Federal lawmakers on Thursday said that HHS is not acting fast enough to implement privacy protections in its health information technology initiatives and that the department has moved too slowly to keep pace with pending legislation.
During a congressional hearing yesterday that coincided with a government report critical of HHS' privacy policies, Sen. Daniel Akaka (D-Hawaii) said that although he supports health IT efforts, he remains concerned about the low level of privacy protections built into HHS' plan to develop an interconnected health information network.
In his opening statement, Akaka cited recent breaches in key privacy protections, including the loss of a Veterans Affairs Department laptop computer, that have put sensitive medical information at risk. "Our personal health information must not be subject to these same failings," he said, adding that privacy and security "should never be an afterthought."
According to national polls, a majority of Americans said they are concerned that lax electronic security could lead to their private health information being exposed and potentially used against them, Akaka said. "This fear is understandable," he added.
The Government Accountability Office also on Thursday said it wants HHS to "define and implement" an overall privacy game plan that includes key principles addressing differences in states' laws, the amount of health information that could be released and the individual's ability to access and amend their own records.
The implementation of new technology has moved ahead of the development of privacy and security policies under the federal government's current health IT efforts -- a move that could prove difficult and costly to reverse, the GAO said.
In its report, the GAO said it wants HHS to establish tangible milestones and measures that ensure that personal health records and the overall exchange of health information will be properly secure and protected.
"While progress has been made initiating these efforts, much work remains before they are completed and the outcomes of the various efforts are integrated," said David Powner, GAO's director of IT management issues.
HHS officials said they disagree with the GAO recommendation. In written comments, HHS steered the GAO to its "comprehensive and integrated approach for ensuring the privacy and security of health information" initiatives, according to the report.
In 2005, HHS awarded several health IT contracts that include requirements for addressing privacy of personal health information. A year later, the department contracted for regional health information exchanges in 33 states and Puerto Rico as a way to field test organization-level privacy and security-related policies, according to the report. The American Health Information Community also has a work group dedicated to privacy and security policy.
"HHS has established and is pursuing (a) deliberative, comprehensive and integrated approach to ensure the privacy and security of health information within a nationwide health IT infrastructure," Robert Kolodner, interim national coordinator for health IT under HHS, told lawmakers. "Safeguarding personal health information is essential to our national strategy for health IT – and a strategy devoid of measures to ensure privacy and security would neither advance our interests nor those of the American people."
Kolodner countered the GAO report, citing more than eight HHS and ONCHIT initiatives designed to ensure that electronic records and other health IT components are safe and secure at the local, state and federal levels. To the more pointed GAO recommendation that HHS develop a set of measurable "milestones" to mark their progress, Kolodner said that at this point, the milestones are "at a very high level" and many are still unknown.
"Privacy is important," Kolodner said. "We need to make sure that we advance as deliberately and quickly as we can."
But the pace may not be quick enough for some lawmakers. Sen. George Voinovich (R-Ohio) told Kolodner that critical health IT legislation had been put on hold because HHS could not issue certain regulations fast enough. "I don't want to see this delayed because you're not doing the job you're supposed to be doing," he said.
Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine, said he agrees with the GAO's findings. "It is fair to conclude that health privacy has not received adequate attention at HHS, that prior efforts have lacked coordination and focused on the wrong issues, and that a sense of urgency is lacking," he said.
What do you think? Write us with your comments at href="mailto:[email protected]">[email protected]
href="mailto:[email protected]">[email protected]. Please
include your name, title and hometown.