The Privacy and Security requirements of the recently released Meaningful Use NPRM and Certification IFR have received a lot of attention due to their lack of definition. I joined in on the Jan 22 ONC Privacy & Security Workgroup meeting to discuss which topics the workgroup will comment on and send to the HIT Policy Committee. The topics included risk assessments, the phrase “implement security updates as necessary”, HIPAA investigations, privacy and data transparency, and “consumer preference”.
- Risk assessments – There is still a lot of concern about the lack of clarity surrounding risk assessments. The ONC will need to ensure that education on risk assessments is available, especially education targeted at small providers. Most organizations currently think they are HIPAA compliant, but few would feel comfortable if the government performed a HIPAA audit, because there is no guidance as to what the government would audit against. Guidance is needed on the “intended outcomes” of the MU security objective, and greater transparency (such as Audit Program Compliance Guidelines) is needed on the audit process that will be used. It is unlikely that any guidance will be available by the time the final rulings are released. Large organizations commonly perform internal or third-party security/privacy audits, but this is rare (and not feasible) among smaller providers. Many of the comments related to this topic will not change the objective itself, but rather how the ONC responds to the need for additional information.
- “Implement security updates as necessary” – The term “updates” is both a technology term (i.e. a software update) and a business process term (i.e. modifying a password policy), and its intended meaning (one, the other, or both) should be clearly stated. Time requirements were discussed, such as requiring software security patches to be applied within 90 days of release, but this was thrown out because of the complications of rolling out updates, especially in enterprise settings.
- HIPAA Investigations – ~5k HIPAA investigations are currently underway. It is unclear whether these represent ~5k different hospitals, individual doctors, multiple investigations per entity, etc. It is also unclear whether an open investigation will prevent an eligible professional or hospital from receiving incentive payments. The “expected” length and cost of investigations will be important to allow providers to make informed decisions. Finally, it is unclear which HIPAA investigation types are relevant to MU.
- Privacy and Data Transparency – No objectives or measures for privacy and data transparency are present in Stage 1. The Committee wants to propose these for Stage 2. “Accounting of disclosures” is included in Stage 1 and is already required by HIPAA. The connection between the security/certification piece and the MU/privacy piece is weak. For example, certified EHR includes the capability to prevent many breaches, but there are no objectives or measures to guide providers in the use of these certification criteria.
- “Consumer-preference” – Also referred to as “patient-choice” requirements, consent management, or access control. There was some disagreement as to the proper language for discussing patient preference. Dixie Baker, who is also involved in the Security Standards Workgroup, posted a presentation (available on the ONC website) addressing access control and its relation to privacy. There are no IFR criteria for access control to help entities manage the patient consent requirements with which they must comply. This discussion was cut short due to time and will probably be completed in private conversation.
Refer to my previous post to join in on future workgroup meetings: https://singularityblog.wordpress.com/2010/01/11/upcoming-hit-policy-standards-committees-workgroup-meetings/