Risk Assessment Help on the Way
Guidance in the Works, But Advisers Call for More
Meanwhile, a federal advisory group has urged the Department of Health and Human Services to offer far more guidance on a variety of information security issues.
The new risk assessment assistance is necessary for smaller organizations that are attempting to qualify for the HITECH Act electronic health record incentive program, says Joy Pritts, chief privacy officer at ONC, the Office of the National Coordinator for Health IT, a unit within HHS. To qualify for Stage 1 of the EHR incentives, organizations must conduct a security risk analysis, as the HIPAA Security Rule (45 CFR 164.308(a)(1)) already requires, and take action to mitigate any risks identified. Pritts acknowledged in a meeting of the Health IT Policy Committee last week that this task is challenging for organizations that lack experience and resources.
In addition to the new guidance, ONC also will offer a series of 15-minute online "training modules" on a variety of topics, including "security 101," risk analysis tips, questions to ask IT vendors and how to provide emergency backup protection for EHRs.
"We're trying to raise the level of awareness and comfort with healthcare security," Pritts told the committee.
Lack of Guidance Highlighted
The new training assistance for smaller providers was highlighted at the same meeting where the HIT Policy Committee voted to urge HHS to make a concerted effort to provide much more guidance to hospitals and clinics on security issues, going far beyond advice on risk assessments.
Deven McGraw, co-chair of the Privacy and Security Tiger Team, which makes recommendations to the committee, lamented that relatively few organizations were even aware that the HHS Office for Civil Rights had published guidance on risk assessments back in 2010. Thus, the team called on HHS to step up efforts to make organizations aware of the guidance it already offers, and then offer far more guidance on a variety of security issues (see: HIPAA Security Rule Guidance Sought).
The HIT Policy Committee, which advises HHS, endorsed the team's recommendation that HHS should "have a consistent and dynamic process for updating security policies and for the rapid dissemination of new rules and guidance."
The committee, acting on a Tiger Team recommendation, called on HHS to conduct a detailed gap analysis comparing the HIPAA Security Rule to other, more updated, security frameworks.
For example, the National Institute of Standards and Technology updates its guidance for compliance with the Federal Information Security Management Act through Special Publication 800-53 roughly every two years. Although FISMA applies only to federal agencies (and to contractors operating systems on their behalf), many private-sector organizations voluntarily adopt the updated 800-53 control catalog. Both 800-53 and the ISO (International Organization for Standardization) 27001 standard are much more detailed than the Health Insurance Portability and Accountability Act's Security Rule, according to the team. For example, while 800-53 (control SC-7, Boundary Protection) and ISO 27001 both describe protections at the external network boundary, the HIPAA Security Rule, which is written to be technology-neutral, does not specifically require boundary controls such as firewalls.
The HIT Policy Committee is urging HHS to make the gap analysis an ongoing process as technology evolves. ONC, working with NIST, recently completed a very preliminary gap analysis showing many areas where the HIPAA Security Rule fails to address topics addressed in other frameworks.
A more detailed gap analysis would be a good starting point for "creating a very consistent and dynamic process to update policies and disseminate rules," said Tiger Team Co-Chair Paul Egerman.
A final rule for making modifications to HIPAA, as mandated under the HITECH Act, is long overdue. The HHS Office for Civil Rights has indicated it will be released as part of an omnibus package of regulations, which will also include the final HIPAA breach notification rule, in the weeks ahead.
Other Privacy Projects
At the Dec. 7 HIT Policy Committee meeting, Pritts also pointed out that her office is coordinating a number of other projects. Those include:
- A privacy and security consumer attitudes survey. The survey, which ONC hopes to conduct annually for five years, will measure how public attitudes about the sharing of patient information, such as through health information exchanges, change over time. Results of the survey would help regulators make decisions on policies and programs.
- A mobile health privacy and security research project. This effort will involve holding 24 focus groups to identify consumer attitudes and preferences regarding using mobile devices to receive health information via text messaging, e-mail and applications. An HHS task force earlier identified privacy and security as key issues that must be addressed before texting and other options can be used to help improve healthcare communication.
- A data segmentation privacy initiative. This ongoing project will conduct pilots to test ways to segment information within electronic health records, such as, for example, to restrict who can view mental health records. Results should be available by next summer. More information is available at a website for the project.
- An e-consent trial project. This 18-month effort will culminate with pilot projects at hospitals, clinics and other organizations participating in the Western New York Health Information Exchange. It's designed to investigate ways to enable patients to give their electronic consent for the sharing of their data via health information exchanges, ultimately identifying best practices.