OCT 26, 2010 9:53am ET

Security Gap Imperils Meaningful Use Promise


Would you spend $19 billion to promote unsecured electronic health records? No? That would be crazy? Well, your government is getting ready to do just that.

Come January 2011, providers can start applying for EHR meaningful use incentive payments and by May the first organizations could be getting checks for demonstrating they are receiving the benefits that EHRs have always promised.

That's wonderful ... but I remember that a core tenet of the HITECH Act that spawned meaningful use was assuring consumers that their electronic protected health information was safe and secure. However, appropriate safeguards aren't in place and won't be in place when meaningful use starts. The Department of Health and Human Services is working to finalize new privacy and security rules, but that work should have been done by now.

A scant two months before at least $19 billion of taxpayer dollars become available for incentive payments, your electronic protected health information need not be encrypted under federal law. And provider organizations don't have to report major breaches of protected health information if they--not patients or regulators--decide that no harm will come from a breach. That "harm threshold" loophole in the breach notification rule remains.

The bottom line is that security requirements in Stage 1 meaningful use essentially endorse the status quo. So, let's look at the status quo.

The breach rule requires HHS to post reported breaches affecting 500 or more patients on a publicly accessible Web site. Breaches where the data under question is encrypted or otherwise made "unusable" need not be reported. Thirteen months after the federal breach Web site went live, there are more than 180 listed breaches. That's a little less than one major breach every two days. All of the breaches involve paper or unencrypted electronic information. But because of the harm threshold, how many major breaches have NOT been reported and listed because a provider organization decided--on its own--that no harm would result?

There are a lot of folks in the industry who believe that HHS has taken too long to finalize HITECH rules. I'm not part of that crowd. Congress gave HHS a ton of regulatory work and impossible deadlines. HHS in my mind has done a far quicker job coming out with HITECH rules than it previously has with other major initiatives. Does anyone remember how incredibly long it took to get the HIPAA transactions, privacy and security rules into effect?

But ... fixing major gaps in securing electronic protected health information should not have been an area that fell behind, and it can't keep falling behind. The federal government simply cannot assure patients that their health data is secure when that data doesn't have to be encrypted and providers can decide whether or not to report breaches.

HHS officials have to know this.


Comments (4)
In my opinion, the Core "Security & Privacy" MU requirement (see below the line) should adequately address any security concerns, if (and ONLY if) providers comply with the requirement diligently by performing the following:

1. A good quality Security Risk Analysis of the whole PHI environment (not just the EHR system) covering all People, Process and Technology aspects.

2. Remediate medium/high risk areas and deficiencies appropriately

That said, I have yet to see an MU discussion from providers, RECs, EHR vendors etc. even touch this requirement, let alone the due diligence that is needed. Most RECs talk about providing security policy/form templates to cover the requirement. Aside from that clearly not meeting the MU requirement, such an approach can only lead to increased breaches as more and more health records go electronic.

I also talk about the MU requirement in my blog post as well. http://rnc2.com/regulatory-compliance/hipaahhitech/providers-is-hipaa-security-risk-analysis-in-your-plan-over-the-next-few-months/

---------------------------- Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process

Posted by Kamal G | Wednesday, October 27 2010 at 8:34PM ET

Blog Archive for Joseph Goedert