The privacy and security workgroup of the federal Health IT Policy Committee has now recommended that providers encrypt any personally identifiable patient information whenever they share data with others, even when a third-party health information exchange is not involved. That is an interesting development.
The workgroup is asking leaders at Health and Human Services to make the policy for data encryption relatively firm, in the context of the new, tougher HIPAA privacy and security rules.
This, to me, is another example of an ideal that ends up getting tested in the real world. In theory, of course, there’s no question that patients must be protected from potential exposure due to carelessness around data-sharing. It will be interesting to see how all the permutations of these kinds of issues end up playing out over time, and across the multiple contexts of the set of challenges around meaningful use, the more stringent demands of the new HIPAA requirements, and a number of other intersecting policy, regulatory and process challenges in the field.
My concern is that CIOs, and at least equally, clinical informaticists, will find themselves nearly hamstrung by overlapping challenges and requirements, all of which come out of well-intended objectives or initiatives. Yet the risks to patient privacy and security are real. Somewhere in there, a balance will emerge over time in terms of how to handle and manage all these different challenges; but for the time being, I don’t know of anyone who has a magic-bullet solution to any of this.