Addressing Privacy in EHR Incentives
Advocacy Group Calls for Specifics in HITECH Criteria
The proposed criteria for stage 2 of the program, as drafted by the Health IT Policy Committee, a federal advisory body, contain no new privacy and security requirements. The committee indicated it's still considering whether to add criteria based on the ongoing recommendations of its Privacy and Security Tiger Team.
To qualify for Stage 1 of the HITECH EHR incentive program, which kicked off in January, hospitals and clinics must conduct a risk analysis and take steps to mitigate identified risks. That's the only privacy or security requirement for Stage 1.
Privacy Concerns
"The public cares very deeply about privacy, and failure to protect privacy will impair adoption of HIT systems and data exchanges," says Deborah Peel, founder and chair of Patient Privacy Rights, in commenting on the lack of specifics in the proposed Stage 2 requirements. In her letter, she urges federal authorities to address "the public's expectation of individual control over health information and make robust data privacy, consent and segmentation a reality."
Peel argues that the "meaningful use" criteria for the EHR incentive program should require the use of EHRs that offer patients "the ability to control who can see and use personal health information and the ability to segment information so they can selectively share information. Segmentation is essential to protect sensitive information, but also is absolutely critical for patient safety, so that erroneous health information can be kept from disclosure."
In its comments on the proposed EHR incentive criteria for Stage 2, the Healthcare Information and Management Systems Society calls on the HIT Committee's meaningful use workgroup to work closely with the tiger team to establish objectives "that address practical and achievable solutions" for privacy and security issues. HIMSS did not make any specific recommendations on the issues.
And the Smart Card Alliance calls for requiring "strong, multi-factor authentication" in Stage 2 "to adequately protect identities, networks and information systems."
The HIT committee will hold a series of public meetings this spring to fine-tune its proposals, which ultimately will be reviewed by the Office of the National Coordinator for Health IT and the Department of Health and Human Services. Requirements for Stage 2 are due by the end of this year.
Privacy Recommendations
The Privacy and Security Tiger Team's various recommendations are likely to be accommodated in several pending rules and regulations, including the EHR incentive program criteria, says Doug Fridsma, M.D., director of the ONC's office of interoperability and standards (See: ONC's Fridsma on Security for HIEs).
Last year, the tiger team presented recommendations for how and when to obtain patient consent for the exchange of their electronic health records. It also recommended that all organizations involved in any type of health information exchange should be required to have digital certificates to authenticate their identities.
The tiger team recently made recommendations on how best to match patients to the right electronic health records when information is exchanged among organizations. Its next project involves developing recommendations for authenticating the identity of physicians accessing information across a network as well as authenticating patients who want to access records via a portal, says Deven McGraw, co-chair (See: Tiger Team's Deven McGraw on Next Steps).
Meanwhile, a new workgroup is reviewing a presidential council's call for creating a universal exchange language and requiring its use for future stages of the EHR incentive program. Under the proposal, individual data elements within EHRs would be tagged with descriptive information, such as patient consent to exchange the data.