
Sunday, May 15, 2011

Thoughts on the OCR/NIST HIPAA Security Conference


I’m writing this as I fly back from a conference held in Washington, DC entitled "Safeguarding Health Information: Building Assurance Through HIPAA Security."  The attendees were an interesting mix of tech folks and administrative/regulatory professionals, all hoping to gain insight into the latest priorities and upcoming changes in the HIPAA/HITECH arena.  I had the opportunity to meet and learn from some talented people who are very serious about managing the risks associated with clinical information and EHRs.  Of course, my primary reason for attending was that I hoped to hear some helpful  information straight from the source.
Sue McAndrew, Deputy Director for Health Information Privacy, spoke to the attendees several times. Among other things, she told us that the final rules on HITECH, breach notification, enforcement, GINA and  would be issued together in one "big mother" of a regulation (I think she meant an "omnibus" regulation), which would also include issues on research and student immunization.  The accounting for disclosures NPRM would be issued separately.
She reinforced that patients have an "absolute right" to an electronic copy of their electronic DRS and to designate a recipient of the transmission of that record.  I got up and asked her about that point; specifically, about the concern of small providers who email electronic PHI without encrypting the data, especially because the HIPAA Privacy Rule allows providers to honor the patient's request for email communications (presumably, without difficulty accessing the information), and the HIPAA Security Rule does not mandate encryption where it is reasonable and appropriate. Ms. McAndrew essentially responded (I'm paraphrasing) that the patient's right to the data was paramount, so where the patient is advised of and knowingly waives the risk of email insecurity, OCR would not find a security violation. At last!
However, encryption is still highly promoted as a safe harbor for breach notification, and the reported breaches so far include loss of unencrypted "data at rest" on missing laptops.
The biggest take-away message, repeated throughout the conference, is the need for covered entities to have "robust" compliance plans.  No matter how large or small your organization, you are expected to meet these requirements: conduct your risk assessment, address your gaps, prepare policies, monitor, train your staff, and keep privacy and security awareness front and center.  Even though the details may change, this underlying theme remains the same. Be aware, be prepared.
