House Subcommittee Hears Security Pleas
Stronger Requirements, Uniform State Laws Advocated
In other testimony, the leader of a health information exchange in Oregon made a plea for standardizing state laws on healthcare privacy and security.
The HIPAA security rule, as well as the rules governing the Medicare and Medicaid electronic health record incentive program under the HITECH Act, don't go far enough on security, says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology.
While the standards for EHR software certified for the HITECH incentive program require the applications to include a long list of security functions, such as encryption and the ability to create an audit trail, the HITECH rules and HIPAA stop short of mandating actual use of these functions, McGraw lamented.
"We're not being terribly clear with providers about using these functionalities," she told the House Subcommittee on Technology and Innovation. "That's a major deficiency."
Work to be Done
In his opening statement, Subcommittee Chair David Wu, D-Ore., seemed to express sympathy with that point of view. "We still have a ways to go in promoting interoperability, coordinating many health IT projects under way, governing the standards development process and providing direction on privacy and security," he said.
And a background paper for the hearing sounded a similar theme: "There is little federal guidance beyond HIPAA for implementing these stricter privacy and security measures (called for in the HITECH Act)."
Rules Fall Short?
In her written testimony, McGraw noted that those receiving EHR incentive payments under the HITECH Act are required to "perform a security risk assessment and respond to any deficiencies discovered, but this falls short of a clear requirement to implement or have a plan for implementing the (security) functionalities required for EHR (software) certification. The Center for Democracy and Technology is continuing to advocate with regulators for strengthened security requirements."
McGraw serves as co-chair of the privacy and security tiger team that's advising regulators. It recently issued recommendations on several issues, including obtaining patient consent to exchange their information. And it's working on several additional security issues.
State Law Uniformity
Richard Gibson, M.D., president of the Oregon Health Network, called for standardization of state privacy and security laws governing health information. He told the subcommittee that physicians in Oregon and Washington, for example, routinely exchange information and face varying state regulations.
"We need a federal effort to convene, sponsor and mandate development of model rules and laws that each state could take through its own legislative process," he said in written testimony. "A Uniform Privacy Code, as it were, like the Uniform Building Code, would provide interstate consistency and give EHR vendors confidence that their software would perform consistently wherever it is used."
Deb Bass, executive director at the Nebraska Health Information Initiative, another data exchange, told the subcommittee that federal regulators should create a national repository of best practices on many issues, including privacy and security. She noted in written testimony that 15 states use the Nebraska exchange's privacy and security policies as an example for drafting their own policies.
Subcommittee Chairman Wu raised the question of whether patient information that is de-identified and shared with researchers and others could be re-identified, and whether that would constitute an invasion of privacy.
McGraw noted that, under the HIPAA privacy rule, 18 common identifiers must be stripped out of data for it to qualify as de-identified so it can be shared for research. She urged tightening the de-identification standard, which is five years old, to help ensure data cannot be re-identified, and imposing strong sanctions for violating privacy by re-identifying it.
The HITECH Act called for federal regulators to issue a report on this issue by last February. David Blumenthal, M.D., national coordinator for health information technology in the Department of Health and Human Services, told the subcommittee that a study is ongoing. "We have to look at the science of de-identification" and reach a consensus on what level of risk of re-identification is acceptable, he said.
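To make concrete what the exchange above is about, here is an added example (not part of the hearing testimony or the article) that applies the HIPAA Safe Harbor de-identification method to a handful of constructed patient records and then shows why stripping the listed identifiers is not the same as making data non-re-identifiable. The identifier categories follow the Safe Harbor method of the HIPAA Privacy Rule (45 CFR 164.514(b)(2)) as commonly summarized; the field names, the sample records, the reference date and the restricted ZIP prefix set are all assumptions constructed for the example. The second half counts how many released records share each combination of the attributes that survive the scrub (3-digit ZIP, birth year, sex); any record that is alone in its group is a re-identification candidate, which is precisely the "science of de-identification" question Blumenthal refers to.

```python
"""HIPAA Safe Harbor scrub with a quasi-identifier uniqueness check.

Added illustration, not from the article. The identifier categories follow
the Safe Harbor method of the HIPAA Privacy Rule (45 CFR 164.514(b)(2)); the
field names, patient records, reference date and restricted ZIP prefixes
are constructed sample data.
"""
from collections import Counter
from datetime import date

# Safe Harbor identifier categories, keyed by the field names used in the
# constructed records below (assumption: one record field per category).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
    "other_unique_id",
})

# Constructed placeholder set. Under Safe Harbor a 3-digit ZIP prefix covering
# 20,000 or fewer people must be reported as "000"; the real list comes from
# census data, not from this example.
RESTRICTED_ZIP3 = frozenset({"036", "059", "063"})

# Attributes that survive the scrub but can still single a person out when
# combined ("quasi-identifiers").
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" for a restricted prefix."""
    z3 = zip_code[:3]
    return "000" if z3 in RESTRICTED_ZIP3 else z3


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed or generalized.

    Dates keep only the year; ages over 89 (and the birth years that reveal
    them) collapse into a single "90+" category, as the rule allows.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    for field in ("admit_date", "discharge_date"):
        if field in out:
            out[field] = out[field].year
    birth = out.pop("birth_date", None)
    if birth is not None:
        age = age_on(birth, as_of)
        out["birth_year"] = birth.year if age <= 89 else None
        out["age"] = age if age <= 89 else "90+"
    return out


def equivalence_class_sizes(records: list) -> Counter:
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r.get(q) for q in QUASI_IDENTIFIERS) for r in records)


def unique_records(records: list) -> list:
    """Records whose quasi-identifier combination appears exactly once.

    Each one is a re-identification candidate even though every Safe Harbor
    identifier has already been stripped.
    """
    sizes = equivalence_class_sizes(records)
    return [r for r in records
            if sizes[tuple(r.get(q) for q in QUASI_IDENTIFIERS)] == 1]


# Constructed sample records (not real patients) and a constructed reference date.
AS_OF = date(2010, 9, 30)
RECORDS = [
    {"name": "A. Example", "mrn": "MRN-0001", "zip": "97201", "sex": "F",
     "birth_date": date(1975, 3, 2), "admit_date": date(2010, 5, 4),
     "email": "a@example.test", "diagnosis": "J45"},
    {"name": "B. Example", "mrn": "MRN-0002", "zip": "97205", "sex": "F",
     "birth_date": date(1975, 11, 20), "admit_date": date(2010, 6, 1),
     "phone": "555-0100", "diagnosis": "E11"},
    {"name": "C. Example", "mrn": "MRN-0003", "zip": "97210", "sex": "F",
     "birth_date": date(1975, 7, 9), "admit_date": date(2010, 7, 15),
     "ip_address": "192.0.2.10", "diagnosis": "I10"},
    {"name": "D. Example", "mrn": "MRN-0004", "zip": "03601", "sex": "M",
     "birth_date": date(1919, 5, 4), "admit_date": date(2010, 8, 2),
     "ssn": "000-00-0000", "diagnosis": "C34"},
]


def scrub_all(records: list = RECORDS, as_of: date = AS_OF) -> list:
    """Apply the Safe Harbor scrub to every record in a release."""
    return [safe_harbor(r, as_of) for r in records]


if __name__ == "__main__":
    released = scrub_all()
    for r in released:
        print(r)
    print("re-identification candidates:", unique_records(released))
```

In the sample release, three records collapse into the same (ZIP "972", born 1975, F) group and can no longer be told apart, while the fourth stands alone even after its ZIP has been reduced to "000" and its age to "90+". A data holder would typically suppress or further generalize such singleton records before release; Safe Harbor itself does not require that step, which is the gap McGraw's call for a tighter standard points at.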
In addition, the Health IT Standards Committee, which advises Blumenthal's office, will issue recommendations "that focus on strengthening the security capabilities of EHR technology and on standards for electronic health information exchange in support of meaningful use," according to Blumenthal's written testimony.
Blumenthal said his office is creating a standards and interoperability framework to help coordinate standards development efforts.
The standards for Stage 1 of the HITECH EHR incentive program lack sufficient standards for security, which are necessary for achieving interoperability, according to written testimony from Joyce Sensmeier, vice president for informatics at the Healthcare Information and Management Systems Society.
She expressed hope that standards for future stages would contain more thorough interoperability standards.
Blumenthal noted that the HIT Policy Committee already is working on standards for future stages.