Last Monday night, I boarded a “red-eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA Security Conference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car, and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The White House. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conference ballroom.
The room was packed with 400+ attendees – literally standing room only until the conference organizers could arrange for more chairs to be brought in. The congregation included providers, government policy-makers, healthcare lawyers, academics, vendors, and consultants. From the start of the conference at 9AM Tuesday morning to well after 4PM Wednesday afternoon, there was a sense of purpose in the air. Healthcare IT transformation is well underway and IT security will play a major role in whether or not we, collectively, succeed as an industry, as a major part of the U.S. economy and as a country.
While I gained a wealth of information and education from this conference, I want to summarize a few of the most important “take-away” items here.
– The development of Stage 2 “meaningful use” requirements is well underway. Security will remain a key focus. New providers will be expected to conduct a HIPAA security risk analysis (SRA) and Stage 1 qualifiers will be ask to “update and re-assess” the previous SRA they completed in order to meet Stage 1 attestation.
– While still likely stopping short of mandating encryption, Stage 2 meaningful use will also “shine a spotlight” on the security of data at rest, according to Deven McGraw, co-Chair of the HIT Policy Committee “Tiger Team” and Director of the Health Privacy Project at the Center for Democracy and Technology.
– A batch of final regulations dealing with healthcare privacy and security issues will be issued in one “Omnibus” package to be released this year and likely within months, if not within weeks. This will include:
- HITECH Act modifications to the HIPAA privacy, security and enforcement rules.
- The final version of the breach notification rule, replacing the current interim version.
- Formalizing privacy provisions under the Genetic Information Nondiscrimination Act that forbids use of genetic information for insurance underwriting and categorizes such use as a violation of both privacy and non-discrimination regulations.
– Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR) called the HIPAA security risk analysis provision a foundational element of HITECH, along with updating the SRA regularly and implementing reasonable and appropriate safeguards.
– Ms. McAndrew further confirmed and clarified that business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule and therefore must conduct their own HIPAA security risk assessments. Within 12 months from the issuance of the Omnibus NPRM, business associates will be directly liable for the breach of protected health information (PHI) under HITECH Act sections 13401 and 13404. She went on to describe this extension of directly liability to business associates “a sea change” in the regulations.
– Stepped-up enforcement of the HIPAA security and privacy provisions is on the way. Federal enforcement training of State Attorneys Generals offices was done in Texas this past April, and will be conducted in Atlanta and Washington D.C. by end or May and in San Francisco in early June.