Healthcare compliance gets boost from national HHS privacy framework


Alex Howard, Associate Editor
12.30.2008

The growth of 'e-health' infrastructure is likely to leave healthcare CIOs with a host of potential compliance headaches that will last longer than the normal New Year's Day hangover.

New Medicare provisions for digital prescriptions and expanded HIPAA influence, quietly put forth in a Health and Human Services framework earlier this month, mean more organizations will need to grapple with healthcare compliance issues protecting patient information in 2009. The e-prescription program will include incentives in 2009 and begin including disincentives for continued paper use in 2012.

The Health Insurance Portability and Accountability Act (HIPAA) may soon cover not just healthcare organizations but also providers of electronic personal health records (EPHRs), which belong to the patient rather than the medical establishment and are hosted by a number of commercial services. Since 1996, HIPAA has mandated the privacy of patients and the security of medical records, also known as protected health information (PHI).

Legal compliance requirements around EPHRs, however, have applied only to entities like healthcare providers, healthcare insurers and healthcare clearinghouses. The new framework released by the Department of Health and Human Services (HHS) suggests that HIPAA may soon be extended to other organizations that handle or host EPHRs, such as Microsoft's HealthVault and Google Health.

Securing digital prescriptions

This New Year's Day, Medicare will launch an "e-prescribing incentive plan," offering doctors bonus payments for prescribing medicine electronically. And starting in 2012, Medicare will penalize doctors who continue to write prescriptions on paper.

The program, defined by Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and MIPPA itself mean challenges for CIOs. In an effort to provide guidance, the HHS released on Dec. 15 the National Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information [PDF].

HHS intends the new framework to provide guidance to both medical and IT professionals addressing privacy and security concerns related to EPHRs exchanged in a network, regardless of the specific healthcare compliance requirements applicable to a particular organization. The framework provides policy guidelines and a set of principles but does not enshrine them in a legal directive. Congress may adopt the principles in a codified form if proposed e-health legislation from President-elect Barack Obama's incoming administration passes.

Healthcare CIOs who want to stay ahead of potential HIPAA compliance requirements applicable to EPHRs would do well to consider the following suggestions from the Healthcare Information and Management Systems Society:

  • Where are the servers storing PHI located? If they are hosted in an external data center, is health data sent outside a hospital encrypted?
  • If a hospital allows patients and doctors to use and exchange PHI online, what access controls are in place for authentication?
  • If access controls are in place, is multifactor authentication used?
  • Content standards that allow interoperability with Google Health or HealthVault are important. Have you chosen a "transport standard" or Continuity of Care Record?

Life as a Healthcare CIO, a blog written by Dr. John Halamka, CIO at Harvard Medical School and CareGroup Inc., tracks EPHR developments and asks questions about use and implementation. Halamka commented on the HHS privacy framework on the day of its release, noting with approval that "Secretary Leavitt [had] released the nation's first national privacy framework for personal health records."

2009 is fast approaching. Enjoy celebrating the new year. And then, if you haven't already, start determining how, where and when electronic health records enter, leave and are stored in your network. If you have doctors who might be sending and storing e-prescriptions over a network you administer, your compliance may depend upon it.
