FISMA is becoming a roadblock for electronic health record implementation, Government Health IT magazine reported this week.

The Federal Information and Security Management Act (FISMA), passed by Congress in 2002 to better protect the federal government against cyber attacks, mandates information security standards for all federal agencies. This includes the flow of data between the Centers for Medicare and Medicaid (CMS) and their contractors—over 200 hundred of them, processing billions of Medicare claims. The new worry from CMS, according to Government Health IT, is that healthcare providers sharing EHR files will be required to meet FISMA standards, which include an annual security test and FISMA certification.

A CMS spokesperson is quoted as saying that this would be more than “burdensome” for both CMS and health care providers and organizations.

The conundrum is that information will be moving between the HIPPA world (the private sector) and the FISMA world (the government)—that latter of which is much more secure, from a protocol/standards perspective. Federal agencies are held to a higher standard than the private sector with respect to information security.

For a long time, consumer groups have argued that HIPPA is a weak standard for patient information security. Yet, many worry that if FISMA is applied to the private sector, there will be a compliance crisis that will be costly to remedy. But why shouldn’t the transfer of health information be held to the highest security standards? Advocates of a middle ground argue “yes,” but not quite as stringent as FISMA. They standards should be more of a more of a “HIPPA-plus” or “FISMA-lite,” in the words of Vish Sankaran, a program director for the Federal Health Architecture project to connect health information entities.

In other words, get health care providers better engaged in securing healthcare information but do not stunt the growth of the EHR movement by placing the bar too high.

In the end, the Office of Management and Budget will dictate the debate through their determination of what falls under the FISMA umbrella. In August of 2008, OMB issued some guidance, stating that FISMA applies to groups that “possess or use Federal information—or which operate, use or have access to Federal information systems (whether automated or manual)—on behalf of a Federal agency.” OK, that could include a ton of organizations.

Confusing? You bet. This is government language after, all. Much like statistics, just mold it to your current need.

There is still debate over whether, for example, health information exchanges (HIEs) that “exchange” information but do not “access” federal information systems need to be FISMA compliant. In any event, there is a strong and important need to address information security in the field of healthcare. Will FISMA be the best vehicle for achieving information security with respect to patient information? That remains unresolved, but hopefully, the work to find a middle ground, coaxing the private sector into requiring more robust security standards, will be the outcome.

Above article published on

http://ohmygov.com/blogs/general_news/archive/2009/06/30/fisma-a-roadblock-for-ehrs.aspx