HIE Security, Risk Analysis in SpotlightAdvisers Tackle HITECH Stage 3 Rules, HIE Guidelines
In a flurry of activity, federal advisers this week approved more privacy and security recommendations for Stage 3 of the HITECH Act electronic health record incentive program, and regulators outlined new plans to bolster secure health information exchange.
Advisers recommended intensifying the focus on risk assessments in Stage 3 of the HITECH Act incentive program. They also spelled out security guidance for certain health data queries made via health information exchanges. Plus, federal officials outlined privacy and security concerns related to health information exchange that require further study.
Shining Light on Risk Assessment
The Health IT Policy Committee, at a meeting on Aug. 7, voted to accept two sets of recommendations from its Privacy and Security Tiger Team. The committee advises the Office of the National Coordinator for Health IT, which oversees the HITECH Act EHR incentive program, as well as sets the policy and standards agenda for nationwide health information exchange.
One set of tiger team recommendations approved by the committee is that the meaningful use requirements for Stage 3 of EHR incentive program should "shine a brighter spotlight" on risk analysis.
ONC's advisory committees are beginning to draft recommendations for Stage 3, which is slated to begin in 2016. A final rule spelling out Stage 3 requirements is still several steps away from completion.
While Stages 1 and 2 of the HITECH program already require that eligible healthcare professionals and hospitals conduct a HIPAA security rule risk assessment as part of their attestation of meeting meaningful objectives, the tiger team recommendations for Stage 3 went a bit further. For Stage 3, the risk assessment attestation would need to address specific meaningful use objectives that might create new security risks.
"We don't mean to suggest that every new meaningful use objective needs a risk assessment," Deven McGraw, tiger team chair, told the committee members. "But the [attestation of risk analysis] needs to be directed at risks created by new meaningful use functions."
Possible meaningful use objectives that could merit a specific risk assessment include patients viewing, downloading and transmitting their electronic health records, she says.
"The goal is that security risk analysis needs to be done across the board, but this [recommendation] is designed to call out specific areas [providers] would need to attest to," Joy Pritts, chief privacy officer of ONC, told committee members.
For added accountability, the tiger team recommends that healthcare providers be required to identify in their Stage 3 attestations the individual or individuals who conducted the risk analysis.
The tiger team decided to make these recommendations based on Department of Health and Human Services' Office for Civil Rights reports, based on its first HIPAA compliance audits, about how poorly many healthcare providers do in conducting security risk assessments, McGraw said.
"After hearing OCR's results, we decided we can't shine too bright of a spotlight on this," she added.
The HIT Policy Committee also voted to approve a tiger team recommendation that no special privacy or security policies are needed at this time for non-targeted health data queries.
The query proposals could be included in criteria for Stage 3 of the HITECH Act EHR program.
Non-targeted queries include clinicians sending requests via a health information exchange to locate all records about a patient from the individual's previous healthcare providers whom are not known.
The tiger team recommended that non-targeted queries should abide by the same policy recommendations that the HIT Policy Committee approved in April for targeted queries. Targeted queries involve a healthcare provider sending an electronic request for patient data to a known healthcare provider.
Key in those recommendations are that data holders should be reasonably assured that there is a treatment relationship between a patient and the data requester; that data holders makes the decision about whether to respond to the request; and that the identity of the data requester is authenticated.
When the tiger team back in the spring first presented these same non-targeted and targeted query recommendations to the HIT Policy Committee, some committee members expressed concern that the proposals might not be robust enough to protect certain patient data, such as information related to substance abuse treatment, in non-targeted queries.
The committee on May 7 instructed the tiger team to take a closer look at some possible policy issues involved with non-targeted queries (see:HIE Queries: Protecting Patient Privacy).
Subsequently, the tiger team hosted a June virtual hearing in which leaders of eight health information exchange organizations described their various policies regarding issues such as patient opt-in or opt-out forms of consent; disclosures of sensitive health data; geographic limitations in data sharing; and participant trust agreements (see: HIE Leaders Share Privacy Concerns). After hearing that testimony, tiger team members reaffirmed their original recommendations.
In addition to the HIT Policy Committee discussions about privacy and security of non-targeted queries, leaders from ONC and the Centers for Medicare and Medicaid Services this week outlined plans for accelerating secure health information exchange among healthcare providers.
As a result of over 200 responses that HHS received to a recent request for information, ONC and CMS are looking for ways to better engage long-term care providers and behavioral health professionals in secure data exchange.
In addition, CMS is looking for ways to fund payment incentives for healthcare providers and infrastructure investments for state health information exchange efforts, Patrick Conway, CMS's chief medical officer, said during an Aug. 7 webinar.
"Our intention is to deliver policies and programs to encourage providers to routinely exchange information, says ONC leader Farzad Mostashari. "We intend to rely on all applicable statutory authorities, regulations and policies to accelerate health information exchange."
Based on the feedback that HHS received from its recent RFI, ONC and CMS this week also released a white paper, Principles and Strategy for Accelerating Health Information Exchange.
While the white paper notes that the recent RFI did not request information specifically related to privacy and security, "a large number of respondents submitted comments on these topics."
Respondents, for example, expressed concerns about complying with state and federal privacy laws, particularly those that require patient authorization related to exchanging sensitive health information.
"They recommended HHS undertake additional work on developing standards and technology to facilitate electronically obtaining patient consent to disclose their health information and communicating that consent along with the related health information," the white paper notes. "Commenters expressed reluctance to exchange health information due to concern about the potential breach of electronic protected health information, potential liability and the assignment of responsibility."
In addition, "commenters stated that there is an opportunity for HHS to reduce the potential risks of engaging in exchange by focusing more resources on consent policies, patient data-matching, and associated technologies," according to the white paper.
Regulators at ONC and CMS are studying ways to address the concerns and gaps outlined by commenters.
During the ONC/CMS webinar, Mostashari also addressed a misconception that's been circulating about patient privacy and the federal government's healthcare reform efforts. "There is no central [federal] database for all healthcare information," he said, repeating the phrase several times.
Mostashari announced on Aug. 6 that he will be stepping down from his post at ONC after four years at the agency, including the last two years in the top spot (see: After Mostashari: What's Next?.