Fine-Tuning the HITECH Stage 2 Rules
HIT Policy Committee Addresses Privacy, Security Issues
The Health IT Policy Committee, a federal advisory panel, is recommending modifications to the privacy and security provisions in the proposed rules for Stage 2 of the HITECH Act electronic health record incentive program. For example, it wants more details included about the security of patient portals.
The committee, in its formal comments on the rules, also plans to strongly endorse retaining in the final meaningful use rule a proposal to require participating hospitals and physicians to conduct a risk assessment that specifically addresses "the encryption/security of data at rest."
At its May 2 meeting, the committee went over a draft of a detailed matrix showing the major elements of the rules and comments on each. A revised version of that matrix will be submitted on May 7, the deadline for comments on the rules, which regulators expect to finalize this summer. To view the draft matrix, click on HITPC Stage 2 NPRM Comments on the web page for the May 2 meeting.
Secure Patient Portals
In commenting on the proposed EHR software certification rule for Stage 2, the committee is asking for clarification of security measures for patient portals, which enable patients to download their records. Acting on a recommendation of the Privacy & Security Tiger Team, the committee is asking regulators to provide more guidance to providers and EHR vendors on the application of the HIPAA security rule to portal functions. It's also asking that regulators take steps to help ensure that information on data "provenance," or the source of data, be in a format that's easy for patients to read.
In addition, the committee is encouraging the Department of Health and Human Services' Office of the National Coordinator for Health IT to formally endorse best practices on educating patients about the potential risks associated with using patient portals' view, download and transmit capabilities.
The tiger team's recommendations regarding portals are among the most significant privacy and security modifications that the committee is endorsing for inclusion in the final certification rule, says Deven McGraw, the team's co-chair. "We've tried to make sure that patient portals are implemented securely, in a way that ensures the information is useful to the patient and anyone else the patient might share it with," McGraw says.
The committee, acting on another tiger team recommendation, also will ask ONC to include in a preamble to the final certification rule details on best practices for matching the right patient to the right record through standardized demographic data fields.
McGraw recently explained the various privacy and security provisions in the proposed rules in an interview.