A Security Checklist Worth Reading
Deven McGraw's Congressional Testimony Offers Timely Insights
McGraw, director of the health privacy project at the Center for Democracy & Technology, also made good use of her five minutes of verbal testimony before the panel, hammering home an important message: HIPAA and the HITECH Act lack strong enough security requirements.
While the certification standards for EHR software under the HITECH incentive program require the applications to include a long list of security functions, such as encryption and the ability to create an audit trail, the HITECH rules and HIPAA stop short of mandating that providers actually use these functions, McGraw pointed out.
"We're not being terribly clear with providers about using these functionalities," she told subcommittee members. "That's a major deficiency."
In her written testimony, McGraw noted that those receiving EHR incentive payments under the HITECH Act are required to "perform a security risk assessment and respond to any deficiencies discovered, but this falls short of a clear requirement to implement or have a plan for implementing the (security) functionalities required for EHR (software) certification. The Center for Democracy and Technology is continuing to advocate with regulators for strengthened security requirements."
McGraw's written testimony also pinpoints other key unresolved issues, including the need for:
- Stronger standards to ensure that de-identified data used for research and other purposes cannot be re-identified;
- Federal guidelines to protect personal health records;
- Stronger enforcement of HIPAA, including banning those with significant violations from the federal EHR incentive program;
- Tougher limits on business associates' access, use and disclosure of data "to only what is reasonably necessary to perform the contracted services;"
- Further tightening of rules regarding use of patient data for marketing.
McGraw serves as co-chair of the privacy and security tiger team that's advising federal regulators. The team recently issued recommendations on several issues, including obtaining patients' consent before exchanging their information, and it's now working on several additional security issues.
Her Congressional testimony, which covers many, but not all, of the critical security issues, should be required reading for anyone involved in preparing healthcare laws and regulations -- and for anyone who cares about the issues.