Apgar & Associates, LLC

Apgar Blog

Jun 20

HIT Policy Committee - Are Rules the Answer?

The ONC HIT Policy Committee is now contemplating the expansion of standards, potential amendment of rules, adoption of new policies and the like. I applaud the group for starting to ask questions and pointing out that the business of healthcare should drive technology versus the other way around. This unfortunately has been more the case than not over the past few years at the national and state level.

Recently the HIT Policy Committee published questions to ponder or directions that we all should seriously consider heading. Three of those included mandating encryption, limiting the amount of identifiable information included in an e-mail (secure or not) and the adoption of identification/authentication requirements. I believe all worthy of discussion. I would ask for those who are willing to listen to consider where we’ve already been and what is already mandated by existing rules. I’m not a fan of drafting new regulations or amending existing ones if the ones we already have do the trick.

Here are my comments on some of the latest from the HIT Policy Committee…

I think it is important to point out that while the HIPAA Security Rule PHI transmission implementation specification lists encryption as addressable, addressable does not mean optional. It means follow the requirements in the rule, implement an equivalent protection or have a darn good reason and be able to document why the implementation specification will not be implemented (and cost cannot be the primary factor).

A lot has happened on the technology side since the final Security Rule was published in the Federal Register in 2003. At that time encryption was not considered a mature technology. Times have changed. Today there are a number of cost-effective encryption applications and appliances on the market that fit the budget of the single physician office all the way up to the multi-state health plan. Also, with a number of solutions there is no interoperability issue: if you have an e-mail box and a browser (no matter the "brand"), the solutions are interoperable.

As I advise my clients, any covered entity, and now any business associate, would be very hard pressed to justify sending PHI over the Internet unencrypted. As far as I'm concerned, encryption is mandated today by the HIPAA Security Rule, given that organizations are unable to justify not implementing an encryption solution for PHI transmitted over the Internet.

While the ONC HIT Policy Committee is recommending any PHI sent over the Internet be encrypted, I would say the HIPAA Security Rule already does that. Also, if a covered entity or business associate is interested in avoiding breach notification, I think it would be very wise to consider implementing an encryption solution that meets the National Institute of Standards and Technology (NIST) encryption standard. Breaches that need to be reported can be very expensive in many ways.

To be absolutely clear that encryption is mandated, the only action necessary would be to amend the HIPAA Security Rule and change the encryption of PHI transmitted across the Internet from addressable to required. This is not a significant change, and I do not think it really changes today's reality: the inability to adequately demonstrate that encryption of PHI sent over the Internet is not needed or cannot be implemented.

Regarding limits of identifiable health information in e-mail, this is already mandated if the exchange is for payment or healthcare operations (HIPAA Privacy Rule minimum necessary standard). I do agree that, when it comes to treatment, care should be taken regarding what is included in the e-mail message. I'm not sure, though, if a mandate is required or if this is more a matter of education. The most significant challenge at this point is getting providers to encrypt transmissions in the first place. Content restrictions should come next.

The HIT Policy Committee is also interested in imposing standards for identification and authentication. I would recommend the HIT Policy Committee look to already established HISPC, HITSP and other national standards before heading down another path that may duplicate or contradict work that has already been done and tested.

Also, both the HIPAA Privacy and Security Rules require authentication. Again, I believe this is an issue of education and not an area where new rules are required, especially given existing rules already require identification and authentication.

I do compliment the HIT Policy Committee for going where most HIT projects, national and at the state level, have not gone. There has been much attention given to the NHIN, RHIOs and HIOs, but little attention given to what is referred to as "point to point" communication, or direct provider-to-provider communication. I recommend we make sure we have it right at that level before going too far down the path of establishing broad networks. Otherwise we may find there really is not a significant amount of data flowing across those networks, because of a lack of attention to what needs to occur at the organizational level before those organizations tie into even state or regional networks.

