Privacy Guidance: An Important Step
Tips on Building Trust Greatly Needed
I've been among those who have called upon the Department of Health and Human Services to offer much more detailed guidance on privacy and security matters. So I was delighted to see the HHS' Office of the National Coordinator for Health IT post a new guide addressing a variety of timely privacy and security issues (see: ONC Offers Privacy, Security Guide).
The 47-page guide offers a good overview of critical issues. It will be particularly useful to smaller organizations, especially physician group practices, that lack an information security staff. The guide offers a 10-step plan for addressing privacy and security when preparing for participation in the HITECH Act electronic health record incentive program.
Another useful component of the guide is a list of "myths and facts" about a security risk analysis. For example, it lists the myth: "Each year, I'll have to completely redo my security risk analysis." And it provides this summary of the real requirement under HITECH: "Perform the full security risk analysis as you adopt an EHR. Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks."
Joy Pritts, ONC's chief privacy officer, who headed the project, explains the purpose of the project: "The goal of the guide is to help ensure the privacy and security of health information, including information in electronic health records and mobile devices. Security and privacy are key components to building the trust required to realize the potential benefits of electronic health information exchange."
Indeed, building trust is key. If patients don't trust that their electronic records will remain private at their doctor's office, the hospital and beyond, the movement toward EHRs and health information exchange is destined to fail.
So the latest guidance is an important step. But we need more, including more detailed guidance for larger organizations. And we're looking forward to the final version of the HIPAA breach notification rule, and accompanying guidance, that hopefully will greatly clarify how to determine if a breach needs to be reported.
Just as conducting a risk assessment is an important component of an EHR implementation, so, too, it's critical in sizing up whether a security incident constitutes a breach that must be reported. And that's why the more guidance on risk assessments that HHS can provide, the better.
For many healthcare organizations, making sure privacy and security are "top of mind" requires a culture change. And that requires leadership by CIOs, CISOs and others. Be sure to check out our recent podcast on the subject, featuring Jan Hillier of Indiana University.
Summing up, here's how Pritts views the challenge that's ahead: "Together, we hope to build a culture where privacy and security are valued to inspire confidence and trust in health IT and electronic health information exchange by protecting the confidentiality, integrity and availability of health information."
That sounds like a good mission statement for everyone involved in healthcare information security.