Stage II/III Meaningful Use: Privacy/Security Measures? – Your Opportunity for Input

When the ONC HIT Policy Committee (HITPC) put out its draft measures for the next stages of meaningful use for comment in February 2011, many in the healthcare community were abuzz about the fact that there were NO measures listed for privacy/security.  The document stated that additional privacy and security objectives were “under consideration via the HITPC’s Privacy & Security Tiger Team.”

Since that time, the Privacy and Security Tiger Team, a joint team made up of members of the HIT Policy and HIT Standards Committees, has considered and provided recommended measures, which have been accepted by the HITPC. The HITPC’s recommendations will be forwarded to CMS, which is responsible for drafting the Notice of Proposed Rulemaking (NPRM) outlining the next stages of MU measures by the end of this calendar year.

Currently, HIMSS Committees and Task Forces are discussing the opportunity to give feedback to CMS directly via a letter.  The question is:

“What measures, if any, for privacy and security should be included in Stage II and/or Stage III?”

* Respond to this blog post, or email us at lgallagher@himss.org, to give us your opinion! *

Background: the following is intended to summarize and provide insight into the input HIMSS has received thus far. It does not represent HIMSS's opinion at this point.

  1. The P&S Tiger Team recommendations for MU stage II P&S measures were presented at a recent HITPC meeting [1].
  2. HIMSS members are divided on whether there should be ANY new measures.
  • AGAINST new measures – the arguments here include:

     1) New measures could be prohibitive – that is, new measures could be difficult to meet and may cause some organizations to fail to meet Stage II or III,

     2) Overlapping regulatory structures could undermine compliance – that is, creating measures that are similar to existing HIPAA regulatory requirements may cause confusion, differing interpretations and/or odd incentive structures.

  • IN FAVOR OF new measures – that is, security controls should continue to be identified and clarified to ensure that the appropriate level of data protection is achieved at each stage. Examples of proposed new measures include:

     1) Risk Assessment – while this is a Stage I measure, it could be included with additional specificity,

     2) Authentication – should be included for access to EHR data through a Health Information Exchange (HIE) and patient portal data,

     3) Encryption – of data at rest. This is not required by HIPAA (it is an “addressable” control). Because a large share of reported breaches are attributable to the loss or theft of devices holding unencrypted data, this could be required at later stages, thus shining an additional spotlight on this particular security control.

  3. Additional topic – Patient Consent – HIMSS is aware that ONC is studying how to incorporate “consent” at later MU stages. HIMSS members have differing views on this concept.

  • IN FAVOR OF including consent – this argument is related to the policy principle “Individual Choice” provided by ONC in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which states that “individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information” [2]. The argument is that if one accepts this principle, it can and should be implemented through “consent.”

  • AGAINST including consent – among the arguments we hear:

     1) Patients do not have an unfettered right to determine use of their data – defenders of the basic structure of the HIPAA rules explain that in opting to receive care, a patient impliedly consents to some defined categories of use and disclosure of his or her protected health information so that the individual gets quality care. Based on the way covered entities and business associates do business, this is known as Treatment, Payment and Operations (TPO). Within this zone of uses, the patient does not need to consent to the user or recipient of the data, nor to the technical means or media used. Protection of the data is handled through security controls.

     2) Consent is difficult and costly to implement – in the areas of policy, procedures and technical implementation. If we define consent to mean “informed consent,” then we may be opening a legal and ethical Pandora’s Box, where physicians become subject to a variety of state-based legal and regulatory requirements. Many also feel that requiring consent will increase the transaction costs for HIEs, as they may be responsible for cataloging, tracking and maintaining information on consents.


[1] The P&S Tiger Team submitted their recommendations in two forms: a letter and a PowerPoint presentation.

[2] http://www.hhs.gov/healthit/documents/NationwidePS_Framework.pdf

About Lisa A. Gallagher, BSEE, CISM, CPHIMS

Lisa Gallagher, BSEE, CISM, CPHIMS, is HIMSS Senior Director, Privacy and Security.
This entry was posted in HIMSS News and Developments, Patient-Centered Systems, Public Policy.
