HEAT Security Blog

HIEs Prepare for Flood of Patient Data, Demanding Privacy Mandates

As health information exchanges (HIEs) prepare for more rigorous data exchange requirements under Stage 2 of the “meaningful use” mandates from the Centers for Medicare and Medicaid Services (CMS), they must also be prepared to take more rigorous steps to protect patient privacy and security.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, healthcare professionals and organizations can qualify for Medicare and Medicaid incentive payments when they adopt certified electronic health record (EHR) technology and use it to demonstrate “meaningful use” of that technology.

The CMS implementation of meaningful use is divided into three stages. In Stage 1 of the program, which spans 2011-2012, healthcare professionals and organizations are required to adopt certified EHR data capture and sharing technology.

In Stage 2, which is set for implementation in 2014 (extended from 2013), healthcare professionals and organizations must implement advanced clinical processes in their use of EHR, and in Stage 3 (2016) they must demonstrate improved healthcare outcomes from their use of EHR.

According to the CMS final rule, Stage 2 meaningful use “will include rigorous expectations for health information exchange, including more demanding requirements for e-prescribing and incorporating structured laboratory results and the expectation that providers will electronically transmit patient care summaries to support transitions in care across unaffiliated providers, settings and EHR systems. Increasingly robust expectations for health information exchange in stage two and stage three will support and make real the goal that information follows the patient.”

What implications do these requirements have for HIEs? No doubt, the “rigorous expectations” for health information exchange will put pressure on HIEs to process and share huge quantities of medical information securely and in real time.

But there is often a trade-off between the availability and confidentiality of data. To process that amount of data in real time, centralization of the data is crucial. But as centralization increases, the ability to sequester and secure confidential data often declines. In addition, the size of the dataset can make implementing security and privacy controls unwieldy.

Private HIEs are subject to Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules as well as possible penalties for failing to adhere to the rules. Government-backed HIEs are subject to new federal guidelines on protecting patient privacy and security.

These guidelines stress the importance of encrypting patient information, either by encrypting the information before exchanging it or by establishing encrypted channels for the data to flow through; using two-factor authentication; educating patients about information exchange; and offering patients access to their records compiled from multiple sources.

Endpoint security solutions can help HIEs handle the increased information exchange requirements expected in Stage 2, while complying with HIPAA rules and federal guidelines. These rules and guidelines require not only that HIEs protect sensitive patient data but also that they be able to share that data in a timely manner with healthcare organizations and patients who request access.

Endpoint security solutions that will enable HIEs to comply with privacy and security rules while meeting demanding data exchange requirements include firewalls, intrusion detection and prevention systems, network access controls, antivirus software, encryption and authentication technology, and endpoint access controls, including secure remote access for mobile devices.

HIEs should first develop a strategy for deploying integrated endpoint security solutions that address multiple patient privacy and security requirements. In addition, the solution chosen should be scalable so that HIEs can meet the increased health information exchange demands coming under Stage 2 meaningful use.