
HIMSS privacy and security workshop tackles new ARRA rules

By Diana Manos, Contributing writer

At the Healthcare Information Management Systems Society (HIMSS) annual conference on Sunday, HIMSS Senior Director of Privacy and Security Lisa Gallagher kicked off an all-day workshop on how providers can prepare for the potential impact of privacy and security under the American Recovery and Reinvestment Act (ARRA).

The Centers for Medicare and Medicaid Services issued a proposed rule on Jan. 13 that would allow providers to earn incentives for the meaningful use of healthcare IT.

Though the rule has a lot to say about how providers should collect and use health data, it says very little about privacy and security other than that providers must "conduct a security risk and assessment," Gallagher said.

With so little guidance for now, "basically, we have HIPAA all over again," she said.

Gallagher said CMS will likely expand on the privacy and security provision when the rule is finalized late this spring.

There is talk that CMS may initially require that providers attest through a third party that they have conducted a security risk and assessment, Gallagher said.

A breach notification regulation found in ARRA requires HIPAA covered entities and their business associates to notify the Department of Health and Human Services of any breaches affecting the unsecured protected health information of 500 or more people.

The Office of Civil Rights (OCR) began enforcing the rule Feb. 22 and is expected to release more guidance on breach notification soon, according to Joy Jacobsen, privacy and compliance officer for Kansas City-based CareEntrust and a presenter at the workshop.

Jacobsen said organizations should begin now by updating their current business associate contracts, determining a schedule for conducting audits and prepping business associates to focus on privacy and security.