HIPAA: Congressional and GAO Reports Say HHS Needs To Make Changes To Protect Patient Privacy

According to a congressional testimony report posted February 1, “Private Health Records: Privacy Implications of the Federal Government’s Health Information Technology Initiative,” the Department of Health and Human Services (HHS) needs to do more to address privacy and security concerns connected with the new technology.
Here is an excerpt from the testimony statement of Senator Daniel K. Akaka:

“Over the past few years, we have seen various data mining programs in the federal government that lacked key privacy protections. We also recall the loss of a VA laptop computer and the news of many other federal data breaches that put the personal information of millions of Americans at risk. These incidents reinforce the need to build into any system containing personal information privacy and security protections. Our personal health information must not be subject to these same failings. Privacy and security are critical elements in health IT and should never be an afterthought.”
“That’s why I wrote to OPM in May 2005 seeking information on how federal employee’s health information would be protected under the efforts of OPM and the health insurance carriers. OPM responded that the Health Insurance Portability and Accountability Act (HIPAA) would address these privacy concerns. But while HIPAA is a foundation, HIPAA by itself is not enough. Privacy protections must be built in conjunction with the development of the health IT infrastructure.”

Indeed! Yes, HIPAA provides the legal requirements for protected health information (PHI), which are types of personally identifiable information (PII), safeguards, but a law in and of itself will still not assure privacy and security. Privacy and security must be addressed at every phase, from applications and systems planning all the way through to applications and systems retirement and disposal. Privacy and security must also be built into the environment and work practices of all parts of the enterprise; where ever PII is handled or accessed in any way, safeguards and awareness must exist.
Privacy and security laws must also be enforced.
Senator Akaka also testified:

“To ensure that this was happening, Senator Kennedy and I asked the Government Accountability Office (GAO) to review the efforts of HHS and the National Coordinator to protect personal health information. GAO’s report, which was released this morning, found that while HHS and the National Coordinator have taken steps to study the protection of personal health information, an over-all strategy is needed to:
• identify milestones for integrating privacy into the health IT framework,
• ensure privacy is fully addressed, and
• address key challenges associated with the nationwide exchange of information.
Given the overwhelming evidence of the benefits associated with the expanded use of health IT, as well as the fact that 70 percent of Americans are concerned about the privacy of their health information, I am surprised to learn that HHS objects to this recommendation. It is clear that the health care industry faces challenges in protecting electronic health information given the varying state laws and policies, the entities not covered by HIPAA, and the need to implement adequate security measures. But while more and more companies, providers, and carriers move forward with health IT, I fear that privacy suffers while HHS takes time to decide how to implement privacy protection. HHS must address these issues in a more timely fashion in order to give the private sector guidance on how to move forward with health IT and protect the private health information of all Americans.”

Senator Akaka is spot on. The HHS has not yet applied any penalties or fines for the HIPAA Privacy Rule, with which covered entities (CEs) have had to comply since April 14, 2001, or the HIPAA Security Rule, with CE compliance required since April 21, 2003, DESPITE having received tens of thousands of formal complaints regarding compliance.
I have had some very disheartening conversations with folks in the enforcement office of the Office for Civil Rights (OCR) that is responsible for Privacy Rule compliance and the Centers for Medicare and Medicaid Services (CMS) enforcement responsible for Security Rule compliance; they have basically told me that it would be highly likely that they would actively apply any penalties.
Why? Why not enforce the law? Having a law that CEs know will not be enforced puts privacy and security of PII at different types of risks than if there were no law. The law creates a false sense of security and trust within the public that their privacy is being protected, while the CEs with possession of the PII, knowing there are no penalties being applied for noncompliance, may leaving PII at great risk in many ways by not applying the legally required safeguards.
HHS, why?
A report was also posted on February 1 by the Government Accountability Office (GAO), “Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy
Perhaps this will reveal at least part of the answer.
The GAO provides the following findings:

“HHS is in the early phases of identifying solutions for safeguarding personal health information exchanged through a nationwide health information network and has not yet defined an approach for integrating its various efforts or for fully addressing key privacy principles. For example, milestones for integrating the results of its various privacy-related initiatives and resolving differences and inconsistencies have not been defined, and it has not been determined which entity participating in HHS’s privacy-related activities is responsible for integrating these various initiatives and the extent to which their results will address key privacy principles. Until HHS defines an integration approach and milestones for completing these steps, its overall approach for ensuring the privacy and protection of personal health information exchanged throughout a nationwide network will remain unclear.”

Further disheartening? Indeed. C’mon, work within the government agencies does NOT have to go as slow as molasses; the HHS should step up and show they do not fit the cliches. Look at the FTC; they don’t sit around twiddling their thumbs worrying how to make progress, they actively enforce the multiple laws for which they are responsible.
HIPAA was passed in 1996. 11 years ago. We have had many generations of new technologies emerge, and even come and go, in that time. However, PII is still PII. The concepts for protecting PII are still the same. These issues should have been addressed by the oversight agency, HHS, by now…long before now.
The GAO recommends:

“To increase the likelihood that HHS will meet its strategic goal to protect personal health information, we recommend in our report14 that the Secretary of Health and Human Services define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should:
1. Identify milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, including the results of its four health IT contracts and recommendations from the NCVHS and AHIC advisory committees.
2. Ensure that key privacy principles in HIPAA are fully addressed.
3. Address key challenges associated with legal and policy issues, disclosure of personal health information, individuals‚Äô rights to request access and amendments to health information, and security measures for protecting health information within a nationwide exchange of health information.”

Sound recommendations, right? Well, apparently too overwhelming for the HHS.

“In commenting on a draft of our report, HHS disagreed with our recommendation and referred to ‚Äúthe department’s comprehensive and integrated approach for ensuring the privacy and security of health information within nationwide health information exchange.‚Äù However, an overall approach for integrating the department’s various privacy-related initiatives has not been fully defined and implemented. While progress has been made initiating these efforts, much work remains before they are completed and the outcomes of the various efforts are integrated. HHS specifically disagreed with the need to identify milestones and stated that tightly scripted milestones would impede HHS’s processes and preclude stakeholder dialogue on the direction of important policy matters. We disagree and believe that milestones are important for setting targets for implementation and for informing stakeholders of HHS’s plans and goals for protecting personal health information as part of its efforts to achieve nationwide implementation of health IT.
HHS did not comment on the need to identify an entity responsible for the integration of the department’s privacy-related initiatives, nor did it provide information regarding an effort to assign responsibility for this important activity. HHS neither agreed nor disagreed that its approach should address privacy principles and challenges, but stated that the department plans to continue to work toward addressing privacy principles in HIPAA and that our report appropriately highlights efforts to address challenges encountered during electronic health information exchange. HHS stated that the department is committed to ensuring that health information is protected as part of its efforts to achieve nationwide health information exchange.”

Why is the HHS allowed to drag their feet on these recommendations? Why aren’t they told to meet their obligations? Why doesn’t their boss, President Bush, tell them to get off the stick and get some changes made, pronto, to fix these issues?
The concluding paragraph within the GAO report puts it well:

“…without a clearly defined approach that establishes milestones for integrating efforts and fully addresses key privacy principles and the related challenges, it is likely that HHS’s goal to safeguard personal health information as part of its national strategy for health IT will not be met.”

If HHS does not make changes, PII safeguards will “not be met.”
The GAO provided within their report the following information in table form.

Challenges to Exchanging Electronic Health Information Areas
Understanding and resolving legal and policy issues
• Resolving uncertainties regarding the extent of federal privacy protection required of various organizations
• Understanding and resolving data sharing issues introduced by varying state privacy laws and organization-level practices
• Reaching agreements on differing interpretations and applications of the HIPAA privacy and security rules
• Determining liability and enforcing sanctions in case of breaches of confidentiality
Ensuring appropriate disclosure
• Determining the minimum data necessary that can be disclosed in order for requesters to accomplish their intended purposes
• Determining the best way to allow patients to participate in and consent to electronic health information exchange
• Educating consumers about the extent to which their consent to use and disclose health information applies
Ensuring individuals’ rights to request access and amendments to health information
• Ensuring that individuals understand that they have rights to request access and amendments to their own health information
• Ensuring that individuals’ amendments are properly made and tracked across multiple locations
Implementing adequate security measures for protecting health information
• Determining and implementing adequate techniques for authenticating requesters of health information
• Implementing proper access controls and maintaining adequate audit trails for monitoring access to health data
• Protecting data stored on portable devices and transmitted between business partners
Source: GAO analysis of information provided by state-level health information exchange organizations, federal health care providers, and health IT professional associations.”

Yes. These certainly are all challenges.
CISOs and CPOs must also ensure they address these challenges. Many of these are completely off the radars of CISOs and CPOs, but are necessary to ensure privacy. These challenges are basic privacy principles and requirements throughout the world in addition to within HIPAA and other U.S. laws and regulations. This is a good list for CISOs and CPOs to keep front and center so they don’t get overlooked with all the firefighting activities they do throughout the day.

Tags: , , , , , , , , , ,

Leave a Reply