Identifying Privacy Protection GapsReport Pinpoints 7 Areas of Concern in Healthcare
Robust electronic health information exchange has the potential to dramatically improve the quality of care by making more complete information about patients more readily available to clinicians when they need it. But unless patient privacy is protected, efforts to ramp up information exchange - as well broaden the use of electronic health records - will be stalled because of the public's lack of trust.
Two consumer advocacy groups have issued a brief, well-written report that pinpoints seven gaps in existing privacy protections for healthcare information. I'm hopeful that federal regulatory authorities - as well as healthcare provider organizations and HIE organizers - will take a very close look at this report from Consumers Union and the Center for Democracy & Technology, which highlights critical issues in need of immediate attention.
Laws that protect electronic health data, such as the HIPAA Security Rule, should be reassessed to ensure that they are sufficient to meet new security challenges and to incorporate technological innovation.
The report, commissioned by the California HealthCare Foundation, says policymakers need to address seven key areas:
- All entities that access, use and disclose personal health information should be held accountable for complying with legal obligations to protect health data. HIPAA, for example, does not yet cover all types of organizations that might have access to patient information.
- Enforcement of existing federal and state laws needs to be ramped up to provide accountability for compliance.
- Laws that protect electronic health data, such as the HIPAA Security Rule, should be reassessed to ensure that they are sufficient to meet new security challenges and to incorporate technological innovation. The report, for example, points out that encryption is not yet consistently used - as shown by many major breach incidents involving lost or stolen unencrypted devices or media. Yet HIPAA doesn't explicitly require encryption.
- Rules governing how personal health information can be used for marketing purposes should be strengthened.
- Policymakers need to provide much more clarity on how organizations are expected to comply with existing and new health privacy laws.
- Policymakers should ensure that standards for de-identifying health data, such as for research purposes, remain robust and should establish penalties for inappropriate or unauthorized re-identification.
- Data-sharing models should, where possible, use a decentralized and local control approach, rather than using duplicate databases created each time health information is needed for a particular purpose. Such duplication and centralization of data "amplifies the risk of security and privacy violations," the report notes.
Too many so-called "white papers" are academic in nature and difficult to decipher. The two consumer advocacy groups that prepared this new report, "Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange," deserve a great deal of credit for making their points clearly and concisely.