Security and Privacy Considerations in Meaningful Use

One of the common and consistent themes at HIMSS (Healthcare Information and Management Systems Society) this year was meeting the “Meaningful Use” requirements so that healthcare providers can qualify for EHR (Electronic Health Record) stimulus money. The “Meaningful Use” requirements focus on:

  • Improving quality, safety, and efficiency, and reducing health disparities
  • Engaging patients and families
  • Improving care coordination
  • Improving population and public health
  • Ensuring adequate privacy and security protections for personal health information

Naturally, my interest lies in the last item on the list, and in this post I hope to bring some clarity to a small subset of what is clearly becoming the newest “hot item” in the healthcare industry. Based on the “Meaningful Use” matrix created by the HIT (Health IT) Policy Committee, here are the security and privacy goals that need to be reached within the next year and a half:

2011 objectives:

  • Compliance with HIPAA Privacy and Security Rules and state laws
  • Compliance with fair data sharing practices set forth in the Nationwide Privacy and Security Framework

2011 measures:

  • Full compliance with HIPAA Privacy and Security Rules
  • An entity under investigation for a HIPAA privacy or security violation cannot achieve meaningful use until the entity is cleared by the investigating authority
  • Conduct or update a security risk assessment and implement security updates as necessary

In practice this means that healthcare organizations need to conduct (or update an existing) security risk assessment and implement the controls needed to meet HIPAA requirements. Since a risk assessment is itself required by the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) and is therefore already part of HIPAA / HITECH compliance, the 2011 requirement can be simplified to: by the end of 2011, covered entities need to be HIPAA compliant. The point organizations most often miss is that HIPAA compliance must extend beyond the EMR (Electronic Medical Record) application itself to the long tail of small applications and medical devices that process, store, or transmit PHI. To demonstrate a complete state of compliance, providers need risk assessments that inventory all of these applications and devices, together with clear supporting documentation of the controls implemented for each and how they map to the regulatory requirements. For reference, the 2013 and 2015 objectives are listed below.

2013 objectives:

  • Use summarized or de-identified data when reporting data for population health purposes (e.g. public health, quality reporting, and research) where appropriate, so that important information is available with minimal privacy risk

2013 measures:

  • Provide summarized or de-identified data, when sufficient, to satisfy a data request for population health purposes
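The de-identification that the 2013 objective and measure refer to has a concrete definition in the HIPAA Privacy Rule: the Safe Harbor method at 45 CFR 164.514(b)(2), which removes 18 categories of identifiers, keeps at most the year of any date, truncates ZIP codes to three digits, and collapses all ages over 89 into a single "90 or older" bucket. The following Python is an added example written for this post, not code from the original article or from any vendor product. It assumes a flat record with hypothetical field names, takes the 17 restricted three-digit ZIP prefixes from the HHS Safe Harbor guidance (which is based on 2000 Census figures and should be re-verified before use), and scrubs free text with regular expressions only as a safety net; it does not address the "no actual knowledge" condition or the Expert Determination alternative, both of which remain the organization's responsibility.

```python
"""Safe Harbor de-identification of a flat PHI record (added example).

Assumptions not taken from the original post: field names below are
hypothetical; RESTRICTED_ZIP3 is the HHS Safe Harbor list derived from the
2000 Census and must be re-verified; free-text scrubbing is best-effort.
"""
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in
# the 2000 Census; Safe Harbor requires these to be reported as "000".
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers under Safe Harbor: removed outright, never transformed.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "account_number",
    "health_plan_id", "license_number", "device_serial", "ip_address",
    "url", "street_address", "city",
}

# Date fields that may survive as a year only (never month or day).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that leak into free text (safety net only).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def safe_harbor_zip(zip_code):
    """Keep the first three ZIP digits, or 000 for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth_date, as_of):
    """Completed years of age on the as_of date."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def scrub_free_text(text):
    """Replace SSN, phone, e-mail and full-date patterns with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of a flat PHI record."""
    out = {}
    is_90_plus = False
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = age_on(birth, as_of)
        is_90_plus = age >= 90
        out["age"] = "90+" if is_90_plus else str(age)
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            # Year is allowed, except any date element indicative of age >= 90,
            # so the birth year is dropped entirely for the 90+ bucket.
            if field == "birth_date" and is_90_plus:
                continue
            out[field.replace("_date", "_year")] = str(value.year)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


# Constructed sample records (fictional data, not from any real system).
AS_OF = date(2010, 6, 1)
ELDERLY_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "zip": "03601", "birth_date": date(1919, 3, 4),
    "admission_date": date(2010, 2, 14), "diagnosis_code": "I10",
    "note": "Pt called from 555-123-4567 on 02/14/2010; daughter jane.doe@example.com",
}
YOUNGER_RECORD = {
    "name": "John Roe", "zip": "90210-1234", "birth_date": date(1975, 8, 20),
    "discharge_date": date(2010, 3, 1), "diagnosis_code": "E11",
}


def deidentify_elderly_sample():
    return deidentify(ELDERLY_RECORD, AS_OF)


def deidentify_younger_sample():
    return deidentify(YOUNGER_RECORD, AS_OF)


if __name__ == "__main__":
    print(deidentify_elderly_sample())
    print(deidentify_younger_sample())
```

Two details are worth checking in any real implementation: the 90-or-older rule applies to every date element that would reveal the age, so the birth year has to go for those patients even though years are otherwise permitted, and the three-digit ZIP rule depends on a population threshold, so a ZIP that looks innocuous can still have to be reported as 000.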

2015 objectives:

  • Provide patients, on request, with an accounting of treatment, payment, and health care operations disclosures
  • Protect sensitive health information to minimize reluctance of patients to seek care because of privacy concerns

2015 measures:

  • Provide patients, on request, with a timely accounting of disclosures for treatment, payment, and health care operations, in compliance with applicable law
  • Incorporate and utilize technology to segment sensitive data