  The Health Record Review
by Patty Enrado


Balancing privacy and sharing health information

The Health IT Standards Committee approved privacy and security standards for electronic health record systems on Tuesday, September 15th. The federal advisory panel is tasked with delivering a set of standards that meet the HITECH Act's more stringent rules under the Health Insurance Portability and Accountability Act (HIPAA).

David McCallie, vice president for medical informatics at Cerner Corp. and a Health IT Standards Committee workgroup member, said the standards have been designed to become progressively tougher without impeding health information exchange. What does that look like to the rest of us? McCallie brought up the example of information exchange between two organizations that have different privacy and security policies. He posed the question of whether the standard should follow the high-bar or low-bar policy.

Will opting for the high-bar policy discourage entities from participating in health information exchange because the required changes are too complex or would meet resistance from an organization's leaders? Or will supporting the low-bar policy make people nervous about potential vulnerabilities? If the standards will be embracing more stringent rules, I'm assuming the answer is to opt for the high bar.


I'm no expert in the evolving privacy and security standards, but a few things came to mind as I read about the committee's endorsement. The Federal Health Architecture (FHA) has been working to establish health information exchange among a number of federal agencies. That's a done deal. The next big step for FHA is figuring out how to deal with data from the Department of Defense (DoD) when it moves into the private sector. If data coming from the DoD is classified federal data, which is tightly controlled through the Federal Information Security Management Act (FISMA), any entity receiving that data will need to comply with FISMA. I suspect that would be akin to raising the privacy and security bar for the receiving entity, which would mean a lot of policy changes. It would be worthwhile to see what progress, if any, FHA has made in this area and how FHA's work can inform the Health IT Standards Committee's work.


The other thing that came to mind is the various health information exchanges (HIEs) and regional health information organizations (RHIOs) that are currently exchanging health data. There are many examples of the federated model, in which clinical information is not stored in a central repository. Fallon Clinic, and partners Fallon Community Health Plan and the UMass Memorial Health Care System, developed SAFEHealth (Secure Architecture For Exchanging Health Information). This HIE is a federated model with edge servers, so only data the participating entity is willing to share sits on the servers. As such, no major changes in an organization's privacy and security policies are needed.


The central repository model requires participants to agree to the HIE or RHIO's policies, so participants with different privacy and security policies have had to make changes. And one imagines that original participants and new participants have decided that the benefits of health information exchange outweigh adjusting their privacy and security policies.


As I wrote earlier, I'm not an expert in this area. The committee comprises members with enormous expertise. At the same time, there are successful HIEs and RHIOs out there to glean best practices. And FHA's work, which should be commended for the scope and success of its endeavors, has a lot to offer, too.