HITECH Stage 2 Rules: An Analysis

Experts Sort Through Privacy, Security Provisions
Some privacy and security experts who have dug into the 1,446 pages of final rules for Stage 2 of the HITECH electronic health record incentive program say they are mostly pleased with provisions included to protect patient data (see: HITECH Stage 2 Rules Unveiled).

Both rules are hefty - 474 pages for the electronic health record software certification criteria rule and 672 pages for the meaningful use requirements. And each contains key provisions related to data security.

The most notable security provision, experts say, is the software certification rule requirement that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

The requirement is significant, given that 54 percent of the largest health information breaches since 2009 have involved the loss or theft of unencrypted computing devices or storage media, according to the official breach tally from the Department of Health and Human Services' Office for Civil Rights.

"Requiring encryption by default for end-point devices is a sound security control and will help to ensure the growing numbers of breaches caused by loss or theft of these types of devices will be prevented," says Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates.

"By making the encryption transparent and automatic to the end-user, it will ultimately improve protection of patient information," she says. "If you leave it up to each of the millions of physicians, nurses and other healthcare workers to do the encryption themselves, recent history shows that the encryption will simply not be done in millions of endpoints."

Mac McMillan, CEO of the IT security consulting firm CynergisTek, says the software certification encryption provision is just one small step in the right direction. The provision "helps a little, at least with EHR encryption, but it doesn't cover other systems that contain PHI [protected health information] once you're disconnected from the EHR," he notes. That means healthcare providers still will need to be vigilant in ensuring that PHI is protected in all applications where it resides, he adds.

Risk Assessment

In another encryption provision for Stage 2, the meaningful use rule requires that participants conduct a risk assessment that specifically addresses "the encryption/security of data stored in CEHRT [certified electronic health records technology]." The rule also requires providers to "implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process." But it does not explicitly mandate encryption.

Regulators included this requirement, which shines a spotlight on requirements that already exist within the HIPAA security rule, in hopes of improving the protection of stored information.

McMillan applauds the provision because it helps increase awareness that "you will be responsible for the decisions you make" on whether to encrypt stored PHI beyond the encryption that occurs by default through EHRs.

Similarly, Herold says calling attention to the need to consider encryption of stored data is a good idea.

"I know from seeing many inadequate risk assessment methodologies ... that including an explicit requirement to check for encryption is good and will make covered entities and business associates think twice before simply deciding that they don't want to invest in encryption."

Bill Spooner, CIO at Sharp HealthCare in San Diego, says encrypting data at rest shouldn't be too tricky for healthcare providers.

"The challenges will be around gaining support from those who view technologies like encrypted thumb drives as inconvenient, and ensuring that we have closed any potential detours around the requirement," he says. "The focus on end-user device encryption is quite sensible, as loss of such devices has been the most common cause of breaches to date."

Patient Data Access

Among the final provisions getting a mixed reaction are the meaningful use requirements for hitting a threshold for patients securely accessing their information, such as through a portal with appropriate protections.

The rule requires that 5 percent of all patients who are discharged from the inpatient or emergency department of a hospital view, download or transmit to a third party their information during the EHR reporting period for Stage 2. For physicians, the requirement is that 5 percent of patients take the same action within four days of an office visit. The proposed version of the rule, issued earlier this year, had set a 10 percent threshold for hospitals and physicians.

In addition to the patient record access requirement, another of the original proposed rule's "most ambitious and controversial measures" deals with referral transactions, says Adam Greene, a partner at the law firm Davis Wright Tremaine, who formerly worked at the Office for Civil Rights.

The proposed rule would have required that providers, for 10 percent of transfers and referrals, transmit a summary of care record to a recipient with no organizational affiliation and using a different EHR vendor than the sender, Greene says. The final rule, however, drops the specific percentage threshold and instead requires a provider to only send one referral to a recipient that uses different EHR technology than the sender or conduct a successful test, he notes.

The revised provisions on patients accessing their records and on transferring records for referrals "represent strong, continued commitment to the privacy and security issues of improved patient access and secure electronic health information exchange, but recognize that substantial challenges remain in these areas," Greene says. "In the preamble, HHS makes clear that it will continue to focus on health information exchange and interoperability as it moves toward Stage 3."

Meeting the Requirement

But Spooner of Sharp HealthCare says that even the reduced requirement for patient access to information could prove difficult to meet.

"I am not thrilled with the accountability for 5 percent of my patients accessing their data online," Spooner says. "I wonder when the [regulators] last sat through a busy Saturday evening in an emergency room and thought 'I can't wait to get home and look up my information online'."

Spooner calls including hospital emergency room patients in the data access requirement "worrisome," adding: "These are occasional visits, many by patients without a regular doctor or insurance coverage. It will be a challenge to bring them back to our portals [to access information]."

McMillan, however, does not believe that healthcare providers will find it difficult to get 5 percent of patients to access their data online. "I don't subscribe to the 'patients don't want access' [argument]," he says. "When you look at what's happening online in other industries, people shop, bank. My 82-year-old mother goes online for her and my father's prescriptions."

Dan Rode, vice president of advocacy and policy at the American Health Information Management Association, contends that some healthcare providers are concerned about the potential for being held responsible for breaches caused by patients once they download their information.

"Providers are concerned that individuals themselves might release their information by accident," Rode says. "A patient might send their information to Facebook; providers don't want to be responsible for something like that."

Data Exchange Standards Lacking

The meaningful use rule includes a signal that more regulations related to health information exchange, which presumably would address privacy and security, could be on the way in Stage 3 if the industry fails to make adequate progress with standards-based information exchange, McMillan, the consultant, points out.

The rule states, "...As we look toward meaningful use Stage 3, we will monitor the ease with which EPs [eligible providers], eligible hospitals, and CAHs [critical access hospitals] engage in electronic exchange, especially across different vendors' EHRs." The rule notes that if HHS does not see sufficient progress for standards-based exchange goals being met, "we will ... consider other policies to strengthen the interoperability requirements included in meaningful use as well as consider other policies and regulations."

To exchange data efficiently and securely, "the real issues are interoperability, compatibility, and standards," McMillan says.

A Nationwide Health Information Governance Rule, now in the works, would set voluntary standards for data exchange.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
