With more medical data reaching patients through mobile devices, the Department of Health and Human Services is ramping up its efforts to require that the information be encrypted or otherwise protected from prying.
HHS is expected to issue the next set of rules in its three-step process to guard against unauthorized use of information by the end of the summer. These rules, for which comments were accepted February-April, are designed to ensure that devices like mobile phones, tablets and laptops which process patient information automatically encrypt that data. In addition, the rules are expected to encompass the use of the medical information by outside entities such as billing agencies.
In its proposed rule, HHS said that recent breaches of medical information have involved the loss or theft of devices that contain sensitive patient information, necessitating the rule. The new rule includes broader individual rights and stronger protections when third parties like insurers, coders and billing entities handle individual health information.
Under the proposed rule “current health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information,” said Rachel Seeger, HHS Office of Civil Rights.
The proposed rule would expand the medical privacy act known as HIPAA (Health Insurance Portability and Accountability Act) by requiring business associates of medical offices to be under the same privacy rules as the actual medical provider. It also would expand individuals' right to get at their information electronically and restrict certain types of disclosures of their personal health information.
“Most of us have security in our smart phones, we just don’t know how to use it,” said Peter Ashkenaz, spokesman for the Office of the National Coordinator for Health IT. “It’s not that difficult to encrypt information.”
In its most recent report to Congress about breaches of medical information, the Office of Civil Rights of HHS said theft was reported as the most common cause of large breach incidents. “Among the 45 breaches that affected 500 or more individuals, 27 incidents involved thefts of paper records or electronic media, affecting approximately 1,468,578 individuals,” the report said.
Sometimes that theft is intentional, sometimes not, but the new rules are designed to protect the information even if it is stolen.
“Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured,” the notice of proposed rulemaking for “Stage 2 Meaningful Use” of electronic data said.
Dr. Farzad Mostashari, National Coordinator for Health Information Technology, wrote in a recent blog posting that doctors and other medical professionals are adapting quickly to electronic health records but more needs to be done to ease the transition to electronics and to protect privacy at the same time.
“While more work certainly needs to be done, today’s data shows that most physicians are satisfied with their EHRs and believe that their systems provide tangible benefits for patients today. This will only increase as physicians become more skilled at using their systems and systems continue to evolve to support additional capabilities,” he wrote.