According to an article in Government Health IT, the White House is looking to develop a network security strategy “that pays particular heed to the importance of building a trusted arena for electronic health care transactions.” Howard Schmidt, the White House Cyber Security Czar, said at a May 11 HIPAA conference on privacy and security that the administration will roll out a “trust framework” based on technologies, standards, services and policies that will eventually be adopted by the government, industry and consumers.
According to Schmidt, “[o]ne-person physician offices have to be part of this system. They have to have the capacity to trust identity and to trust medical records and information because they don’t have infrastructure and they don’t have a CIO.” The White House’s ultimate goal is to instill enough “trust” in the system so that small practice groups and individual providers would be willing to adopt electronic health records (EHRs). This initiative comes on the heels of the HITECH Act’s goal of prodding the use of EHRs throughout the health care food chain.
Since the passage of the HITECH Act, there has been much criticism regarding the utility of EHRs (the time needed to transcribe notes, mistakes made in such transcriptions, content limitations, etc.) so it remains to be seen whether widespread use will ever take hold notwithstanding the HITECH Act’s stick/carrot approach to prodding implementation. Indeed, some have argued that one of the goals of the Act, i.e., the improvement of health care by changing patient behavior, will likely take a turn for the worse after EHR implementation.
To the extent practice groups and providers actually take the plunge and devote resources to a new EHR implementation, they should likely apply a holistic approach to security and privacy that applies general risk management principles. This article recently published by AHRMNY in its Risk Management Quarterly provides an EHR risk management overview that can help start that process. As well, here is a link to the presentations from the recent HIPAA conference (minus Mr. Schmidt’s keynote address). There are several linked presentations that talk to risk assessments and other security considerations of interest to providers and those folks who advise them.