Securing Electronic Health Records

The report also includes several recommendations regarding "audit trails" for access to patient record "portals" as well as provisions for ensuring that patients can easily see, download and copy their medical records through the portals.

Health-care providers would face tougher standards for documenting how they will secure electronic health record data under recommendations made last week by a Health IT Policy Committee work group.

The committee's privacy and security Tiger Team is discussing how to structure privacy and security rules for EHR meaningful use standards going into effect in 2013. Hospitals and medical professionals are eligible for significant incentives from Medicare and Medicaid when they implement EHRs and demonstrate meaningful use of those electronic records.

The health IT world is working to meet Stage 1 meaningful use standards this year and next. The Tiger Team now is studying privacy and security aspects of the more robust Stage 2 standards being developed for 2013-2014, including those covering encrypted "data at rest."

The team's latest draft report recommends the following revisions to earlier recommendations:

  • Requiring health-care providers to specifically address how they are encrypting data at rest, including for mobile devices such as smartphones and flash drives, and document their encryption functions if audited. Data breaches are "a serious issue that the Tiger Team believes will negatively impact public trust in EHRs if not addressed," the report says.
  • As an alternative, requiring medical professionals to demonstrate how their EHRs are meeting all provisions of the HIPAA (Health Insurance Portability and Accountability Act) Security Rule, which also addresses encrypting data at rest. The team notes that the federal Centers for Medicare and Medicaid Services would have to fully support this recommendation for it to have the intended effect.

The Tiger Team meets again next Monday, as well as May 4 and May 16. The Health IT Policy Committee that it advises will eventually submit final meaningful use recommendations to the Office of the National Coordinator for Health IT. The committee and ONC both fall under the U.S. Department of Health and Human Services.