What is the ONC?” is a good question for public health, because for the longest time, it seems that health information technology and public health were not connected in the United States (US). ONC stands for “Office of the National Coordinator” which meant “for health information technology (IT)” and so I was used to calling it ONCHIT. Now it is just called HealthIt.gov, and what it is has evolved over time as much as its name.
What is the ONC?
The ONC is the health information technology standards agency at the federal level in the US. You may be surprised to learn that the ONC has only been around since 2009. Before then, you could buy medical records systems that were totally insecure. You probably still can, but the ONC has made that pretty difficult through regulation and other approaches.
What does the ONC do?
The ONC was created as part of the HITECH Act of 2009, which was kind of an edit to the HIPAA act of 1996. The ONC was needed in an emergency capacity, mainly to set tech standards in healthcare so we didn’t have all these slapdash medical record companies putting together crap for software and calling it a database. But it ultimately went on to do more, such as certifying medical records software for “meaningful use”.
Before HITECH, medical records systems would often be set up so that it was not very easy to do reporting. You could look up individual records, but good luck if you wanted to try to do population health with the data. There were really no standards on how to use the software, so places would use it “their way”. Now, with meaningful use standards, medical record systems are forced to produce reports with health metrics on them about the population in the medical records system. Basically, ONC certifies these systems that are able to do that, and those are now the ones that are available.
The overall dream with ONC was health data exchange. I never believed in that dream, because the US healthcare system is too fragmented for something like that to occur at any reasonable cost. Nevertheless, ONC and the federal government have sunk a lot of funding into data exchange, and now we have huge data marts full of health data all over the US just waiting to be breached and overanalyzed.
My Take on the ONC
I was happy when they set up the ONC, because we needed the ONC much earlier than we got it. I needed it in 2004, when a place where I was working was conned into buying some trash that was supposed to be a medical records system. I could tell it was trash because the company didn’t hide it very well, but the way they saw it, all they had to do was charm doctors into believing their impossible promises, and once that happened, the doctors would insist on buying it. This had happened before 2004 to me, but the 2004 experience was particularly painful. Millions of dollars were wasted on a failed implementation, and that money could have gone toward research or patient care.
That being said, since the ONC was set up in 2009, there have been problems. On one hand, it has caused regulation and certification, which is good. But this has driven up two important things: the cost of healthcare, and the amount of data collected in healthcare systems. These two things have caused enormous problems.
Let’s look at the first thing – regulation and certification driving up costs. Where informatics systems are implemented optimally in healthcare in the US – with meaningful use and all that – the care delivery feels very impersonal. Everyone is always doing data entry, including the patients. Everyone is overmeasured – even the people doing the measuring. So while everything appears to be running right, it is a very expensive system to maintain, and the population health outcomes are minimally better at best.
Now the second thing – having piles of data collected about everyone. This has led to constant data hacks and breaches, because these systems are ripe targets. They are a hacker’s dream. The ONC and HITECH have not put in place any sort of regulations the require a certain level of cybersecurity. A hospital can be fined for having employees recklessly share information illegally under HIPAA, but there’s no mechanism to fine it if has bad cybersecurity, because HITECH and ONC don’t obligate facilities to rise to any particular standard. If they did, our health data would be more secure, but costs would go up even more.
So when we ask, “What is the ONC?” we can be assured that it is making and trying to enforce regulations about healthcare technology. The question is whether these regulations are worth what they cost, and if ONC’s current role is really helping the US improve its use of health information technology.
Updated April 9, 2022.
“What is the ONC?” is what I used to ask before I realized it involves health technology. Although ONC just means “Office of the National Coordinator”, this agency is now known as HealthIT.gov, as I explain in my blog post.