Healthcare Patient Data Laws Outdated: Consumers Union

Laws covering privacy and security of health data havent kept pace with changes in health IT, report from Consumers Union and Center for Democracy and Technology says.

9 Health IT Tools Patients Should Understand (click image for larger view and for slideshow)
Neither the Health Insurance Portability and Accountability Act (HIPAA) nor Californias Confidentiality of Medical Information Act (CMIA) do enough to address the privacy and security of patients health information. Thats the conclusion of the Consumers Union and the Center for Democracy & Technology, as outlined in their recently released policy brief.
Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange
observed that both HIPAA and CMIA are based on Fair Information Practice Principles (FIPs), a set of comprehensive guidelines that govern the way healthcare providers and related organizations collect, use, and safeguard personal information.
In general, these principles permit healthcare providers to exchange information for treatment, payment, and certain administrative activities without receiving specific authorization from patients. Providers need specific authorization, however, if the information is used in research or the sale of identifiable health information. FIPs also require health groups such as hospitals, health plans, and pharmacies to implement reasonable safeguards to protect electronic health data.
However, the policy brief, which was supported by a grant from the California HealthCare Foundation, based in Oakland, Calif., claims that gaps exist in the current laws that govern patient health information, and these laws dont address all of the objectives outlined in the FIPs.
[ Most of the largest healthcare data security and privacy breaches have involved lost or stolen mobile computing devices. For possible solutions, see
7 Tools To Tighten Healthcare Data Security
. ]
Like many states across the country, Californias healthcare system is developing new platforms for the exchange of patient data, including health information exchanges (HIEs), personal health records, and new technologies like tablets and smartphones.
In this environment, the authors recommend several steps to further safeguard
patient health information
, including calling for all business entities that access, use, and disclose personal health information to be held responsible for adhering to legal obligations to protect health data. The document also urges policymakers to enforce and strengthen existing federal and state laws that provide health privacy and security protections.
There needs to be a culture of enforcement at all levels; we are not just looking at governmental enforcement. I think the providers should look at enforcement themselves and that will create a culture of compliance, Mark Savage, senior attorney for Consumers Union, told
InformationWeek Healthcare.
Providers should be asking themselves, should we take the time to train our employees? When we discover that an unauthorized employee has actually opened up the health files of a celebrity, should we terminate the employment of that person?
The document also laments the fact that current laws have not kept pace with new technology and data exchange models that have recently emerged. Today, federal coverage under HIPAA is limited to traditional healthcare system entities (e.g., providers and insurers) and their contractors (business associates), the policy brief states.
According to Savage, who co-authored the policy brief, personal health records are a good example of HIPAAs limitations. Patients are providing information through Web-based access to personal health records, so they are trying to actually contribute to the management of their health data and to make it available to their provider. But in that particular situation, the online-based personal health record is not a HIPPA covered entity, Savage explained in an interview with
InformationWeek Healthcare.
To meet new security challenges, the brief recommends that laws protecting electronic health data such as the HIPAA Security Rule be reassessed to ensure that they address new security challenges and incorporate technological innovations such as
encryption
.
The document also notes that while California lawmakers recently extended the CMIAs scope, the law is still unclear whether these expansions suffice to provide comprehensive protections for consumers and patients regardless of which entity is accessing their information.
The policy brief also recommends:
--Strengthening the rules on the use of personal health information for marketing purposes.
--Improving clarity on how entities should comply with existing and new health privacy laws. These recommendations will reduce the uncertainties associated with sharing information lawfully, and should instill greater confidence in exchanging patient information to improve individual and population health.
--Standards for de-identifying health data should remain robust, and policymakers should establish penalties for inappropriate or unauthorized re-identification.
Finally, the report urges more emphasis on data-sharing models that support decentralization and local control. These models are preferred over duplicate databases. According to the brief, duplication and centralization of data increase security risks and privacy violations.
Get the new, all-digital
Healthcare CIO 25
issue of InformationWeek Healthcare. Its our second annual honor roll of the health IT leaders driving healthcares transformation. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Healthcare Patient Data Laws Outdated: Consumers Union