Risk
6/27/2012
10:08 AM

Healthcare Patient Data Laws Outdated: Consumers Union

Laws covering privacy and security of health data haven't kept pace with changes in health IT, report from Consumers Union and Center for Democracy and Technology says.

[Slideshow: 9 Health IT Tools Patients Should Understand]
Neither the Health Insurance Portability and Accountability Act (HIPAA) nor California's Confidentiality of Medical Information Act (CMIA) does enough to address the privacy and security of patients' health information. That's the conclusion of the Consumers Union and the Center for Democracy & Technology, as outlined in their recently released policy brief.

The brief, titled Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange, observes that both HIPAA and CMIA are based on Fair Information Practice Principles (FIPs), a set of comprehensive guidelines that govern the way healthcare providers and related organizations collect, use, and safeguard personal information.

In general, these principles permit healthcare providers to exchange information for treatment, payment, and certain administrative activities without receiving specific authorization from patients. Providers need specific authorization, however, if the information is used in research or the sale of identifiable health information. FIPs also require health groups such as hospitals, health plans, and pharmacies to implement reasonable safeguards to protect electronic health data.

However, the policy brief, which was supported by a grant from the California HealthCare Foundation, based in Oakland, Calif., claims that gaps exist in the current laws that govern patient health information, and these laws don't address all of the objectives outlined in the FIPs.


Like many states across the country, California's healthcare system is developing new platforms for the exchange of patient data, including health information exchanges (HIEs), personal health records, and new technologies like tablets and smartphones.

In this environment, the authors recommend several steps to further safeguard patient health information, including calling for all business entities that access, use, and disclose personal health information to be held responsible for adhering to legal obligations to protect health data. The document also urges policymakers to enforce and strengthen existing federal and state laws that provide health privacy and security protections.

"There needs to be a culture of enforcement at all levels; we are not just looking at governmental enforcement. I think the providers should look at enforcement themselves and that will create a culture of compliance," Mark Savage, senior attorney for Consumers Union, told InformationWeek Healthcare. "Providers should be asking themselves, 'should we take the time to train our employees? When we discover that an unauthorized employee has actually opened up the health files of a celebrity, should we terminate the employment of that person?'"

The document also laments the fact that current laws have not kept pace with new technology and data exchange models that have recently emerged. "Today, federal coverage under HIPAA is limited to traditional healthcare system entities (e.g., providers and insurers) and their contractors (business associates)," the policy brief states.

According to Savage, who co-authored the policy brief, personal health records are a good example of HIPAA's limitations. "Patients are providing information through Web-based access to personal health records, so they are trying to actually contribute to the management of their health data and to make it available to their provider. But in that particular situation, the online-based personal health record is not a HIPAA covered entity," Savage explained in an interview with InformationWeek Healthcare. The brief recommends that laws protecting electronic health data, such as the HIPAA Security Rule, be reassessed to ensure that they address new security challenges and incorporate technological innovations such as encryption.

The document also notes that while California lawmakers recently extended the CMIA's scope, the law is still "unclear whether these expansions suffice to provide comprehensive protections for consumers and patients regardless of which entity is accessing their information."

The policy brief also recommends:

--Strengthening the rules on the use of personal health information for marketing purposes.

--Improving clarity on how entities should comply with existing and new health privacy laws. These recommendations will reduce the uncertainties associated with sharing information lawfully, and should instill greater confidence in exchanging patient information to improve individual and population health.

--Keeping standards for de-identifying health data robust, and establishing penalties for inappropriate or unauthorized re-identification.

Finally, the report urges more emphasis on data-sharing models that support decentralization and local control. These models are preferred over duplicate databases. According to the brief, duplication and centralization of data increase security risks and privacy violations.


Comments
DPRUITT000,
User Rank: Apprentice
6/27/2012 | 7:39:43 PM
re: Healthcare Patient Data Laws Outdated: Consumers Union
Every new patient is asked by doctors to read and sign the Notice of Privacy Practices, commonly called the "HIPAA form." Did you know that it makes no difference to anyone whether you sign the form or not?

Why not save healthcare and taxpayer dollars by just handing patients disposable NoPP forms and asking them to read it before recycling - instead of creating millions of paper trails daily that are meaningless because, as I said, it makes no difference to anyone whether the form is signed or not.

Even when the requirement was written, it was meant to trick Americans. The HIPAA form is an expensive federal ruse.

D. Kellus Pruitt DDS