HHS Holds Keys to Next Generation of Health Information Privacy

by Deven McGraw
While lawmakers continue to debate health reform, health IT already is poised to be a major factor in changing how health care is delivered. Recognizing health IT's potential to enhance efficiency and quality of care, Congress made a substantial taxpayer investment in health IT earlier this year through the American Recovery and Reinvestment Act of 2009.

Congress also recognized that digitized health records pose privacy issues that, if left unresolved, can profoundly undermine patient trust in the health care system. Consequently, ARRA devotes significant attention to strengthening the privacy and security of health information.

However, stronger laws are not enough. Effective implementation -- including education, outreach and oversight -- will be needed to embed better privacy and security practices throughout the health care system, particularly as we move into the age of digital health records.

To realize the promise of health IT, we need a new generation of health privacy, and that can best be achieved through proactive and consistent privacy leadership from HHS. Specifically, HHS should:

  • Capitalize on opportunities provided in ARRA to strengthen and more effectively implement and enforce privacy and security protections for digital health information;
  • Ensure effective communication and coordination on privacy policy among its subagencies and offices, as well as with other federal agencies; and
  • Serve as an ongoing resource for stakeholders on the law and on effective privacy and security practices.

No Longer Business as Usual

The HIPAA Privacy Rule was based on a model of one-to-one transfer of information among traditional health care entities and their business partners who perform health-related functions on their behalf. The new health information exchange environment funded through ARRA will involve broader access and exchange among multiple entities, often through statewide, regional or national networks. Patients also will have greater opportunities to store and share copies of their health data.

While health IT can improve the quality of health care, it also increases the risks to privacy, and current laws -- even as improved by ARRA -- do not fully address them. Instead, ARRA delegates a number of critical policy choices to HHS in the areas of privacy and security, as well as in health IT infrastructure.

Building a system that effectively leverages health IT to improve care and simultaneously secures public trust requires a deft connection of these somewhat disparate dots. Simply stated, the challenge is daunting -- but it is not unachievable.

The Government Accountability Office regularly criticized the Bush administration for not paying sufficient attention to the privacy issues that arise with the adoption of health IT. HHS officials in the new administration appropriately express concerns about privacy, and there have been some promising developments.

For example, in technical guidance on breach notification issued by HHS last spring, the agency declined to exempt entities from breach notification merely because they use a limited data set or protect data only through access controls, instead limiting this safe harbor to data protected by strong encryption or by destruction.

However, recent developments suggest that there is room for improvement. In its recently issued interim final breach notification rules for HIPAA-covered entities, HHS adopted an overly broad harm standard advocated by industry: Notification is required only when the breaching entity itself determines that the breach poses a "significant risk" of harm to the individual.

Of particular concern is the considerable authority given to breaching entities to determine if and when a particular breach would cause harm to an individual whose data is unlawfully acquired or disclosed. Privacy and consumer advocates have argued against such a standard for many years, and yet HHS implemented one in an interim final rule with no indication that this crucial point was even under discussion.

Cooperation Crucial Inside, Outside Agency

The time has come for HHS to put some muscle behind its pro-privacy rhetoric. The department needs to establish clear lines of internal authority and oversight on privacy and security issues. These issues need to be prioritized by the HHS Office of the Secretary to ensure effective communication with the White House and the Office of Management and Budget, to identify cross-cutting issues in HHS programs and to ensure appropriate coordination among federal agencies. Depending only on individual subagencies and offices to provide leadership and oversight on privacy and security sends the wrong message about the department's commitment to this set of issues.

Within HHS, the Office for Civil Rights has historically overseen the HIPAA Privacy Rule and now also enforces the Security Rule. However, the Office of the National Coordinator for Health IT is charged with developing and implementing the national strategy for the widespread adoption of electronic health records and electronic health information exchange.

Moving health care into the digital age demands that privacy move into the digital age as well. Effective privacy and security policies for health IT must incorporate, build on and respond to the latest technological developments. Thus it is essential that ONC and OCR work seamlessly in interpreting and implementing national privacy and security policy. Both OCR and ONC bring considerable expertise to the table, and they will need to collaborate closely in developing policy that responds to the challenges of the digital age.

ARRA also requires HHS to appoint privacy officers for each of its regions, as well as a chief privacy officer within ONC. ARRA gives scant detail on the job duties of the CPO, so the position will be effective only if HHS empowers the CPO to report directly to the national coordinator and gives the CPO the authority and resources to pursue a forward-looking privacy strategy, working closely with other HHS agencies. Given the importance of privacy to the adoption of health IT, we also urge HHS not to wait until its statutory deadline of February 2010 to appoint the CPO.

In addition, HHS should better coordinate privacy policy among the lead agencies that establish and implement policies regarding the use of health data, including CMS and the Agency for Healthcare Research and Quality. HHS also needs to work collaboratively with other federal agencies, such as the Federal Trade Commission, which ARRA tasked with developing and overseeing rules for personal health records. HHS and FTC should strive for consistency on the privacy and security policies they implement.

Reduce Uncertainty That Stalls Progress

Building public trust in health IT also will require a greater understanding on the part of patients and industry stakeholders about health privacy law and policy. HHS should provide regular and proactive communication to both industry and consumers about rights under the law, compliance, best practices, and frequently asked questions.

Where uncertainty or misinformation about the law stands in the way of the data exchange needed to improve our health care system, it should be HHS' job to resolve that uncertainty -- not just to fall back on its enforcement role.

In addition, a proactive role for HHS calls for regular communication with Congress beyond the annual reporting requirements under ARRA. HHS should work with Congress when statutory changes are needed to respond to new developments or to resolve issues that current law doesn't address or addresses ineffectively.

Rubber, Meet Road

Congress has given HHS new tools to be a strong privacy steward for digitized health data. The numerous privacy provisions in ARRA, the rapidly evolving health care system and the serious privacy issues raised by health IT create the "perfect storm" of opportunity for privacy leadership.

Now it's up to HHS to make the most of these conditions and to protect health privacy with a comprehensive framework of safeguards, as well as to go above and beyond the minimum requirements of the law by anticipating and engaging privacy issues on a proactive basis.

Bolstering the legal requirements will do little unless HHS seizes this opportunity with gusto. A stronger commitment by HHS to privacy will create a health care system that is safer, more effective and worthy of patient trust.
