The enhanced set of protections finalized in the omnibus HIPAA privacy and security rule released Jan. 17 now becomes the new baseline for anyone who handles health information. It doesn’t change meaningful use requirements, but combined, the two may drive more providers to protect patient data, according to privacy and security experts.
The clear and comprehensive view of privacy, security and enforcement that makes up the final rule today was missing at the dawn of the meaningful use program, as physicians and hospitals began to adopt electronic health records (EHRs).
To make up for that, some privacy and security experts were inclined to believe the meaningful use rule should include additional protections.
Meaningful use became a vehicle that had the potential to do more because there wasn’t clarity in the privacy rule for everybody, McGraw said. On the other hand, getting providers to implement EHRs in a meaningful way is a voluntary program.
In meaningful use Stage 2, providers have two security requirements: perform a security risk assessment and attest to it, and explicitly address encryption, said Lisa Gallagher, director of privacy and security for HIMSS.
To protect consumers in an era of growing exchange of health information, the final rule is by and large what was in the draft rule, including patient rights to access their own data.
The increased enforcement in the final rule, including audits, increased penalties and the extension of compliance obligations to business associates, who must now comply as covered entities do, along with the surge in reported data breaches, may send a message to the industry that it’s time to comply.
There is a growing acceptance of the importance of getting to the level of security that most other industries have adopted as a matter of course.
Security professionals, however, don’t exist throughout much of the healthcare provider community, a large share of which consists of small practices. As a result, those practices are highly dependent on their vendors to tell them what to do, and that partly adds to the challenge.
It’s difficult for the healthcare industry to step up when it’s largely run by people who are amateurs in security. And that’s not going to change -- doctors are trained to take care of patients, not to take care of data, but we need them to take care of data.