
Wednesday, January 6, 2010

Proposed Rule on the Electronic Health Record Incentive Program
by Anna Slomovic, Anakam CPO

On December 30, 2009, the Centers for Medicare & Medicaid Services (CMS) issued the Proposed Rule (PR) on the Electronic Health Record Incentive Program. At the same time, the Office of the National Coordinator of Health Information Technology (ONC) issued the Interim Final Rule (IFR) on Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology. Together, these two Rules provide an initial view of the approach the Department of Health and Human Services is taking toward ensuring that health information technology provides privacy and security protections for individuals’ sensitive health information.

In its IFR, ONC has made it clear that the use of Certified EHR Technology does not change the existing compliance requirements under the HIPAA Privacy and Security Rules. The CMS PR reiterates this point by stating that compliance with the HIPAA Privacy and Security Rules is required for all Covered Entities, regardless of whether they participate in the EHR Incentive Program. The CMS PR then proposes, as the security measure for Stage 1 of Meaningful Use under the Incentive Program, the performance of the risk analysis already required under 45 CFR 164.308(a)(1) and the implementation of any needed security updates. This risk analysis does not require Covered Entities to do anything new or additional: they are already subject to the requirement to perform a risk analysis and to secure data. In effect, their current activities simply “count” toward meeting the Stage 1 requirements for obtaining health-IT related incentive payments.

In its IFR, ONC adopts six Privacy and Security Standards for Certified Health IT. Of these, three explicitly require knowledge of the user’s identity and of what actions the user took. This is good news for patients: knowing who has had access to one’s health information is an important part of Fair Information Practices. However, ONC’s proposed set of standards is incomplete because it gives no indication of the level of assurance required for the identities of the users whose names or IDs appear in the logs. The Technical Safeguards under the HIPAA Security Rule require each user to have a unique ID (45 CFR 164.312(a)(2)(i)) and require verification of the identity claims of persons or entities seeking access to PHI (45 CFR 164.312(d)). A standard for strong authentication would increase consumer confidence that PHI is protected from unauthorized access, and that if something goes wrong, Covered Entities have the tools and information to deal with the problem. In the current risk environment, ONC should not accept anything less.
