Consumer Advocates Assess HITECH

Sizing Up Stage 2 Privacy Provisions

By , September 6, 2012.
Consumer Advocates Assess HITECH

Consumer advocates are praising provisions in the meaningful use rule for Stage 2 of the HITECH Act electronic health record incentive program that require giving patients online access to their records (see: HITECH Stage 2 Rules: An Analysis ).

See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

But one advocate would have liked the rule for Stage 2, which starts in 2014, to include a requirement that healthcare organizations provide patients with alerts about protecting the privacy of their data when they download it.

Other Stage 2 criteria that consumer advocates are pleased about include:

  • A meaningful use rule provision requiring healthcare providers to assess the use of encryption for stored information;
  • A provision in the EHR software certification rule that requires the software to automatically encrypt patient information stored on end-user devices;
  • Another provision in the certification rule that requires an "activity history log" accessible to patients online that tracks who has viewed, downloaded or transmitted health information via a portal.

Access to Information

The meaningful use rule, which spells out what hospitals and physicians must do to qualify for additional incentives in Stage 2 of the program, requires these providers to have 5 percent of patients view, download or transmit to third parties their health data within a 90-day reporting period (see: HITECH Stage 2 Rules Unveiled).

While consumer advocates acknowledge that 5 percent is a low threshold - down from 10 percent in the proposed version of the rule, they believe the small target could actually achieve big results. That's because the promotion by healthcare providers to get just 5 percent of their patients viewing, downloading and transmitting their health data electronically will likely eventually lead to many more patients using these capabilities in a portal.

"You have to overshoot your target to make your target," says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology.

Consumer advocates contend that giving patients easier access to their information can help them to better manage their healthcare, which could lead to improved treatment outcomes.

Ensuring that EHR software enables patients to access records and provides them with an accounting of viewing activity via the patient portal "boosts confidence and transparency," says Christine Bechtel, vice president of National Partnership for Women and Families. By having access to their records, patients will gain trust about the accuracy of the information, she says. And tracking who has accessed records via a patient portal will provide reassurance about privacy.

Meanwhile, the two encryption provisions address the most common cause of major health data breaches - the loss or theft of unencrypted computing devices or storage media. "This is not a 100 percent solution, but it's a step in the right direction," McGraw says. "

Still, the rule doesn't address the encryption of health information that's stored outside of an EHR system, including on personally owned devices, she notes. "If it's not considered part of the EHR, it's not required to be encrypted," she says.

Missing Elements

Regulators missed an opportunity to help ensure patient privacy when downloading records, Bechtel contends.

The Markle Foundation's Connecting for Health group had advocated privacy alerts that would appear on portals or elsewhere when patients sign in to view, download, or transmit data.

"The No. 1 thing that will be important moving forward is when patients download their records, they need to see a message to be reminded about being careful when sending, storing or viewing their records," Bechtel says.

But the Office of the National Coordinator for Health IT ultimately decided against including such alerts in the software certification rule.

McGraw, co-chair of Privacy and Security Tiger Team, which advises ONC, says the team determined that the alerts didn't fit as an EHR certification requirement. "It's more of a best practice, not a technical standard," she says. Providers and software vendors, however, have the flexibility of including a patient notice on their portals, she notes.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Anthem Attribution to China: Useful?

A new report details new clues suggesting that the massive data breach involving health insurer...

Latest Tweets and Mentions

ARTICLE Anthem Attribution to China: Useful?

A new report details new clues suggesting that the massive data breach involving health insurer...

The ISMG Network