Giving Risk Assessments a BoostAdvisers Consider Provisions for HITECH Stage 3
The HIT Policy Committee recently asked its Privacy and Security Tiger Team to consider whether any security risk issues or HIPAA Security Rule provisions should be highlighted in the attestation requirements for Stage 3, which begins in 2016.
"We're leaning toward not requiring any additional security rule [provision] to be part of attestation in Stage 3," Deven McGraw, tiger team chair, told HIT Policy Committee members at a meeting on June 5.
The tiger team, however, is considering other options for boosting awareness of the importance of risk assessments in Stage 3. Based on the results of the Department of Health and Human Services' Office for Civil Rights' pilot HIPAA audit program last year, it's clear that many healthcare providers are coming up short when it comes to conducting timely risk assessments, McGraw says. "Based on ... HIPAA audits, the [risk assessment] requirement in the security rule is still not being met."
Of the 115 healthcare organizations audited by the consulting firm KPMG for HIPAA compliance during OCR's pilot program in 2012, the most common weakness was the lack of timely or thorough risk assessment, OCR officials say (see: What's Ahead for HIPAA Audits?).
As a result, the tiger team plans to investigate methods beyond attestation to call greater attention to existing HIPAA Security Rule requirements in HITECH Stage 3, McGraw says. The question to address, she says, is: "Is attestation the most effective way to ensure that risk assessments are being done and being done well?" A subgroup of tiger team members will examine the effectiveness of the attestation process, she told the committee.
The meaningful use rule for Stage 1 of the HITECH Act incentive program, which began in 2011, requires healthcare providers participating in the program to attest that they've conducted a risk assessment, as required under HIPAA. In Stage 2, which begins in 2014, healthcare providers will have to further attest that their risk assessment addressed encryption for data at rest. If they choose not to encrypt, they will have to document what other methods they're using to protect that data.
Health Information Exchange
The tiger team also is continuing its investigation into how to best ensure security for health information exchange that involves non-targeted queries (see: HIE Queries: Protecting Patient Privacy). A non-targeted query could include, for example, a physician sending a request via an HIE for all records about a patient from their previous healthcare providers, who are not known.
The team has scheduled a virtual hearing on June 24 to discuss matters such as whether non-targeted health data queries should be limited geographically to help assure proper access to patient records, she says. At the hearing, health information exchange organizations and HIE vendors will share their experience in dealing with non-targeted queries, says McGraw, who is director of the privacy project at the Center for Democracy and Technology, a non-profit civil liberties group.