GOP's HITECH Concerns: An Analysis
A Look at Questions About Privacy, Security
In a new report, a half-dozen GOP senators raise a number of questions about the HITECH Act's electronic health record incentive program, including whether the Department of Health and Human Services is doing enough to safeguard patient data.
"Unfortunately, we have significant concerns with the implementation of the HITECH Act to date, including the lack of data to support the administration's assertions that this taxpayer investment is being appropriately spent and actually achieving the goal of interoperable health IT," the senators say in a letter to HHS accompanying the report.
Last year, shortly before the presidential election, a number of GOP legislators sent another letter to HHS asking that the meaningful use program be put on hold until tougher standards for secure data exchange and system interoperability were added (see: GOP Legislators Question HITECH Merits).
Missing Some Details
Certainly, there is always room for improvement when it comes to the privacy and security of health data. In their recent report, however, the senators gloss over a number of key steps already taken to protect patient information.
For example, the report, Reboot: Re-Examining the Strategies Needed to Successfully Adopt Health IT, only briefly mentions the HIPAA Omnibus Rule, which went into effect in March. It fails to lay out the potential impact that the rule's ramped-up HIPAA enforcement could have.
"We are concerned the administration has not done enough to protect sensitive patient information in a cost-effective manner," the report states. "Among other problems, regulations related to payments made to providers do not require providers to demonstrate that the technology is secure; consequently, patients' sensitive, personal medical information may be at risk."
But the report fails to mention that under the HITECH Act program, healthcare providers are required to comply with HIPAA - and that includes conducting a thorough security risk assessment.
The report also fails to acknowledge federal auditing programs that investigate privacy and security practices. HHS is conducting random audits to check whether those receiving HITECH funds are meeting all requirements - including HIPAA compliance. Plus, the HHS Office for Civil Rights plans to resume its broader HIPAA compliance auditing effort sometime after September of this year (see: HIPAA Audits: A Status Report).
The report also states: "[HHS] being proactive in addressing privacy and security concerns while minimizing the additional burden on providers is a critical part of ensuring the long-term success of EHRs."
Protecting Patient Data
The bulk of the burden for protecting patient data will always fall on healthcare providers. Hospitals and physicians are the collectors and keepers of patient data. HIPAA, and now HIPAA Omnibus, have laid out a plan for what healthcare organizations should do to protect patient information. And for Stage 2 of the HITECH incentive program, EHR software must, by default, encrypt data stored on end-user devices.
If the senators are serious about ensuring that HHS does all that it can to improve patient data security and privacy, they should take action to ensure that OCR gets enough funding to ramp up its HIPAA enforcement efforts, its breach investigations and its HIPAA compliance audit program. Otherwise, criticism of the HITECH Act incentive program and HHS' privacy and security efforts seems hypocritical, at best.
Legislators also should ditch any ideas about putting the HITECH Act incentive program on hold. Such a halt in the program could lead many hospitals and physicians to slow down their rollout of EHRs and related health IT, stalling automation efforts that could improve the quality of care and cut the nation's healthcare bill. And I fear some, faced with the loss of future rounds of incentive payments, would have to make some painful cuts, including skimping on security for the systems they already have in place (see: Calls for Halting HITECH Misguided).