HIT security panel troubled by risk assessment void
By Mary Mosquera
Tuesday, January 12, 2010
A Health & Human Services Department advisory panel on privacy and security expressed concerns Monday over the inability of many healthcare providers to perform basic risk assessments of their health information assets, a tenet of the proposed “meaningful use” guidelines just released by the Centers for Medicare and Medicaid Services.
Dixie Baker, a member of the privacy and security workgroup of the Health IT Policy Committee, said she was surprised by a 2009 survey discussed at a recent HHS Health IT Standards Committee meeting that showed that 48 percent of the responding providers, mostly hospitals, performed no risk assessment.
“Up until that testimony, I thought most people were doing a risk assessment and would look at this [rule] and say that that sounds pretty reasonable,” said Baker, who is co-chair of the Standards Committee’s security workgroup and chief technology officer for health solutions at SAIC.
“The fact is that they are not doing the risk assessment to begin with, which makes me question their capability or motivation to do this measure for meaningful use,” she added.
A risk assessment is generally undertaken to identify records that need to be protected, and to understand risks from IT security failures that may damage information confidentiality, integrity, or availability. An assessment might also check the technical capabilities of electronic health record systems to counter those risks.
The ability to perform such an assessment is the only privacy or security requirement providers must meet if they are to qualify for meaningful use of health IT in 2011, the first year providers are eligible for payments under the incentive plan.
However, panelists said, there is little in the meaningful use policy that defines the scope of the required assessment. Instead, the requirement is based loosely on privacy and security rules contained in the Health Insurance Portability and Accountability Act (HIPAA).
Deven McGraw, the chairman of the privacy and security workgroup, said that while it might be difficult to define the risk assessment requirement by modifying the proposed meaningful use rules, HHS could update HIPAA standards to provide details about what an assessment should entail.
“We have limited ability to cry foul if any recommendations we would send up on the security role were not adopted, because we are not an official recommendation body,” said McGraw, who is also director of the health privacy project at the Center for Democracy and Technology.
The policy committee anticipates delivering its full comments to the Office of the National Coordinator for Health IT by March 1, said McGraw.
On another topic, the panel also agreed to security and privacy principles to be incorporated into the work of the Health IT Policy Committee’s strategic planning workgroup, which is recommending updates to the strategic plan for health IT that the ONC is required to make.
The privacy and security principles for the plan are drawn from the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, a 2008 Bush administration policy that includes principles of fair information practices such as individual access, openness and transparency, and choice.
Although the document was written before the American Recovery and Reinvestment Act (ARRA), “there is nothing in here that ARRA changes,” McGraw said.