HHS Addresses Privacy, Security Concerns in EHR Program
"It's good to finally see an explicit requirement for auditing even read-only access to patient records and another explicit requirement for encryption of health information," said Kate Borten, CISSP, CISM, president of The Marblehead Group, which provides privacy and security assessments, regulatory compliance audits, and program development guidance. "Both points were a bit fuzzy under the security rule, and some organizations skirted those requirements. So requiring these features in the EHR systems makes it much more likely they'll be used."
Those requirements—encryption and audits on access to patient records—apply to the technology itself, Borten notes. "It will still be up to the eligible provider to implement the security technologies in a reasonable manner," she says.
In all, Borten calls the security standards in the EHR certification program "all good security controls."
"Most are basic and have been required by the security rule since 2005 (like unique user IDs)," she adds. "Some that are 'addressable' in the security rule are required to be built into the EHR technology such as automatic logoff."
Georgina Verdugo, director of the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said her organization is viewing the new EHR program as an opportunity to strengthen privacy and security.
"The EHR certification rules are an outstanding opportunity for providers to revisit their privacy and security programs and improve the safeguards of health information," Verdugo said in an e-mail to HealthLeaders Media when asked about providers' concerns with privacy and security. "While adoption of EHRs poses new privacy and security challenges, we view this as an opportunity for improvement in these areas."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.