At HIMSS16, Former ONC Policy Director Jodi Daniel Dishes on New EHR Certification Process, Healthcare Security

March 7, 2016
At HIMSS16 in Las Vegas, Jodi Daniel, former director of the Office of Policy within ONC, discussed the new proposed EHR certification rule with HCI Managing Editor Rajiv Leventhal, as well as other hot-button health IT topics.
Earlier this week at HIMSS16 in Las Vegas, the U.S. Department of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) proposed a new rule that would aim to further enhance the safety, reliability, transparency, and accountability of certified health IT for users. The “ONC Health IT Certification Program: Enhanced Oversight and Accountability” proposed rulemaking would change the ONC Health IT Certification Program to reflect the widespread adoption of certified electronic health records (EHRs) and the rapid pace of innovation in the health IT market, according to an HHS press release. 
The proposed rule would focus on three areas: direct review, enabling ONC to directly review certified health IT products, including certified EHR systems, and take necessary action to address circumstances such as potential risks to public health and safety; enhanced oversight, increasing ONC oversight of health IT testing bodies; and greater transparency and accountability, making identifiable surveillance results of certified health IT publicly available. The idea, according to Karen DeSalvo, M.D., National Coordinator at Health IT, who spoke about it at HIMSS16, is to create a feedback loop for the EHR development process that hasn't existed before. The comment period for the proposed rule ends on May 2. 
At HIMSS16 in Las Vegas, Jodi Daniel, former director of the Office of Policy within ONC, now with Crowell & Moring LLP as a partner in the Washington, D.C.-based firm’s healthcare group, discussed the proposed EHR certification rule with HCI Managing Editor Rajiv Leventhal, as well as other hot-button health IT topics. Below are excerpts of that interview. 
What are your initial takeaways about the new certified EHR technology proposed rule? What impact do you see it having?
I think it's a response to ONC's role to help address public health and safety. There was the FDASIA [Food and Drug Administration Safety and Innovation Act] framework that came out [in 2014]—the one that ONC did with FDA in which FDA said they won't look at health management and health IT software, and that if it's an ONC certified product, they will leave it to ONC [to review]. My take is that this is ONC's attempt to try to address that safety issue. They do say in the rule that they expect to use the oversight authority infrequently, and I think that's more about the safety concerns than the general user complaints.  
Jodi Daniel
Regarding the greater transparency and accountability aspect of this rule, what kind of information will developers and the government have to disclose to consumers that they don't already? 
I think that a general theme of the rule is that it lacks specificity. There are some questions in the transparency section as well as in the direct review section, where more specificity is needed to understand in what kinds of situations they will be using the authority, what kinds of data they would be asking for, and to really think through the impact of what is being proposed. I would expect that commenters will provide some input and ONC will flesh that out more. 
Some have said that the ONC EHR certification process, in its current form, hampers innovation. How would you respond to that assertion? 
I think it is fair to say that resources need to be spent to meet the certification requirements that may otherwise have been able to be spent elsewhere. That is a fair comment that vendors have made. That said, there is a lot of room for innovation beyond the certification requirements. Yes, it does take some resources, and I know vendors have spent time time to comply with those requirements, but there is plenty of room to innovate beyond what is being required by the government. 
Moving to other areas, can you use your HIPAA privacy and security expertise to shed some light in how far the industry has come in these areas?
The industry has evolved, but there needs to be more. There are going to be security risks and breaches no matter what anyone does, and it's really a game of trying to continually improve security protections and mitigating risks. So yes, there has been progress in protections and securing data, and yes, you will continue to see improvement. As the folks who try to breach information get more sophisticated, so will the technology. It is a continual process, and I do think the efforts spent on security by the developers and by the users will have to step up because there is so much concern. 
Do you think the recent HIPAA guidance we have seen from HHS' OCR [Office for Civil Rights] will have an impact? 
I helped write the original HHS requirements for the HIPAA rule back in 2000, and it was pretty groundbreaking back then. I think there has still been a limit to the number of folks who have taken advantage of their right to access their data, and the government has been trying hard to release guidance and promote patient access to their data, and make it easier for that to happen. 
There are a few things that will probably need to change beyond just messaging before we see patients really accessing their data in a widespread way. There needs to be a bigger benefit to patients rather than just having the data or knowing what's there. As you see more tools developed that help people make sense of that information or combine that information with other information, or where providers are asking for that information to go through the consumer, until you see something driving that, I don't think you will see huge adoption. 
I also think that there are still operational challenges that make it hard for patients to access their data. You still have to ask for it. I go into the doctor's office, and if there is new information, I still have to ask for it; there isn't an automatic feed. OCR did a good job of trying to say these are barriers that shouldn't be there, but there are still operational barriers to patient access to their data. Until it's easy and meaningful, we won't see widespread access to data. I think it's changing though. The government will continue to try to do what it can to promote access. They have been very vocal about that, it's been front and center for the last few years. They will continue to put out guidance and help folks in whatever way they can.
What are your thoughts on the interoperability pledge announced at HIMSS16? Does it have enough teeth? 
It is just a promise; there isn't necessarily a hook other than public awareness and transparency about who has done what. I think a lot of the commitments [in the announcement] are broad, so people can meet them in different ways. I think you will see a lot of folks meeting those commitments through things they were already doing or planning to do, so it's not clear to me how much change you will see as a result of this commitment. But it is good for the government to identify areas that they think people should be putting their energy and focus towards. They are getting lots of different stakeholders to align with a clear set of goals and directions. I think that there is benefit to that, but the [commitments] are high level and broad, and people can comply with them in many different ways. 
A pledge to do something isn't a hook to make them do something. So it is both positive and limited. There are some regulatory hooks already, there are interoperability standards and requirements to make data accessible, and this a layer on top of that. Could more have been done? Possibly, but the devil is in the details for each one of those as far as what the regulatory authority is and how far they could go. There probably would be some limitations in what ONC could do.