Safe & Sound with Marianne Kolbasuk McGee

Tying Up Loose Ends for Health Data Privacy, Security

What's Inside Appropriations Bill for HHS Efforts?
As the year wraps up, regulators and legislators have been busy tying up some "loose ends" related to health data security and privacy before the start of 2020. In case you've been busy with your own year-end to-do list, here are some of the recent developments you might have missed.

You've most likely heard that Congress and the White House last week agreed on a bipartisan spending bill to avert another government shutdown. But what's hidden inside that appropriations bill as it relates to health data privacy and security?

No Funding for National Patient IDs

Despite the House of Representatives earlier this year approving proposed budget legislation that would have dropped the 20-year-long ban on the Department of Health and Human Services funding a unique patient identifier, the appropriations bill approved by the Senate and signed into law by President Trump last week does not lift the long ban after all.

Many healthcare and health IT industry groups have long been urging Congress to lift the ban so that an identifier could be developed and used to help match patients with the correct electronic health information from multiple sources to improve care quality and patient safety. But privacy advocates have also long warned that a national identifier could lead to inappropriate exposure of sensitive information.

Originally, HIPAA, which was enacted in 1996, required the creation of patient identifiers and other uniform standards for electronic data transmission to improve the reliability of health information.

But Congress subsequently banned HHS from expending funds to develop a unique patient identifier system, mainly because of privacy concerns. Since that ban was first enacted in 1999, Congress has repeatedly included wording in annual HHS appropriation bills to uphold the restriction.

Both Sides Now

But the final budget bill for 2020 seems to try to appease both sides of the argument, at least a bit.

The spending bill includes an "explanatory statement" directing HHS "to continue to provide technical assistance to private-sector-led initiatives to develop a coordinated national strategy that will promote patient safety by accurately identifying patients to their health information."

That explanatory statement also directs HHS' Office of the National Coordinator for Health IT to study "technological and operational methods that improve identification of patients."

Something for Everyone?

Some proponents for lifting the funding ban aren't totally disappointed in the bill, while even some privacy advocates applaud the continuation of the ban.

"Congress' direction for HHS to study ways to improve patient matching, which can include a unique patient identifier, is yet another important step in our efforts to ensure that patients are accurately and easily matched to their data as they receive care across disparate providers and others in the healthcare system," said Russell Branzell, president and CEO of the College of Health Information Management Executives in a statement last week. CHIME - whose 3,200 members include CIOs and CISOs - has been lobbying Congress for years to lift the ban.

Meanwhile, some privacy advocates are happy to see the ban linger yet another year.

"The federal unique patient identifier would be the final nail in the coffin of patient privacy rights," said Twila Brase, president of privacy advocacy group Citizens' Council for Healthcare Freedom in a statement praising the bill's provision leaving the ban intact.

"If the national patient ID was implemented, it would allow all medical records from womb to tomb, to be linked together into a highly-accessible national medical-records system," CCHF contends.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says he feels a bit more hopeful that the ban will eventually be lifted.

"I wish that I could say that I was surprised, but I've learned never to doubt the likelihood of the status quo remaining in place," he notes. "I remain optimistic that this year reflects progress towards establishing a unique patient ID that can improve patient matching and patient safety in a manner that appropriately addresses privacy concerns."

But Clyde Hewitt, executive advisor at security consultancy CynergisTek says the continued ban is a significant setback, no matter what.

"The operational impact of the ban will impede the data sharing goal as it constrains positive identification of patients whose data is stored in disparate systems," he says.

For example, HHS recently revealed that technical errors in Blue Button 2.0 - an application programming interface used by CMS and the Department of Veterans Affairs to share patient health data - potentially exposed 10,000 patients' data to the wrong patients, he notes.

"We can only imagine the situation getting more challenging, technically speaking, as hundreds or thousands of developers will be adopting interface standards that leave room for interpretation."

OCR and ONC Funding

The appropriations bill also provides essentially flat funding for two important HHS agencies - the Office for Civil Rights, which enforces HIPAA, and the Office of the National Coordinator for Health IT, which oversees standards and policies in the development of a national health IT infrastructure supporting secure health information exchange.

While flat budgets might not on the surface be a reason to celebrate, the two agencies are actually fortunate because they escaped deep cuts that had been proposed earlier this year by the Trump administration.

In the end, the 2020 funding bill provides OCR with a budget of nearly $38.8 million and ONC with nearly $60.4 million (see President's Proposed 2020 Budget: Impact on Cybersecurity).

"I am encouraged that ONC and OCR's budgets were not cut," Greene says. "Safeguarding health information privacy and security is an ever increasing challenge. We need HHS to issue guidance on evolving issues, ranging from navigating social media to increased connectivity between covered entities and non-HIPAA-covered apps," he notes.

"OCR and ONC have very limited staffs to tackle a backlog of needed guidance. Budget cuts only would have compounded their challenge."

Watchdog Findings

In addition to the appropriations budget being signed into law, watchdogs in other areas of government in recent days also issued their own reports spotlighting where taxpayers' money has been allocated related to health IT.

A new HHS Office of Inspector General report issued on Dec. 16 shows that the Centers for Medicare and Medicaid Services made an estimated $93.6 million in incorrect Medicare electronic health records incentive payments to acute-care hospitals from January 2013 to September 2017.

What's the silver lining in this? OIG says that the inappropriate payments to those hospitals are less than 1 percent of the $10.8 billion in total incentive payments made to hospitals under the HITECH Act since 2011, when they first became eligible for financial incentives for meeting a long laundry list of EHR "meaningful use" requirements, including some involving data security and privacy.

Also, rather than potentially fraudulent meaningful use attestations by hospitals, most of the inappropriate payments made by HHS were due to administrative errors, OIG says.

For instance, OIG writes that incorrect net incentive payments occurred because "the Medicare administrative contractors did not review the supporting documentation for all hospitals to identify errors in the hospitals' cost-report numbers used to calculate the incentive payments, and CMS did not include labor and delivery services in the incentive payment calculations, which resulted in hospitals receiving inflated incentive payments."

In addition to releasing the report on HITECH payments to hospitals, HHS OIG has been busy updating its list of reports planned for 2020.

Among those studies slated in the new year, OIG's updated workplan notes that it will perform an "audit of Centers for Disease Control and Prevention's cybersecurity controls over the vaccine adverse event reporting system."

FERPA and HIPAA Guidance

Finally, although Greene notes that HHS OCR has a long list of awaited HIPAA-related guidance materials still on its to-do list, HHS OCR and the Department of Education Office for Civil Rights on Dec. 19 jointly issued updated guidance about complying with the Family Educational Rights and Privacy Act and HIPAA.

The new clarifications and examples in the guidance address issues including:

  • When protected health information or personally identifiable information from an education record can be shared with the parent of an adult student;
  • What options family members of an adult student have under HIPAA if they are concerned about the student's mental health and the student does not agree to disclosures of their PHI;
  • Whether HIPAA allows a covered healthcare provider to disclose PHI about a minor with a mental health condition or substance use disorder to the minor's parents;
  • When PHI or PII can be shared about a student who presents a danger to self or others.

"It remains challenging for schools, students, parents, and providers to navigate the intersection of HIPAA and FERPA," attorney Greene notes. "This can lead to life-or-death issues, with schools and providers fearful of communicating about mental health issues because of the two laws. I am glad that HHS and the Department of Education updated this guidance, further providing clarification on how to appropriately navigate the laws."

So, what else would you like to see privacy and security regulators cross off their to-do lists last minute, before 2019 is in the history books?

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.