Laws Won’t Secure Health Data Privacy

Editor’s Note: For additional information about cyber security requirements for health care data, please see “HIPAA Audit Protocol Lacks Meat.”

From: Watchdog Watch

There is an ongoing debate about whether more needs to be done to “address the privacy and security of patients’ health information.” Two watchdogs, Consumers Union and the Center for Democracy and Technology, have issued a policy paper discussing the issue.

In “Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health and Information Exchange,” the NGOs discuss the importance of maintaining the privacy and security of personal health records while allowing for beneficial information sharing. The study states “that there is no inherent tension between protecting privacy and sharing health information for clinical treatment and other appropriate health-related purposes.” Policies and platitudes, however, will do little to protect personal health data or promote “appropriate” sharing of such data.

Instead, protecting patient data while allowing authorized dissemination requires rigorous compliance by all affected parties – including patients – with existing data protection processes, such as those embodied in the Federal Information Security and Management Act (FISMA).

A recent article on health data privacy concluded that “[t]he Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.”

The recent loss of patient data from the M.D. Anderson Cancer Center through theft highlights the fact that data security breaches are often initiated by parties who have little interest in policy nuances.
Effective data security requires resources, not only for hardware and software but also for training, testing, maintenance and monitoring.

If CU and CDT are serious about promoting protection of patient data, they should focus their efforts on ensuring that all organizations with access to patient data, private and public, also have the funds necessary to secure it. In short, cost-benefit analysis is at the heart of patient privacy protection.

  • See Achieving the Right Balance

 


One response to “Laws Won’t Secure Health Data Privacy”

  1. Travis Osterman says:

    It’s difficult to create legislation that will “protect” PHI because it is so technology dependent. This was the topic of a recent article I wrote. My vote would be for increased transparency.
