Fixing HITECH Stage 3 Proposed Rules: Why Narrower Risk Assessment Provision Is Problematic
Buried in the 301-page proposed rule for Stage 3 of the HITECH Act "meaningful use" program is a "narrowing" of a security risk assessment requirement for healthcare providers that participate in the electronic health record financial incentive program.
Some security experts believe the proposal runs the risk of watering down the importance of healthcare providers conducting a broader HIPAA security risk analysis. Their concerns are valid.
The Stage 3 risk assessment proposal states that healthcare providers are required annually to conduct or review a security risk analysis "to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability, and integrity of ePHI created by or maintained in certified EHR technology" (see Analysis: HITECH Stage 3 Security Rules).
Federal regulators say they still expect HIPAA covered entities - including hospitals and physician practices participating in the meaningful use program - to conduct a broader HIPAA security risk analysis and to mitigate risks as a matter of HIPAA compliance.
But the narrowly worded, EHR-centric risk assessment requirement in the HITECH Stage 3 proposal is bound to fuel confusion - and excuses - among healthcare providers about what they must do under HIPAA, versus what they must do to qualify for HITECH financial incentives or avoid payment penalties that will begin in 2018.
"In the Stage 3 notice of proposed rulemaking, we are only stating the requirements for MU," a spokesman for the Centers for Medicare and Medicaid Services, which administers HITECH Act financial incentives, tells me in an email. "If they are a HIPAA covered entity, they still need to comply with the HIPAA requirements."
But that broader HIPAA compliance is not what CMS will be looking at when it checks the narrower meaningful use requirement, because CMS doesn't have enforcement authority over HIPAA. That job belongs to CMS' sister agency at HHS, the Office for Civil Rights, which has been trying hard over the last couple of years to impress upon healthcare providers why HIPAA security risk assessments are critical (see HIPAA Audits Are Still On Hold).
Commenting on the narrower risk assessment provision in the proposed Stage 3 rule, security expert Mac McMillan, founder of consulting firm CynergisTek contends: "This is a huge step backwards and it implies that PHI is primarily at risk in the EHR. It also presumes that the EHR is not at risk from elsewhere on the network. While that may be the main repository for this information, it is clearly not where it is most at risk if you look at the statistics."
Security expert Tom Walsh, president of consulting firm tw-Security, adds that the proposed requirement for annual risk assessment of EHR data isn't exactly a walk in the park either, especially for smaller healthcare organizations. He notes that the proposal estimates that the "burden" on healthcare entities to perform the risk analysis is six hours. "That's a laugh. I've been doing risk analysis for a long time. It takes a lot longer than six hours to do for an analysis."
The proposed Stage 3 meaningful use rule that was unveiled by CMS on March 20 is slated to be published in the Federal Register on March 30. That proposal was accompanied by HHS' Office of the National Coordinator for Health IT releasing its proposed 2015 Edition Health Information Technology Certification Criteria rule for certification of EHR technology in the next round of the HITECH Act program.
McMillan argues that the proposed rules are lacking in privacy and security requirements that could potentially bolster the protection of patient data.
"After [regulators have been] talking about increased requirements for encryption, stronger two-factor authentication and greater emphasis on disaster recovery, none of these things made it into the rule," he notes, adding that the proposals are "singularly unimpressive from a privacy and security perspective."
So what do you think of the proposed Stage 3 rules? Do the regulations do much to improve patient data privacy and security? Or do they let healthcare providers and technology developers off the hook? Please comment in the space below.
And don't forget to share your feedback with regulators by submitting comments to HHS about the proposals by May 29.