As the “meaningful use” criteria is being written for the adoption of health IT for healthcare providers, government officials are beginning to worry about the implications of the Federal Information Security Management Act (FISMA) regulations on such a new industry. Many organizations are struggling to meet the Health Insurance Portability and Accountability Act (HIPAA) regulations and other state laws on security. Some officials believe that forcing them to comply with FISMA as well could stop companies from adopting electronic health records (EHRs).
Vish Sankaran, Director of the Federal Health Architecture for the Office of the National Coordinator, called FISMA “a showstopper for us.”
Under FISMA regulations, private-sector healthcare would have to meet FISMA standards before receiving information from the National Health Information Network (NHIN). Government officials are looking to the Office of Management and Budget to set lower guidelines that would allow private-sector providers to exchange information with federal agencies without full adoption of FISMA.
Julie Boughn, the CIO for the Center for Medicaid Services (CMS), believes that health providers should have strict FISMA-like standards because it is a good business practice, yet she does not want government agencies to be stuck with the job of certifying all of the companies. She thinks that they should set their own standards, similar to the way that online stores set theirs.
Boughn said “we should be doing this because if the public would lose confidence in us, then we would set this goal of electronic health records back,” but she also believes that “scaling FISMA oversight to millions of healthcare providers would be a daunting and expensive challenge.”
What officials are calling for is some sort of compromise between the two sets of regulations. Sankaran has suggested a “HIPAA-plus” or “FISMA-lite” set of standards that would create a realistic system for certifying private healthcare providers. HIPAA, which was designed for hospitals and doctors before the electronic age, has only 101 security controls while FISMA has 171 controls.