Federal law aimed at ensuring electronic health information remains secure might not be strong enough to do the job, privacy and patient advocacy groups are arguing.
A primary goal of the Health Insurance Portability and Accountability Act of 1996 was to encourage electronic transactions among healthcare plans, doctors and hospitals while keeping patients’ medical records private, but based on the experiences of other businesses, where confidential information often has fallen prey to computer hackers, the groups worry the law’s protections may not be satisfactory.
“Simply put, we don’t think the legal protection under HIPAA is sufficient for the technological development planned — we’re not opposed to the technology, but we feel there should be more safeguards when (transmitting) some medical information,” Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C., told United Press International.
“There have been any number of security breaches in the financial services sector this year, and we know these problems are causing huge harm to consumers — as well as a huge cost to the economy,” Rotenberg said. “It’s clear from data about the rise in identity theft over the last five years that there are big privacy concerns.”
Another group already has sued the federal government over the issue. Citizens for Health — located in Minneapolis, but represented by Washington lawyer James Pyles — has a lawsuit pending in which they argue the new regulations could allow personal health information to be disclosed routinely without notice and without a patient’s consent.
“When the Bush administration first came into office, it agreed with the regulations to protect privacy, but less than a year later it reversed its position,” Jim Turner, the group’s chairman, told UPI. “In changing the regulations, the government allowed some 1.5 million people (to access) people’s medical records — a whole batch of health workers, insurance workers and suppliers were allowed … to read the records.”
The suit by Citizens for Health claims such open access is unconstitutional, based on the patient’s right to keep medical records private, Turner said.
“The trouble is that with the change in regulations, HIPAA has no teeth. If a person complains to the Department of Health and Human Services, nothing happens,” he said.
David Lynch, vice president of marketing at Apani, a network security software provider in Napa Valley, Calif., told UPI that hospitals seem unenthusiastic so far about implementing HIPAA. He also noted that the healthcare business faces its own unique set of problems where records privacy is concerned.
For example, Lynch said, if a bank or credit-card company has a data breach and confidential information is lost, the customer will make his or her own decision whether to sever ties with that company, regardless of whether the government takes action against the firm.
“However, there is a difference in the healthcare world, there are less options,” he said. “If your doctor had a data breach, you are limited by your health insurance by which doctors and hospitals you can choose — it’s not like getting another credit card company.”
Lynch noted that so much information flows via the Internet — a public network — that even a casual observer could pick up sensitive information. “You’ve got to protect the information, such as having it encrypted,” Lynch added.