Last week, the California Office of Health Information Integrity released an online toolkit to help California physicians, hospitals and other health care providers understand and adhere to the HIPAA Security Rule.
The Health Insurance Portability and Accountability Act established national standards for the protection of certain information in electronic health records. The guidelines require EHR users to provide technical and non-technical safeguards to ensure the security of data. The California toolkit, billed as the first of its kind, is designed to be both a primer on the HIPAA Security Rule, as well as a case-specific tool for adherence.
"This is aimed at the small to medium providers in California who may not have their own data management departments," said Cassandra McTaggart, chief of the eHealth Standards Branch of the California Office of Health Information Integrity.
"It's designed as a resource for providers to see -- step-by-step -- how to proceed and then at the end, there's color-coded 'in-compliance' or 'out-of-compliance' indications," McTaggart said.
Mixed Reviews From Privacy Experts
A couple of privacy experts offered mixed reviews of the new tool.
Pam Dixon, founder and executive director of World Privacy Forum in San Diego, said the online toolkit would be more valuable with options for tablets and mobile applications.
"One of the biggest oversights I see immediately is they do not have tablets and they don't have settings for mobile applications," Dixon said. "Physicians and health care enterprises are doing an enormous amount of their work on tablets now and using mobile clinic apps. This toolkit should really make provisions for that."
McTaggart said state officials will be looking into those possibilities.
"We really did just launch it, and those are definitely areas we're going to be looking into," McTaggart said.
Dixon said the toolkit will be valuable "for providers who do not have legal counsel in place and who need to do a first-time risk analysis for the HIPAA Security Rule. It's only security, not privacy and that's another issue," Dixon said. "In that respect this tool is somewhat limited," Dixon added.
Dixon noted that the Healthcare Information and Management Systems Society offers several useful security and privacy toolkits.
Deven McGraw, director of the Health Privacy Project at Center for Democracy & Technology in Washington, D.C., also offered a mixed review of the California toolkit.
"What I like about it is that it's enormously practical and usable by a provider in small practice who doesn't have access to resources or security expertise within their own four walls," McGraw said.
"This will guide them through the process. A hands-on tool like this is much more useful than guidance that is strictly text-based. There's something incredibly appealing about using a tool like this that prompts you and guides you," McGraw said.
"What I'm less than enthusiastic about is the use of algorithms that essentially assign a dollar amount to the potential risks associated with security rules," McGraw said.
"That kind of calculation may very well be beyond the capabilities of small providers and the problem then becomes there's absolutely no guarantee that the user using this tool will be making the right judgment call -- the kind of judgment a regulator might make that has nothing to do with dollar amounts of risk," McGraw said.
"It seems like it's trying to 'mathematize' decisions that may not be best made through math," McGraw said.
Officials at the California Office of Health Information Integrity said assigning dollar amounts to risk assessments is common practice and is supported by recommendations of the National Institute of Standards and Technology Special Publication 800-30 "Risk Management Guide for Information Technology Systems."
"Typically, the use of dollar amounts is to provide information for the impact and cost benefit analysis steps in this type of a risk assessment," state officials wrote in an email responding to questions.
"These amounts are utilized to demonstrate that the costs of implementing safeguards to remediate vulnerability can be justified by the reduction in the level of risk, thus focusing the organization's decision-making and compliance efforts where they are needed the most," state officials said in the email.
'Good Feedback So Far' From Providers
State officials said the online toolkit has gotten mostly positive feedback so far.
"It's only been out there a week so we don't have much to go on yet," McTaggart said, "but we're getting a lot of compliments and a lot of people are saying they will definitely use it. It's very comprehensive and getting all the way through it with an actual case will take a while."
Although the toolkit is designed by California officials for use by California providers, the HIPAA Security Rule is a national regulation and compliance doesn't vary from state to state. Asked if providers in other states can use the California online toolkit, McTaggart said, "It would be great if other states did something similar but we can only speak for California."