The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who want a say in how protected health information (PHI) is safeguarded, shared, and otherwise handled.
This group met on April 12, 2007 to discuss personal health records and personal health exchanges along with the effectiveness of HIPAA.
They created a draft policy that, if adopted by the HHS, would require all persons and entities that store, compile, transmit, or access electronic PHI to meet all the HIPAA requirements. Currently the only organizations that must follow HIPAA are covered entities (CEs): healthcare providers, healthcare insurers/payers, and healthcare clearinghouses.
Business associates (BAs; generally those businesses that handle PHI in some way for CEs) are currently not directly covered by HIPAA, but CEs must have contracts in place specifying the safeguards the BAs must follow.
The HHS Secretary, Michael O. Leavitt, has stated in various speeches and reports his opposition to such a plan, indicating that making such changes would upset the years of regulatory work already done and delay the goal of establishing a nationwide health information network by 2014.
I personally think it is a good idea to make PHI safeguarding requirements applicable to any organization that handles PHI. And, in addition to this, it would be good to expand this to all personally identifiable information (PII), and move the enforcement oversight from the HHS, which has been completely ineffective so far, to the much more proactive Federal Trade Commission (FTC).
http://www.ftc.gov
Yes…then the U.S. would finally have one comprehensive PII protection law being enforced by an agency that is proactive.
Why do I always get an image of Barney Fife in my mind when I think of the HHS and HIPAA enforcement…and them having only one bullet for their enforcement gun that they can never use?
Tags: awareness and training, CMS, government, HHS, HIPAA, Information Security, IT compliance, OCR, patient privacy, PHI, PII, policies and procedures, privacy, privacy rule, security rule