Sufficient confidentiality needs to be assured before a nationwide system will be ready for implementation
Several weeks ago, Paul Feldman, the cochairman of a Department of Health and Human Services advisory group on technology, handed in his resignation and headed for the door. On the way out, he and a colleague at the Health Privacy Project delivered a warning.
"We have determined," wrote Feldman and Janlori Goldman, the executive director of the Health Privacy Project, that the group has "not made substantial progress toward the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network."
Feldman's abrupt departure from an arm of HHS's American Health Information Community was just the latest in a series of stinging accusations that the Bush administration and officials at HHS have been lax — some say negligent — about creating and enforcing the kind of privacy and security policies that are essential if the government is serious about setting up a fully effective nationwide health information network.
Not walking the walk?
The most politically damning critique hit at the beginning of February, when lawmakers released a GAO report that concluded that the Bush administration had never matched its rhetoric on a national health information with policies that would ensure privacy.
The government investigators concluded that in the three years since President Bush issued a mandate outlining a goal to create an national health information network (NHIN), HHS never "defined an overall approach for integrating its various privacy-related initiatives and addressing key privacy issues."
A host of privacy experts and advocates have been heralding these barbs as a long-needed prod for an administration that's been better about spelling out a vision of a future interconnected health care world than defining the regulatory framework on privacy and security that will be needed to make it work.
Supporters of the administration's approach, though, say that much of this recent bout of criticism is overblown and premature. It takes time to develop new federal policies, they say. Meanwhile, even some of the administration's harshest critics say that key officials are offering a few signs that the recent charges may signal a change of attitude.
Feldman's committee was looking at new ways to extend privacy to electronic health records that aren't covered by HIPAA and considering what measures might be needed to make up for limitations of the federal statute. However, critics also contend that HHS's limp approach to privacy protection has been underscored by its unwillingness to use any of the penalties outlined under HIPAA for anyone who has violated the federal statute.
"There have been more than 25,000 HIPAA complaints and not a single civil monetary penalty has been assessed against anyone," says Mark Rothstein, JD, chairman of the subcommittee on privacy and confidentiality of the National Committee on Vital and Health Statistics, another adviser to HHS. "There have been a handful of criminal prosecutions for stolen information, but not one of those stemmed from referrals from HHS."
"The NHIN has to include a vigorous enforcement," adds Rothstein, a professor of medicine at the University of Louisville and director of the Institute for Bioethics, Health, and Law. "Without enforcement we're sending the wrong message to everyone. We're saying they don't have to take this stuff seriously." The worst that can happen to anyone now, he says, is that they get called in by the HHS for a scolding.
HIPAA's privacy and security rules are limited to health plans, health clearinghouses, and providers that submit electronic claims. In just the last few months, big employers like Wal-Mart have begun to aggressively set up electronic health record systems for workers and providers are establishing regional and local alliances.
Many privacy and security issues on non-HIPAA-covered health records have been ignored by regulators, Rothstein warned a Senate subcommittee recently.
There's been no decision on an opt-out provision for people who might not want their health records in the nationwide health information network; no progress in determining whether individuals should have control over the health information that does become a part of the NHIN; no progress on defining possible levels of access based on the need to know; and no push past HIPAA to extend privacy protections.
"HHS has not made any discernible progress on developing policies in regard to any of these foundational issues," Rothstein testified in February. The four contractors picked by HHS to develop proposals for the NHIN haven't even been encouraged by the HHS to adopt privacy enhancing technology.
HHS insists that it is moving full speed ahead on privacy and security.
Susan McAndrew, deputy director of health information privacy in HHS's Office of Civil Rights, responds that "We've actually been able to achieve voluntary compliance in over 4,000 investigated cases that have led to corrective action and resulted in systemic change. I think that the absence of civil monetary penalties speaks well of the industry's willingness to work with us."
For the lawyer Kirk Nahra, agreeing to cochair the HHS advisory committee with Feldman was a chance to address two big-picture issues regarding the privacy and security of electronic health records: focusing on elements not covered by HIPAA and finding where the regulations simply weren't good enough to do what is needed. They began meeting last summer, says Nahra, and he's perplexed why anyone would think that is nearly enough time to achieve significant progress.
Not the first time
"These are really hard questions," adds Nahra. "I think what's happening in reality is that you have a business environment that is moving much faster than the ability of the government to develop rules for it. And that, by the way, is not the first time that's happened."
Nahra also doesn't believe that HHS made a bad decision in choosing not to apply civil and criminal penalties against people accused of violating HIPAA.
"When the rules first went into effect, it went a long way to eliminating irrational fear," says Nahra. "It allowed the system to continue to proceed. There was a lot of concern that information flow would stop, that doctors would stop talking to other doctors."
Now, he adds, HHS's supportive approach has a neutral effect — neither positive nor negative.
"I'm hopeful," says Rothstein. "I think HHS is talking about more initiatives on privacy. Even if they turned on the jets, it would take weeks or months before we had something. But I do sense a greater recognition that privacy issues are important."
The consequence of continued inaction, he adds, could be catastrophic for the NHIN as well as for many people's personal health.
"If patients feel that nobody is going to protect their privacy — if they have substance abuse, go to an STD clinic, or get treated for mental health and could be stigmatized, they're more likely to stop going to a doctor and they're going to get worse. You can't operate a health care system unless patients have absolute trust in the confidentiality of the information they reveal."