Healthcare IT transformation is well underway and IT security will play a major role in whether or not we, collectively, succeed as an industry, as a major part of the U.S. economy and as a country. While I gained a wealth of information and education from this conference, I want to summarize a few of the most important “take-away” items here.

1. Building Assurance through HIPAA Security,
Washington D.C., May 10th-11th
Last Monday night, I boarded a “red-eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA Security
Conference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car,
and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The White
House. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conference
ballroom.
The room was packed with 400+ attendees – literally standing room only until the conference organizers could
arrange for more chairs to be brought in. The congregation included providers, government policy-makers,
healthcare lawyers, academics, vendors, and consultants. From the start of the conference at 9AM Tuesday
morning to well after 4PM Wednesday afternoon, there was a sense of purpose in the air. Healthcare IT
transformation is well underway and IT security will play a major role in whether or not we, collectively,
succeed as an industry, as a major part of the U.S. economy and as a country.
While I gained a wealth of information and education from this conference, I want to summarize a few of the
most important “take-away” items here.
- The development of Stage 2 “meaningful use” requirements is well underway. Security will remain a key
focus. New providers will be expected to conduct a HIPAA security risk analysis (SRA) and Stage 1 qualifiers
will be ask to “update and re-assess” the previous SRA they completed in order to meet Stage 1 attestation.
- While still likely stopping short of mandating encryption, Stage 2 meaningful use will also “shine a spotlight”
on the security of data at rest, according to Deven McGraw, co-Chair of the HIT Policy Committee “Tiger
Team” and Director of the Health Privacy Project at the Center for Democracy and Technology.
- A batch of final regulations dealing with healthcare privacy and security issues will be issued in one
“Omnibus” package to be released this year and likely within months, if not within weeks. This will include:
 HITECH Act modifications to the HIPAA privacy, security and enforcement rules.
 The final version of the breach notification rule, replacing the current interim version.
 Formalizing privacy provisions under the Genetic Information Nondiscrimination Act that forbids use of
genetic information for insurance underwriting and categorizes such use as a violation of both privacy
and non-discrimination regulations.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM

2. - Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR) called
the HIPAA security risk analysis provision a foundational element of HITECH, along with updating the SRA
regularly and implementing reasonable and appropriate safeguards.
- Ms. McAndrew further confirmed and clarified that business associates and their subcontractors will have the
same obligations as covered entities under the HIPAA Security Rule and therefore must conduct their own
HIPAA security risk assessments. Within 12 months from the issuance of the Omnibus NPRM, business
associates will be directly liable for the breach of protected health information (PHI) under HITECH Act
sections 13401 and 13404. She went on to describe this extension of directly liability to business associates “a
sea change” in the regulations.
- Stepped-up enforcement of the HIPAA security and privacy provisions is on the way. Federal enforcement
training of State Attorneys Generals offices was done in Texas this past April, and will be conducted in Atlanta
and Washington D.C. by end or May and in San Francisco in early June.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM