The Office of the National Coordinator for Health Information Technology (ONC) is proposing to conduct a nationwide survey regarding consumer attitudes toward the privacy and security aspects of electronic health records (EHR) and electronic health information exchange, according to a notice in last Thursday’s Federal Register.

ONC’s plan is to use computer-assisted telephone interviews

By Anna Kraus

As we reported previously, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently issued two reports that highlight continuing concerns over how best to ensure the privacy and security of electronic health information.  Earlier this week, we provided more detail on the OIG’s report regarding CMS oversight of the HIPAA Security Rule.

On May 16, 2011, the OIG released a second report relating to federal data security standards, Audit of Information Technology Security Included in Health Information Technology Standards. In this report, the OIG expressed concern that federal health information technology (HIT) standards do not include general information technology (IT) security controls. Instead, HIT standards focus primarily on application controls, which apply within an IT system and can be circumvented in the absence of strong general security controls. The audit recommended that the Office of the National Coordinator for Health Information Technology (ONC) take the following steps:

  • Include general security controls in HIT standards;
  • Provide guidance to the health industry and the medical community regarding the value of general IT security as well as general IT security standards and best practices; and
  • Cooperate with the Centers for Medicare & Medicaid Services (CMS) and the HHS Office for Civil Rights (OCR) to require general IT security controls where appropriate.



By Anna Kraus

Last week, the Office of Inspector General (OIG) within the Department of Health and Human Services (HHS) issued two audit reports regarding federally mandated data security measures for health information.  Both reports are highly critical of HHS’s efforts to protect the security of electronic health information.

In the first report, available here