The enhanced set of protections finalized in the omnibus HIPAA privacy and security rule released Jan.17 now becomes the new baseline for anyone who handles health information. It doesn’t change meaningful use requirements, but combined, the two may drive more providers to protect patient data, according to privacy and security experts.
The clear and comprehensive view of privacy, security and enforcement that comprise the final rule today was missing at the dawn of the meaningful use program as physicians and hospitals began to adopt electronic health records (EHRs).
[See also: HHS makes 'sweeping' changes to HIPAA.]
To make up for that, some privacy and security experts were inclined to believe the meaningful use rule should include additional protections, according to Deven McGraw, director of health privacy project at Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee.
“Meaningful use is meant to incentivize behavior above an expected baseline,” she said. “The privacy rule should be the baseline, and not a set of additional hoops that only people who are getting federal incentive dollars should have to jump through.”
Meaningful use became a vehicle that had the potential to do more because there wasn’t clarity in the privacy rule for everybody, McGraw said. On the other hand, getting providers to implement EHRs in a meaningful way is a voluntary program.
“There is a lot that we are asking of people for meaningful use. To sort of load up additional privacy and security regulations on that is problematic for a lot of reasons. For one, it would only reach a certain population, and it might tip the scale for providers not to participate. The reality is that the privacy rule should be required of everyone.”
In meaningful use Stage 2, providers have two security requirements: Perform a security risk assessment and attest to that and explicitly address encryption, said Lisa Gallagher, director of privacy and security for HIMSS. “Those things are not affected by any changes in HIPAA,” she said. “The security rule remains structurally the same. It’s risk-based.”
To protect consumers in an era of growing exchange of health information, the final rule is by and large what was in the draft rule, including patient rights to access their own data, but “it’s definitely moving in that direction,” Gallagher said.
[See also: New HIPAA rule seen as tougher.]
The increased enforcement in the final rule, including audits, increased penalties and the expansion to business associates to comply like covered entities, along with the surge in reported data breaches may send a message to the industry that it’s time to comply.
According to the most recent HIMSS survey, “we did see an uptick in the number of organizations doing a risk assessment,” Gallagher said.
The combination of the “tone set by the draft rule and the changes to the enforcement rule, along with having it required in meaningful use” may push more providers to conduct a risk assessment.