The proposed federal fiscal 2014 budget calls for a 28 percent increase to support further development of health IT initiatives while taking over where HITECH funding stops (ending in fiscal year 2013). The Office for Civil Rights’ (ONC) funding will jump from $61 million annually, flat through 2012-13, to $78 million in 2014 to support several ongoing programs devised to explore security issues seen in the industry, including encryption, mobile security and EHR patient safety.
More than $14 million will go toward the Stage 2 Meaningful Use Incentive Program, which doles out federal money to health providers and physicians that have not only implemented an electronic health record (EHR) system within their organization, but have also demonstrated that the use of the system meets markers to measure the effectiveness of the system (i.e.; implementing a patient portal and monitoring usage to demonstrate patient interactivity). The ONC estimates that 65 percent of hospitals and primary care physicians will have at least basic EHRs, thus fueling the need to keep the incentive program operating.
Some of the latest changes in the program include a new focus on patient safety, regarding the risks of misdiagnosis or otherwise that may be a life-or-death issue with the use of new health technology. Another focus is on enhanced privacy and security protections, including a primary emphasis on encryption and securing mobile devices; two somewhat ambiguous issues that have arisen due to the BYOD (Bring Your Own Device) movement and the problem of unsecured health data.
Read our Mobile Security white paper for tips on securing mobile applications and devices, or read 2013 State of HIPAA Encryption & Authentication for Healthcare for more on encryption. Encryption is considered best practice for securing protected health information, and satisfies the Access Control (§ 164.312(a)(1)) and Transmission Security (§ 164.312(e)(1)) standards of the HIPAA Security Rule – implement a mechanism to encrypt and decrypt electronic protected health information (ePHI).
Encryption for data at rest and in transit is very strongly recommended. When transmitting PHI, encrypted data should be sent over an encrypted connection for ultimate security. When using encryption for PHI, one should follow the NIST (National Institute of Standards and Technology) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices standards for encryption. (Find out more in this HIPAA Compliant Hosting white paper).
The largest part of the federal health IT budget, $26 million, will go toward developing “standards that support an interoperable and secure health IT infrastructure”, according to the 2014 budget plan. Part of that is to support the ONC Health IT Certification Plan, which provides clear criteria for developing vendor products that support the healthcare industry.
The criteria allow them to determine if their EHR systems meet security standards and technical requirements under Meaningful Use programs, and also places them on the Certified Health IT Product List (CHPL), a public website that lists the products. Note to health IT Software as a Service (SaaS) and other app developers – making the list could both help ensure patient data safety and support business growth (win-win).
Join our Security and Privacy Concerns with Patient Portals webinar today at 2PM ET to learn about how to minimize risk while deploying an electronic patient portal.
For more on the latest federal changes in health IT, read these related articles:
Ensuring Business Associate Compliance: Are You Doing Your Due Diligence?
HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules
How the Final Omnibus Rule Affects HIPAA Cloud Computing Providers