The Regulation Waiting Game
Tiger Team Takes Time Off, Awaiting Regulatory Action
The Privacy and Security Tiger Team, which advises federal healthcare regulators, likely will not meet again until after a batch of new regulations is released in the first quarter, says co-chair Deven McGraw.
McGraw, director of the health privacy project at the Center for Democracy & Technology, is hopeful that many of the team's recommendations, which were endorsed by the Health IT Policy Committee, will wind up in three pending regulations that she expects to be unveiled by March. Those include two rules for Stage 2 of the HITECH Act electronic health record incentive program, plus the Nationwide Health Information Network Governance Rule, setting guidelines for health information exchange.
The Tiger Team members decided to "take a breath" and hold off on slating any more meetings until the Department of Health and Human Services actually takes action on the many recommendations the team already has submitted, McGraw says.
"My own view is that we've given HHS a fair amount to chew on," she says. "Without some sort of indication of some movement on the policy recommendations that we've given them, it's very hard to ask our members to meet on a regular basis and deal with more issues."
Nevertheless, McGraw says the team could meet again as soon as March. Among the topics the team could consider this spring, she says, are refinements to the three pending rules as well as privacy and security provisions for Stage 3 EHR incentive guidelines, which are in the early stages of development.
Regulations on the Horizon
On Jan. 19, HHS submitted a proposed electronic health record software certification rule for Stage 2 of the incentive program to the Office of Management and Budget (see: New EHR Incentive Rule Inches Forward). That's the final step before publishing a rule in the Federal Register and soliciting comments. McGraw says that rule could contain some of the Tiger Team's recommendations, including those dealing with authentication of providers and patients.
On Jan. 24, HHS submitted to OMB a companion Stage 2 rule, defining how hospitals and physicians must meaningfully use EHRs to qualify for further incentives (see: Second EHR Incentive Rule Advances). That Stage 2 meaningful use rule could potentially include a Tiger Team recommendation on encryption. The team urged HHS to require, as part of a security risk assessment, that hospitals and physicians verify how they are keeping stored data secure, such as through encryption (see: Privacy, Security Proposals Advance). That recommendation was made in light of a long list of major health information breaches involving the loss or theft of unencrypted devices.
McGraw has been frustrated that HHS has not done more to encourage encryption. For the Stage 1 incentive rules, HHS "flatly rejected an HIT Policy Committee recommendation to more closely tie HIPAA compliance with meaningful use," she notes. "It will be interesting to see if some of that hard line softens a bit in stage 2. Why shouldn't HHS use the incentive program to incentivize good behavior on privacy and security?"
Health Information Exchange
The Tiger Team has made a long list of recommendations designed to protect privacy when health information is exchanged. McGraw expects many of those recommendations will show up in the Nationwide Health Information Network Governance Rule, which she anticipates will be released during the first quarter. But the nature of that rule remains uncertain.
The HIT Policy Committee said the NwHIN rule should "be a voluntary set of policies, services and standards that entities that want to be trusted data sharing partners voluntarily subscribe to," McGraw notes. "But there were questions about whether recipients of federal funds would be required to comply."
As a result, McGraw says, it's unclear whether the NwHIN rule will provide a mix of voluntary and mandatory guidelines. For example, the guidelines potentially could be mandatory for federally funded statewide health information exchanges and hospitals and physicians receiving EHR incentive payments from Medicare and Medicaid.
Meanwhile, the HHS Office for Civil Rights continues work on an omnibus package of regulations containing, for example, the long-overdue HIPAA privacy and security rule modifications as well as a revised version of a HIPAA breach notification rule already in effect. McGraw says it's impossible to predict when the omnibus package will be released, much less whether it will incorporate any Tiger Team recommendations.