A Health & Human Services Department advisory panel on privacy and security expressed concerns Monday over the inability of many healthcare providers to perform basic risk assessments of their health information assets, a tenet of the proposed "meaningful use" guidelines just released by the Centers for Medicare and Medicaid Services.
Dixie Baker, a member of the privacy and security workgroup of the Health IT Policy Committee, said she was surprised by a 2009 survey discussed at a recent HHS Health IT Standards Committee meeting that showed that 48 percent of the responding providers, mostly hospitals, performed no risk assessment.
"Up until that testimony, I thought most people were doing a risk assessment and would look at this [rule] and say that that sounds pretty reasonable," said Baker, who is co-chair of the Standards Committee's security workgroup and chief technology officer for health solutions at SAIC.
"The fact is that they are not doing the risk assessment to begin with, which makes me question their capability or motivation to do this measure for meaningful use," she added.
A risk assessment is generally undertaken to identify records that need to be protected, and to understand risks from IT security failures that may damage information confidentiality, integrity, or availability. An assessment might also check the technical capabilities of electronic health record systems to counter those risks.
The ability to perform such an assessment is the only privacy or security requirement providers must meet if they are to qualify for meaningful use of health IT in 2011, the first year providers are eligible for payments under the incentive plan.
However, panelists said, there is little in the meaningful use policy that defines the scope of the required assessment. Instead, the requirement is based loosely on privacy and security rules contained in the Health Insurance Portability and Accountability Act (HIPAA).
Deven McGraw, the chairman of the privacy and security workgroup, said that while it might be difficult to define the risk assessment requirement by modifying the proposed meaningful use rules, HHS could update HIPAA standards to provide details about what an assessment should entail.
"We have limited ability to cry foul if any recommendations we would send up on the security role were not adopted, because we are not an official recommendation body," said McGraw, who is also director of the health privacy project at the Center for Democracy and Technology.
The policy committee anticipates delivering its full comments to the Office of the National Coordinator for Health IT by March 1, said McGraw.
On another topic, the panel also agreed to security and privacy principles to be incorporated into the work of the Health IT Policy Committee's strategic planning workgroup, which is recommending updates to the strategic plan for health IT that the ONC is required to make.
The privacy and security principles for the plan are drawn from the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, a 2008 Bush administration policy that includes fair information practice principles such as individual access, openness and transparency, and choice.
Although the document was written before the American Recovery and Reinvestment Act (ARRA), "there is nothing in here that ARRA changes," McGraw said.