ONC Chief Lists Security as His Biggest Current Challenge

In a two-part interview, Micky Tripathi, the head of the Health and Human Services Department's Office of the National Coordinator for Health Information Technology, talks about his department's top priorities and other pressing issues.

Micky Tripathi, PhD, MPP, took the helm of the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology on the first day of the Biden administration in 2021. In a sequel to his two-part conversation with HealthLeaders a year ago, he addresses the ONC's top priorities, as well as health IT issues such as total cost of ownership and going beyond rule-making to help healthcare systems optimize their investment.

This interview has been lightly edited for brevity and clarity.

HealthLeaders: What you see right now as the top technology challenges facing U.S. healthcare?

Micky Tripathi: Certainly security is going to be top of mind for everyone. It's a huge and ongoing challenge. I don't know that that's any different than it should be at any given time. But as we have more and more electronic health record penetration and more interoperability, certainly the security issues related to that rise equally. So that's one very big challenge that we have from a technical perspective.

The other is having appropriate governance around data sharing. I know that's not necessarily a technology issue, but the minute you start to share information, you start to have issues related to data quality, data governance, data use, all of those kinds of things. And then last is privacy. Privacy is a very big deal. And certainly, as we think about the intersection of privacy and technology in healthcare, you start to confront the issues related to information crossing the HIPAA boundary into the hands of individuals and the lack of general privacy law protecting that information once it's in their hands.

HL: How is the US government addressing these challenges?

Tripathi: With security, it's a kind of a multi-pronged thing. From an ONC perspective, we have our certification role, and certification requirements that relate to the basic security processes and technologies that are required for certified health IT systems. And that is very much coupled with the HIPAA security rule, which has a whole bunch of requirements related to what HIPAA-regulated entities are required to put in place, things like encryption. So that works very much hand in glove. And other parts of the department, like the CIO's office, also have been active in trying to inform the healthcare delivery system and healthcare providers about the need for security protections in their environments.

At the end of the day, every place that is managing IT, the security is only as good as the policies that they implement, and their diligence around those policies and technologies. That's the bigger challenge: That we live in a very fragmented healthcare delivery system, and there's nothing that the federal government can do to say, let's just turn this crank, or flip this switch, and everyone will be secure. It's really about constant diligence, constant awareness, and making sure that there's alignment and awareness of security issues.

Micky Tripathi, head of the Health and Human Services Department's Office of the National Coordinator for Health Information Technology. Photo Courtesy ONC.

With respect to data use, we [have] things like TEFCA, the Trust Exchange Framework and Common Agreement. The hope for that is that you start to have greater commonality and transparency around the rules for sharing information, and a common understanding of a basic set of ground rules for the sharing of information. And that helps to lead to more responsible and more appropriate use. We're also starting to look at issues like algorithms, and what role they play as we think about data use, and certainly everything we're doing with respect to health equity, related to being able to have the capture of that data in better ways, and how do we think about appropriate and responsible use as well.

So [those are] areas that we need to explore and get more into, but we're certainly looking at those as well. TEFCA allows individuals to access information through apps, and those apps are required, contractually. If they're going to want to provide services on TEFCA to individuals, they're required to essentially meet the requirements of the HIPAA privacy and security rule, where as a general matter, they're not required to, because they aren't regulated entities. What we've done is tried to say, well, that if TEFCA is offering a value that they want to participate in, then contractually, they would be required to meet those requirements as well. So in the absence of regulations and policies over which we have no direct authority, we're trying to say, let's do everything we can, to get more of those kinds of protections in the interests of individuals.

HL: Is there a bigger policy role that the federal government should play in looking at equity through the lens of, we have this tremendous investment in AI, through all these private actors, but fundamentally, it seems like a very much succession of black boxes? We don't know how these APIs work. The algorithms are proprietary. So we end up with equity questions that we don't have easy answers to, regarding, is this algorithm endangering a particular population?

Tripathi: Yeah, that's some of the things that we're looking at. There is an interagency group that's been launched to look specifically at AI and equity that's across the US government. And that's just getting started. But the idea there is to start to catalog and capture what's going on across the different federal agencies. What are the different authorities that those agencies have, and how do we want to think about this from a federal government perspective?

Different agencies, the NIH and FDA, have published different sets of guidelines, rules, and principles related to ethical uses of AI. But to your point, a lot of it is still proprietary. There's limits to what you can do there. But we are taking a look at that for sure, across federal agencies and within the federal government. Within ONC, we are looking at it through the lens of electronic health records, which are increasingly the source of data, and increasingly, the ways that AI results get injected into decision making. So we're certainly taking a look at that.

Editor's Note: Part 2 of the HealthLeaders interview with ONC Chief Micky Tripathi can be accessed here.