Stage 2 EHR Incentive Rules: Get ReadyAddressing New Privacy, Security Issues
Healthcare organizations need to take steps now to prepare for compliance with the proposed rules for Stage 2 of the HITECH Act electronic health record incentive program, says attorney Adam Greene.
Three components of the proposed Stage 2 meaningful use rule that have significant privacy and security implications, Greene says, include providing patients with access to their medical information via portals, ramping up participation in health information exchange and providing secure messaging for patients.
Greene, a former official at the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, says that providing patients with online access to their records raises such issues is how to handle patient authentication as well as how to manage access to records by authorized representatives of patients.
Healthcare organizations will need to determine "what are the new threats and vulnerabilities that are introduced that will need to be addressed in the risk analysis and risk management plan," Greene says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
In the interview, he also says healthcare providers should:
- Ask their electronic health records vendor to describe, in detail, how they'll manage their patient portal and how they'll log access to it;
- Ask health information exchanges to describe how they are applying encryption of messages and authentication of parties exchanging information;
- Discuss with EHR software vendors how they'll meet the proposed Stage 2 software certification rule requirement to encrypt data stored on mobile devices by default, addressing both hardware and software issues.
Greene also discusses the implications of the recent OCR settlement in the BlueCross BlueShield of Tennessee breach case, which included a $1.5 million penalty. "If you lose the records of 1 million individuals, or possibly significantly less, you should be prepared for a thorough OCR investigation and the possibility of a settlement or fine," he stresses.
Greene is a partner at Davis Wright Tremaine LLP in Washington, where he specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
Proposed Stage 2 Rules
HOWARD ANDERSON: Federal regulators recently released proposed rules for Stage 2 of the HITECH Act electronic health record incentive program. Based on the proposed rules' privacy and security provisions, what are the most important steps healthcare organizations should start taking to prepare to comply and what questions should they be posing to EHR vendors?
ADAM GREENE: Meaningful use is going to bring a lot of new and challenging privacy and security issues to the forefront for organizations. I think the three biggest issues are going to include providing patients with real-time access to their medical information, participating in health information exchange and doing secure messaging with patients. For the real-time access to parts of the medical record, providers should start thinking about issues such as: How will the provider manage authentication of patients? Does that need to be in person, or is there going to be some sort of remote authentication available? How will the provider manage access by "authorized representatives," including challenging situations like minors and reproductive services [when] parents may or may not have access to that information under state law?
When the default is to provide patients with access to certain records without any affirmative decision by the provider, will the providers still deny access to certain information where permitted under HIPAA? Is this real-time access going to really eliminate the whole basis for denying patients access in certain situations, or do providers have to be a lot more proactive with identifying which records could potentially cause harm to patients or others and flagging those ahead of time so that if a patient seeks real-time access there will be a denial still in place?
Then also, what are the new threats and vulnerabilities that are introduced that will need to be addressed in the risk analysis and risk management plan? This is a really large new access to essentially the electronic health record, and so that's going to bring with it a lot of different threats and vulnerabilities that will need to be addressed in the risk analysis.
Health information exchange is a whole other set of issues. Ready or not, meaningful use is now pushing people to actively participate in health information exchange. Is the disclosure permitted under HIPAA without an authorization? It's important to remember that meaningful use doesn't replace the need for HIPAA authorization where that may be required. What are the potential threats and vulnerabilities? Once again, this is another area where you'll be opening up your systems like never before, and that's going to introduce a wide variety of reasonably anticipated threats and vulnerabilities. Is the information going to be encrypted in transit? Does "minimum necessary" apply, and if so, does it create any challenges?
For example, a healthcare provider can rely on a requester who's another covered entity and has only requested the minimum necessary amount of information where reliance is reasonable. And it's a really big question as to: Are there going to be circumstances in health information exchange where you have to start looking at whether a particular request is reasonable? Now, meaningful use Stage 2 is really much more focused on directed health information exchange, sending something from the meaningful use provider to a third party, but it's important to start thinking about that next level of health information exchange.
Then finally: secure messaging. What information needs to be sent via secure messaging? There's guidance from the Office for Civil Rights that indicates that not all e-mails, for example, necessarily need to be encrypted. Appointment reminders, for example, need not be encrypted. So it's important to keep that in mind when looking at instituting secure messaging. If under HIPAA previously, you're able to do certain things via unencrypted messages based on having done a thorough and accurate risk analysis, there's not necessarily a need to change that with respect to meaningful use, and it's important to keep that in mind because secure messaging is a great platform, but it's not always the most user-friendly platform for the actual patients.
A few things to talk about with EHR vendors now, rather than waiting and complaining once they actually put out the product, include: What tools will be provided with respect to managing the portal, especially with respect to authorized representatives? Can they have a separate username and password from the actual patient? Can their access be tied to age? For example, if a parent has access to the record, can that be tied somehow to the fact that once the minor becomes 18 or some other age, could that be flagged and potentially cut off? Can they have more limited access to the record? Could they have view-only access, for example, rather than full access as the patient may have? Will the software do a good job of logging access to the portal? Will health information exchanges, will all exchanges, be encrypted? How will you be able to authenticate that you're sending it to the right person and not sending it to the wrong party? All of these are things to start talking with your EHR vendors about now and make sure it's on the top of their list.
Encrypting Data Stored on Devices
ANDERSON: What about this provision in the certification rule that says the EHR software should be set up so that as a default mechanism, if data is stored on a mobile device, it should be encrypted?
GREENE: Well, it does represent an interesting challenge with respect to the interplay between the EHR software and the rest of the device. I would say one of the challenges there is making sure you understand from your side of things that just because your EHR software may be encrypted on the device doesn't mean your device is encrypted and doesn't mean that there's not information going elsewhere. You should also start talking to vendors about what this is going to mean from a hardware standpoint. Is this going to have particular performance issues with respect to the devices? Because encryption is not a light application; encryption of the device is not something that can be done remotely. It's something that is going to utilize the device's resources. So you never want to be in the situation where you've adopted the new meaningful use Stage 2 EHR certified software, but all your laptops are now failing.
BCBS Tennessee Case
ANDERSON: The HHS Office for Civil Rights recently announced a resolution agreement with BlueCross BlueShield of Tennessee tied to a breach that affected about a million people. This settlement called for $1.5 million payment plus an extensive corrective action plan. What lessons can be learned from this action by OCR and the details of the corrective action plan?
GREENE: I think the first lesson, which hopefully is not too surprising, is that large breaches have consequences. We've seen a multitude of consequences. We've seen reputational damage. We've seen the fact that you could be on the so-called "wall of shame" indefinitely, but we're also seeing that if you lose the records of 1 million individuals, or possibly significantly less, you should be prepared for a thorough OCR investigation and the possibility of a settlement or fine. It's worth noting that if you download the full information from the breach websites where they have information about what breaches have occurred, they have case summaries up there and those case summaries usually equate to closed cases. You'll notice there are not too many closed cases with respect to the particularly large breaches, so it will be interesting to see how this plays out. I think it's indicative that OCR is taking those large breaches very seriously.
ANDERSON: Is there anything from that particular incident that offers food for thought on preventive steps people should be taking?
GREENE: Certainly. Data should be a top priority, not a last consideration. So when moving facilities, it appears that they [BlueCross Blue Shield] essentially moved everything out of the facility except for the records of over a million patients and that seemed to be kind of a lower priority with respect to their movement out of the facility. One lesson learned is don't leave the data behind. The data should be one of your top priorities. Another lesson is physical safeguards are important, but they're not a substitute for other safeguards necessarily. The resolution agreement indicated that there were biometric locks, magnetic locks. Many people may be scratching their heads saying what more physical safeguards could you have? Well, physical safeguards are great for protecting hardware, but when it comes to protecting the data itself there's no substitute necessarily for encryption of the data as a back-up because for every physical safeguard, there's going to be someone who has keys to that lock and there's also going to be opportunity potentially to get around almost any physical safeguards. You would be amazed sometimes what a crowbar can do.
ANDERSON: Do you think we'll see a number of other similar resolution agreements for major breaches, self-reported under the breach notification rule, in the next year or so?
GREENE: Yes, I think we will. Whether it will necessarily be in the next year is hard to say. On average it has taken about two years between the start of an investigation and a settlement agreement, so a lot of people were of the opinion that they weren't going after breaches. But it was simply a matter of time. ... Now, literally it's more than two years past [since the HIPAA breach notification rule took effect] and we've seen the first settlement, so there may be a pipeline out there of large breaches that may lead to settlement and we may see some of those over the next year and we may continue to see those steadily in years to come.