With all the focus over the last few weeks in the government health community on the publication of numerous proposed and final rules implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, it’s no surprise that public and private sector industry observers are focused on the impact of these rules on health care organizations, and particularly interested in progress made on health IT security and privacy. Strengthening security and, especially, privacy requirements for an ever more inclusive set of health care entities and their business partners, contractors, and service providers was a major area of emphasis under HITECH, and while much remains to be done, the recent activity makes it more likely that serious attention to HIPAA enforcement will soon become a reality.
The observers currently weighing in on health IT security and privacy include American Health Information Management Association (AHIMA) president Rita K. Bowen, who in an otherwise fairly well-reasoned article appearing online in the Huffington Post yesterday somewhat surprisingly argues that some concerns over the security and privacy of electronic health records are overblown, and that security and privacy protections are actually very strong:
“The new generation of electronic health record (EHR) software systems are equipped with multiple security and privacy layers that make it virtually impossible to gain unauthorized access to any single patient record, and are less enticing to hackers than any paper-based record system out there. These same systems must also pass strict government-authorized certification standards that include a long checklist of criteria to ensure that they are compliant with existing HIPAA and security measures.”
As well-intentioned as these statements might be, they rest on assumptions that are not well supported by available evidence (including the steady stream of health data breaches now posted publicly by HHS), and they therefore undermine the credibility of her overall argument. Bowen’s comment about strong authorization controls may hold for some systems as a barrier to unauthorized external attackers, but very few systems provide the fine-grained access control (or logging of read access to patient records) needed to keep health care insiders from viewing any record they choose; an authentication gate at the front door says nothing about what an authenticated user can read once inside, or whether anyone would notice. It’s also hard to see how paper records, even in a large practice or facility, would present as attractive a target for personal health data theft as the hundreds of thousands or millions of electronic health records that might be technically reachable through interoperable networks of health records and associated information.
The last point is the most misleading. In the current health technology environment, vendors are not required to submit their products for testing or otherwise certify the existence or the effectiveness of their security measures, although the EHR system and module certification program under meaningful use is a small step in that direction. Compliance with HIPAA safeguards is mandated by law for HIPAA-covered entities (and soon, thanks to HITECH, for business associates, contractors, and subcontractors as well), but in practice compliance has been largely voluntary, with enforcement (in the form of HIPAA audits and, where violations are proven, penalties imposed on violators) limited to those entities about which complaints have been filed with the government. With any luck, the market opportunity for EHR vendors presented by meaningful use incentives will result in most or all of these products undergoing certification, but the certification process is only intended to demonstrate conformance with meaningful use standards and criteria, which fall far short of the full set of safeguards in the HIPAA Security Rule.
One of the consistent challenges with researching and writing about trust is separating the sociological, economic, and organizational meanings of the word trust from its everyday uses, whether in business or social contexts or in media usage. A front-page article in the July 13 edition of The Washington Post illustrates this problem nicely. The article reports on the results of a recent opinion poll, conducted by the paper in cooperation with ABC News, that indicates that public confidence in President Obama is at a lower level than previously seen during the current administration. The details of the poll or the article are less interesting for this discussion than the vocabulary used in the article and its headlines, both online and in print. While the online version of the article runs under the headline “Confidence in Obama reaches new low,” in the print edition of the paper the headline for the same story was “6 in 10 Americans lack faith in Obama.” The article uses the words “faith” and “confidence” more or less interchangeably, particularly in interpreting responses to a poll question that was worded as follows: “How much confidence do you have in Obama to make the right decisions for the country’s future — a great deal of confidence, a good amount, just some or none at all?” The word faith does not appear in the text of this or any other question used in the poll, and the word trust appears in just one question, which asked “Which political party do you trust to do a better job handling the economy?”
While common definitions of the word faith include “complete confidence,” “confident belief,” and “complete trust or confidence,” and the word is derived from the Latin fides (which means “trust” as well as “faith”), the general connotation of faith, as distinct from trust or confidence, is the lack of evidence or concrete basis for it. There is substantial variation in the literature about the meaning of the word trust, but consensus exists that trust must have some basis in knowledge, whether that knowledge is related to observed behavior, actions, character, morality, or some combination of these and similar factors. Perhaps members of the population do lack faith in the president’s leadership, but when respondents are asked about their level of confidence in Obama and his decision-making abilities, their responses should be characterized in terms of confidence as well. Other questions in the poll asked respondents about their confidence in Congress to make good decisions and about the party they most trust to handle the economy. In this context it seems that trust is used in the sense of an expectation of technical competency (Barber, 1983), as is (presumably) the connotation of confidence in the more general question about Congress’ decision-making ability. This parallel usage of trust and confidence is not so much incorrect as it is unfortunate, inasmuch as it continues a legacy (Deutsch, 1960; Coleman, 1990) of failing to distinguish between confidence and trust, despite admonitions from Mayer, Davis, and Schoorman (1995) and various theoretical bases for making such a distinction (Luhmann, 1988; Das & Teng, 1998).
References:
Balz, D., & Cohen, J. (2010, July 13). 6 in 10 Americans lack faith in Obama. The Washington Post, pp. A1, A6.
Barber, B. (1983). The logic and limits of trust. New Brunswick, NJ: Rutgers University Press.
Coleman, J. S. (1990). Foundations of social theory. Cambridge, MA: Belknap Press.
Das, T. K., & Teng, B.-S. (1998). Between trust and control: Developing confidence in partner cooperation in alliances. The Academy of Management Review, 23(3), 491-512.
Deutsch, M. (1960). The effect of motivational orientation upon trust and suspicion. Human Relations, 13, 123-139.
Luhmann, N. (1988). Familiarity, confidence, trust: Problems and alternatives. In D. Gambetta (Ed.), Trust: Making and breaking cooperative relations (pp. 94-107). Oxford, England: Basil Blackwell.
Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of organizational trust. The Academy of Management Review, 20(3), 709-734.
The Department of Health and Human Services (HHS) today announced the release of final versions of its rule on meaningful use and its electronic health record (EHR) incentive program and associated health IT standards and certification criteria for EHR technology. The two final rules, slated for publication in the Federal Register on July 28, 2010 and available from the Office of the Federal Register’s Public Inspection Desk in the interim, collectively reflect a decision to ease the requirements by which eligible health care providers and professionals will be able to qualify for financial incentives to adopt EHR technology. With respect to security, there is one security-related measure contained in the final version of the rules, but changes in the language of this measure and additional changes in security-related certification criteria and associated standards should make it easier for health care entities to comply with security requirements under meaningful use.
The basic security requirement under meaningful use is the same now as it was when the draft rules were issued last December in a Notice of Proposed Rulemaking: health care entities are required to conduct a risk analysis, following the same requirement that exists in the HIPAA Security Rule (codified at 45 CFR 164.308(a)(1)). In the last six months, in anticipation of Stage 1 meaningful use rules going into effect for 2011 and in advance of more proactive HIPAA security audits planned by the HHS Office for Civil Rights, HHS has provided more detailed guidance on what OCR will expect of health care entities with respect to their risk analyses. The core requirement for entities to conduct or review a risk analysis remains a required meaningful use measure in the final rule, but the language of the requirement has been changed so that, for the purposes of meaningful use, the risk analysis must address only the certified EHR technology used by the entity. This is a significant reduction in scope compared to the previous wording, which essentially incorporated the HIPAA requirement by reference and therefore applied to all electronic protected health information held by the entity. The meaningful use language was further amended to clarify the meaning of “implement security updates as necessary,” so that the final requirement now reads, “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.” The revisions are the phrase “of the certified EHR technology,” which narrows the scope, and the phrase “correct identified security deficiencies,” which replaces the vaguer “as necessary.”
The change in language for the security meaningful use measure should greatly facilitate health care entities’ ability to comply with the requirement, regardless of their current level of proficiency (or HIPAA compliance) in performing risk analyses. The revision not only puts a clear boundary around the systems or technologies that must be addressed in such a risk analysis, but in doing so opens up an opportunity for EHR technology vendors to provide product-specific risk information to the entities that acquire their products. Every entity will still need to consider the use of EHR technology as implemented in its own environment (or as accessed, if it uses hosted EHR services), since configuration, integration, and operating practices differ from site to site, but many of the technology-related risks associated with a given EHR product should be identifiable in advance.
In addition to the security measure in the meaningful use rules, there are several security-related certification criteria and associated standards that must be followed by EHR vendors seeking certification of their products under meaningful use. Several revisions were made to the certification criteria and standards, and taken collectively these changes should also make it easier for EHR technologies to become certified. These changes include minor rewording in the language for the audit, integrity, and encryption criteria (there were no changes at all to access control, emergency access, and automatic log-off), and the removal of cross-network authentication as a criterion, along with the corresponding standard for cross-enterprise authentication. ONC also kept the same language on accounting of disclosures, but chose to make this criterion optional for Stage 1, pending further consideration of the issue. Many health care entities have complained that the accounting of disclosures requirement is too burdensome, especially given the changes stemming from provisions in the HITECH Act, which removed the exception for treatment, payment, and health care operations. ONC issued a request for information in May on accounting of disclosures, and it seems apparent that it preferred to wait and conduct a more thorough review of the requirement and its potential impact, rather than mandating it now under meaningful use.
Lastly, a look at the final privacy and security standards adopted under meaningful use finds that almost all references to specific technologies have been removed, even those that were cited only as examples. The only explicit standards mentioned are the National Institute of Standards and Technology’s FIPS 140-2 for encryption and FIPS 180-3 for secure hash algorithms, with SHA-1 cited as the minimum strength reference. That floor is worth noting: NIST had already announced that federal agencies should stop relying on SHA-1 for digital signatures and similar collision-sensitive uses after 2010, so implementers would do well to treat SHA-256 or stronger as the practical baseline rather than the stated minimum. In general, it seems health IT vendors and EHR implementers will be given a lot of flexibility in meeting technical standards for meaningful use, as seen in the revised standard for encryption and decryption of electronic health information for exchange: “Any encrypted and integrity protected link.”
Among the privacy and security provisions mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act and included in the new proposed rules issued last week by the Office of the National Coordinator is a new circumstance under which individuals may request that a HIPAA-covered entity not disclose their personal health information. Under the HIPAA Privacy Rule, individuals already have the right to request that covered entities restrict the use or disclosure of personal health information for purposes including treatment, payment, or health care operations, but covered entities are not required to comply with such requests (45 CFR §164.522). The new provision, contained in §13405(a) of the HITECH Act’s Subtitle D, says that covered entities are required to comply with a requested restriction, but this mandatory compliance applies only to disclosures to a health plan for purposes of payment or health care operations, and only to health care items or services that the individual has paid for out of pocket in full. In simplest terms, if you pay for health care services yourself, you can request (and your provider must honor the request) that your provider not share information about those services with your health plan.
Such a provision seems intended to allow individuals to manage the information about them that health plans have available, to avoid perceived or actual negative consequences (higher premiums, impact on coverage, etc.) that might result if certain types of treatment were disclosed. While the recently enacted Affordable Care Act of 2010 will, by 2014, prevent health insurers from denying coverage due to pre-existing conditions, individuals seeking treatment for certain conditions may have concerns about information related to those conditions being used against them in employment or other contexts, or about being forced into high-risk insurance pools with greater costs for coverage. Whether those concerns are valid or not, the new rule regarding restrictions on disclosures to health plans (which ONC also interprets to apply to business associates of health plans) clearly gives individuals discretionary authority to have specific information withheld from health insurers, at least if they have the financial means to pay out of pocket. The existence of this provision in the law also suggests that Congress believes consumers need the ability to withhold certain information from health plans in order to maintain favorable relationships between insurer and insured. Where similar issues about consent and partial vs. full medical record disclosure have been raised in the context of treatment and quality of care, here the logically justifiable complaint from the insurance industry is likely to be that if insurers have incomplete information about the individuals they insure, their risk calculations will be inaccurate, presumably on the low side if people are more likely to withhold information about conditions associated with higher risks and therefore higher premiums.
Implementing such a provision raises practical challenges for health care providers and, to some extent, for health IT vendors offering electronic health records or other tools that support providers in delivering care. One challenge is recording restriction requests within the medical record so that they are honored wherever the record is used. As the ONC Privacy and Security Tiger Team heard during the Consumer Choice Technology Hearing it held on June 29, it is not always a straightforward task to identify all the elements within a health record that relate to an encounter for which a patient has requested that disclosure be restricted. In particular, not all EHR systems offer the ability to “flag” subsets of a health record with consumer preferences such as consent directives or requests to restrict disclosure. Some health information sharing that occurs to support treatment may result in disclosure contrary to the patient’s wishes if information about the restriction is not communicated to all providers or other parties that routinely share information with health plans. ONC uses an example in the Notice of Proposed Rulemaking (pp. 127-128) of a patient who seeks treatment for a condition, pays out of pocket, and requests that the provider not disclose information about the condition to the patient’s health plan. In this case, if the course of treatment includes a prescribed medication, there is a risk that the pharmacy, upon receiving the prescription (electronically or on paper), will contact the health plan seeking payment, unless the provider’s transmission of the prescription to the pharmacy includes the restriction requested by the patient, and the pharmacy has the processes and mechanisms in place to 1) recognize the restriction and 2) honor it. This scenario presumes that the patient intends to pay out of pocket for the prescription medication as well.
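The propagation problem in ONC’s pharmacy example comes down to data modeling: the restriction has to be attached to the encounter, inherited by everything derived from that encounter (the prescription included), applied when the provider assembles a disclosure to the plan, and carried on the outbound prescription so the pharmacy can act on it. The following is an added illustration of that flow, not code from ONC, the NPRM, or any EHR vendor; the record structure, field names such as restrict_from_plan, and the sample patient data are all constructed for the example. It also shows the failure mode the text describes: a pharmacy that receives a message without the flag falls back to billing the plan.

```python
"""Illustrative model of a HITECH 13405(a)-style restriction on disclosure
to a health plan, propagated from an encounter to derived items.
Added example with hypothetical names; not ONC's or any vendor's design."""
from dataclasses import dataclass, field


@dataclass
class Encounter:
    encounter_id: str
    diagnosis: str
    paid_out_of_pocket: bool
    restrict_from_plan: bool = False  # patient's requested restriction


@dataclass
class Prescription:
    rx_id: str
    encounter_id: str  # link back to the encounter it was written in
    drug: str


@dataclass
class Record:
    patient_id: str
    encounters: list = field(default_factory=list)
    prescriptions: list = field(default_factory=list)


def restricted_encounter_ids(record):
    """Encounters the patient has asked to withhold from the plan."""
    return {e.encounter_id for e in record.encounters if e.restrict_from_plan}


def request_restriction(record, encounter_id):
    """Honor the request only when the statutory condition (paid out of
    pocket) is met; return whether the restriction was recorded."""
    for e in record.encounters:
        if e.encounter_id == encounter_id:
            if not e.paid_out_of_pocket:
                return False
            e.restrict_from_plan = True
            return True
    raise KeyError(encounter_id)


def disclose_to_plan(record):
    """Subset of the record the provider may send to the health plan for
    payment or operations: restricted encounters and anything linked to
    them (here, prescriptions) are filtered out."""
    restricted = restricted_encounter_ids(record)
    return {
        "encounters": [e.encounter_id for e in record.encounters
                       if e.encounter_id not in restricted],
        "prescriptions": [rx.rx_id for rx in record.prescriptions
                          if rx.encounter_id not in restricted],
    }


def eprescription_message(record, rx_id):
    """Outbound prescription to the pharmacy; carries the restriction flag
    inherited from the originating encounter."""
    rx = next(r for r in record.prescriptions if r.rx_id == rx_id)
    return {
        "rx_id": rx.rx_id,
        "drug": rx.drug,
        "restrict_from_plan": rx.encounter_id in restricted_encounter_ids(record),
    }


def pharmacy_bill_target(message, patient_has_plan=True):
    """Pharmacy side: if the flag is present and set, bill the patient.
    A message that lacks the flag (the failure mode in the NPRM example)
    falls back to the plan whenever the patient has one."""
    if message.get("restrict_from_plan"):
        return "patient"
    return "plan" if patient_has_plan else "patient"


def sample_record():
    """Constructed sample data: one restricted encounter with a linked
    prescription, and one ordinary encounter."""
    rec = Record(patient_id="P-0001")
    rec.encounters = [
        Encounter("E-1", "condition A", paid_out_of_pocket=True),
        Encounter("E-2", "routine visit", paid_out_of_pocket=False),
    ]
    rec.prescriptions = [
        Prescription("RX-1", "E-1", "drug for condition A"),
        Prescription("RX-2", "E-2", "routine medication"),
    ]
    request_restriction(rec, "E-1")
    return rec


if __name__ == "__main__":
    rec = sample_record()
    print(disclose_to_plan(rec))
    print(eprescription_message(rec, "RX-1"))
```

The point of the linkage field on Prescription is that the restriction is never stored on the prescription itself; it is looked up from the encounter at disclosure time, so a later request to restrict (or to lift a restriction) is reflected everywhere without a second bookkeeping step. A real system would need the same treatment for lab orders, referrals, and claims generated from the encounter.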
Today the Office of Management and Budget (OMB) announced that it has completed its review of a set of proposed rules on implementing various privacy, security, and enforcement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Office of the National Coordinator (ONC) released a copy of the Notice of Proposed Rulemaking, which will be published in the Federal Register on July 14. As we noted a few months ago when ONC announced its intention to address additional HITECH provisions, the new proposed rules cover several very different aspects of Subtitle D of the law. The current proposed rules do not address some key provisions for which rules have already been finalized, notably health data breach notification requirements and stiffer civil penalties for violations of the HIPAA Privacy Rule, or provisions about which ONC is still soliciting public input before drafting new rules, such as changes to accounting of disclosure requirements for HIPAA-covered entities. Provisions the current NPRM does address include:
The proposed rules are subject to a 60-day comment period, starting from the date of publication (anticipated to be next week), so despite the statutory effective date of February 18, 2010 for most of the HITECH provisions, their formal implementation may not take place before the end of the federal fiscal year in September.