National Patient Identifiers have been sparking a lot of discussion in the blogosphere in the last few months. Last month a Forbes article posited that a “128-Byte Data Field” identifying an individual could save lives and millions of dollars.
The future of Electronic Health Records (EHR) security will be impacted by the findings of several studies conducted in the past year. From what I can tell, these studies bring with them both good and bad news.
In 2009, the Ways and Means committee put forth the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The bill states that health information technology helps save lives and lower costs. One of the four major goals of the legislation is “Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care […]”.
Stage 1 of the program required hospitals and eligible professionals (physicians) to conduct or review a risk analysis and implement security updates as necessary to correct identified security deficiencies.
The proposed Stage 2 rule includes the identical requirement, but adds that the assessment must include “addressing the encryption/security of data at rest.”
The proposed rule specifically states: “We do not propose to change the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requirements or require any more than would be required under HIPAA. We only emphasize the importance of an eligible professional or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”
Recommended Security Changes
The proposed rule would not alter the HIPAA Security Rule’s requirements on encryption. Under that rule, encryption is “addressable,” which means it must be implemented if doing so is reasonable and appropriate – which stops short of an outright mandate.
The Office of the National Coordinator for Health IT proposes “that Electronic Health Record [EHR] vendors … by default enable encryption of data on end-user devices if any data is kept on user devices after the session ends”.
That secure messaging is used when doctors communicate with […]
The Department of Health and Human Services’ Office for Civil Rights’ recent notice of proposed rulemaking on accounting of disclosures introduces a valuable privacy tool for individuals: the access report.
The HIPAA Security Rule’s information system activity review specification [164.308(a)(1)] requires organizations to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” The rule’s audit controls standard [164.312(b)] requires organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Adam Greene, the primary author of the proposed accounting of disclosures rule mandated under the HITECH Act, states that the proposed rule takes a two-pronged approach.
First, the proposed rule spells out revised HIPAA requirements to provide patients with an accounting of disclosures of protected health information to outside parties for certain purposes, such as law enforcement and public health.
Second, the proposal requires providing patients, upon request, with “access reports” that summarize who electronically accessed their information. Greene explains the rule attempts to address “What’s the best way to get the information that individuals are most interested in, which is, who has seen their records?” He points out that under the proposed rule, a patient could simply ask whether a specific individual has electronically accessed their records, or they could ask for a complete list of everyone who has accessed them.
Kate Borten, president of The Marblehead Group, a health information privacy and security consulting firm, agrees that the Access Report recommendation deserves industry support.
“Access logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized users—a serious problem wherever many users have access […]
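As an added example (not code from the original post, and not from any regulator, vendor or the people quoted above), here is what the two kinds of access-report query Greene describes, and the snooping check Borten alludes to, look like when run over an EHR audit trail. The log line format, the field names and the care-team table are assumptions made for illustration; the sample log is constructed and not the output of any real system.

```python
"""Patient access report and snooping check over EHR audit log lines.

Added example, not from the original post or from any regulator's guidance.
The log format, the field names and the care-team table are all assumptions
made for illustration; a real EHR audit trail will differ.
"""
from datetime import datetime

# Constructed sample audit log: ISO timestamp, user, role, patient, action.
# This is made-up data, not a real system's output.
SAMPLE_LOG = """\
2012-03-01T08:02:11Z user=dr.lee role=physician patient=P1001 action=view
2012-03-01T08:05:40Z user=nurse.kim role=nurse patient=P1001 action=update
2012-03-01T12:17:03Z user=clerk.ray role=billing patient=P1001 action=view
2012-03-01T21:44:19Z user=dr.lee role=physician patient=P2002 action=view
2012-03-02T09:10:55Z user=nurse.kim role=nurse patient=P2002 action=view break_glass=true
"""

# Constructed care-team table: which users have a treatment or payment
# relationship with which patients (assumed to come from scheduling/billing).
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.kim", "clerk.ray"},
    "P2002": {"dr.patel"},
}


def parse_audit_log(text):
    """Parse key=value audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            event = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        except ValueError:
            continue
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            event[key] = value
        if {"user", "patient", "action"} <= event.keys():
            events.append(event)
    return events


def access_report(events, patient_id):
    """The full list: everyone who accessed a patient's record, one row per event."""
    return [
        (e["time"].isoformat(), e["user"], e.get("role", "?"), e["action"])
        for e in sorted(events, key=lambda e: e["time"])
        if e["patient"] == patient_id
    ]


def accessed_by(events, patient_id, user_id):
    """The narrower question: did this specific user ever access the record?"""
    return any(e["patient"] == patient_id and e["user"] == user_id for e in events)


def suspected_snooping(events, care_team):
    """Accesses by users with no relationship to the patient and no break-glass flag.

    An authorized EHR user reading a record they have no business with is the
    snooping case access logs exist to catch. Break-glass accesses are left out
    of this list because they are expected to get their own review queue.
    """
    flagged = []
    for e in events:
        if e["user"] in care_team.get(e["patient"], set()):
            continue
        if e.get("break_glass") == "true":
            continue
        flagged.append((e["time"].isoformat(), e["user"], e["patient"], e["action"]))
    return flagged


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for row in access_report(evs, "P1001"):
        print("P1001 accessed by:", row)
    print("dr.lee accessed P2002?", accessed_by(evs, "P2002", "dr.lee"))
    for row in suspected_snooping(evs, CARE_TEAM):
        print("needs review:", row)
```

On the constructed data the report for P1001 lists three legitimate accesses, and the only flagged event is dr.lee reading P2002, a patient he has no care relationship with. The point of keeping the care-team lookup separate from the log parser is that the log alone cannot tell snooping from treatment; the relationship data is what turns a raw audit trail into something a patient or a privacy officer can act on.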