New Security Rules for the Electronic Health Care Record Incentive Program

In 2009, the Ways and Means Committee put forth the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The bill states that health information technology helps save lives and lower costs. One of the four major goals of the legislation is “Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care”.

Stage 1 of the program required hospitals and eligible professionals (physicians) to conduct or review a risk analysis and implement security updates as necessary to correct identified security deficiencies.

The proposed Stage 2 rule includes the identical requirement. But it adds that the assessment must include “addressing the encryption/security of data at rest.”

The proposed rule specifically states: “We do not propose to change the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requirements or require any more than would be required under HIPAA. We only emphasize the importance of an eligible professional or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

Recommended Security Changes

The proposed rule would not alter the HIPAA Security Rule’s requirements on encryption. Under that rule, encryption is “addressable,” which means it must be implemented if doing so is reasonable and appropriate; this stops short of an outright mandate.

The Office of the National Coordinator for Health IT proposes “that Electronic Health Record [EHR] vendors … by default enable encryption of data on end-user devices if any data is kept on user devices after the session ends”.

It also proposes that secure messaging is used when doctors communicate with […]

Keeping Electronic Health Records Safe

Surveys have shown that the majority of Americans are “very concerned” about identity theft or fraud (80 percent), the use of their medical information for marketing purposes (77 percent), and that their data might become available to employers or insurance companies (56 and 55 percent, respectively). At the same time, 89 percent of respondents say that they want their physicians to be able to communicate with one another, while the majority support the development of Health Information Technology as a whole and believe that it will improve care and reduce costs [1].

According to a current listing on DataLossDB.org, four of the ten major data security breaches on the list involved medical records getting into the wrong hands. The VA experienced one of the top ten data security breaches of all time (over 26 million records). Patient records contain information that can be used to steal a person’s identity or help criminals pinpoint vulnerable targets. Medical information can be used to discriminate unfairly because it often goes beyond what payers and others are allowed to know. Employers and insurance companies can discriminate based on past health issues if given access to these records.

Initiatives for a standardized Electronic Health Record (EHR) are gaining acceptance. As these standards are developed, the government and industry should look to the Payment Card Industry Data Security Standard (PCI DSS) for eCommerce security. Under PCI DSS, compliant systems must keep sensitive information separated from non-sensitive data within the system and encrypt it both in transit and at rest. This prevents attackers from reading the information even if they manage to break into the system or steal a computer. While PCI DSS compliance has helped prevent security breaches in […]

Why Government eCommerce Over Traditional Procurement?

There are several good reasons.

It has long been known that traditional procurement processes, whether public or private, are often arduous and time-consuming. By establishing long-term purchasing contracts with strategic companies and letting junior buyers place delivery orders against those contracts from an online marketplace, senior acquisition professionals are freed to work on major acquisitions. Government eCommerce is also much more economical because online ordering is quick and easy once those contracts are in place, and establishing multiple contracts for a given commodity also ensures competition and price competitiveness.

Government eCommerce also provides potential visibility into vendor inventories. Using a distributed architecture, online marketplaces can communicate directly with vendors using application integration tools. This allows secure, reliable messaging and data transmission, including elements like order status, back-order information, stock-on-hand, and stock-out data.

The DOD EMALL is an example of Government eCommerce in action. The Defense Logistics Agency’s (DLA) distributed architecture system allows the Department of Defense and other Federal agencies to house long-term contracts and leverage the government’s buying power. DOD EMALL currently maintains over 2000 individual contracts to support more than 60 million items, helping DOD EMALL to exceed $800 million in FY09.

As the world becomes more integrated online, it is only logical that governments take proactive measures to keep pace with the private sector. Government eCommerce ensures that Federal, state, and local purchasing stays ahead of the curve.