The enhanced set of protections finalized in the omnibus HIPAA privacy and security rule released Jan.17 now becomes the new baseline for anyone who handles health information. It doesn’t change meaningful use requirements, but combined, the two may drive more providers to protect patient data, according to privacy and security experts.
The clear and comprehensive view of privacy, security and enforcement that comprise the final rule today was missing at the dawn of the meaningful use program as physicians and hospitals began to adopt electronic health records (EHRs).
[See also: HHS makes 'sweeping' changes to HIPAA.]
To make up for that, some privacy and security experts were inclined to believe the meaningful use rule should include additional protections, according to Deven McGraw, director of health privacy project at Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee.
“Meaningful use is meant to incentivize behavior above an expected baseline,” she said. “The privacy rule should be the baseline, and not a set of additional hoops that only people who are getting federal incentive dollars should have to jump through.”
Meaningful use became a vehicle that had the potential to do more because there wasn’t clarity in the privacy rule for everybody, McGraw said. On the other hand, getting providers to implement EHRs in a meaningful way is a voluntary program.
“There is a lot that we are asking of people for meaningful use. To sort of load up additional privacy and security regulations on that is problematic for a lot of reasons. For one, it would only reach a certain population, and it might tip the scale for providers not to participate. The reality is that the privacy rule should be required of everyone.”
In meaningful use Stage 2, providers have two security requirements: Perform a security risk assessment and attest to that and explicitly address encryption, said Lisa Gallagher, director of privacy and security for HIMSS. “Those things are not affected by any changes in HIPAA,” she said. “The security rule remains structurally the same. It’s risk-based.”
To protect consumers in an era of growing exchange of health information, the final rule is by and large what was in the draft rule, including patient rights to access their own data, but “it’s definitely moving in that direction,” Gallagher said.
[See also: New HIPAA rule seen as tougher.]
The increased enforcement in the final rule, including audits, increased penalties and the expansion to business associates to comply like covered entities, along with the surge in reported data breaches may send a message to the industry that it’s time to comply.
According to the most recent HIMSS survey, “we did see an uptick in the number of organizations doing a risk assessment,” Gallagher said.
The combination of the “tone set by the draft rule and the changes to the enforcement rule, along with having it required in meaningful use” may push more providers to conduct a risk assessment.
“If they want to do the attestation, they have to do the risk assessment. So you have both of those lining up together,” she said.
McGraw said the final omnibus rule is “a good start” for protecting patients in an era of more health information exchange.
The more that breach notifications occur and reports show how costly they are to the institutions that experience them, “the more we’re going to see entities encrypt data, mostly data at rest and then most certainly the protocols for exchange to encrypt data in transit,” McGraw said.
There is a growing acceptance of the importance to getting to the level of security that most other industries have adopted as a matter of course.
Security professionals, however, don’t exist throughout much of the healthcare provider community, which is significantly made up of small practices. As a result, “they’re highly dependent upon their vendors to tell them what to do, and that partly adds to the challenge,” she said.
It’s difficult for the healthcare industry to step up “when it’s largely run by people who are amateurs in security. And that’s not going to change,” she added. “Doctors are trained to take care of patients, not to take care of data, but we need them to take care of data.”