Security Task Force: A Cure for Inertia?
Observers hope new federal group takes quick policy action
The rules and regulations called for under the HITECH Act that were due in February but are not yet available include, among many others:
- Several modifications of the HIPAA privacy rule to add far more details;
- Guidance on "technical safeguards to carry out security";
- Privacy and security guidelines for personal health records controlled by patients.
In addition, the Act called for creation of a rule by this month describing how to inform patients about who has viewed their records.
Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health Information Technology, recently announced formation of the task force, which she said is designed to centralize and intensify ongoing, highly fragmented efforts to define policies. ONC makes policy recommendations to the Department of Health and Human Services.
Pritts and other ONC executives so far are declining to reveal any details about the task force's membership or agenda. But many observers agree with Pritts' strategy of creating a "tiger team" that will address issues "on an expedited basis" with the support of dedicated full-time ONC staff.
A Focal Point
"There needed to be a focal point for privacy and security issues and a group that could move faster," says John Glaser, CIO at Partners HealthCare, Boston. Glaser recently completed serving as a part-time adviser to ONC.
"It's an attempt to pull all the threads together to create one major, coordinated effort," adds Steve Findlay, senior health policy analyst at Consumers Union, Washington.
ONC, headed by David Blumenthal, M.D., is leading the effort to carry out various mandates of the HITECH Act, including federal incentive payments for electronic health records as well as funding for health information exchanges.
Too Many Tentacles?
Until now, two workgroups on privacy and security were advising two committees, which were making recommendations to Blumenthal. Plus, other committees, such as those working on aspects of health information exchange, also were tackling privacy and security issues.
In addition, officials in the Department of Health and Human Services, HHS' Office for Civil Rights, the Department of Veterans Affairs, the Department of Defense and other agencies were all addressing various aspects of healthcare privacy and security.
"I don't even know all the tentacles of all this activity in the government," says Findlay, who serves as co-chair of one of the ONC privacy/security workgroups. He's hopeful that the new task force will help coordinate all the various initiatives and make some rapid conclusions on healthcare policies that all units of the government can immediately use.
Findlay says he's uncertain about the long-term role of the two privacy/security workgroups advising ONC. "They'll probably continue, but with some very specific tasks in mind," he says.
It's About Time
Observers portray the formation of the task force as long overdue.
Kate Borten, president of The Marblehead Group, says that "a big stumbling block" to advancing the cause of electronic records and information exchange is easing consumers' concern about the privacy of their information.
Citing concerns about privacy and security issues getting bogged down in the government bureaucracy, Borten says, "Anything that has the potential for helping move these issues along is welcome news."
Findlay sounds a similar theme: "The issues of security and privacy are of such high importance, that it didn't make sense to have all these efforts going on rather than one coordinated effort."
"The better coordinated that those different agencies are, the more beneficial it will be," adds security specialist Rebecca Herold, owner of Rebecca Herold & Associates.
Findlay predicts that one of the priorities for the task force will be to fine-tune the privacy and security details in three revised, near-final regulations, which HHS expects to release this month.
Back in March, Blumenthal predicted that updated versions of three draft regulations, taking into account comments received, would be issued by the end of spring. Those are:
- A rule defining how to demonstrate "meaningful use" of EHRs to qualify for federal EHR incentives under the HITECH Act;
- A rule setting standards for certified EHR software that qualifies for the incentive program;
- A rule that creates the EHR certification program.
Need for Education on the Basics
Herold and Borten urge federal regulators to reinvigorate their efforts to educate healthcare organizations and their business associates about the basics of protecting the privacy and security of patient information.
"The most pressing need is education," Borten says, citing recently reported breaches that show the same mistakes, such as failing to encrypt information on laptops, are being repeated over and over again.
"HHS needs to be much more proactive in putting information out there," Herold adds. Too many recent announcements about pending federal regulations have failed to make it clear that organizations should be working on privacy policies immediately, rather than waiting for final rules, she stresses.
And now that states have received HITECH funding for health information exchanges and regional extension centers are being launched to educate physicians and others about electronic health records, "we need specificity" on privacy and security guidelines that must be followed, Glaser adds.