Dixie Baker: Top 2011 Security Trends
Spotlights EHR Configuration and 'Health Internet'
Hospitals and clinics alike will be scrambling next year to qualify for electronic health record incentive payments under the HITECH Act, Baker notes. EHR software certified as qualifying for the incentive program must offer a long list of security functions, and users will be working to determine how to configure those functions to help comply with the HIPAA privacy and security rules, Baker says.
In an interview (transcript below), Baker identifies other key trends for 2011, including the emergence of a "health Internet" to handle exchange of health information among physicians and hospitals, as well as consumers.
Baker also addresses:
- Recent regulatory activity and the challenges involved in crafting a rule for how to disclose who has viewed an EHR outside of the organization that generated the information;
- The need for annual risk assessments as well as implementation of security protections "to mitigate your worst nightmares;"
- The role that cloud computing can play in managing risk.
Baker is senior vice president and chief technology officer for health and life sciences at Science Applications International Corp., a McLean, Va.-based scientific, engineering and technology applications company.
The consultant has played a key role in the federal government's efforts to set policies and standards for healthcare data security. She chairs the privacy and security workgroup of the Health Information Technology Standards Committee. She's also a member of the full committee, as well as the privacy and security workgroup of the HIT Policy Committee and its privacy and security tiger team. Baker, who holds a PhD in education research and methodologies from University of Southern California, has been with SAIC since 1995.
HOWARD ANDERSON: Several federal rules and regulations regarding healthcare privacy and security issues mandated by the HITECH Act have been enacted, with more in the works. Please provide an overview.
DIXIE BAKER: The HITECH Act contains quite a few provisions in the areas of security and privacy for electronic health information. First of all, it broadened the scope of the HIPAA security and privacy rules to include business associates, which are people and companies who are under contract with covered entities to perform services that involve protected health information. Before HITECH, business associates were accountable only to the terms of their contracts with the covered entities. Now, business associates are directly responsible for complying with HIPAA just the same as the covered entities, with oversight from the Department of Health and Human Services. This provision took effect in February and is a huge change.
Second, HITECH provided transparency for breach victims, so every individual whose health information may have been disclosed as a result of a security breach from an unprotected system that is operated by either a covered entity or a business associate must be notified of that breach. And if more than 500 individuals are affected, the Secretary of Health and Human Services must be advised and the media must be notified as well. The breach notification interim final rule was published in August of last year and became effective in September 2009. And a similar rule for personal health records was published by the Federal Trade Commission. The HITECH Act also introduced a more stringent penalty structure, which became effective the day after the law was enacted last year. New regulations regarding enforcement and penalties went into effect in November.
Dramatic Privacy Protection Changes
But perhaps the most dramatic changes in privacy protection were contained in Section 13405 of the HITECH Act. That section prohibits the sale of health information. It allows a patient to restrict the sharing of health information related to treatment for which the patient paid in cash. It gives consumers the right to obtain an electronic copy of their health record. It requires guidance on what constitutes minimum necessary, and it requires that covered entities keep an accounting of all disclosures made through an EHR -- even those disclosures made for treatment, payment and healthcare operations.
The HIPAA privacy rule allows covered entities to disclose health information for treatment, payment, and healthcare operations without a patient's written consent. While the disclosures still don't require written consent, covered entities are required to document each of these disclosures, and the accounting must be available for the consumer. In July of this year, HHS published a notice of proposed rulemaking that proposed revisions to the HIPAA privacy and security rules to incorporate most of these new HITECH provisions. ... But regulations for maintaining and providing an accounting of disclosures were not included. Instead, in May of this year, HHS released a request for information that sought input on the interest of individuals in learning about disclosures and the administrative burden that might be associated with this requirement. ...
The response to this RFI was overwhelming, and the HHS Office for Civil Rights is still sorting through the issues. Much of the feedback that I've read reflects a misunderstanding of or perhaps ambiguities around the definition of what a disclosure is. A disclosure is defined as the release, transfer, provision of access or divulging of information outside the entity holding the information. But many of the comments related to the difficulty and/or the usefulness of recording the reason for each access that any user within an organization makes.
Unfortunately, the line between inside and outside is not always clear. For example, physicians working in a hospital may be business associates of that hospital and not employees. So it is a complex issue, and I'm sure that the Office for Civil Rights is faced with some major challenges in writing that regulation. They haven't published a date for publication of the NPRM at this point. However, I would observe that, at least in my opinion, the regulations that have been published so far have been quite reasonable and consistent with the overall objective of raising the bar without crippling the system. So I expect this regulation to hold to that principle as well.
Privacy, Security Trends
ANDERSON: As the year draws to a close, what would you say are the top five trends in healthcare information privacy and security for 2011?
BAKER: Number one is obvious: Increased adoption of certified EHRs, along with that a greater need for guidance on how to configure and use the security features that are incorporated into those EHRs to support HIPAA compliance.
Second would be privacy and security policy and governance to address emerging new business models, like the accountable care organizations called for in healthcare reform ... as well as health information exchanges, the insurance exchanges, personal health records and virtualization or cloud computing.
Third is ... increased transparency and involvement of consumers, including more choices and along with those choices a greater need for effective consumer-friendly communications and information.
Fourth is the emergence of a "health Internet" that provides security, privacy, transparency and choice around the exchange of health information, both among health care entities and between health care and consumers.
And then fifth, and this may be wishful thinking on my part, is I would like to see a shift in perspective about security protections from viewing security as a compliance issue to realizing its role as an essential enabler for safe, reliable health care and trust in the healthcare system.
Health Internet
ANDERSON: When you talk about a health Internet, are you thinking along the lines of the Nationwide Health Information Network standards or something else?
BAKER: Something else. The NHIN standards really are geared more for exchanges between health care entities, and specifically large healthcare entities -- both federal government entities and private entities. This past year, the HHS Office of the National Coordinator for Health IT also launched another initiative called NHIN Direct (renamed The Direct Project), which was really geared toward provider-to-provider direct exchanges. The health Internet will encompass both NHIN and NHIN Direct. But in addition, it will also encompass exchanges with consumers as well.
Risk Management Advice
ANDERSON: So in light of all your predictions, what advice would you give to healthcare CIOs and chief information security officers as they set their security spending priorities for next year and beyond? What investments and strategies are most important for protecting sensitive patient information?
BAKER: Well first, I would say to every CIO, if you haven't already done so, you should start performing an objective risk assessment and risk mitigation planning on an annual basis and whenever a major change is made in your IT infrastructure. HIPAA calls for a risk assessment, but it doesn't say how often it should be done. It really should be done at least annually.
Then I would recommend implementing security protections to mitigate your worst nightmares. Don't just blindly check the HIPAA compliance boxes. As you set the risk mitigation strategy, assume that authorized people will make mistakes and will use systems in ways you would never dream that they would. Networks will crash; assume that software applications will behave in ways that are not described in the documentation and that people who you trust will not always come through for you. Then design your IT processes and systems with multiple layers of protection so that when human and technology mishaps do occur, your critical information, service assets and people will be protected.
As for the IT budgets, I'm sure that many, if not most, CIOs will be implementing certified EHRs or preparing their existing EHRs for certification to qualify them for the potential meaningful use reimbursement under HITECH. Fully demonstrating meaningful use will necessitate the implementation of secure transport for exchanges between provider organizations, exchanges with public health, and exchanges for reporting the quality measures to the Centers for Medicare and Medicaid Services, as well as exchanges with consumers. Certified EHRs will include the basic services for endpoint authentication, encryption and integrity protection of the data to be exchanged, but these services will need to be configured and used appropriately.
Also, those providers who opt for a software-as-a-service solution for their EHR should get secure transport as part of their solution. And speaking of software-as-a-service, I would also encourage CIOs to consider virtualization, also known as cloud computing, as a potential risk mitigation approach as well as a potential cost-saver.
Software-as-a-service solutions will enable you to keep identifiable health information and critical applications on a well-protected and backed-up server, rather than on desktops. And infrastructure-as-a-service can help assure that your applications will have the resources they need when they need them. Of course, as most people realize, virtualization and cloud computing do introduce some new security risks that will need to be addressed, just as any IT solution needs to attend to security. So due diligence in selecting the service provider, as well as attention to addressing local administrative, physical and technical protections, will be key to making these solutions work for you.