Federal Privacy Officer Offers Insights

What’s the best way to prepare to comply with HITECH Stage 2 privacy and security requirements? Federal privacy officer Joy Pritts advises healthcare organizations to start by conducting a thorough risk assessment.

A risk assessment helps hospitals and physicians “identify potential areas of their administrative, physical and technical environments that are vulnerable and that they may need to mitigate,” says Pritts, chief privacy officer at the Office of the National Coordinator for Health IT.

And risk assessments should focus, in particular, on using encryption to protect data, she stresses in an interview with HealthcareInfoSecurity.

Encryption Critical

The HITECH Act electronic health record incentive program is providing billions of dollars in incentives to hospitals and physicians for using EHRs. The meaningful use rule for Stage 2 of the program, which starts in 2014, specifically requires that hospitals and physicians conduct a risk analysis that addresses “the encryption/security of data stored in CEHRT [certified electronic health records technology]” (see: HITECH Stage 2 Rules Unveiled).

The HIPAA Security Rule already requires a risk assessment, but stops short of an explicit encryption mandate. And the Stage 2 rules don’t alter the HIPAA requirements, Pritts notes.

But Pritts is a champion for the widespread use of encryption as more records are automated. “If you lose data, it can have a devastating impact not only on care delivery, but trust,” she says. “It’s essential that it’s protected.”

Provider organizations that choose to use an alternative to encryption to protect data must carefully document their decision, Pritts stresses.

Software Standards

The Stage 2 software certification rule, which sets standards for EHRs that qualify for the program, requires that the software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

This encryption requirement “gives healthcare providers a tool” to make sure stored data is protected, Pritts stresses.

In the interview, Pritts also explains why:

• The Stage 2 rules emphasize encrypting data at rest.
• Federal officials determined that it was premature to mandate the use of specific authentication technologies in Stage 2;
• The Stage 2 meaningful use rule stresses the importance of giving patients secure access to their records;

Pritts joined ONC, a unit of the Department of Health and Human Services, in 2010 as the office’s first chief privacy officer. In that role, Pritts provides advice to the HHS secretary and the National Coordinator for Health IT about developing and implementing ONC’s privacy and security programs under HITECH. Pritts also works closely with the Office for Civil Rights and other divisions of HHS, as well as with other government agencies, to help ensure a coordinated approach to key privacy and security issues. Before joining ONC, Pritts held a joint appointment as a senior scholar with the O’Neill Institute for National and Global Health Law and as a research associate professor at the Health Policy Institute, Georgetown University.

By Marianne Kolbasuk McGee, September 4, 2012.  Source: HeathCare Info Security