HHS Addresses Privacy, Security Concerns in EHR Program
"It's good to finally see an explicit requirement for auditing even read-only access to patient records and another explicit requirement for encryption of health information," said Kate Borten, CISSP, CISM, president of The Marblehead Group, which provides privacy and security assessments, regulatory compliance audits, and program development guidance. "Both points were a bit fuzzy under the security rule, and some organizations skirted those requirements. So requiring these features in the EHR systems makes it much more likely they'll be used."
Those requirements—encryption and audits on access to patient records—apply to the technology itself, Borten notes. "It will still be up to the eligible provider to implement the security technologies in a reasonable manner," she says.
In all, Borten calls the security standards in the EHR certification program "all good security controls."
"Most are basic and have been required by the security rule since 2005 (like unique user IDs)," she adds. "Some that are 'addressable' in the security rule are required to be built into the EHR technology such as automatic logoff."
Georgina Verdugo, director of the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said her organization is viewing the new EHR program as an opportunity to strengthen privacy and security.
"The EHR certification rules are an outstanding opportunity for providers to revisit their privacy and security programs and improve the safeguards of health information," Verdugo said in an e-mail to HealthLeaders Media when asked about providers' concerns with privacy and security. "While adoption of EHRs poses new privacy and security challenges, we view this as an opportunity for improvement in these areas."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.