HIPAA Regulatory Alert
Privacy advocates say GAO testimony against HHS too soft
Critics say changes to HIPAA privacy rule have not helped, question its ability to safeguard privacy
The GAO testimony before a House Committee on Oversight and Government Reform subcommittee summarized its January 2007 report to Congress that said HHS still needs to define and implement an overall privacy approach that identifies milestones for integrating the outcomes of its initiatives, ensures that key privacy principles are fully addressed, and addresses challenges associated with the exchange of health information.
GAO said challenges to exchanging electronic health information exist in four areas:
1. Understanding and resolving legal and policy issues. As health information expands across state lines, GAO said, organizations are challenged with understanding and resolving data-sharing issues introduced by varying state privacy laws. HHS intends to identify the variations in state laws through the privacy and security solutions contract it awarded in 2005, the testimony said.
2. Ensuring appropriate disclosure. Several organizations described issues associated with ensuring appropriate disclosure, such as determining the minimum data necessary that could be disclosed for requestors to accomplish the intended purposes for use of the health information. In June 2006, the National Committee on Vital and Health Statistics recommended that HHS monitor development of different approaches and continue an open, public process to evaluate whether a national policy would be appropriate.
3. Ensuring individuals' rights to request access to and amendment of their health information so that it is correct. GAO said that as the exchange of personal health information expands to include multiple providers, and as individuals' health records come to hold increasing amounts of information, keeping track of the origin of specific data and ensuring that incorrect information is corrected and removed could become increasingly difficult. Also, as health information is amended, HIPAA rules require that covered entities make reasonable efforts to notify certain providers and other parties that previously received the individual's information.
4. Implementing adequate security measures for protecting health information. Adequate implementation of security measures is another challenge that health information exchange providers must overcome, GAO said.
Department changes its position
While HHS initially disagreed with GAO's recommendation that it define and implement an overall approach for protecting health information, some time after the report was released the National Coordinator for Health IT agreed that such an overall approach is needed and said the department was taking steps to address the recommendation.
Also, since the report was issued, HHS said it has undertaken additional activities to address privacy and security concerns. Among those steps, the National Committee on Vital and Health Statistics' Subcommittee on Privacy and Confidentiality is drafting additional recommendations for the secretary of HHS on expanding the HIPAA privacy rule coverage to entities not currently covered; the privacy and security solutions contractor is in the process of analyzing and summarizing 34 states' final assessments of organization-level business practices and summaries of observations and key issues; and HHS awarded a contract on the State Alliance for e-Health, intended to address state-level IT issues.
Responding to GAO's original report, the Health Privacy Project's deputy director, Paul Feldman, resigned as co-chair of the American Health Information Community's Confidentiality, Privacy, and Security Workgroup. "We have determined we are unable to continue given that the workgroup has not made substantial progress toward the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network," the group said.
HIPAA privacy has been changed
Likewise, the organization PatientPrivacyRights said while it agreed with GAO on the need for a comprehensive privacy approach, it disagreed with the recommendation that HHS should ensure that key privacy principles in HIPAA are fully addressed. Chairperson Deborah Peel, a psychiatrist, said those making that recommendation wrongly assume that HIPAA still gives Americans the right to privacy.
"The key defect in the [GAO] report," the group said, "stems from the authors' lack of understanding that the 2002 amendments to the HIPAA privacy rule eliminated the patients' right of consent by replacing the consent provisions in the original HIPAA privacy rule with regulatory permission granted to more than 600,000 covered entities to use and disclose personal health information for treatment, payment, and health care operations… Without the right of consent, which ensures patients' right to medical privacy, it is impossible to ensure privacy in a national HIT system."
PatientPrivacyRights called on HHS and Congress to:
"Neither the GAO nor HHS can face the obvious fact that since HHS gutted the HIPAA privacy rule, relying on it as the federal standard for privacy, it cannot possibly ensure privacy," Peel said after GAO's testimony. "The GAO and HHS expect Congress and the nation to go along with the pretense that HHS and HIPAA are protecting our privacy when our records are naked for covered entities to see, use, and disclose for virtually any reason. It is almost impossible to conceive of a use of protected health information that would not fall under one of the three categories of treatment, payment, or health care operations, [and thus] covered entities are free to data mine and sell Americans' health records."
And privacy critic James Pyles, a Washington, DC, attorney, said the situation is actually much worse than described by GAO because the report "fails to acknowledge that there is wide consensus about necessary health information privacy protections in constitutional common law, the statutory and common law pertaining to the physician-patient and psychotherapist-patient privilege, and state privacy laws for mental health, HIV/AIDS, genetic, and cancer information."
Don't go back to previous version
Appearing before the subcommittee, Healthcare Leadership Council Executive Director Mary Grealy defended the current amended version of the HIPAA privacy rule, which she said her organization helped shape. The council has 34 members, including a dozen provider organizations and a greater number of pharmaceutical manufacturers and resellers.
"We are concerned that the transition to more widespread use of electronic medical records will prompt a reactive advocacy in some quarters for additional burdensome privacy regulations," she said. "It's important to note that the HIPAA privacy rule, which is already quite restrictive, was spurred by the growth in electronic transactions and contains ample provisions governing the confidentiality of information, electronic or otherwise. It's even more important to recognize that more restrictive rules, such as requiring providers and payers to obtain prior consent to treatment, payment, and health care operations would have a counterproductive and harmful impact on patient care. While HIPAA establishes a federal privacy standard, it permits state variations that are found in thousands of statutes, regulations, common law principles, and advisories."
And American Hospital Association Regulatory Counsel Lawrence Hughes said hospitals favor a national standard on privacy but see the need for a balance between protecting patients' privacy and treatment. "If you returned the privacy rule to its original version," he warned, "there would be significant obstacles to providing good quality care to patients." Hughes also said his association has no complaint about HHS's pace and process.
At the same hearing, the American Health Information Management Association (AHIMA) said Congress should act to expand protections for personal health records, resolve inconsistencies in HIPAA, and pass comprehensive non-discrimination legislation penalizing the intentional misuse of an individual's health information.
Pickard said that while his group wants to see consumer-based personal health records, in addition to standard provider-based electronic health records, this can't happen until the industry resolves important issues including expansion of privacy protections for personal health records, differences between HIPAA "business-associated" and non-covered third-party contractors, and protecting student health information by resolving conflicts that include HIPAA.
(Editor's note: You can download the GAO testimony at www.gao.gov/new.items/d07988t.pdf.)