6/27/2012

Healthcare Patient Data Laws Outdated: Consumers Union

Laws covering privacy and security of health data haven't kept pace with changes in health IT, report from Consumers Union and Center for Democracy and Technology says.

[Slideshow: 9 Health IT Tools Patients Should Understand]
Neither the Health Insurance Portability and Accountability Act (HIPAA) nor California's Confidentiality of Medical Information Act (CMIA) does enough to address the privacy and security of patients' health information. That's the conclusion of the Consumers Union and the Center for Democracy & Technology, as outlined in their recently released policy brief.

"Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange" observed that both HIPAA and CMIA are based on Fair Information Practice Principles (FIPs), a set of comprehensive guidelines that govern the way healthcare providers and related organizations collect, use, and safeguard personal information.

In general, these principles permit healthcare providers to exchange information for treatment, payment, and certain administrative activities without receiving specific authorization from patients. Providers need specific authorization, however, if the information is used in research or the sale of identifiable health information. FIPs also require health groups such as hospitals, health plans, and pharmacies to implement reasonable safeguards to protect electronic health data.

However, the policy brief, which was supported by a grant from the California HealthCare Foundation, based in Oakland, Calif., claims that gaps exist in the current laws that govern patient health information, and these laws don't address all of the objectives outlined in the FIPs.

[ Most of the largest healthcare data security and privacy breaches have involved lost or stolen mobile computing devices. For possible solutions, see 7 Tools To Tighten Healthcare Data Security. ]

Like many states across the country, California's healthcare system is developing new platforms for the exchange of patient data, including health information exchanges (HIEs), personal health records, and new technologies like tablets and smartphones.

In this environment, the authors recommend several steps to further safeguard patient health information, including calling for all business entities that access, use, and disclose personal health information to be held responsible for adhering to legal obligations to protect health data. The document also urges policymakers to enforce and strengthen existing federal and state laws that provide health privacy and security protections.

"There needs to be a culture of enforcement at all levels; we are not just looking at governmental enforcement. I think the providers should look at enforcement themselves and that will create a culture of compliance," Mark Savage, senior attorney for Consumers Union, told InformationWeek Healthcare. "Providers should be asking themselves, 'should we take the time to train our employees? When we discover that an unauthorized employee has actually opened up the health files of a celebrity, should we terminate the employment of that person?'"

The document also laments the fact that current laws have not kept pace with new technology and data exchange models that have recently emerged. "Today, federal coverage under HIPAA is limited to traditional healthcare system entities (e.g., providers and insurers) and their contractors (business associates)," the policy brief states.

According to Savage, who co-authored the policy brief, personal health records are a good example of HIPAA's limitations. "Patients are providing information through Web-based access to personal health records, so they are trying to actually contribute to the management of their health data and to make it available to their provider. But in that particular situation, the online-based personal health record is not a HIPAA covered entity," Savage explained in an interview with InformationWeek Healthcare. The brief therefore recommends that laws protecting electronic health data, such as the HIPAA Security Rule, be reassessed to ensure they address new security challenges and incorporate technological innovations such as encryption.

The document also notes that while California lawmakers recently extended the CMIA's scope, the law is still "unclear whether these expansions suffice to provide comprehensive protections for consumers and patients regardless of which entity is accessing their information."

The policy brief also recommends:

--Strengthening the rules on the use of personal health information for marketing purposes.

--Improving clarity on how entities should comply with existing and new health privacy laws. These recommendations will reduce the uncertainties associated with sharing information lawfully, and should instill greater confidence in exchanging patient information to improve individual and population health.

--Keeping standards for de-identifying health data robust, and establishing penalties for inappropriate or unauthorized re-identification.

Finally, the report urges more emphasis on data-sharing models that support decentralization and local control. These models are preferred over duplicate databases. According to the brief, duplication and centralization of data increase security risks and privacy violations.

Comments
DPRUITT000,
User Rank: Apprentice
6/27/2012 | 7:39:43 PM
re: Healthcare Patient Data Laws Outdated: Consumers Union
Every new patient is asked by doctors to read and sign the Notice of Privacy Practices, or commonly called the "HIPAA form." Did you know that it makes no difference to anyone whether you sign the form or not?

Why not save healthcare and taxpayer dollars by just handing patients disposable NoPP forms and asking them to read it before recycling, instead of creating millions of paper trails daily that are meaningless because, as I said, it makes no difference to anyone whether the form is signed or not?

Even when the requirement was written, it was meant to trick Americans. The HIPAA form is an expensive federal ruse.

D. Kellus Pruitt DDS