Monday, January 25, 2016
What of HIPAA without MU?
By: Susan Pretnar, President KeySys Health, LLC
Turns out folks jumped the gun recently, celebrating the imminent demise of Meaningful Use. Many probably hoped that meant HIPAA Security could simply go back to sleep. Karen DeSalvo, National Coordinator for Health Information Technology, quickly clarified remarks made by CMS Acting Administrator, Andy Slavitt, assuring the healthcare industry that MU is not going away any time soon. In truth, even if MU (or the HITECH Act itself) were to be sunset, HIPAA endures.
Because most healthcare organizations routinely address HIPAA Privacy concerns, the potential for data leaks due to poorly implemented HIPAA Security controls dwarfs privacy breach risks in the rapidly expanding digital healthcare world. If the statistics are accurate, the vast majority of hospitals and physician practices are now utilizing electronic medical records. Even if they hate their EHR applications, they aren’t going back to paper. Laptops, smartphones, and tablets, plus 7 x 24 access, are de rigueur. Even so, lack of attention or outright resistance to safeguarding networks and devices, or the data on them, is also common.
Apparently, MU is going to morph into a program more focused on interoperability and patient outcomes. One wonders exactly what ‘data’ will be used to support improvements in outcomes. If the data already defined by MU or PQRS is not sufficient, what other ingredients need to be added to measure improvement, and who must add them? A serious problem with any measurement is the industry’s notorious failure to resolve 2 critical standards: the patient identifier, and the definitive composition and definition of the clinical medical record. Without a consensus for these key data components, sharing and merging of longitudinal patient information is still way over the horizon.
Barriers are aplenty in the effort to achieve interoperability and better health outcomes. Why is HIPAA so important to this discussion? We are steadily and rapidly increasing our reliance on electronically created, stored and transmitted protected health information. The choice seems to be spending money to secure it, or spending even more money to defend why it got away.