Grading Obama on PrivacyAdvocacy Group Sizes Up Administration's Performance
The report includes some jabs at the White House's medical privacy policies this year.
In its 2009 report card, the research and advocacy group gave the administration an A- grade on medical privacy, thanks to the passage of the HITECH Act, which it called "one of the best privacy laws in years."
With millions of patient records moving online, we think the White House needs to show more effort.
But in its 2010 assessment, EPIC says, "Implementation of the privacy provisions in the 2009 law have slowed." In particular, the report card, which offered a grade of B, blasted the White House for planning to endorse a "weak" final version of the HITECH breach notification rule, but backing off.
As we reported earlier, the Department of Health and Human Services, which submitted a final version of the breach notification rule for administrative review May 14, withdrew it in July pending "further consideration." HHS offered a cryptic explanation, saying it needed more time "to allow for further consideration, given the department's experience to date in administering the regulations."
But many privacy experts were quick to speculate that HHS was reconsidering the "harm standard" that was part of the interim final version of the breach notification rule. That provision allows healthcare organizations and their business associates to conduct a risk assessment to determine whether a particular data security breach presents "significant risk" and thus needs to be reported.
As pointed out in an earlier blog, the harm standard provision creates a gray area in the law. And we agree with consumer advocates, and certain members of Congress, who argue that the harm standard needs to be replaced by clear-cut, black-and-white guidance on what must be reported.
"With millions of patient records moving online, we think the White House needs to show more effort," the 2010 EPIC report card states. "This has been a strong subject for the administration in the past. It can be so again."
HHS has missed several HITECH Act-mandated deadlines for privacy-related regulations this year. But the Act gave authorities only a year to finish a lengthy to-do list. Let's hope the next few months see final action on pending matters, including a strengthened breach notification rule.
CybersecurityIn the cybersecurity arena, EPIC gave the Obama Administration a grade of B for the second year in a row.
"For 2010, we see a continued effort by the administration to safeguard privacy rights for Internet users, but we also note the growing influence of the NSA (National Security Agency)," EPIC observes. "The NSA director was named head of Cyber Command and has recently signed an agreement with the Department of Homeland Security that transfers new powers to the intelligence agency."
EPIC calls on the White House to be "more transparent about the role of the NSA in cybersecurity," adding that "releasing key documents about the NSA's cybersecurity authority would be a good start."
Civil LibertiesIn the civil liberties arena, EPIC gave the Administration a D, criticizing the White House for aggressively asserting the "state secrets doctrine" and subjecting air travelers to "unconstitutional body searches in airports."
"Incredibly, the White House allowed the President's Civil Liberties and Privacy Oversight Board to languish," EPIC states. "Even the Bush Administration made this a priority."
On consumer privacy, the Administration earned a C grade from EPIC, which charged that the Federal Trade Commission "has been unable or unwilling to pursue any significant privacy investigations. The agency has become a black hole for privacy complaints that earlier commissions routinely pursued."
The report adds: "The White House offers little support for privacy efforts in Congress. Meanwhile, public concerns about identity theft, security breaches and online profiling are on the rise."
So what do you think? Is the report card spot-on? Too harsh? Too mild? We'd like to hear from you.