HITECH Act's promise of data security not yet realized


The HITECH Act was intended to enable electronic health record innovation and adoption by plugging the data privacy holes left by the Health Information Portability and Accountability Act, or HIPAA. But according to testimony during a Nov. 9 Senate Judiciary subcommittee hearing, very few requirements have been implemented since the HITECH Act became law as part of the American Recovery and Reinvestment Act in 2009.

"Actual progress has been excruciatingly slow," Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, told the subcommittee on privacy, technology and the law.

"We need the regs. We need the regs. We need the regs ... I don't understand why this takes so long," added McGraw.

The HITECH Act aims to increase patient and provider trust in the confidentiality of sensitive health information, but some revisions may be necessary in order to enact real change, said Leon Rodriguez, director of the Health and Human Services Department's office of civil rights.

Under HITECH, there is no longer a hard requirement that a covered entity be given a chance to implement corrective action before HHS penalizes it, said Rodriguez. As a result, penalties are given quickly and are more expensive, but they are not necessarily forcing remediation, he added.

Under HITECH, the Federal Trade Commission is the enforcement authority for personal health record (PHR) vendors, which creates an enforcement gap because the FTC's focus is on contracts, not privacy, said McGraw. The FTC can only penalize a PHR vendor if the company says it won't release or share users' medical information and then does so. However, if a PHR vendor does not make that promise, or states in fine print that it can share patients' medical information, the FTC can't do anything, because sharing the data is then neither a breach of contract nor a violation of the terms of agreement, said McGraw.

McGraw also highlighted what she considers a growing area of concern: technology providers that don't fall within the health IT category but still host health information. End users are revealing more and more sensitive health information through their internet searches and over social networks.

Sen. Al Franken (D-Minn.), chairman of the subcommittee, said he would consider legislation to augment HITECH by requiring the encryption of health data, something panelists said is extremely rare among health IT companies at this point, and by requiring health data security rules to be applied to a broader segment of vendors.

For more:
- go to the hearing page (includes archived webcast and prepared testimonies)