Although the federal government has done a good job drafting proposed rules to govern the security of all electronic health data, some regulations, especially those governing audit trails, need clarification. That's the early reaction of some industry observers who are developing detailed comments on the proposed rules for the U.S. Department of Health and Human Services.
The department proposed the security rules--required under the Health Insurance Portability and Accountability Act of 1996--on August 12 and will accept comment through October 13 before drafting final rules (see September issue, page 12).
HHS has succeeded in telling the industry what it must do to protect electronic health data without forcing it to use specific technologies to protect the data, observers say.
"The rules are reasonable because they are scalable and technology neutral," says William Miaoulis, information security officer for the University of Alabama Health System, Birmingham.
"The approach is appropriate and doesn't limit us to technology that might be obsolete by implementation time," adds Chuck Meyer, informatics standards liaison for HBO & Co., Atlanta.
Enough time?
But with final rules expected in early 1999 and effective two years later (three years for very small health plans), the industry may not have enough time to complete implementation, especially as it struggles with the year 2000 problem.
"Two years is too quick to have ultimate security in health care," Miaoulis says. "The banking industry took longer than that to have security."
Extending the security regulations' effective date to three years after publication of final rules would give the industry enough time to comply, says Shannah Koss, government and health care program manager for IBM Corp., Armonk, N.Y.
While the security rules pertain to health care providers, payers and claims processors, a lot of the technical work will fall on information systems vendors, Miaoulis says. Unfortunately, he adds, vendors "haven't cared a lick about audit trails and other security features."
Meyer responds that HBOC and other major vendors are aware of the security rules and are taking the necessary steps. "Many providers expect their vendors to take care of things like this. But if your vendor is small, they may not be aware of it, and you may have to get involved."
But the workload doesn't fall solely on vendors, Miaoulis warns. "Some health institutions started years ago on security," he says. "But many have lots of work to do."
While observers applaud HHS for a thoughtful approach, some say a first read of the proposed rules raises concerns that the department needs to address in the final rules. For example, the rules require the use of audit trails, but don't specify how extensive the trails should be to determine who has had access to what types of information.
Most audit trails are "exception" trails--they flag inappropriate or suspect access to information, Koss of IBM says. Capturing too much data on who is accessing what types of health information could endanger patient privacy, she adds.
For instance, in a paper environment, a consulting physician signs in at the records department and gets access to records of the patient on whom he is being asked to consult. But audit trails in an electronic environment can track that a physician pulled up specific records, or the trails can track that he searched among specific records, then identify which records he pulled up and examined. "If you have to capture which records he looked at, then the audit trail shows the view of the record he looked at," Koss says. "For audit purposes, someone else has to look at that record. The record now is more vulnerable because it has been duplicated."
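The following is an added illustration of the design choice Koss describes, not code from the article or from any vendor it names. It sketches an audit trail that records only identifiers (who, which record, what action, when) rather than a copy of the record view, flags out-of-pattern access as an "exception" trail, and chains entries with an HMAC so that later tampering is detectable. The care-team table, user names, record IDs, events and key are all constructed for the example.

```python
"""Added example: an identifier-only, tamper-evident access audit trail.

Not code from the article or any vendor it mentions. All names, record IDs,
events and the key below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed care-team assignments: record ID -> users expected to access it.
CARE_TEAM = {
    "P-1001": {"dr_adams", "nurse_baker"},
    "P-1002": {"dr_chen", "nurse_baker"},
}

# Constructed access events. Note what is absent: no diagnosis, no note text,
# no copy of the screen the user saw. Only identifiers, an action and a time.
SAMPLE_EVENTS = [
    {"ts": "1998-09-14T08:02:00Z", "user": "dr_adams", "record": "P-1001", "action": "view"},
    {"ts": "1998-09-14T08:05:00Z", "user": "nurse_baker", "record": "P-1002", "action": "view"},
    {"ts": "1998-09-14T08:07:00Z", "user": "dr_chen", "record": "P-1001", "action": "view"},
    {"ts": "1998-09-14T08:09:00Z", "user": "clerk_doe", "record": "P-1002", "action": "search"},
]

# Field names that would carry record contents into the log; refuse them outright.
FORBIDDEN_FIELDS = {"content", "view", "note", "body"}


def canonical(obj):
    """Stable JSON serialisation so the MAC is computed over the same bytes everywhere."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def append_entry(chain, event, key):
    """Append one event, MACing it together with the previous entry's MAC so that
    editing, reordering or deleting an entry breaks the chain."""
    if FORBIDDEN_FIELDS & set(event):
        raise ValueError("audit entry must not carry record contents")
    prev_mac = chain[-1]["mac"] if chain else "0" * 64
    entry = dict(event, seq=len(chain), prev=prev_mac)
    entry["mac"] = hmac.new(key, canonical(entry).encode(), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def build_chain(events, key):
    chain = []
    for ev in events:
        append_entry(chain, ev, key)
    return chain


def verify_chain(chain, key):
    """Recompute every MAC; returns False if any entry was altered, moved or removed."""
    prev_mac = "0" * 64
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev_mac:
            return False
        expected = hmac.new(key, canonical(body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False
        prev_mac = entry["mac"]
    return True


def exceptions(chain, care_team=CARE_TEAM):
    """Exception trail: surface only accesses by users outside the record's care team.
    The reviewer sees identifiers and times, never the record itself."""
    return [e for e in chain if e["user"] not in care_team.get(e["record"], set())]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment keeps this out of the app tier
    chain = build_chain(SAMPLE_EVENTS, key)
    for e in exceptions(chain):
        print(f"FLAG seq={e['seq']} {e['user']} {e['action']} {e['record']} at {e['ts']}")
    chain[2]["user"] = "dr_adams"  # an insider rewrites history after the fact
    print("chain intact:", verify_chain(chain, key))
```

The point of the design is that the audit record answers "who opened which record, when" without becoming a second copy of the chart, which is the duplication risk Koss raises; the HMAC chain addresses the separate problem that an audit trail is only useful if it cannot be quietly edited by the people it is meant to watch.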
Encryption concerns
The requirement that information transmitted over the Internet be encrypted also is a concern because that might involve technology that isn't widely used in health care today, Koss says.
For example, if the Internet is used to transmit health information in a store-and-forward environment between organizations, that involves encryption with a public-private key system. That requires the organizations transmitting and receiving the information to use the same key system, which in turn requires a certificate authority that both sides trust to vouch for the keys.
"The infrastructure for assigning these keys doesn't exist today in health care," Koss says.
Other areas that observers want HHS to take a close look at before drafting final rules include:
* Extending the security requirements to faxed data.
* Clarifying who will enforce civil penalties for intentional misuse of health identifiers.
* Clarifying pre-emption of state laws. Rules pertaining to digital signatures would preempt state laws, but many of the other rules may not.
* Making the regulations less bureaucratic for small provider organizations by, for instance, recognizing that the smallest physician practices don't need to develop training manuals.
* Giving small provider organizations the same additional year to comply that small payers are given.