Security, Privacy and 'Meaningful Use'EHR Adopters Must Not Overlook HIPAA Requirements
In an interview (complete transcript below), McLendon points out that the "meaningful use" requirements for earning the Medicare and Medicaid EHR incentive payments created under the HITECH Act specifically address security, but not privacy issues. He stresses, however, that "meaningful users" should not overlook they still have to demonstrate compliance with the HIPAA privacy rule as well.
McLendon advises hospitals and clinics seeking to earn EHR incentive payments to:
- Demand that EHR software vendors spell out how they will offer the security capabilities required under the software certification criteria.
- Ask EHR vendors that remotely host applications using the cloud computing model to provide thorough documentation of their security protocols, tools and audit logging.
- Ask vendors remotely hosting EHRs how data is stored and protected and who has access to the data.
- Take steps to make sure protected health information from EHRs doesn't find its way onto social networks.
McLendon, a former hospital medical records director, is the founder of Health Information Xperts. The company provides consulting on a wide variety of electronic health records issues, including strategies for achieving meaningful use of certified EHRs. The firm also offers strategic planning, project management and clinical operational transformation.
HOWARD ANDERSON: Soon, many hospitals and clinics will be applying for electronic health records incentive payments from Medicaid and Medicare under the HITECH Act. What are the key steps they need to take in the areas of privacy and security as they prepare to prove that they are actually meaningful users of EHRs and thus qualify for the payments?
KELLY MCLENDON: Well, to start with, there is a criterion that says, "Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities." Diving into the meaningful use criteria further, all hospitals or eligible professionals are asked to conduct or review a security risk analysis and implement updates as necessary and correct identified security deficiencies as a part of its risk management process.
There are plenty of documents, including some from the Department of Health and Human Services, that will advise on this type of risk analysis. There is no defined methodology; you're free to use whatever you feel is appropriate. But there is plenty of guidance out there. So, I think, for security analysis, there is quite a bit of documentation, and you'll certainly have to attest, as a part of the core set of meaningful use criteria, that these security risk analyses have been managed as a part of your EHR project.
Now, privacy is a little different. Privacy and security are, in fact, different areas, but very interrelated. But there are no meaningful use criteria for privacy, per se. But we do know, of course, that HIPAA applies to all entities in the United States, as do appropriate state regulations. So anyone interested in applying for meaningful use incentives will have to meet the security meaningful use criteria, but they are also going to have to meet HIPAA, as well as their associated state regulations, for privacy. So, it's quite a handful, and it does mean, really, that you need to have an effective privacy officer and privacy compliance program, and security officer and security compliance program.
Of course, a small physicians' office...is not going to have different people providing privacy officer and security officer functionalities; they're going to have those wrapped into an officer manager, or another individual. And that's OK, as long as those areas are covered and thought about. What we like to see in the privacy world is adequate review of your privacy policies and procedures; make sure you have up-to-date forms. It's probably a good idea to understand who your attorney would be, if you're going to have to use them for any privacy needs.
ANDERSON: To have their software certified for the incentive program, EHR vendors must offer a long list of security capabilities. The meaningful use rule, however, doesn't require use of any specific technologies, other than, as you described it, assessing risk, and making sure those risks are addressed somehow. Nevertheless, what questions should those shopping for an electronic health records system ask vendors about their security capabilities?
MCLENDON: Well, absolutely there are many more certification criteria than meaningful use criteria for security, and the way I would approach this is if you have an existing vendor, you are going to ask your vendor to provide you with details of how they are going to meet the certification criteria for security. And, if you have prospective vendors, and you haven't selected your EHR vendor yet, then I would suggest that the same question applies: How are you going to meet certification criteria for security? That's one of your key qualifying criteria that you are going to use to judge vendors' performance in your vendor selection process.
So we want the vendors to be literate enough with the certification criteria that when an existing user or potential user comes to them and asks about how they will meet the certification criteria for security, the vendor is able to produce the list of certification criteria and then turn around and explain their methodology and plans for meeting that criteria, what versions will they be using, what third-party tools, all of that....
We know that the temporary certification and then the permanent EHR software certification programs (for the Medicare/Medicaid incentives) will have all of the criteria well-published and in list form that you can work over with your vendors. The key point there is the vendors themselves need to be aware of this and be driving the process of being certified; it's not up to the users to achieve that certification.
ANDERSON: When it comes to cloud computing, what additional potential security risks are involved when a healthcare organization uses a remotely hosted electronic health records system? And, as a result, are there extra questions that should be posed to those vendors?
MCLENDON: As far as cloud computing is concerned, that actually adds elements of risk into the security mix. There certainly are usable, workable security scenarios for cloud computing. And some of the most recent large vendor cloud computing platforms that have come around probably have some brand new security capabilities -- and risks.
What we are typically seeing with cloud computing is security risks that revolve around not having primary direct control of the servers, the hardware and software platforms, and relying on the vendors and third parties to manage the security processes. We also find that in the clouds, it gets much harder to document exactly what the platforms are and exactly what the security procedures and policies are that are associated with them. So it does add an element of complexity, and I would suggest that any hospital or eligible professional that was interested in using a cloud or software-as-a-service type software solution would want to take extra time to understand the documentation surrounding the security protocols, tools, audit logging, and so forth, that are going to go along with the clouds.
We are also worried about things like storage management: Where is the data stored, or how is it stored? What kind of hierarchies are stored? How many copies? Who has access? You're not going to know that stuff in detail, but you're going to have to ask those questions, and try to get the best answers that you can. That's what, I think, concerns us the most: What we have seen to date has been not well-versed answers to some of those questions, that they have been a little more nebulous, almost cloud-like in the answers themselves.
So you're going to have to be careful with that, because it adds elements of risk that you have to manage. Again, it doesn't mean you cannot use those types of platforms or architectures, but you must be careful and take some extra time to document them well.
ANDERSON: Finally, as more organizations use social networks, including Facebook and Twitter and others, for marketing and educational purposes, it raises some new potential privacy and security issues. Do you think healthcare organizations should be crafting specific policies on the use of social networks, and what are the essential components of such a policy?
MCLENDON: Certainly, if you're going to use the social networks, you're going to have to write policies about them. If you're using the media for marketing and education...keep protected health information out of the mix, and keep it separate. We certainly don't want to see PHI accessible on Facebook or Twitter or any other social networks. We want to keep the PHI well, well away from that....
In your policies, you want to actually keep your PHI out of the social networks, and also limit it on e-mail, which has the potential for abuse. PHI could escape from e-mail into the wider social network, so you do want to watch for that. You also have to, as a part of our privacy, be cognizant that it may not be possible to easily manage watching the social networks because there are so many permutations and connections there. But, if you get complaints that PHI is now being found inside a social network, what are your corrective actions, your remediation processes? All that has to be dealt with in policies and procedures.