The Security Scrutinizer with Howard Anderson

An Improved Health IT Strategic Plan

Still Plenty of Work to Do on Privacy, Security

The plan came out as Blumenthal was stepping down from his role at the helm of ONC. His successor, Farzad Mostashari, and his staff had a chance to review the comments and use them to revamp the strategic document. And it's good to see that the final version of the strategic plan, released this week, features more details on privacy and security.

Perhaps of greatest interest is how the plan now spells out a game plan for implementing privacy and security protections for health information exchange. ONC plans to involve a number of agencies in this long-overdue effort. Hopefully, that will mean that any regulations that emerge will adequately address the myriad issues involved in protecting patient information when it's exchanged regionally, statewide and, eventually, nationally.

Several groups advising ONC, among them the Privacy and Security Tiger Team, the Health IT Policy Committee, and the Health IT Standards Committee, have been tackling HIE privacy and security issues for many months. But now the Department of Health and Human Services has commissioned a new Inter-Division Task Force that will "develop an updated approach to privacy and security policies," building on the work of the advisory bodies, says Jodi Daniel, director of ONC's office of policy and planning. A Federal Health IT Taskforce also will provide feedback. The task force, formed by President Obama in 2010, encompasses six agencies, including HHS.

"One of the major areas being addressed through this process is pursuing policy changes that would afford individuals more meaningful choice as to whether their information may be exchanged electronically," Daniel explained in a blog this week.

The final version of the strategic plan notes that many of the privacy and security regulations governing health information exchange could wind up in the pending governance rule for the Nationwide Health Information Network. That rule will provide guidelines for HIEs and others that elect to use the NWHIN standards to ease the exchange of data.

But we're hopeful that the regulations also will wind up in criteria for future stages of the HITECH Act electronic health record incentive program, and, eventually, in modifications to HIPAA. After all, we want everybody to play by the same privacy and security rules, not just those who choose to use the NWHIN standards or apply for EHR incentive payments.

More Audits to Come

Meanwhile, if your organization is getting anxious about the possibility of a HIPAA compliance audit next year, consider this: HHS announced that it has launched a Medicaid Recovery Audit program, modeled after the two-year-old Medicare audit initiative (see: Medicaid Audit Program Launched).

Faced with the prospect of up to three federal audits, healthcare organizations have a lot of work to do. As we've reported earlier, hospitals need to get their documentation ready to prove they have a solid risk management program in place to comply with HIPAA (see: HIPAA Audits: A Preparation Checklist). Now it's time for all healthcare organizations to triple-check that processes for billing Medicare and Medicaid follow the letter of the law. The feds are looking for ways to crack down on overpayments and outright fraud as they search for ways to inch toward a balanced budget. The auditors they've hired get a contingency fee out of any improper payments they help recover. So they're motivated. Very motivated.

Are you adequately prepared for when the HIPAA, Medicare and Medicaid auditors come knocking at your door?

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
