

Regardless of agency status, HIPAA requires a business associate to report a breach of unsecured PHI to the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery, so in effect the rule permits the report to be delayed for up to 60 days. That outer limit is extremely important because the HIPAA Breach Notification Rule runs the covered entity’s own clock from discovery: affected individuals must receive notice of the breach without unreasonable delay and in no case later than 60 days after discovery, regardless of the number of individuals affected. In addition, breaches involving 500 or more individuals must be reported to HHS at the same time the individual notices go out and, where more than 500 residents of a state or jurisdiction are affected, to prominent media outlets serving that area, again within 60 days of discovery.

In most circumstances, the effect of these provisions is that a business associate does not have to notify the covered entity of a breach for up to 60 days, but each day that the covered entity remains unaware is one fewer day that it will have to report the breach to affected individuals, and possibly the government and media.  Unless the business associate contract requires the business associate to provide information regarding a breach to the covered entity within a few days, a dawdling business associate can potentially make it more difficult, if not impossible, for a covered entity to make all required notifications.  This is especially true in breaches involving 500 or more individuals which require all three forms of notification to occur within 60 days of discovery of the breach.

Because HIPAA will treat almost all breaches involving a business associate as “discovered” by the covered entity before the covered entity has actual knowledge of the breach, covered entities should consider delegating breach notification responsibility to business associates in these cases.  This can be easily done by including language in the business associate agreement to the effect that the covered entity reserves for itself the option of having the business associate provide all notifications required by HIPAA (and/or any applicable state breach notification laws) in the event of a breach.  The reason for this is twofold: first, while HIPAA permits a business associate to delay a report of breach of PHI to the covered entity for up to 60 days, in most cases, the covered entity will be “deemed to have knowledge” of the breach at the time the business associate knew, or should have known of it through the exercise of reasonable diligence.  Second, the business associate is likely to be better positioned to investigate the breach because of its proximity to the facts and individuals involved.

A business associate agreement should reflect the reality that covered entities have the ultimate responsibility to ensure that proper and timely notifications are made after a breach.  From the covered entity’s perspective, this means requiring their business associates to promptly report any breaches to the covered entity and to take the lead concerning all aspects of breach notification.   If the business associate is unequipped to provide breach response on its own, it can always outsource such functions, provided it first enters into a business associate agreement with that vendor.  If a business associate is unwilling to do either, then the covered entity may want to rethink its relationship altogether with the business associate.

Dealing with Insider Threats to HIPAA Security

While most Covered Entities rightly orient cyber security efforts against external threats, there has been a recent uptick in the intentional theft of protected health information (PHI) by employees and others from inside organizations. Although so-called “insider threats” are not the most common security problem, they are among the most costly and damaging. Because they originate from individuals who are trusted and therefore have a legitimate level of access to confidential data, they are also especially difficult to detect.

Illustrating this problem, in February 2015 a former hospital employee in Texas was sentenced to 18 months in federal prison after improperly obtaining PHI with the intent to use it for personal gain. More recently, a Blue Cross Blue Shield of Michigan (BCBSM) employee (and ten others in multiple states) was indicted on multiple counts of identity theft related crimes based on her alleged theft of BCBSM subscriber information.

According to the indictment, the BCBSM employee shared subscribers’ personal identifying information and distributed it to others who used it to apply for credit in subscribers’ names and make purchases across the country. Co-conspirators were arrested in Texas, Ohio and Michigan in possession of BCBSM subscriber information, counterfeit identification cards, and credit cards that were fraudulently obtained in the names of BCBSM subscribers. At other suspects’ homes, agents recovered BCBSM subscribers’ names, dates of birth and Social Security numbers in addition to counterfeit and re-encoded credit cards and gift cards. The indictment alleges that three of the co-conspirators used counterfeit credit cards at different stores and fraudulently obtained more than $742,000 worth of merchandise from Sam’s Club alone.

While indictments and prison sentences send a strong message from law enforcement about HIPAA protections, employers can also take important preventive steps to deter, thwart and detect potential insider threats. At a minimum, outbound data flows, including email systems, printers, USB drives and other forms of removable media, should be monitored for suspicious activity. This would not necessarily have stopped a group like those recently indicted in Michigan, who used the low-tech method of taking screenshots of subscriber information, but it could detect other types of unauthorized data movement, such as bulk copying directly from servers or across the corporate network.

Most technological defenses, like passwords and other forms of user authentication, are designed to keep unauthorized users out. They verify identity, not intent, and so offer little protection against insiders who, by definition, are authorized to access the systems they target. Combating insider threats therefore requires a multidisciplinary approach. In addition to technical measures, employers should focus on deterrence by educating the workforce about the monitoring in place to detect unauthorized data exfiltration and about the possible consequences, including jail time. Businesses should also think about who on the outside might want their data, which employees have access to that information, and how those individuals might pose a risk of data theft. Employers should also get to know their employees’ regular workflows and routines and establish a baseline for them. If someone who never accesses certain information or databases suddenly does so, that should be automatically flagged and investigated; so too if an employee suddenly sends two or three times the usual volume of email or data, which can indicate that data theft is under way. From a HIPAA compliance standpoint, Covered Entities should treat the insider threat as part of their regular risk analysis process and develop appropriate protocols in response.
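The two behavioral signals just described, first-time access to a resource outside a user’s own history and a day’s volume far above that user’s baseline, can be checked with a short script. The following is an added example written for this page; it is not code from any product or from the cases described above, and the log format, field names, user names, resource names and the 2x volume threshold are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed access-log extract (not real data): one row per user, per resource, per day.
BASELINE_LOG = """date,user,resource,records
2015-03-02,jdoe,CLAIMS,40
2015-03-03,jdoe,CLAIMS,38
2015-03-04,jdoe,CLAIMS,45
2015-03-05,jdoe,CLAIMS,41
2015-03-06,jdoe,CLAIMS,39
2015-03-02,asmith,BILLING,25
2015-03-03,asmith,BILLING,27
2015-03-04,asmith,BILLING,24
2015-03-05,asmith,BILLING,26
2015-03-06,asmith,BILLING,25
"""

# Constructed log for the day under review: jdoe touches a table she has never used
# and pulls more than three times her usual daily volume; asmith behaves normally.
TODAY_LOG = """date,user,resource,records
2015-03-09,jdoe,CLAIMS,44
2015-03-09,jdoe,MEMBER_SSN,90
2015-03-09,asmith,BILLING,26
"""


def parse_log(text):
    """Parse the CSV extract into dicts with an integer record count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["records"] = int(row["records"])
    return rows


def build_baseline(rows):
    """Per user: the set of resources ever touched and the median daily record count."""
    resources = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for row in rows:
        resources[row["user"]].add(row["resource"])
        daily[row["user"]][row["date"]] += row["records"]
    return {user: (resources[user], median(daily[user].values())) for user in resources}


def detect(rows, baseline, volume_factor=2.0):
    """Return (user, alert_type, detail) tuples for the rows under review.

    NEW_RESOURCE: the user has no history of touching this resource.
    VOLUME_SPIKE: the day's total is at least volume_factor times the user's median day.
    NO_BASELINE:  an account with no history at all, which needs a human look.
    """
    alerts = []
    already = set()
    totals = defaultdict(int)
    for row in rows:
        user, resource = row["user"], row["resource"]
        totals[user] += row["records"]
        if user not in baseline:
            if (user, "NO_BASELINE") not in already:
                already.add((user, "NO_BASELINE"))
                alerts.append((user, "NO_BASELINE", "no history for this account"))
            continue
        known, _ = baseline[user]
        if resource not in known and (user, resource) not in already:
            already.add((user, resource))
            alerts.append((user, "NEW_RESOURCE", resource))
    for user, total in totals.items():
        if user in baseline:
            _, typical = baseline[user]
            if typical and total >= volume_factor * typical:
                alerts.append((user, "VOLUME_SPIKE", f"{total} records vs median {typical:g}"))
    return alerts


def run_detection(volume_factor=2.0):
    """Build the baseline from history and score today's rows against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(TODAY_LOG), baseline, volume_factor)


if __name__ == "__main__":
    for user, kind, detail in run_detection():
        print(f"{user:8} {kind:14} {detail}")
```

Per-user baselines matter more than global thresholds here: 134 records would be unremarkable for a bulk-billing job but is three times jdoe’s median day. In a real deployment the baseline would be rebuilt on a rolling window and the alerts fed to whoever handles incident triage, not printed.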

While the insider threat, like many others, can never be completely eliminated, an active deterrence and monitoring strategy coupled with intelligent technical solutions can reduce it significantly.

New Encryption Requirements For New Jersey Health Insurers May Catch On In Connecticut, But Probably Would Not Have Protected Anthem Subscribers

New Jersey has enacted and Connecticut is considering a bill that would require health insurance companies to encrypt electronic information in their possession. These developments come as the massive breach of personal protected health information at Anthem Health continues to reverberate throughout the healthcare industry.

While the New Jersey law and Connecticut proposal requiring encryption are important steps that will protect individuals in cases where a laptop or flash drive is lost or stolen, they are unlikely to provide any serious defense to a determined attack such as that involving Anthem Health, which involves the compromise of administrator-level credentials.

The New Jersey law, which goes into effect on August 1, 2015, requires all health insurance carriers issuing benefits in the state to encrypt or otherwise render unreadable any “personal information” which they compile or maintain.  This “personal information” includes a first name or initial and last name linked with their Social Security Number, driver’s license or State ID number, address, or any other form of individually identifiable health information such as medical or billing records, medical record numbers, or a variety of other identifiers.

The Connecticut proposal, much like New Jersey’s law, would require insurance companies operating in Connecticut to encrypt all personal information records stored and transmitted by them.  Connecticut would also go further by requiring that any health insurance company who holds, uses or transmits personal information adopt secure user authentication protocols (such as mandatory user IDs, unique passwords, and other measures) and upgrade information safeguards to limit future risks.

While encryption of protected health information is strongly encouraged by changes to HIPAA made by the HITECH Act and subsequent regulations, it is not currently required by federal law.  However, as targeted attacks on health care data become more sophisticated and commonplace, encryption and other security measures are quickly becoming the industry standard.

It is unlikely that either New Jersey’s law or Connecticut’s proposal requiring encryption would have protected Anthem subscribers affected by the most recent breach, which was discovered by a system administrator who noticed that their own credentials were being used to log into the system and submit queries. Encryption of stored data protects against the loss or theft of the medium it sits on; it does nothing against an intruder who holds the credentials of an account entitled to decrypt and query that data, because the system decrypts it for them. Unauthorized individuals who gain access to an administrator account can end-run most, if not all, technical defenses, and no amount of encryption will protect against thieves who use phishing, social engineering or other means to steal the keys to the virtual kingdom.

OCR Director Discusses Upcoming HIPAA Audits, Additional Rulemaking in 2015

Audits of Covered Entities and their Business Associates, which are required under the HITECH Act, have been delayed into 2015, according to comments made by Jocelyn Samuels, the Director of Health and Human Services’ Office for Civil Rights (OCR), because audit procedures have not been finalized. During a recent conference call with the media, Director Samuels would not commit to a specific timeline for the audits. These new audits will be done in-house by OCR and will incorporate lessons learned from the 2012 audits of 115 covered entities conducted by KPMG, in addition to changes following enactment of the Final Omnibus Rule in 2013. Although all aspects of HIPAA compliance may be examined, it is expected that through these audits OCR will closely scrutinize organizational risk analysis and risk management. OCR anticipates that the audits will help it to identify best practices and uncover risks and vulnerabilities to privacy and security. Also according to OCR, the audits are expected to allow it to provide additional guidance and further refine future rulemaking regarding security and privacy.

In addition to the highly anticipated audits, OCR’s other plans for 2015 include:

  • A proposed rule that would allow individuals adversely affected by breaches of their protected health information to share in a percentage of the fine assessed by OCR against the party or parties responsible for the breach.
  • Additional guidance regarding the “minimum necessary” rule, which OCR views as intended to advance the policy goal that PHI only be used or disclosed when necessary for a particular purpose or to carry out a specific function.
  • Further clarification and guidance concerning the use of cloud storage and cloud computing services that have proliferated since the last major regulatory pronouncements related to the Security Rule.
  • Rulemaking related to the provision of an accounting of PHI disclosures upon request to patients.

ePHI Data Breach and the Consumer Fraud Act

The important protection against data breach liability that comes from encrypting ePHI has been pointed out a number of times on this blog. Although not strictly required by the HIPAA or HITECH security rules, encryption is a practical solution to a potentially big problem. Indeed, the Office for Civil Rights has commented in the past that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable.” Under the Security Rule, encryption is an “addressable” implementation specification, which nonetheless becomes effectively required under the “reasonable and appropriate” standard applied when security measures are evaluated after a breach. A covered entity that chooses not to encrypt must document why encryption was not reasonable and appropriate in its environment and what equivalent alternative measure it implemented instead, and after a breach it bears the burden of defending that decision.

In any event, the persuasiveness of the argument for encryption as a matter of routine was strengthened on January 9, 2015 when Governor Christie signed Senate Bill 562 into law as P.L. 2014, c. 88.

This is an amendment to the New Jersey Consumer Fraud Act that will be codified at N.J.S.A. 56:8-196 to 56:8-198. The new legislation has an effective date of August 1, 2015.

It uses the definition of individually identifiable health information found in the HIPAA Privacy Rule and incorporates it into a broader category of “personal information.” N.J.S.A. 56:8-196. As of its effective date the statute mandates that a health insurance carrier shall not compile or maintain computerized records with personal information “unless that information is secured by encryption or by any other method of technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” N.J.S.A. 56:8-197. It explicitly provides that “more than the use of a password protection” is required if the password program only prevents general unauthorized access and does not render the information “unreadable, undecipherable, or otherwise unusable.” These requirements are directed at computer systems broadly, including desktop computers, laptops, tablets or other mobile devices, and removable media.

New Jersey is the second state to impose explicit encryption requirements on personal information in a computerized form. Massachusetts had taken the first step with regulations effective in 2010 that had been promulgated pursuant to its anti-identity theft legislation. See generally 201 Mass. Code Regs. 17.04. The New Jersey restrictions currently apply only to health insurance carriers and do not extend to health care providers. This is consistent with the long-standing general proposition that the New Jersey Consumer Fraud Act does not apply to licensed professionals such as physicians or hospitals who are subject to comprehensive regulations by their own regulatory bodies. See, e.g., Macedo v. Dello Russo, 178 N.J. 340, 344-46, 840 A.2d 238, 240-42 (2004); Hampton Hosp. v. Bresan, 288 N.J. Super. 372, 381-83, 672 A.2d 725, 730-31 (App. Div.), certif. denied, 144 N.J. 588, 677 A.2d 760 (1996). But the statute certainly may be viewed as an expression of best practices if not an emerging standard of care.

Pursuant to N.J.S.A. 56:8-198 violations of the computer encryption statute are declared to be “an unlawful practice” subjecting violators to consequences under the Consumer Fraud Act. These include penalties of up to $10,000 for the first violation and up to $20,000 for the second and any subsequent violation. The Attorney General can bring an action for a cease and desist order and the court can order restitution. Lastly, an individual consumer who can demonstrate an ascertainable loss and a causal nexus between the alleged act of consumer fraud and the damages sustained can bring a private action for treble damages and attorney’s fees.

Overseas Hackers Suspected In Second-Largest HIPAA Breach In History Affecting 4.5 Million Patients

In its most recent SEC Form 8-K filing, dated August 18, 2014, Community Health Systems, Inc. (CHS), which operates 206 hospitals in twenty-nine states, announced that an “Advanced Persistent Threat” group originating from China used “highly sophisticated malware and technology” to infiltrate its computer systems “and successfully copy and transfer certain data” in the form of “non-medical patient identification data,” including names, addresses, birthdates, telephone numbers and Social Security numbers, affecting 4.5 million individuals who were patients at CHS in the last five years. This represents the second-largest breach of PHI in HIPAA history to date.

According to CHS, no credit card, medical or clinical information was compromised.    CHS has said that it has appropriately reported this incident in accordance with federal and state law, that it will be offering free credit monitoring to affected individuals, and that it possesses sufficient cyber/privacy liability insurance to address some of the losses related to remediation expenses, regulatory inquiries, litigation and other liabilities.

According to media reports, the intruders exploited the so-called Heartbleed flaw (CVE-2014-0160), a missing bounds check in OpenSSL’s implementation of the TLS heartbeat extension. A heartbeat request whose declared payload length exceeds its actual length causes a vulnerable server to answer with up to 64 KB of whatever happens to follow the request in the server process’s memory. The attack requires no authentication, leaves no trace in ordinary server logs, and, when repeated, can recover passwords, session cookies, banking credentials and other sensitive data, including the server’s own private key. Heartbleed was publicly disclosed, together with a fixed OpenSSL release, on April 7, 2014.
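The flaw is a missing length check, which is easier to see in code than in prose. The following is an added illustration written for this page, a Python simulation rather than OpenSSL’s C source or anything from the CHS incident: a byte string stands in for the server’s memory, vulnerable_respond mirrors the unchecked copy in OpenSSL 1.0.1 through 1.0.1f, and patched_respond mirrors the two bounds checks added in 1.0.1g. The cookie and credential in ADJACENT_SECRETS are constructed values.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 0x01, 0x02
HDR_LEN = 1 + 2          # heartbeat type byte + 16-bit payload_length
PADDING_LEN = 16         # RFC 6520 requires at least 16 bytes of padding
PADDING = b"\x00" * PADDING_LEN


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; declared_len lets the sender lie about payload size."""
    if declared_len is None:
        declared_len = len(payload)
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + PADDING


def vulnerable_respond(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g logic: copy payload_length bytes starting at the request payload,
    never consulting record_len to check that they lie inside the record received."""
    (plen,) = struct.unpack("!H", memory[1:3])
    payload = memory[HDR_LEN:HDR_LEN + plen]        # over-read: runs into adjacent memory
    return bytes([HB_RESPONSE]) + struct.pack("!H", plen) + payload + PADDING


def patched_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g logic: silently discard any heartbeat whose declared length does not fit."""
    if record_len < HDR_LEN + PADDING_LEN:
        return None                                    # too short to hold header + padding
    (plen,) = struct.unpack("!H", memory[1:3])
    if HDR_LEN + plen + PADDING_LEN > record_len:
        return None                                    # payload_length lies; drop it
    payload = memory[HDR_LEN:HDR_LEN + plen]
    return bytes([HB_RESPONSE]) + struct.pack("!H", plen) + payload + PADDING


# Constructed stand-in for the bytes that happen to follow the request on the heap
# (a fake session cookie and a fake credential; not real data).
ADJACENT_SECRETS = (b"Cookie: session=deadbeef0001; "
                    b"Authorization: Basic YWRtaW46aHVudGVyMg==")


def process_memory(record: bytes) -> bytes:
    """Model the server's heap: the received record followed by unrelated data."""
    return record + ADJACENT_SECRETS


def exploit_attempt(declared_len: int = 0x4000) -> Tuple[bytes, Optional[bytes]]:
    """Send a 2-byte payload that claims to be declared_len bytes long. Returns the
    payload the vulnerable server leaks and the patched server's response."""
    record = build_heartbeat(b"hi", declared_len)
    mem = process_memory(record)
    leaked = vulnerable_respond(mem, len(record))
    (plen,) = struct.unpack("!H", leaked[1:3])
    return leaked[HDR_LEN:HDR_LEN + plen], patched_respond(mem, len(record))


def honest_request(payload: bytes = b"ping") -> bytes:
    """A well-formed heartbeat is still echoed by the patched code."""
    record = build_heartbeat(payload)
    resp = patched_respond(process_memory(record), len(record))
    (plen,) = struct.unpack("!H", resp[1:3])
    return resp[HDR_LEN:HDR_LEN + plen]


if __name__ == "__main__":
    leaked, dropped = exploit_attempt()
    print("vulnerable server returned:", leaked)
    print("patched server returned:", dropped)
    print("patched server echoes honest request:", honest_request())
```

Nothing in the exchange is authenticated or logged as an error, which is why the text above can say the read is undetectable by ordinary means: to the server it is just a heartbeat it answered. The fix is a handful of comparisons, so the compliance question in a case like this becomes how quickly exposed systems were patched once those comparisons were available.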

If this loss is in fact the result of Heartbleed, it would be among the first major breaches publicly attributed to it. Given the size of the breach, OCR will almost certainly investigate and examine whether CHS’s risk analysis and risk management programs were sufficient. Since a fix was available on the day the vulnerability was publicly announced, the investigation will likely focus on whether CHS should have patched its exposed systems sooner in the window between Heartbleed’s disclosure on April 7, 2014 and the attacks, which occurred in April and June of 2014. Fortunately for CHS and the individuals affected, CHS appears to have planned in advance for a breach, as evidenced by its cyber/privacy insurance.

Focusing HIPAA Security Based on HHS’s 2011-2012 Annual Breach Report

The Department of Health and Human Services (HHS) recently released to Congress its 2011-2012 annual report on breaches of unsecured protected health information (PHI). In addition to the staggering number of individuals whose PHI was the subject of such breaches, this report, along with a companion report focused on compliance with the breach notification rule, provides valuable insights into OCR’s compliance trends.

In 2011 and 2012, breaches involving 500 or more individuals accounted for almost 98 percent of all individuals (almost 15 million) whose PHI was compromised over those two years.

These data highlight key areas of vulnerability, particularly with respect to electronic PHI.  With the increasing adoption of certified EHR technology through Meaningful Use, the potential for technological exploitation of ePHI vulnerabilities will continue to multiply.  Strategies that could offset this risk include:

  1. Updating and Monitoring Risk Analyses and Risk Management. OCR has already identified risk analysis and risk management as areas of increased compliance scrutiny. All PHI handlers must perform a thorough risk analysis that identifies and addresses potential risks and vulnerabilities to all ePHI in their ecosystem, regardless of its form or location. This review would include all computers, tablets, mobile devices, USB “flash” drives and network transmission of ePHI.
  2. Conducting Regular Security Evaluations. Security evaluations should be done periodically and also incorporated into any change in operations, such as a facility, office or data relocation, that could potentially affect the security of PHI. Clear policies and procedures should be put in effect to ensure that adequate physical and technical safeguards remain in place from the start of the transition through the resumption of normal operations. Technical evaluations of new software, hardware, websites, and other changes to IT infrastructure should be performed by qualified experts before these systems go “live,” to ensure that ePHI will not be inadvertently exposed.
  3. Monitoring Security and Control of All Portable Electronic Devices. Policies should be implemented requiring that ePHI stored and transported on portable electronic devices be properly safeguarded. This includes mandating the use of appropriate encryption technologies and clear policies and procedures concerning the receipt and removal of portable electronic devices and media containing PHI, and how such information must be secured while off-site.
  4. Secure Disposal of PHI and Media Containing PHI. Employees should be given clear procedures to ensure destruction of paper-based PHI, including documenting the proper disposition of the files. Similarly, if an electronic device is going to be reused or repurposed, it should first be securely wiped to ensure all ePHI is removed and rendered unrecoverable. Any discarded electronic devices should be securely destroyed and that process adequately documented.
  5. Securing Physical Access Controls. Physical security should not be overlooked in the technological landscape of modern healthcare. Organizations should ensure that physical access to their facilities and workstations is limited to authorized employees.
  6. Continuous Employee Training. Privacy and security policies and procedures are virtually worthless if employees are not properly trained on them. Employees and managers should be trained (and re-trained) concerning high risk areas such as proper disclosure of PHI and security requirements. Employees should also be made aware of sanctions and other consequences for failing to follow proper security and privacy policies and procedures.

HHS has previously stated that in 2014 it will emphasize compliance and security more than ever.  Already in 2014, HHS has collected more in resolution agreement settlements than it did in all of 2013.  Securing PHI is not only required by HIPAA, it also makes sound business sense in case your organization is investigated or randomly audited for HIPAA compliance.

ONC’s Look Ahead to “An Interoperable Health IT Infrastructure” Within 10 Years

The Office of the National Coordinator for Health Information Technology (ONC) has released an ambitious “concept paper” setting forth its “10-Year Vision to Achieve An Interoperable Health IT Infrastructure.” The goal is to “make the right data available to the right people at the right time across products and organizations in a way that can be relied upon and used by recipients.” ONC has identified three-, six-, and ten-year agendas toward this objective.

Though HIPAA’s enactment in 1996 and the meaningful use of certified electronic health record technology (CEHRT) have led to impressive advances in technological innovation, ONC’s ten-year vision promises even more changes to come.

Extraordinary leadership will be required of ONC in collaboration with state and local governments, as well as the private sector.  To achieve this, ONC has identified “five critical building blocks” upon which to focus its efforts:

  1. Core technical standards and functions which build upon existing health IT (HIT) infrastructure;
  2. Certification to support adoption and optimization of health IT products and services;
  3. Privacy and security protections for health information, and greater transparency for individuals regarding the business practices of entities that use their data, even those users not specifically covered under the HIPAA Privacy and Security Rules;
  4. Supportive business, clinical and regulatory environments;
  5. Rules of engagement and governance.

Within three years, ONC intends to further standardize the vocabulary and structure of essential information, as well as address critical issues such as data provenance, data quality and reliability, and patient matching. All of these efforts are geared toward improving the quality of interoperability and accommodating the vastly increased quantity of information captured by HIT infrastructure. Simultaneously, a “common framework to enhance trust” will be implemented by addressing key privacy, security, and business policy and practice challenges related to the secure exchange of health information across existing networks. In addition, ONC intends to advance policy and programmatic stimuli to encourage the use of this information in a manner that supports care delivery reform, improves quality, and lowers costs.

Within six years, by 2020, ONC envisions that individuals, care providers, and public health departments will send, receive, find and use an expanded set of health information across the entire industry in support of “team-based” care. By this time, interoperability between CEHRT and medical devices will enable remote monitoring from virtually any location, including homes, schools, and workplaces.  Data aggregation will give rise to “multi-payer” claims databases and clinical data registries.  Using this information, providers will be able to aggregate and trend information within and across groups of patients, and payers (including Medicare and Medicaid) will be able to implement value-based payment systems based on clinical analyses.

In 10 years, according to this ONC report, information sharing will be standardized and improved at all levels of public health, enabling patient-centered research to be better targeted, and individuals will be able to manage information from their own mobile devices and share that information seamlessly across multiple electronic platforms, such as healthcare providers, social service agencies, and consumer-facing applications. In addition, these data will enable public health surveillance and retrospective analyses on an unprecedented level.

ONC’s roadmap depends on continued support and engagement from all healthcare stakeholders who are encouraged to be active participants in shaping the decisions which will define this industry for years to come.