EHR Security in the Spotlight
Inspector General Reports Stir Up Debate
This week's reports from the Department of Health and Human Services' Office of the Inspector General call for ramping up enforcement of the HIPAA Security Rule and including more security requirements in the HITECH Act electronic health record incentive program (see: Watchdog Hits HHS on Records Security).
Although the specifics in the two reports are drawing widely varying reactions, one thing is clear: The reports already are stirring up a lively discussion of what steps should be taken to protect EHRs (see: Watchdog Reports: Security Catalysts?). And we're certainly glad this critical issue is in the spotlight once again.
More needs to be done to make sure organizations that create EHRs are keeping them secure.
The Department of Health and Human Services' Office for Civil Rights has requested additional funding for its HIPAA security rule enforcement efforts and its investigations of breaches. Perhaps Congress will take note of the concerns raised in the new reports and provide OCR with the money it needs to ensure that patient information is adequately protected. But given pressures to reduce the deficit, winning additional funding won't be easy.
The HITECH Act mandated that OCR launch a HIPAA compliance audit program, which is long overdue. OCR soon plans to test one potential model for the HIPAA audits in a pilot project. But the audit program won't do much good unless it's adequately funded and features more than a handful of annual audits.
The inspector general chastised the Office of the National Coordinator for Health Information Technology, another HHS unit, for not including general security controls in its criteria for stage one of the HITECH Act electronic health record incentive program.
While some say these types of controls could be included in requirements for future stages of the program, others suggest that it would be better to beef up the HIPAA security rule's requirements and provide detailed guidance to those who must comply.
A Coordinated Security Strategy
Deven McGraw, co-chair of the Privacy & Security Tiger Team that's advising ONC, says the inspector general's reports failed to highlight "the need for a coordinated security strategy coming out of HHS, if not the White House. ... The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the reports."
Farzad Mostashari, the new head of ONC, pointed out in a recent interview that the White House last year appointed an interagency task force on privacy and security, including representatives of ONC, the HHS Office for Civil Rights and several other agencies. The group is continuing to work on ensuring a consistent approach to health information privacy and security, he says.
Well, the time has come for that group, or perhaps a new Congressional panel or another advisory body, to devise a creative, coordinated strategy for using rules, regulations, enforcement and education to ensure patient records are protected.
One of the inspector general's reports contained horror stories about security shortfalls at seven hospitals that were audited a while back. The inspector general used the findings to illustrate a key point: More needs to be done to make sure organizations that create EHRs are keeping them secure.
A new push by the Obama administration for a collaborative approach to tackling this issue would help.
Meanwhile, the administration is tackling the issue of data breaches outside of healthcare with its proposal for a national breach notification law that would supersede state laws (see: Breach Notification Proposal Lacks Teeth). Under that plan, the HITECH Act breach notification rule would continue to apply to healthcare organizations.