Will New Congress Alter HITECH Plans?

EHR Incentives Likely Safe, But Privacy Regs Will Be Scrutinized

By , November 5, 2010.

"The administration is charged with getting these regulations right and meeting Congressional intent," says Roberts of HIMSS. "Privacy and security are key issues that both political parties are interested in." As a result, Congress will scrutinize the emerging HITECH regulations and consider introducing legislation to fix any rules that don't meet their expectations for carrying out the HITECH mandates, he adds.

Rode says that if hospitals or other constituencies are unhappy with any of the regulations, "they may go back to the new Congress for a fix."

Several members of Congress have already expressed their displeasure with the harm standard in the interim final breach notification rule. Regulators recently pulled the proposed final version of the rule for revisions that are still pending. The harm standard enables healthcare organizations to conduct a risk assessment to determine whether a breach poses a great enough risk of harm to merit reporting it to those affected, as well as federal authorities.

"What might happen is that the administration may feel it necessary to concede to Congress this point in the interest of cooperation and have HHS revise the final rule to remove the offending provision," says security expert Mac McMillan, CEO of Cynergistek.

Breach Notification

But McMillan says a key concern is whether the proposed national breach notification law, known as the Data Security and Breach Notification Act of 2010, will apply to healthcare.

"Healthcare groups have lobbied that because HITECH already provides a breach notification requirement, this new law should not apply to healthcare," he says. "But if Congress feels the harm standard is not consistent with their intent, they might just rethink whether the new law should apply to healthcare. The penalties under that law are more severe than HITECH. So hopefully, due consideration will be given to these decisions."

The HHS Office for Civil Rights has published a list of nearly 190 major health information breaches dating back to September 2009, as required under the HITECH Act. "We all know that those are just the tip of the iceberg," McMillan says. "So relaxing or delaying anything that would serve to address privacy and security would not be favorably viewed."

Follow Howard Anderson on Twitter: @HealthInfoSec
