HITECH Stage 3: Concerns Raised
Many Privacy, Security Issues Highlighted in Comments
Difficulty complying with federal as well as potentially conflicting state privacy and security regulations is among the concerns expressed in comments about proposed rules for Stage 3 of the HITECH Act electronic health record incentive program.
Other privacy and security concerns include the need for more guidance on health information exchange and patient consent issues and potential inconsistency between HIPAA and HITECH requirements.
Nearly 600 organizations and individuals submitted comments on the Stage 3 proposal by the Jan. 14 deadline. The Department of Health and Human Services recently finalized rules for Stage 2, which starts in 2014. The HHS Office of the National Coordinator for Health IT is now working on rules for Stage 3, which starts in 2016.
A common theme of privacy and security commentary is concern about the difficulty for health providers to navigate HIPAA and the privacy laws of various states on obtaining patient consent to exchange data, protecting sensitive data and conducting health information exchange.
In its Stage 3 proposals, the HIT Policy Committee asked for feedback on several questions, including two related to how EHRs and HIEs can manage information that requires patient consent before it can be exchanged.
In its comments to ONC, the College of Health Information Management Executives, an association for CIOs, writes that managing patient consent when exchanging information among providers is complicated "by the lack of consistent policies across the country."
CHIME urges "more study of how HIEs might efficiently handle sensitive patient data. The current limited nature of information sharing leaves many unanswered questions."
The American Medical Association voices similar worries.
"One of the major concerns with and barriers to EHRs and mobile technology use and participation in HIEs are the conflicting federal and state privacy and security laws," AMA writes. "We are also concerned about potential liability that physicians could face if their vendor's EHR or the HIE that they participate with are hacked or if a cloud-based product that they use is illegally accessed."
"Legal barriers to HIE implementation also exist due to lack of laws in some states, conflicting state and federal laws, and lack of national guidelines especially when various laws conflict."
In its comments, AMA recommends that guidance be provided to physician practices that are considering implementing an informed consent process. The AMA also urges HHS to work with states to develop uniform privacy and security recommendations that:
- Adequately protect patient and healthcare provider data from inappropriate access, use, or disclosure;
- Do not unduly impede physicians and other healthcare providers from efficiently operating their practices or caring for their patients; and
- Eliminate barriers to the use of mobile technology and participation in HIEs and the interstate exchange of health information.
The AMA also asks regulators to consider the impact "overly burdensome privacy and security regulations" could have on EHR adoption and physician participation in the HITECH program.
The AMA also calls for outside analysis of the EHR incentive program before ONC proceeds with Stage 3 rulemaking.
"We are hearing more and more from physicians that the meaningful use program has become a large data collection process which deflects attention and time from relevant data needed to care for patients," the AMA writes. "Given the concerns raised with the current program, an external, independent evaluation is necessary to improve and inform the future of the program."
Queries and Responses
The American Academy of Family Physicians questions the ability of small providers' EHR systems to securely respond to queries from outside EHRs - which is a proposal for Stage 3.
"Infrastructure for these types of outside queries is severely lacking. A majority of AAFP members do not practice in the coverage area of fully functional health information exchanges which could provide this type of functionality," the group comments. "HHS' efforts must enable ubiquitous access to and use of fundamental health information exchange prior to requiring these types of advanced queries."
AAFP also suggests that "a robust mechanism" for obtaining patient consent is lacking. "This will likely require use of role-based certificates for encryption/decryption of data at rest," AAFP suggests.
Complaints About Overdue Regs
The American Health Information Management Association used its comments, in part, as an opportunity to nudge HHS and the Office of Management and Budget to speed up release of a long overdue omnibus package of regulations, which is slated to include, among other things, modifications to the HIPAA privacy, security and enforcement rules. The delay in the release of those regulations poses potential conflict with possible requirements in Stage 3 of the HITECH EHR incentive program, AHIMA notes in its comments.
"We are concerned with developing Stage 3 requirements without the healthcare industry's understanding of the detail expected in the HITECH-HIPAA omnibus rule," AHIMA writes. "We urge the HIT Committees and ONC, as well as Office for Civil Rights, to encourage the Office of Management and Budget to release these rules and then initiate a second request for information related to these rules for public comment."
In its request for comments on Stage 3 proposals, ONC's HIT Policy Committee said it is considering requiring providers to attest to implementing HIPAA Security Rule provisions regarding staff outreach and training and sending periodic security reminders.
AHIMA opposes proposals that providers attest to meeting specifics of HIPAA as part of their Stage 3 meaningful use attestations, says Diana Warner, director of health information management solutions at AHIMA.
For instance, AHIMA opposes any possible Stage 3 rules under which healthcare providers would need to attest to meeting HIPAA staff training requirements. "There's concern about Stage 3 setting up two different sets of rules to meet," she told HealthcareInfoSecurity.
Specifics such as privacy and security training for staff should be spelled out as part of HIPAA, not the HITECH meaningful use rule, she says, because not all organizations are participating in the EHR incentive program.
On the other hand, the Healthcare Information and Management Systems Society says in its comments that it would favor such attestation requirements in Stage 3.
"HIMSS agrees that the 'human element' - employee security awareness and organizational culture - are important indicators of an entity's ability to protect information," HIMSS writes in its comments. "If security is a core value of an organization, it will be reflected in the work environment, for example posters on the walls, how they train employees and how they sanction employees who violate security policy. Recognizing these factors, HIMSS suggests requiring attestation in all three of these areas."
Tracking Adverse Events
On a safety-related topic that touches upon medical device security issues, the non-profit coalition iHealth Alliance urges HHS to include in Stage 3 a requirement for adverse drug and device events to be recorded in EHRs to improve post-market surveillance by the FDA.
"Inclusion of [adverse event] reporting within EHRs will deliver meaningful outcomes by improving patient safety, increasing clinical efficiency, and directly reducing the administrative burden of providers," the alliance writes. "Postponing the integration of safety event reporting within EHRs puts patient safety at risk and will negatively impact health outcomes."