How HIPAA final rule and meaningful use could drive data security

Editor’s Note: The final rule is available here.

From: GovernmentHealthIT

Mary Mosquera

The enhanced set of protections finalized in the omnibus HIPAA privacy and security rule now becomes the new baseline for anyone who handles health information.

It doesn’t change meaningful use requirements, but combined, the two may drive more providers to protect patient data, according to privacy and security experts.

The clear and comprehensive view of privacy, security and enforcement that the final rule now provides was missing at the dawn of the meaningful use program, as physicians and hospitals began to adopt electronic health records (EHRs).

To make up for that, some privacy and security experts were inclined to think that the meaningful use rule should include additional protections, according to Deven McGraw, director of the health privacy project at the Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee.

“Meaningful use is meant to incentivize behavior above an expected baseline. The privacy rule should be the baseline, and not a set of additional hoops that only people who are getting federal incentive dollars should have to jump through,” she said.

Meaningful use became a vehicle that had the potential to do more because there wasn’t clarity in the privacy rule for everybody, McGraw said. On the other hand, getting providers to implement EHRs in a meaningful way is a voluntary program.

“There is a lot that we are asking of people for meaningful use. To sort of load up additional privacy and security regulations on that is problematic for a lot of reasons. For one, it would only reach a certain population, and it might tip the scale for providers not to participate. The reality is that the privacy rule should be required of everyone,” she said.

In meaningful use stage 2, providers have two security requirements: perform a security risk assessment and attest to it, and explicitly address encryption, said Lisa Gallagher, director of privacy and security for HIMSS.

“Those things are not affected by any changes in HIPAA. The security rule remains structurally the same. It’s risk-based,” she said.
