Encryption should be mandatory for one-on-one exchanges between providers regarding treatments, a privacy/security workgroup for the Office of the National Coordinator for Health Information Technology (ONC) reported last week.
During its May 19 meeting, a workgroup from the monthly HIT Policy Committee suggested that those exchanges include:
- Encryption (no ability for facilitator to access content)
- Encryption ideally should be required when potential for transmitted data to be exposed (mandated through meaningful use/certification criteria or HIPAA Security Rule modification)
- Limits on identifiable (or potentially identifiable) information in the message
- Identification and authentication
"When information is exposed in transmission, it ought to be encrypted," Deven McGraw of the Center for Democracy and Technology and a privacy/security workgroup member said in the meeting last week. "I think we need to be specific where we can."
The Department of Health and Human Services' (HHS) interim final rule on breach notification creates a "safe harbor" for unsecured protected health information (PHI) that is encrypted by certain standards. In other words, covered entities and business associates (BAs) do not need to notify individuals on breaches involving such encrypted PHI.
However, though there is a "strong bias" of encryption through the HIPAA laws, it is not mandatory, McGraw said.
"HIPAA–love it or hate it, it still didn't envision the infrastructure we have created today, and we need to build on what we have," McGraw said.
The workgroup provides input to the Health IT Committee as it sets the ground rules for the criteria of "meaningful use" of EHRs.
On December 30, CMS and the Office of the National Coordinator for Health Improvement Technology (ONC) released two anxiously-awaited regulations providing both the definition of "meaningful use" for EHRs and the standards to improve the efficiency of health information technology used nationwide by hospitals and physicians.
Currently, the ONC interim final rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology," requires that EHR systems be capable of encryption.
However, it does not mandate encryption.
Final rules on the ONC interim final rule and CMS proposed rules are expected this spring. However, the interim final rule is in effect today.
The privacy/security workforce also recommended the establishment of ironclad policies.
"We need specific policies, as well as technology requirements, to govern all forms of electronic health information exchange," the group reported. It also says the industry should:
- Implement the Nationwide Privacy and Security Framework principles
- Ideally, make sure work take place before, or at least in conjunction with, technology standards work
- Implement policy and not make it
- Fill gaps in current law
- Address "facilitator" access to identifiable information
- Implement constraints on collection, access, and use of identifiable data
- Implement constraints on data retention and re-use
- Implement security requirements
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.