iHealthBeat Perspectives Article: “HHS Holds Keys to Next Generation of Health Information Privacy”

CDT published an article in iHealthBeat yesterday, calling on the U.S. Dept. of Health and Human Services (HHS) to take charge on privacy issues. In the iHealthBeat article, CDT points out that HHS should take full advantage of the opportunities before it to establish strong rules in favor of privacy and meaningful enforcement. CDT also urges HHS to enhance communication and coordination on privacy issues within its subagencies and other federal agencies.

The American Recovery and Reinvestment Act of 2009 (ARRA) makes a significant taxpayer investment in health information technology (health IT). A new generation of improved privacy protection is critical to preserve patient trust in a system of digitized health records. In ARRA, Congress provides HHS with numerous opportunities to strengthen privacy in health care, such as through rulemakings and staff appointments. There is some evidence of improvement in both the coordination and regulation areas. For example, the HIPAA Privacy and Security Rules were previously enforced by two different offices within HHS, but both are now enforced through the Office of Civil Rights (OCR). HHS should seize this opportunity to ensure better compliance with, and enforcement of, the Privacy and Security Rules. To do so, OCR will have to coordinate closely with the HHS Office of the National Coordinator (ONC), which oversees the national strategy for electronic health information exchange.

In the area of regulation, HHS took some positive steps forward in its recent breach notification rulemaking. HHS granted an exemption from notification of data breaches in instances where the data was protected through strong encryption or destruction standards, but HHS declined to extend the same exemption to limited data sets. However, HHS also included a “harm standard” which allows health care companies to decide for themselves whether to notify patients of a breach if they determine the breach does not pose a “significant risk” of financial, reputational or other harm to patients. This harm standard undermines the incentives for health care companies to encrypt data in the first place. (See CDT’s recent blog post on the HHS harm standard for more information.) As the iHealthBeat article points out, there are still many chances for HHS to establish and implement patient-oriented health privacy rules. Through ARRA, Congress laid the groundwork for effective system-wide stewardship of patient data – but this promise will not be realized without strong leadership from HHS.