HIPAA's privacy and security requirements are an important aspect of the Meaningful Use incentive program, especially as the program moves into its more advanced stages, according to Joy Pritts, the Office of the National Coordinator for Health IT's chief privacy officer, who spoke last month at the Sixth Annual HIPAA Summit West in San Francisco.
Pritts said that electronic health record vendors should create easy-to-use privacy and security features that are "baked into the product."
"The easier it is to use, the more likely that people will use it," she said.
Several of the HIPAA privacy and security provisions found in Stage 2 of the Meaningful Use program include:
- The requirement that patient data stored on a device after the use of EHRs must be encrypted. "If all of those lost and stolen devices [on the HHS wall of shame] had been encrypted, the entities would not have had to report the breaches," Pritts said;
- EHRs must have an audit functionality and the capability to create audit reports;
- EHRs must have the ability to amend patient records, one of the requirements of the privacy rule;
- Entities must conduct a risk analysis to determine security vulnerabilities, which is also a requirement of HIPAA's security rule.
The requirements will be even more stringent for Stage 3 of the program. Some of the HIPAA compliance requirements being considered are multi-factor authentication, whether providers will have to attest that they've trained their staff in security, and what to require regarding audit logs.
"Policy will continue to evolve. As the technology evolves so rapidly, so must the policy," Pritts said.