Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange observed that both HIPAA and CMIA are based on Fair Information Practice Principles (FIPs), a set of comprehensive guidelines that govern the way healthcare providers and related organizations collect, use, and safeguard personal information.
In general, these principles permit healthcare providers to exchange information for treatment, payment, and certain administrative activities without receiving specific authorization from patients. Providers need specific authorization, however, if the information is used in research or the sale of identifiable health information. FIPs also require health groups such as hospitals, health plans, and pharmacies to implement reasonable safeguards to protect electronic health data.
However, the policy brief, which was supported by a grant from the California HealthCare Foundation, based in Oakland, Calif., claims that gaps exist in the current laws that govern patient health information, and these laws don't address all of the objectives outlined in the FIPs.
Like many states across the country, California's healthcare system is developing new platforms for the exchange of patient data, including health information exchanges (HIEs), personal health records, and new technologies like tablets and smartphones.
In this environment, the authors recommend several steps to further safeguard patient health information, including calling for all business entities that access, use, and disclose personal health information to be held responsible for adhering to legal obligations to protect health data. The document also urges policymakers to enforce and strengthen existing federal and state laws that provide health privacy and security protections.
"There needs to be a culture of enforcement at all levels; we are not just looking at governmental enforcement. I think the providers should look at enforcement themselves and that will create a culture of compliance," Mark Savage, senior attorney for Consumers Union, told InformationWeek Healthcare. "Providers should be asking themselves, 'should we take the time to train our employees? When we discover that an unauthorized employee has actually opened up the health files of a celebrity, should we terminate the employment of that person?'"
The document also laments the fact that current laws have not kept pace with new technology and data exchange models that have recently emerged. "Today, federal coverage under HIPAA is limited to traditional healthcare system entities (e.g., providers and insurers) and their contractors (business associates)," the policy brief states.
According to Savage, who co-authored the policy brief, personal health records are a good example of HIPAA's limitations. "Patients are providing information through Web-based access to personal health records, so they are trying to actually contribute to the management of their health data and to make it available to their provider. But in that particular situation, the online-based personal health record is not a HIPAA covered entity," Savage explained in an interview with InformationWeek Healthcare. The brief therefore recommends that laws protecting electronic health data, such as the HIPAA Security Rule, be reassessed to ensure that they address new security challenges and incorporate technological innovations such as encryption.
The document also notes that while California lawmakers recently extended the CMIA's scope, it remains "unclear whether these expansions suffice to provide comprehensive protections for consumers and patients regardless of which entity is accessing their information."
The policy brief also recommends:
--Strengthening the rules on the use of personal health information for marketing purposes.
--Improving clarity on how entities should comply with existing and new health privacy laws. These recommendations will reduce the uncertainties associated with sharing information lawfully, and should instill greater confidence in exchanging patient information to improve individual and population health.
--Keeping standards for de-identifying health data robust, and establishing penalties for inappropriate or unauthorized re-identification.
Finally, the report urges more emphasis on data-sharing models that support decentralization and local control. These models are preferred over duplicate databases. According to the brief, duplication and centralization of data increase security risks and privacy violations.