HHS Sets New Health Tech Privacy Rules

Published March 1, 2009

The U.S. Department of Health and Human Services has implemented new privacy principles for the exchange of electronic health information. Analysts say this is a good move so long as compliance remains voluntary and individuals’ privacy is respected.

Imposed in the closing days of the Bush administration, the guidelines are called the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. Then-HHS Secretary Mike Leavitt said he hoped the principles would guide the actions of all health care-related entities that participate in health information technology (health IT) networks.

HHS’s Office of Civil Rights also published new “privacy rule guidance” to comply with the Health Insurance Portability and Accountability Act (HIPAA) as part of a “toolkit” for implementing the new principles.

Experts Applaud Policy

“These are worthwhile qualifications of HIPAA security rules,” said Dave Miller, chief security officer of Detroit-based Covisint Corp., a subsidiary of Compuware in Durham, North Carolina.

“The privacy rules were written before the wide adoption of electronic health records,” Miller said. “Their focus was just on the access to data, focusing on people talking about things. They didn’t deal well with the security of millions of health care records. This helps from a privacy standpoint.”

Miller said many privacy standards were already in place outside the health care arena. In many fields, the federal government’s measurement standards agency, the National Institute of Standards and Technology (NIST), makes rules the government then adopts for companies that do business with the government.

“A lot of private organizations then would use these as default privacy standards [for nongovernment work],” Miller said.

Calling for Care

Legislation can be beneficial in aiding privacy protections—if it doesn’t go too far, Miller added.

“You do need some legislation,” Miller said. “It should reference government best practices as defined by NIST.”

However, the legislation shouldn’t mandate these practices, Miller said, because making them optional enables companies to develop privacy practices most appropriate for their particular industries.

Another factor, according to Steve Titch, a telecom analyst for the Reason Foundation in Los Angeles, is that “people just don’t trust the government.”

“The biggest stumbling block to improving health IT is the rightful concerns about privacy,” Titch said. “The government is among the worst when it comes to keeping records safe. It loses laptops. The feds lost the Veterans Administration records. It happened to ‘Joe the Plumber,’ too. A Democratic [official in Ohio] looked at his records in an attempt to get some dirt on him. So there’s not a lot of trust there.”

Restricting Personal Info Flow

Titch said another issue in protecting health records is the desire of health care firms to be “co-owners” of the data, while consumers don’t want health care companies to have any more personal information than they need to perform their services.

“Trust is a big factor with the government and a secondary factor with the insurance agencies,” Titch said. “The government has to send a message that unauthorized access of information is subject to a severe penalty. Loss of data should have serious consequences.

“The government has to show a willingness to enforce the rules,” Titch added. “So far [the government] has been very lax in the protection of the data. The government has to build some real trust.”

Phil Britt writes from South Holland, Illinois.