Fine-Tuning the HITECH Stage 2 Rules

HIT Policy Committee Addresses Privacy, Security Issues

The Health IT Policy Committee, a federal advisory panel, is recommending modifications to the privacy and security provisions in the proposed rules for Stage 2 of the HITECH Act electronic health record incentive program. For example, it wants more details included about the security of patient portals.

The committee, in its formal comments on the rules, also plans to strongly endorse retaining in the final meaningful use rule a proposal to require participating hospitals and physicians to conduct a risk assessment that specifically addresses "the encryption/security of data at rest."

At its May 2 meeting, the committee went over a draft of a detailed matrix showing the major elements of the rules and comments on each. A revised version of that matrix will be submitted on May 7, the deadline for comments on the rules, which regulators expect to finalize this summer. To view the draft matrix, click on HITPC Stage 2 NPRM Comments on the web page for the May 2 meeting.

Secure Patient Portals

In commenting on the proposed EHR software certification rule for Stage 2, the committee is asking for clarification of security measures for patient portals, which enable patients to download their records. Acting on a recommendation of the Privacy & Security Tiger Team, the committee is asking regulators to provide more guidance to providers and EHR vendors on the application of the HIPAA security rule to portal functions. It's also asking that regulators take steps to help ensure that information on data "provenance," or the source of data, be in a format that's easy for patients to read.

In addition, the committee is encouraging the Department of Health and Human Services' Office of the National Coordinator for Health IT to formally endorse best practices on educating patients about the potential risks associated with using patient portals' view, download and transmit capabilities.

The tiger team's recommendations regarding portals are among the most significant privacy and security modifications that the committee is endorsing for inclusion in the final certification rule, says Deven McGraw, the team's co-chair. "We've tried to make sure that patient portals are implemented securely, in a way that ensures the information is useful to the patient and anyone else the patient might share it with," McGraw says.

The committee, acting on another tiger team recommendation, also will ask ONC to include in a preamble to the final certification rule details on best practices for matching the right patient to the right record through standardized demographic data fields.

McGraw recently explained the various privacy and security provisions in the proposed rules in an interview.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
