The Security Scrutinizer with Howard Anderson

Timely HIE Privacy Guidance Meets Need

Rather Than Wait, Feds Spell Out Recommendations

Rather than wait for the release of a proposed regulation later this year, government officials have issued privacy and security recommendations for health information exchanges that have received federal funds (see: HIEs Get Privacy, Security Guidance).

That's good news, indeed, because exchanges need to make sure they have adequate privacy protections in place before they accommodate millions of patient data transactions.

And there's more good news on the regulatory front. An omnibus package of HIPAA modifications, which is long overdue, has been sent to the Office of Management and Budget for review - the final step before regulations are published. If there are no major holdups, the regulations could be published by summer, at long last. Fingers crossed.

The Department of Health and Human Services' Office of the National Coordinator for Health IT has sent federally funded HIEs guidance that spells out what they should be doing to protect patient privacy. While the guidance stops short of an outright mandate, it's a welcome step that could help the exchanges build public trust if they actually follow the recommendations, such as by making extensive use of encryption. The program information notice containing the guidance points out that HIEs that are not taking the recommended privacy and security steps must develop a "strategy, timeline and action plan for addressing these gaps."

Many months ago, the Privacy and Security Tiger Team devised a long list of privacy and security recommendations for HIEs. Until now, it appeared that those recommendations wouldn't have an impact until they were included in the Nationwide Health Information Network Governance Rule. But that rule, unfortunately, is still in the works.

So I was delighted to see ONC take the interim step of encouraging federally funded HIEs to follow many of the team's recommendations right away.

The NwHIN Governance Rule, mandated under the HITECH Act, could potentially include privacy and security measures required for all HIEs. Joy Pritts, ONC's chief privacy officer, told me following her presentation at the National HIPAA Summit in Washington: "My suspicion is that the governance rule will have a broader applicability," meaning the rule could apply to HIEs whether or not they receive federal funds. She would not, however, predict when that proposed regulation might be published.

Because it could take many months for the NwHIN Governance Rule to be proposed, finalized and implemented, ONC's new guidance for federally funded HIEs is very important. I'm hoping that the many HIEs that have not received federal funds will carry out the recommendations in the guidance as well.

HIPAA Modifications

Meanwhile, we're anxiously awaiting the release of the omnibus package of regulations this summer that will include, for example, modifications to the HIPAA privacy, security and enforcement rules as well as a final version of the HIPAA breach notification rule.

The breach notification rule update will include clarification of how to determine whether a breach must be reported to federal authorities, says Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights. That's good news, because the interim final rule, now in effect, is far too ambiguous on this subject.

"We are hopeful that the standards [in the final rule] will be sufficiently clear and objective going forward" for how to determine if a breach is reportable through a risk assessment, McAndrew says. "We are working on some additional guidance which will help entities, particularly smaller entities ... to identify what the proper steps are to a risk assessment."

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
