Risk
6/27/2012
10:08 AM
Healthcare Patient Data Laws Outdated: Consumers Union

Laws covering privacy and security of health data haven't kept pace with changes in health IT, report from Consumers Union and Center for Democracy and Technology says.

Neither the Health Insurance Portability and Accountability Act (HIPAA) nor California's Confidentiality of Medical Information Act (CMIA) does enough to address the privacy and security of patients' health information. That's the conclusion of the Consumers Union and the Center for Democracy & Technology, as outlined in their recently released policy brief.

Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange observed that both HIPAA and CMIA are based on Fair Information Practice Principles (FIPs), a set of comprehensive guidelines that govern the way healthcare providers and related organizations collect, use, and safeguard personal information.

In general, these principles permit healthcare providers to exchange information for treatment, payment, and certain administrative activities without receiving specific authorization from patients. Providers need specific authorization, however, if the information is used in research or the sale of identifiable health information. FIPs also require health groups such as hospitals, health plans, and pharmacies to implement reasonable safeguards to protect electronic health data.

However, the policy brief, which was supported by a grant from the California HealthCare Foundation, based in Oakland, Calif., claims that gaps exist in the current laws that govern patient health information, and these laws don't address all of the objectives outlined in the FIPs.

[ Most of the largest healthcare data security and privacy breaches have involved lost or stolen mobile computing devices. For possible solutions, see 7 Tools To Tighten Healthcare Data Security. ]

Like many states across the country, California's healthcare system is developing new platforms for the exchange of patient data, including health information exchanges (HIEs), personal health records, and new technologies like tablets and smartphones.

In this environment, the authors recommend several steps to further safeguard patient health information, including calling for all business entities that access, use, and disclose personal health information to be held responsible for adhering to legal obligations to protect health data. The document also urges policymakers to enforce and strengthen existing federal and state laws that provide health privacy and security protections.

"There needs to be a culture of enforcement at all levels; we are not just looking at governmental enforcement. I think the providers should look at enforcement themselves and that will create a culture of compliance," Mark Savage, senior attorney for Consumers Union, told InformationWeek Healthcare. "Providers should be asking themselves, 'should we take the time to train our employees? When we discover that an unauthorized employee has actually opened up the health files of a celebrity, should we terminate the employment of that person?'"

The document also laments the fact that current laws have not kept pace with new technology and data exchange models that have recently emerged. "Today, federal coverage under HIPAA is limited to traditional healthcare system entities (e.g., providers and insurers) and their contractors (business associates)," the policy brief states.

According to Savage, who co-authored the policy brief, personal health records are a good example of HIPAA's limitations. "Patients are providing information through Web-based access to personal health records, so they are trying to actually contribute to the management of their health data and to make it available to their provider. But in that particular situation, the online-based personal health record is not a HIPAA covered entity," Savage explained in an interview with InformationWeek Healthcare. To meet new security challenges, the brief recommends that laws protecting electronic health data, such as the HIPAA Security Rule, be reassessed to ensure that they address those challenges and incorporate technological innovations such as encryption.

The document also notes that while California lawmakers recently extended the CMIA's scope, the law is still "unclear whether these expansions suffice to provide comprehensive protections for consumers and patients regardless of which entity is accessing their information."

The policy brief also recommends:

--Strengthening the rules on the use of personal health information for marketing purposes.

--Improving clarity on how entities should comply with existing and new health privacy laws. These recommendations will reduce the uncertainties associated with sharing information lawfully, and should instill greater confidence in exchanging patient information to improve individual and population health.

--Keeping standards for de-identifying health data robust, and establishing penalties for inappropriate or unauthorized re-identification.

Finally, the report urges more emphasis on data-sharing models that support decentralization and local control. These models are preferred over duplicate databases. According to the brief, duplication and centralization of data increase security risks and privacy violations.

Comments

DPRUITT000, 6/27/2012 | 7:39:43 PM
re: Healthcare Patient Data Laws Outdated: Consumers Union
Every new patient is asked by doctors to read and sign the Notice of Privacy Practices, commonly called the "HIPAA form." Did you know that it makes no difference to anyone whether you sign the form or not?

Why not save healthcare and taxpayer dollars by just handing patients disposable NoPP forms and ask them to read it before recycling - instead of creating millions of paper trails daily that are meaningless because, as I said, it makes no difference to anyone whether the form is signed or not.

Even when the requirement was written, it was meant to trick Americans. The HIPAA form is an expensive federal ruse.

D. Kellus Pruitt DDS