Last Monday night, I boarded a “red
eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA Security
Conference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car,and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The WhiteHouse. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conferenceballroom.The room was packed with 400+ attendees
literally standing room only until the conference organizers couldarrange for more chairs to be brought in. The congregation included providers, government policy-makers,healthcare lawyers, academics, vendors, and consultants. From the start of the conference at 9AM Tuesdaymorning to well after 4PM Wednesday afternoon, there was a sense of purpose in the air. Healthcare ITtransformation is well underway and IT security will play a major role in whether or not we, collectively,succeed as an industry, as a major part of the U.S. economy and as a country.While I gained a wealth of information and education from this conference, I want to summarize a few of the
most important “take
away” items here.
The development of Stage 2 “meaningful use” requirements is well underway.
Security will remain a keyfocus. New providers will be expected to conduct a HIPAA security risk analysis (SRA) and Stage 1 qualifiers
will be ask to “update and re
assess” the previous SRA they completed in order to meet Stage 1 attestation.
While still likely stopping short of mandating encryption, Stage 2 meaningful use will also “shine a spotlight”
on the security of data at rest, according to Deven McGraw, co-
Chair of the HIT Policy Committee “Tiger Team” and Director of the Health Privacy Project at the Center for Democracy and Technology.
- A batch of final regulations dealing with healthcare privacy and security issues will be issued in one
“Omnibus” package to be released this year and likely within months, if not within weeks. This will include:
HITECH Act modifications to the HIPAA privacy, security and enforcement rules.
The final version of the breach notification rule, replacing the current interim version.
Formalizing privacy provisions under the Genetic Information Nondiscrimination Act that forbids use of genetic information for insurance underwriting and categorizes such use as a violation of both privacyand non-discrimination regulations.
WEB PHONE EMAIL