In September 2024, the Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) released its 2024–2030 Federal Health IT Strategic Plan. The plan was developed in collaboration with more than 25 federal organizations and comments from the public. It defines the goals, objectives, and strategies of the government to improve health experiences and outcomes.
The 2024–2030 plan builds on ONC’s 2020–2025 version, emphasizing the policy and technology components that are essential for securing electronic health data.
ONC and healthcare
ONC advances the adoption and use of robust health IT infrastructure and promotes the nationwide exchange of health information. As an office within HHS, it coordinates national efforts to implement advanced health IT and facilitates the secure exchange of health information. To that end, ONC creates policies to improve healthcare in the United States through technology.
ONC’s 2020–2025 Federal Health IT Strategic Plan concentrated on privacy and security along with strong API standards. Prime objectives of this plan included increasing patient empowerment and high-quality patient care, as well as improving health outcomes. Published in 2022, the Trusted Exchange Framework and Common Agreement (TEFCA) furthered the focus of the 2020–2025 plan. It defined the standards for interoperability as required by the 2021 21st Century Cures Act.
TEFCA broadened the idea of access by including health information networks, federal agencies, public health, individuals, payers, providers, and technology developers. Soon after, ONC updated its Common Agreement for Nationwide Health Information Interoperability through TEFCA for Qualified Health Information Networks (QHINs). A QHIN is a network of people or organizations working together to share data.
The 2024–2030 Federal Health IT Strategic Plan
ONC’s 2024–2030 plan furthers the objectives of the 2020–2025 plan to improve health access and deliver better patient care. Accordingly, the broad goals of both plans center on:
- Promoting health and wellness
- Enhancing the delivery and experience of care
- Building a secure, data-driven ecosystem to accelerate research and innovation
- Connecting healthcare with health data
The 2024–2030 plan stresses the importance of the policy and technology components used to secure the data of all health IT users. Within it, ONC added language to address advancing TEFCA “to create a universal governance, policy, and technical floor for nationwide interoperability; enabling individuals to access their [electronic health information] and simplifying connectivity for organizations to securely exchange information.”
Goal 1: promote health and wellness
The first goal aims to improve health experiences and outcomes for individuals, populations, and communities. The overall idea is to increase reach and trust, and thereby the delivery of high-quality patient care. With this goal, the objectives are to help individuals and communities feel more empowered to manage their health, experience modern and equitable healthcare, and feel healthier and safer.
Specific tactics to reach this goal comprise:
- Protect individuals’ rights to share their health information with third parties, including third-party applications, of their choice
- Promote education, outreach, and transparency about the use of artificial intelligence (AI) technologies and how analyses and outputs of these technologies are applied across the healthcare ecosystem
- Leverage individual, population, and public health data to inform action at federal, state, local, Tribal, and territorial levels
Goal 2: enhance the delivery and experience of care
The second goal focuses on improving how patients and caregivers experience care, how healthcare providers and others deliver safe, high-quality care, and how health plans reimburse for care. The objectives of the second goal are to get providers to deliver improved care and reduce regulatory and administrative burden, expand access and reduce or eliminate disparities, improve competition and transparency, and get the health workforce to use health IT with confidence.
Some specific ideas to do this are:
- Use health IT to support payment for high-quality, value-based care
- Expand health IT use beyond hospitals and clinician offices
- Foster a safe and secure health application market
- Provide education and outreach on applicable regulations and expected business practices related to electronic health information sharing
- Leverage health IT expertise from different healthcare settings
Goal 3: accelerate research and innovation
The third goal emphasizes advancing opportunities to accelerate scientific discovery and innovations. Its objectives involve giving researchers and other health IT users access to high-quality data, enhancing individual and population-level research with health IT, and advancing health equity by using health data that incorporates underrepresented groups.
Strategies to reach this goal include:
- Streamline secure access to, exchange of, and use of linked health data for research and post-market surveillance
- Broaden the use of new technologies and analytic approaches that utilize structured and unstructured data
- Address bias in guidelines used in health IT
Goal 4: connect the health system with health data
The final goal concentrates on the policies and technologies needed to support the data needs of health IT users. Its objectives include advancing the development and use of health IT, giving health IT users clear and shared expectations for data sharing, ensuring underserved communities have access, ensuring that PHI remains protected, private, and secure, and supporting communities with modern and integrated public health systems.
Several plans created to make this happen are:
- Reduce financial and regulatory barriers to innovation
- Advance TEFCA to create a universal governance, policy, and technical floor for nationwide interoperability
- Advance equitable access to affordable technology and broadband
- Increase individuals’ understanding of and control over their health information
- Develop, align, test, and implement data standards
The importance of health IT in healthcare and HIPAA
Healthcare organizations operate within the stringent regulatory framework of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets national standards for safeguarding personal health data and ensures its confidentiality, integrity, and availability. The need to safeguard PHI is at the heart of creating a protected health IT environment. This is why ONC mentions HIPAA within its 2024–2030 plan and works within those regulations to promote health IT.
Integrating sound cybersecurity practices is not only a defensive measure but a proactive one as well. Cybersecurity measures, such as data encryption and rigorous access controls, prevent unauthorized access and maintain patient-provider trust. A layered cybersecurity program also helps organizations avoid severe penalties, legal repercussions, and reputational damage.
Such safeguards are needed to help ONC further its health IT strategies. By offering guidance and practical support, ONC facilitates the successful integration of health IT into healthcare and furthers its goals as laid out in its federal health IT plans.
FAQs
Who must comply with HIPAA?
HIPAA compliance is required for:
- Covered entities: These include healthcare providers, health plans, and healthcare clearinghouses.
- Business associates: These are individuals or entities that perform certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI.
What are the penalties for noncompliance with HIPAA?
Penalties for noncompliance can range from monetary fines to criminal charges, depending on the severity and circumstances of the violation. The Office for Civil Rights (OCR) can impose penalties, which can range from $1,307 to $68,928 per violation, with a maximum annual penalty of $2,067,813.
How does HIPAA impact electronic health records (EHRs)?
HIPAA mandates that electronic health records (EHRs) must be secured to protect patient information. This involves implementing access controls, encryption, audit controls, and transmission security measures.
How can an organization ensure HIPAA compliance?
- Conduct risk assessments: Regularly assess potential risks and vulnerabilities to PHI.
- Implement safeguards: Administrative, physical, and technical safeguards to protect PHI.
- Develop policies and procedures: Ensure clear guidelines for handling PHI.
- Training and awareness: Provide regular training to employees on HIPAA compliance.
- Incident response plan: Establish procedures for responding to breaches of PHI.