HITECH Act Stage 3: Security ConcernsCommenters Ask for More HHS Guidance, Clarity
Some healthcare associations, including those representing IT and security leaders, are seeking more clarity from federal regulators about proposed security and privacy requirements for Stage 3 of the HITECH Act "meaningful use" incentive program for electronic health records. Among the concerns raised were issues related to EHR risk assessments and patients' electronic access to their health information.
Stage 3 of the HITECH Act incentive program is slated to begin in 2017 or 2018. Beginning in January 2018, healthcare providers lacking a certified EHR system will begin to face financial penalties.
The concerns cited by the various healthcare associations echoed some of the worries expressed by security and privacy experts shortly after the proposed rules were issued in March (see Analysis: HITECH Stage 2 Security Rules).
May 29 was the deadline for public comment on proposed rulemaking by the Department of Health and Human Services. On March 20, HHS' Centers for Medicare and Medicaid Services issued a notice of proposed rulemaking for Stage 3 of the Medicare and Medicaid EHR incentive program. Meanwhile, HHS' Office of the National Coordinator for Health IT issued a proposed rule spelling out updated requirements for EHR software that qualifies for the incentive program: 2015 Edition Health Information Technology Certification Criteria.
Security Assessment Concerns
Under Stage 3 of the HITECH incentive program, which already has provided nearly $30 billion in incentives to eligible hospitals and healthcare professionals for "meaningfully" using EHRs, these healthcare providers can qualify to receive additional incentives by achieving a proposed new list of objectives. One of those proposed requirements deals with risk assessments.
While healthcare providers are still expected to conduct a broader HIPAA security risk analysis, the Stage 3 proposal states that healthcare providers must conduct an assessment that specifically looks at risks to information maintained by the certified EHR technology.
Here's the language in the HHS proposal, which some commenters found confusing, or even unnecessary, in light of existing HIPAA requirements: "The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in [the certified EHR technology]."
The College of Healthcare Information Management Executives, an association of healthcare CIOs and other IT leaders, in its comments to HHS called the risk assessment proposal "superfluous, given the fact that the HIPAA privacy and security requirements already apply to providers and we see no need to impose any additional requirements through the EHR meaningful use program."
But CHIME added in its comments to HHS: "We understand and agree with the need to protect electronic personal health information. As such, our concern is that providers may be confused over the timing of required assessments or reviews."
To clarify and simplify the objective, CHIME suggested HHS rework the proposal to state that eligible healthcare providers must conduct the security risk analysis upon initial installation of certified EHR technology or upon upgrade to a new edition of certified EHR technology.
CHIMS contends that this clarification "will help providers understand their responsibilities vis-Ã -vis this objective and avoid any possible misunderstanding that reviews be required every time a provider receives a patch or other update to their EHR from a vendor."
Meanwhile, another association of health IT professionals, the Healthcare Information and Systems Management Systems Society, said it generally supports the government's risk assessment proposal, but that more guidance is still needed by many healthcare sector organizations on how to conduct a risk analysis.
"HIMSS observes that providers today likely need to increase the frequency of their security risk analysis," the organization says in its feedback. "However, merely doing the security risk analysis without addressing the risks may not lead to adequate safeguarding of the ePHI. Accordingly, risk management should be done as well, and providers need to be educated on how to manage risk in today's electronic environment."
HIMSS recommends the proposed requirement for Stage 3 be modified "so that providers not only do the security risk analysis, but also address the risks themselves." HIMSS also recommends that providers receive guidance on where to obtain security updates and how to correct deficiencies. "HIMSS recommends that providers need guidance on what an acceptable baseline is for a security risk analysis - without such guidance, some providers may conduct [minimal] security risk analysis, expending only a handful of hours to do such a task."
Some healthcare associations also wrote in their feedback that they were concerned about a Stage 3 proposal regarding providing patients with access electronic access to their records.
Under the HHS proposal, patients may either be provided access to view online, download, and transmit their health information through a patient Web portal or provided access to an application program interface certified by ONC. Those APIs can be used by third-party applications or devices.
In its comments, CHIME says it opposes the API provision. "There is tremendous uncertainty regarding APIs, including potential security and authentication issues, and even whether they will be readily available in [technology] vendor products by 2018."
Similarly, the American Hospital Association wrote in its comments: "Stage 3 proposals, such as relying on third-party applications to access sensitive patient data in EHRs, may be a successful mechanism for the exchange of patient data information, but they raise important questions about patient privacy and information security that must be carefully considered."
An HHS spokesman tells Information Security Media Group that ONC and CMS "are now reconciling and beginning to review all of the comments. We don't yet have a total count of the number of comments, nor have we had time to separate them by issue. We are now beginning the process to get us to the issuance of the final rules, which we expect to be later this summer."