HHS prescribes info standards for health care

In a move that would dramatically affect federal and private health care programs nationwide, the Department of Health and Human Services last week proposed new national security standards to protect health care records that are stored or transmitted electronically in the United States.

The proposed electronic security standards, mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), include technical guidance as well as administrative requirements for those who use electronic health information. Under the proposed standards, all health plans— including Medicare, Medicaid and health programs run by the Department of Veterans Affairs and the Indian Health Service— health care providers and health care clearinghouses that maintain or transmit health information electronically will be required to establish appropriate safeguards to ensure that information cannot be improperly accessed or altered and cannot be lost.

HHS' proposal is an effort to force health care providers to secure electronic medical information— something critics say the health industry has neglected. The proposal is not related to HHS' research into creating a health identifier for Americans so that health plans could store individuals' medical information in a central database, so that records could be accessed by any health care provider nationwide. The Clinton administration has said it will not propose patient identifiers, designed to improve the quality of health care, until privacy protections have been put in place.

"The reason for coming out with the proposed rule is because the law tells us we have to," said William Braithwaite, senior adviser on health information policy at HHS. "But as health information is made electronic, we and the administration support very strongly privacy legislation and security regulations, and this is part of that effort."

The proposed security standards, which were published in the Federal Register last week, also include a digital signature standard, which must be followed when a transaction requires that the author or sender of an electronic record be verified.

The standards require "both policy and technology and the administrative force of will to pay attention to these policies and implement these technologies," Braithwaite said. "It's unfortunate that the health care industry has not paid attention to security as other industries have up to this point."

The proposed standards do not dictate the type of technology that must be used because institutions of different sizes will have different security requirements, Braithwaite said.

The standards are based on recommendations from the National Committee on Vital and Health Statistics' Subcommittee on Standards and Security.

Dr. John Lumpkin, chairman of the subcommittee and director of the Illinois Department of Public Health, said the subcommittee's research showed that security of electronic and hard-copy medical records is inadequate.

"Security measures one would expect in other environments, such as banking, don't really exist in the health care setting," Lumpkin said. "What we've found is there were no mature security standards" for securing electronic medical data. Lumpkin estimated that 1 percent to 2 percent of revenue in the health care industry is spent on information systems, compared with 8 percent in most major industries.

The proposed standards should improve the quality of Medicare, Medicaid and other health programs, Lumpkin said.

"It may not make it easier to treat someone, but it protects the well-being of the patient," he said.

Robert Kolodner, associate chief information officer in the VA's Veterans Health Administration, said the agency should not have trouble complying with the standards, which he called an excellent concept. The VA uses digital signatures to secure patient discharge notices, patient progress notes and other records, and operates under the federal privacy act.

But standards would ensure uniformity. "We're looking forward to a more uniform set that will apply to us and to all health providers," he said. "But what is needed in particular are privacy laws and regulations that protect the interest of us as patients."

Many vendors say they have the products that would secure the data, but hospitals and other organizations are reluctant to buy those products because the health care organizations are not required to do so, said Robert Gellman, a privacy consultant in Washington, D.C.

"With the expanding use of electronic transmission of medical claims, there is clearly the need for security," he said. "I keep hearing stories of people transmitting unencrypted medical information over the Internet. We need a rule to tell people you can't do that."

Dr. Mohammad Akhter, executive director of the American Public Health Association, said the standards are a positive development that should not be difficult to implement.

"We believe standards will help because they will improve the quality of data and prevent mistakes from taking place," he said. "But at the same time without having privacy laws in place, the standards [alone] will not generate enough confidence in consumers as electronic medical data is moved from one place to another."

It is unclear how much it would cost institutions to follow the security standards, Gellman said. HHS said in the proposed rule that several state Medicaid agencies have estimated that it would cost $1 million per state to implement all the standards in HIPAA.

The Health Care Financing Administration could not be reached for comment on the proposed rule.

Under the proposed rule, firms that transmit or maintain electronic health information would need to develop a security plan, provide training for employees and secure physical access to records. The security standard calls for a data backup plan, a disaster recovery plan, access authorization, access control, audit controls and trails to track system activity, and data authentication using digital signatures or other technology.

HHS will accept comments on the proposed rule until Oct. 13.