The Security Scrutinizer with Howard Anderson

Identifying Privacy Protection Gaps

Report Pinpoints 7 Areas of Concern in Healthcare

Robust electronic health information exchange has the potential to dramatically improve the quality of care by making more complete information about patients more readily available to clinicians when they need it. But unless patient privacy is protected, efforts to ramp up information exchange - as well as to broaden the use of electronic health records - will be stalled because of the public's lack of trust.

Two consumer advocacy groups have issued a brief, well-written report that pinpoints seven gaps in existing privacy protections for healthcare information. I'm hopeful that federal regulatory authorities - as well as healthcare provider organizations and HIE organizers - will take a very close look at this report from Consumers Union and the Center for Democracy & Technology, which highlights critical issues in need of immediate attention.

The report, commissioned by the California HealthCare Foundation, says policymakers need to address seven key areas:

  • All entities that access, use and disclose personal health information should be held accountable for complying with legal obligations to protect health data. HIPAA, for example, does not yet cover all types of organizations that might have access to patient information.
  • Enforcement of existing federal and state laws needs to be ramped up to provide accountability for compliance.
  • Laws that protect electronic health data, such as the HIPAA Security Rule, should be reassessed to ensure that they are sufficient to meet new security challenges and to incorporate technological innovation. The report, for example, points out that encryption is not yet consistently used - as shown by many major breach incidents involving lost or stolen unencrypted devices or media. Yet HIPAA doesn't explicitly require encryption.
  • Rules governing how personal health information can be used for marketing purposes should be strengthened.
  • Policymakers need to provide much more clarity on how organizations are expected to comply with existing and new health privacy laws.
  • Policymakers should ensure that standards for de-identifying health data, such as for research purposes, remain robust and should establish penalties for inappropriate or unauthorized re-identification.
  • Data-sharing models should, where possible, use a decentralized and local control approach, rather than using duplicate databases created each time health information is needed for a particular purpose. Such duplication and centralization of data "amplifies the risk of security and privacy violations," the report notes.

Too many so-called "white papers" are academic in nature and difficult to decipher. The two consumer advocacy groups that prepared this new report, "Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange," deserve a great deal of credit for making their points clearly and concisely.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
