HITPC: Update on query, MU Stage 3 security requirements
Despite previous requests for more thoughtful discussion, the Privacy & Security Tiger Team re-affirmed its previous conclusions about nontargeted queries to the Health IT Policy Committee during its Aug. 7 meeting.
Chair Deven McGraw said the group concluded that no additional policy is needed at this time for nontargeted queries. Following up on the request for more information, the group held a virtual hearing in which eight providers with existing models shared their experience.
Four key themes emerged: access to each network is controlled and limited to members who have executed some sort of participant agreement; each network provides patients with some choice (most are opt-out, but some are opt-in); for sensitive data, most depend on the data partner to withhold data requiring additional consent; and many networks have role-based access levels for participants. All of the hearing participants conduct audits of access and disclosures, and none override patient consent, McGraw said.
Some hearing participants expressed concerns about having federal policy potentially disrupting the arrangements they had carefully implemented, she said. “However, most expressed a desire for some guidance and common agreement terms that would help facilitate network-to-network exchange and additional guidance on how to handle sensitive data.”
“The previous recommendations, initially considered in the context of targeted query, also apply to nontargeted query,” McGraw said. “We considered whether additional policies were needed for nontargeted queries and found through testimony that networks are taking great care and effort in crafting policies and operations that worked for their particular communities, which reaffirms our previous statement that existing recommendations on meaningful choice and targeted query are sufficient to address nontargeted query. We reserve the option to revisit these recommendations in the future as conditions change.”
McGraw also presented the Tiger Team’s update regarding security risk assessment for Meaningful Use (MU) Stage 3. A subgroup will discuss what, if any, security risk issues should be subject to MU attestation in Stage 3. The prevailing course, however, is that instead of selecting additional HIPAA security rule provisions for emphasis in Stage 3, “we want to improve accountability for complying with the existing MU security measures—in particular, the requirement to perform a security risk analysis and correct the identified deficiencies.”
Security risk analysis still doesn’t have a “sufficient spotlight” on it, McGraw said. It’s not really being done or done correctly. “We need to strengthen beyond mere attestation the way we emphasize the need to do a security risk analysis, to document that analysis and what you learned and to correct the deficiencies you identified in the analysis consistent with the HIPAA security rule.”
To that end, she said the Tiger Team has recommendations for strengthening the existing requirement, including emphasizing that when an entity attests to having conducted or reviewed a security risk analysis with respect to its certified EHR tech, the entity is attesting to compliance with the HIPAA security rule with respect to such analysis.
To achieve compliance with this objective, entities must:
- Conduct a security risk analysis or review an existing risk analysis, and
- Document the results of the risk analysis or review, including the actions taken or scheduled to be taken to correct deficiencies.
The team also has discussed an additional accountability measure of requiring identification of the people responsible for conducting and documenting the risk analysis. This wouldn’t be to “throw someone under the bus” but to establish accountability and force some thought about who is most appropriate for this responsibility, McGraw said.
The team hopes to link attestation to specific MU objectives rather than present it as a single, stand-alone measure.
McGraw also said that the team recommends that the Centers for Medicare & Medicaid Services provide additional education, such as frequently asked questions regarding expectations and the importance of conducting and documenting security risk analyses and correcting deficiencies. She said audits have found that when providers are asked about documentation, it doesn’t exist. FAQs should be expanded to discuss the availability of third-party assessment tools and services, checklists and other resources.
A committee member asked McGraw how organizations would deal with the potential expansion of querying across preexisting trust relationships that were so hard to earn and maintain. She countered that “our policies address what is possible to address today.”
Farzad Mostashari, MD, ScM, national coordinator for health IT, said the debate sounds “a lot like the conversations about standards. Once you start to go outside your local market, those standards are implemented slightly differently, and meaningful choice is not enough. Tell us exactly how to do it if you want it to be truly transferable. Start with a broad framework and create more detailed standards that help you reduce but not eliminate the need for rework.” Eventually, he said, we’ll get implementation guidance, validation, testing tools and a certification process that gets us closer to “plug-and-play.” “We don’t have a ‘plug and play’ policy, and it may be a while before we get there.”
Despite the debate, the committee approved the recommendations.