The Security Scrutinizer with Howard Anderson

A Security Checklist Worth Reading

Deven McGraw's Congressional Testimony Offers Timely Insights
In her written testimony prepared for a Sept. 30 hearing of the U.S. House Subcommittee on Technology and Innovation, privacy advocate Deven McGraw spelled out a list of priorities.

McGraw, director of the health privacy project at the Center for Democracy & Technology, also made good use of her five minutes of oral testimony before the panel, hammering home an important message: HIPAA and the HITECH Act lack strong enough security requirements.

While the certification standards for EHR software in the HITECH incentive program require the applications to include a long list of security functions, such as encryption and the ability to create an audit trail, neither the HITECH rules nor HIPAA mandates actual use of those functions, McGraw pointed out.

"We're not being terribly clear with providers about using these functionalities," she told subcommittee members. "That's a major deficiency."

In her written testimony, McGraw noted that those receiving EHR incentive payments under the HITECH Act are required to "perform a security risk assessment and respond to any deficiencies discovered, but this falls short of a clear requirement to implement or have a plan for implementing the (security) functionalities required for EHR (software) certification. The Center for Democracy and Technology is continuing to advocate with regulators for strengthened security requirements."

McGraw's written testimony also pinpoints other key unresolved issues, including the need for:

  • Stronger standards to ensure that de-identified data used for research and other purposes cannot be re-identified;
  • Federal guidelines to protect personal health records;
  • Stronger enforcement of HIPAA, including banning those with significant violations from the federal EHR incentive program;
  • Tougher limits on business associates' access, use and disclosure of data "to only what is reasonably necessary to perform the contracted services;"
  • Further tightening of rules regarding use of patient data for marketing.

McGraw serves as co-chair of the privacy and security tiger team that's advising regulators. The team recently issued recommendations on several issues, including obtaining patient consent to exchange their information. And it's now working on several additional security issues.

Her Congressional testimony, which covers many, but not all, of the critical security issues, should be required reading for anyone involved in preparing healthcare laws and regulations -- and for anyone who cares about the issues.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
