Timely HIE Privacy Guidance Meets Need
Rather Than Wait, Feds Spell Out Recommendations
Rather than wait for the release of a proposed regulation later this year, government officials have issued privacy and security recommendations for health information exchanges that have received federal funds (see: HIEs Get Privacy, Security Guidance).
That's good news, indeed, because exchanges need to make sure they have adequate privacy protections in place before they accommodate millions of patient data transactions.
And there's more good news on the regulatory front. An omnibus package of HIPAA modifications, which is long overdue, has been sent to the Office of Management and Budget for review - the final step before regulations are published. If there are no major holdups, the regulations could be published by summer, at long last. Fingers crossed.
The Department of Health and Human Services' Office of the National Coordinator for Health IT has sent federally funded HIEs guidance that spells out what they should be doing to protect patient privacy. While the guidance stops short of an outright mandate, it's a welcome step that could help the exchanges build public trust if they actually follow the recommendations, such as by making extensive use of encryption. The program information notice containing the guidance points out that HIEs that are not taking the recommended privacy and security steps must develop a "strategy, timeline and action plan for addressing these gaps."
Many months ago, the Privacy and Security Tiger Team devised a long list of privacy and security recommendations for HIEs. Until now, it appeared that those recommendations wouldn't have an impact until they were included in the Nationwide Health Information Network Governance Rule. But that rule, unfortunately, is still in the works.
The NwHIN Governance Rule, mandated under the HITECH Act, could potentially include privacy and security measures required for all HIEs. Joy Pritts, ONC's chief privacy officer, told me following her presentation at the National HIPAA Summit in Washington: "My suspicion is that the governance rule will have a broader applicability," meaning the rule could apply to HIEs whether or not they receive federal funds. She would not, however, predict when that proposed regulation might be published.
Because it could take many months for the NwHIN Governance Rule to be proposed, finalized and implemented, ONC's new guidance for federally funded HIEs is very important. I'm hoping that the many HIEs that have not received federal funds will carry out the recommendations in the guidance as well.
Meanwhile, we're anxiously awaiting the release of the omnibus package of regulations this summer that will include, for example, modifications to the HIPAA privacy, security and enforcement rules as well as a final version of the HIPAA breach notification rule.
The breach notification rule update will include clarification of how to determine whether a breach must be reported to federal authorities, says Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights. That's good news, because the interim final rule, now in effect, is far too ambiguous on this subject.
"We are hopeful that the standards [in the final rule] will be sufficiently clear and objective going forward" for how to determine if a breach is reportable through a risk assessment, McAndrew says. "We are working on some additional guidance which will help entities, particularly smaller entities ... to identify what the proper steps are to a risk assessment."