Security Gap Imperils Meaningful Use Promise

Would you spend $19 billion to promote unsecured electronic health records? No? That would be crazy? Well, your government is getting ready to do just that.

Come January 2011, providers can start applying for EHR meaningful use incentive payments, and by May the first organizations could be getting checks for demonstrating that they are realizing the benefits EHRs have always promised.

That's wonderful ... but I remember that a core tenet of the HITECH Act, which spawned meaningful use, was assuring consumers that their electronic protected health information was safe and secure. However, appropriate safeguards aren't in place and won't be in place when meaningful use starts. The Department of Health and Human Services is working to finalize new privacy and security rules, but that work should have been done by now.

A scant two months before at least $19 billion of taxpayer dollars become available for incentive payments, your electronic protected health information need not be encrypted under federal law (the HIPAA Security Rule treats encryption as an "addressable" specification, not a required one). And provider organizations don't have to report major breaches of protected health information if they--not patients or regulators--decide that no harm will come from a breach. That "harm threshold" loophole in the breach notification rule remains.

The bottom line is that security requirements in Stage 1 meaningful use essentially endorse the status quo. So, let's look at the status quo.

The breach rule requires HHS to post reported breaches affecting 500 or more patients on a publicly accessible Web site. Breaches of data that was encrypted or otherwise rendered "unusable" need not be reported. That safe harbor is only as strong as the encryption behind it: it covers encryption consistent with HHS guidance, and it does not apply if the decryption key was exposed along with the data. Thirteen months after the federal breach Web site went live, there are more than 180 listed breaches. That's a little less than one major breach every two days. All of the listed breaches involve paper or unencrypted electronic information, which is what you would expect, since encrypted data is exempt from reporting. But because of the harm threshold, how many major breaches have NOT been reported and listed because a provider organization decided--on its own--that no harm would result?

There are a lot of folks in the industry who believe that HHS has taken too long to finalize HITECH rules. I'm not part of that crowd. Congress gave HHS a ton of regulatory work and impossible deadlines. HHS in my mind has done a far quicker job coming out with HITECH rules than it previously has with other major initiatives. Does anyone remember how incredibly long it took to get the HIPAA transactions, privacy and security rules into effect?

But ... fixing major gaps in securing electronic protected health information should not have been an area that fell behind, and it can't keep falling behind. The federal government simply cannot assure patients that their health data is secure when that data doesn't have to be encrypted and providers can decide whether or not to report breaches.

HHS officials have to know this.
