Privacy, Security Proposals Advance

Tiger Team Recommendations Gain Round One Approval
Privacy, Security Proposals Advance
The Health IT Policy Committee has approved a long list of recommendations from its Privacy and Security Tiger Team that now will be considered for federal rules and regulations. Among them is a plan to require participants in Stage 2 of the HITECH Act's electronic health record incentive program to verify how they are keeping stored data secure, such as through encryption.

Deven McGraw, co-chair of the tiger team, stressed at the committee's Wednesday meeting that this EHR incentive requirement would reinforce the HIPAA security rule and would not require the use of encryption in all cases. The team hopes that by calling attention to the issue of protecting stored data in the incentive program's Stage 2 meaningful use requirements, it can "make a dent in the number of organizations that have to report breaches of data," said McGraw, director of the health privacy project at the Center for Democracy & Technology. She pointed out that many of the incidents on the Department of Health and Human Services' Office for Civil Rights' list of major health information breaches have involved the loss or theft of unencrypted devices or media.

When a breach is publicized in the news media, "it damages the public's confidence" in electronic health records and related systems, said Paul Egerman, a software entrepreneur who co-chairs the tiger team. "A lot of these breaches happen because people aren't paying attention to some of the things they're supposed to be doing."

HIPAA Requirements

Encryption of data at rest as well as data in motion is an "addressable" requirement under the HIPAA security rule, not an explicit mandate. That means that if an organization determines that encryption is not "reasonable and appropriate," it can choose to document another method of protection.

Under the recommendation approved by the committee Wednesday, hospitals and physicians participating in Stage 2 of the EHR incentive program would have to specifically attest to how they have addressed the HIPAA security rule requirement for protecting data at rest, whether it's stored in data centers or on mobile devices or media. As in Stage 1, they also would have to conduct a risk assessment and take action to mitigate any risks identified.

The HIT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT, plans to unveil its latest draft of Stage 2 meaningful use requirements for the EHR incentive program at its May 11 meeting and finalize the criteria by June 8. HHS is slated to issue a proposed rule for Stage 2 by year's end.

Authentication, Audit Trails and More

Among the many other tiger team recommendations that the HIT Policy Committee approved Wednesday were proposals that call for:
  • Spelling out security and privacy guidelines for patient portals used to access electronic health records. (Federal authorities are considering requiring portals for Stage 2 of the incentive program.) These guidelines address authenticating patients' identities with at least a user name and password; using audit trails to track portal use; identifying the sources of all data accessible in the portal; and providing a way for a user to securely download their health information to a third party, such as a personal health record provider. EHR software certified for Stage 2 also should include the capability to detect and block programmatic attacks or attacks from a known, but unauthorized person, the tiger team said.
  • Requiring the use of at least two-factor authentication for organizations using the Nationwide Health Information Network standards to exchange information. For more sensitive, higher-risk transactions, "an additional authentication of greater strength, subsequent to an initial authentication, may be required," the tiger team stated.
  • Requiring healthcare organizations to use digital certificates when exchanging information as part of Stage 2 of the EHR incentive program. Also, two-factor authentication would be required for e-prescribing of controlled substances, as already is required under a Drug Enforcement Administration rule.
  • Creating standard formats for data fields that are used for matching patients to the right records. The HIT Standards Committee will work on creating these formats.

To view the complete recommendations, click on "Privacy and Security TT Recommendations" on the HIT Policy Committee's April 13 meeting materials.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.