Carolyn Duffy Marsan has an informative piece on Government Health IT about the different requirements of different pieces of federal legislation and how they impact sharing federally held health data with the private sector. She writes, in part:
FISMA has 171 information security controls that are mandated for federal agencies. In contrast, the U.S. healthcare industry must meet the Health Insurance Portability and Accountability Act (HIPAA), which has only 101 of the FISMA controls.
“There is a gap of approximately 70 controls between FISMA and HIPAA,” Sankaran said. The challenge in healthcare information exchange is that data will be flowing from a more-secure FISMA-compliant federal system to a less-secure HIPAA-compliant private sector system.
“How do you make sure the information remains secure as it flows through two different domains of security controls?” Sankaran asked.
Among the questions that need an answer from OMB is whether data that moves from a federal computer system to a private sector system is still considered federal data, and whether the recipient of that data needs to comply with FISMA. “This requires clear guidance from OMB to the agencies’ Designated Approving Authorities (DAAs) about moving data between federal and private sector systems,” Sankaran said.
Read more on Government Health IT.