As the healthcare industry moves toward electronic health records and health information exchange, it becomes even more critical for consumers to be able to trust that their confidential data will be protected, according to Leon Rodriguez, director of the U.S. Department of Health & Human Services' Office for Civil Rights.
Rodriguez, speaking at the American Bar Association's annual Emerging Issues Conference in Miami Feb. 22, noted that only 25 percent of the security breaches that have been reported to HHS have involved paper records. He also stated that the breaches were caused by human errors, such as unauthorized access.
"The failures are not due to technology," he pointed out.
Rodriguez noted that OCR's audit program, created as part of the HITECH Act, found that entities were lax about encrypting data, with many of them not even thinking about doing so. HIPAA's security rule considers encryption to be "addressable," meaning that the covered entity either encrypts the data or opts not to and documents its rationale for not doing so. The topic, he said, can't simply be ignored.
Rodriguez warned that OCR will be moving to "more impactful" enforcement of HIPAA.
HIPAA's omnibus rule, published Jan. 25, will have a significant impact on EHRs, including requirements to provide electronic copies of electronic records, restrictions on disclosure to health plans upon request, and new requirements on electronic data repositories.