HHS delivered an early Christmas present today with its announcement that registration for the Medicare and Medicaid electronic health record (EHR) incentive programs opens on January 3rd. Blumenthal, head of the HHS Office of the National Coordinator for Health Information Technology, is urging interconnectivity for the benefit of patients, providers, payers, employees, the national interest and all mankind.
While visions of sugar plums and super information health highways are dancing in his head, let’s take a moment to reflect on the importance of IT security in this process. Sure, there are provisions in the guidelines (especially for Medicare incentives) requiring providers to attest that they have met “meaningful use” requirements starting in April 2011. One such requirement is that a provider perform a HIPAA Risk Analysis before submitting a stage 1 meaningful use application. That’s a good start, but it’s not about just checking the box.
With increased access to patient records stored electronically and shared over data networks comes an increased risk of privacy breach, data theft, or cyber-attack. Don’t forget that the HITECH Act also addressed privacy and security concerns through several provisions that strengthened the civil and criminal enforcement of the HIPAA rules. A scrooge might envision some providers receiving incentives in one hand and paying fines for breaches with the other.
Fulfilling the noble aspirations of the HITECH Act will require implementing and enforcing real IT security. We urge health care providers to hire third-party security vendors to conduct their HIPAA Risk Analysis, and to look for vendors with expert penetration testing services, policy/controls expertise and real-world experience in the healthcare industry. Deciding to conduct a comprehensive IT security assessment (of which a HIPAA Risk Analysis is just a subset) is the best New Year’s resolution that you can make.