HITECH Rules: An Analysis
Sorting Through the Security Components
That's because a final rule creating standards for certifying EHR software for the program spells out the security components the software must include.
The rule is one of three that federal regulators have issued in recent days that affect healthcare information security. A second final rule for the EHR incentive program spells out how hospitals and physicians must "meaningfully use" EHR software to earn incentives. And another proposal would modify the HIPAA privacy, security and enforcement rules. Taken together, the lengthy, complex rules give security professionals plenty of issues to ponder.
The final rule creating EHR software standards "is a great step forward because it puts responsibility on the vendors to provide security functionality," says Mac McMillan, chair of the Healthcare Information and Management Systems Society's privacy and security steering committee and CEO at CynergisTek Inc. "This will help end the frustration of providers going to an EHR vendor for encryption and hearing them say 'I am not required to offer it to you.'"
No Mandates
But the meaningful use rule stops short of mandating that hospitals and physicians actually use an EHR's security functions, including encryption.
Many observers, however, praise the meaningful use rule for explicitly requiring hospitals and physicians to conduct risk assessments, which can lead them to invest in appropriate security technologies to address specific risks.
McMillan would have liked some security technology mandates included either in the meaningful use rule or in the proposal to modify HIPAA, which also lacks such mandates.
Under the meaningful use rule, both hospitals and physicians must "protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities." But those capabilities are not spelled out.
A Regulator's View
The HIPAA modification proposal is designed to carry out provisions of the HITECH Act, which does not require the mandating of specific security technologies, says Susan McAndrew, deputy director for privacy at the Department of Health and Human Services' Office for Civil Rights. Thus, no such mandates were developed in the proposed modifications, and none will be added in the final rule, she says.
The original HIPAA security rule includes a requirement to safeguard and control access to protected health information. That rule "puts forth encryption as the primary and most prominent way to meet the standards," McAndrew notes.
But encryption is an "addressable" issue in HIPAA, which means that it's not mandated, she explains. Organizations have "the opportunity to make some judgment calls under what circumstances encryption may not be feasible for them," she notes. They then must document why they've chosen other security measures as a result of their risk assessment.
And how does an organization know, for certain, if its use of encryption and other security technologies meets HIPAA requirements? If it reports a major breach, as required under the HITECH Act, OCR will review its risk assessments and security policies. Plus, OCR is mandated under HITECH to launch a HIPAA compliance audit program, which is in the works.
Concrete Guidance?
With so much wiggle-room in HIPAA, a lot of security officers would have preferred some more concrete guidance in the HIPAA modification proposal or the "meaningful use" rule, McMillan argues.
When security officers approach senior executives about investments in new technologies, such as encryption or two-factor authentication, they often hear, "Show me where it says that I have to do that," McMillan says. That's why he would have liked some sort of "minimal standards" for security technology use included in one or both of the rules.
The proposed HIPAA security rule modification should have included some limited, clear-cut encryption mandates, argues security expert Kate Borten, president of The Marblehead Group. She says regulators should specifically require that patient information on wireless and portable devices, as well as data traversing the Internet, should be encrypted "because of the heightened risk."
Including such a provision in HIPAA, rather than the meaningful use rule governing the voluntary EHR incentive program, would help ensure that all organizations take adequate precautions, she contends.
The Rules of the Game
Both the meaningful use rule and the software standards rule will be officially posted on the Federal Register July 28. For now, they're available in near-final form at the Federal Register public inspection desk.
The EHR incentive program, which will provide as much as $27 billion in Medicare and Medicaid incentives over the next 10 years, was created by the HITECH Act.
The requirements for meaningful use of EHRs, as well as the software standards, will evolve in future phases of the incentive program. The software certification program is slated to start this fall.
Software Standards
To be certified as qualifying for the federal incentive program, EHR software must be able to:
- Encrypt and decrypt electronic health information within an organization and also when it is exchanged with others;
- Verify the identity of a person or entity seeking access to electronic health information;
- Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access information;
- Terminate an electronic session after a predetermined time of inactivity;
- Enable a user to generate an audit log;
- For records that are exchanged, verify that the information has not been altered in transit.
Borten of The Marblehead Group says she's pleased that the software standards spell out that the audit capabilities must include the ability to audit those accessing records in "read-only" mode.
She says virtually all EHRs can audit when someone has added, deleted or updated information in a record. But to track inappropriate access by an authorized user, such as someone snooping on a celebrity or a relative, requires the ability to audit "read-only" access as well, she stresses.
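To make the certification capabilities listed above (and Borten's point about read-only auditing) concrete, here is an added illustration that is not part of the rule, the article, or any EHR vendor's product. It models three of the required functions in a few lines: an audit log that records read-only views alongside creates, updates and deletes, so that a user viewing a chart outside their care team can be surfaced afterwards; an HMAC-SHA256 tag on a record exchanged with another organization so alteration in transit is detected (the rule names the capability, not an algorithm, so the keyed MAC is this example's choice); and a predetermined inactivity timeout. The user names, patient IDs, care-team table and shared key are all constructed sample data.

```python
"""Constructed illustration of three EHR certification capabilities:
read-inclusive audit logging, integrity protection for exchanged records,
and an inactivity timeout. Not the rule's text or any vendor's code."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str  # "READ", "CREATE", "UPDATE" or "DELETE"


class EhrAuditLog:
    """Append-only access log. READ events are stored exactly like writes;
    that is what makes a later 'who looked at this chart' query possible."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, ts: datetime, user: str, patient_id: str, action: str) -> None:
        if action not in {"READ", "CREATE", "UPDATE", "DELETE"}:
            raise ValueError(f"unknown action {action!r}")
        self._events.append(AuditEvent(ts, user, patient_id, action))

    def accesses_to(self, patient_id: str) -> List[AuditEvent]:
        """Every event touching one patient, reads included: the accounting
        of who has accessed a record that the article discusses."""
        return [e for e in self._events if e.patient_id == patient_id]

    def reads_outside_care_team(self, care_team: Dict[str, Set[str]]) -> List[AuditEvent]:
        """Read-only views by users not on the patient's care team. A log
        that captured only adds, deletes and updates could never show these."""
        return [e for e in self._events
                if e.action == "READ" and e.user not in care_team.get(e.patient_id, set())]


def seal_record(key: bytes, record: dict) -> Tuple[bytes, str]:
    """Serialize a record for exchange and attach an HMAC-SHA256 tag so the
    receiver can verify it was not altered in transit (assumes a key shared
    between the two organizations; a constructed choice, not the rule's)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_record(key: bytes, body: bytes, tag: str) -> bool:
    """Constant-time comparison of the received tag against a recomputed one."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def session_expired(last_activity: datetime, now: datetime, idle_limit: timedelta) -> bool:
    """Predetermined inactivity timeout: terminate once the idle gap reaches the limit."""
    return now - last_activity >= idle_limit


# Constructed sample data: a care-team table and four access events.
T0 = datetime(2010, 7, 20, 9, 0, 0)
CARE_TEAM: Dict[str, Set[str]] = {"P001": {"dr_lee", "nurse_kim"}, "P002": {"dr_lee"}}


def build_sample_log() -> EhrAuditLog:
    log = EhrAuditLog()
    log.record(T0, "dr_lee", "P001", "READ")
    log.record(T0 + timedelta(minutes=5), "nurse_kim", "P001", "UPDATE")
    log.record(T0 + timedelta(minutes=9), "clerk_jones", "P001", "READ")  # not on the care team
    log.record(T0 + timedelta(minutes=12), "dr_lee", "P002", "READ")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.reads_outside_care_team(CARE_TEAM):
        print("review:", e.user, "viewed", e.patient_id, "at", e.ts.isoformat())
    key = b"constructed-shared-secret"
    body, tag = seal_record(key, {"patient_id": "P001", "allergy": "penicillin"})
    print("intact:", verify_record(key, body, tag))
    print("tampered:", verify_record(key, body.replace(b"penicillin", b"none"), tag))
    print("expired:", session_expired(T0, T0 + timedelta(minutes=15), timedelta(minutes=15)))
```

Run as a script, it flags the clerk's read-only view of P001 for review, reports the unmodified record as intact and the altered copy as tampered, and shows the session expiring at the 15-minute idle limit. The care-team check is a review aid, not a policy engine: which views count as inappropriate is a question the covered entity's own risk assessment has to answer.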
While creating minimum technical specifications for security functions of EHRs is a big step forward, hospitals and physician groups will need to make sure they offer adequate training, with the help of vendors, on how to use the security functions, says Dan Rode, vice president of policy and government relations at the American Health Information Management Association.
Accounting for Disclosures
The rule lists as "optional" the ability to provide patients with a complete accounting of who has accessed their electronic records. "We recognize that significant technical and policy challenges remain unresolved," the rule states.
Some provider organizations and software vendors have argued that accounting for who has viewed a record would require massive revisions in the EHR software now on the market, notes McMillan of CynergisTek. But he argues that regulators should have announced plans to require EHR vendors to offer this functionality by a specific deadline date. "To just make it 'optional' to account for disclosures was a mistake," he contends.
The OCR's McAndrew says her office will issue a proposed rule on disclosing who has accessed records, as required under the HITECH Act, by the end of this year. She acknowledges this rule-making task is proving difficult. "There is a wide range of opinion on all aspects of this new requirement, including the primary factors we should take into account when balancing benefits to individuals against the burden on covered entities."