Monitoring Regulatory Progress
Advisory Bodies Making Headway on Privacy, Security Issues
Of course, we don't know for sure if the advisers' recommendations will survive in the final version of regulations enacted by the Department of Health and Human Services. But there are some encouraging signs, including action that the Health IT Policy Committee took June 8 (see: Privacy Protection Steps Advance).
The committee recommended some preliminary "meaningful use" criteria for stage two of the HITECH Act electronic health records incentive program, including a requirement that participants verify how they're protecting stored information.
This "meaningful use" requirement on data storage would reinforce the HIPAA Security Rule, but it would not require the use of encryption in all cases. The Privacy and Security Tiger Team, which came up with the proposal, hopes that by calling attention to the issue of protecting stored data in the incentive program's stage two meaningful use requirements, it can "make a dent in the number of organizations that have to report breaches of data," said Deven McGraw, tiger team co-chair.
The proposed requirement that recipients of EHR incentive dollars verify how they are protecting stored data is a nice start. But ultimately, we'd still like to see more definitive mandates for the use of encryption, at least in certain cases, such as for data stored on mobile devices.
Authentication Issues
The HIT Policy Committee also recommended that all organizations participating in the Nationwide Health Information Network initiative should use digital certificates that meet authentication standards already required for federal agencies. That way, anyone exchanging information using the NwHIN "brand" can use just one certificate to share information, whether the recipient is a federal agency or a doctor down the block.
The committee advises HHS' Office of the National Coordinator for Health IT. ONC is working on a governance rule spelling out guidelines for participants in the NwHIN (see: Revised NHIN Governance Plan Advances). The certificate guidelines, originally drafted by the tiger team, would be included in that long-overdue rule, which HHS will issue, hopefully, within the next few months.
McGraw noted at the June 8 HIT Policy Committee meeting that the tiger team would like the committee to consider a stage three EHR incentive program requirement that mandates compliance with the NwHIN governance policies once they're completed. Many of the tiger team's long list of recommendations ultimately could wind up in that governance rule.
It's certainly a good idea to include the tiger team's many recommendations for protecting privacy during health information exchange in the EHR incentive program rules as well as the NwHIN rule. That way, their importance will be greatly reinforced.
Meanwhile, the HIT Standards Committee soon will review a number of other tiger team recommendations for the EHR incentive program criteria, including authentication and audit trail standards for portals that patients can use to access their electronic health records. Hopefully those provisions, as well, will find their way into the final regulations.
By the way, HHS is slated to issue a proposed rule setting requirements for stage two of the EHR incentive program by year's end, with a final rule due by mid-2012.