First of two parts...
Last week, the Government Accountability Office issued a mild rebuke to HHS over its handling of privacy and security issues while the department leads the federal effort to promote development of a national healthcare information network.
Reaction to the GAO report within the privacy community was far more strident. In fact, both HHS and the GAO were zinged with criticism.
The 52-page GAO report, issued Thursday, was the focus of discussion the following day in Washington at a meeting of the Senate subcommittee on federal government management, the federal workforce and the Senate Committee on Homeland Security and Governmental Affairs.
The report criticized HHS for failing to establish milestones to measure progress in development of privacy protections and for not having a person or organization in charge of coordinating federal privacy policy initiatives. HHS disagreed with the GAO's findings in a written rebuttal.
Mark Rothstein is director of the institute of bioethics, health policy and law at the University of Louisville (Ky.) School of Medicine. Rank his criticism of HHS on the milder side of the spectrum among the privacy experts contacted for this story.
Rothstein, in a telephone interview, did not take a whack at the GAO directly, noting only that its report "was much more polite than I was," during his testimony before the subcommittee chaired by Sen. Daniel Akaka, D-Hawaii. Rothstein said he recommended that Congress withhold funding for the national healthcare network until HHS makes significant progress on protecting privacy.
"The private sector is not waiting," Rothstein said. "It is racing ahead to develop personal health record systems, databases and other healthcare exchange mechanisms. Much of the stuff is not subject to HIPAA and if they (HHS) wait any longer, the horse will be out of the barn."
"In today's environment," he said, "HIPAA is totally ineffective. It was designed for purposes that were very narrow. There are scores of providers that are not covered entities and scores of others who get PHI (protected healthcare information) and are not covered entities, including employers. We need a privacy regime that is commensurate with that scope and nobody is moving on it."
He stopped short of accusing HHS of intentional foot-dragging, but suggested the department might be slow moving, or even a bit squeamish, about opening what will surely be a contentious debate.
"I assume, and I have no reason to think otherwise, that they're acting in good faith," he said. "Maybe they don't have the sense of urgency, but there are some issues that need to be decided now. They have sort of nibbled around the edges and have not taken up the threshold issues."
One particularly sore spot for Rothstein is HHS's apparent disinterest in the recommendations of the National Committee on Vital and Health Statistics. At the government's request, an NCVHS subcommittee on privacy and security began working on a series of healthcare IT and privacy policy recommendations. After 18 months of meetings and public hearings, on June 22 last year, the NCVHS submitted a six-page report of its findings in the form of a letter to HHS Secretary Mike Leavitt. Rothstein served as chairman of the NCVHS privacy subcommittee.
"There are 26 recommendations that the NCVHS made and they (HHS) have taken up none of them," Rothstein said. "David Brailer (the former head of the Office of the National Coordinator for Health Information Technology at HHS) asked us in the end of 2004 to take a look at that. It took all of 2005 and half of 2006 to hold hearings and come up with that report and it's been sitting there (with Leavitt at HHS) for six months. These are very complex and contentious issues. We found that out in our hearings. I would have loved to have avoided some of the contentious issues, but we did not have the option, and neither do they, of shelving some of the things that are really hard."
Rothstein said Congress appears to be getting the message.
"I certainly think that the members of the subcommittee and perhaps the full committee are getting a sense that time is of the essence, and that we need to do more on privacy, and that the department has really lagged behind."
Higher up the vituperative scale was the response to the GAO report from Deborah Peel, an Austin, Texas, psychiatrist and chairwoman of the not-for-profit Patient Privacy Rights Foundation.
Peel said HHS is part of the problem, not the solution, and the GAO report didn't go nearly far enough in its scope or criticism. "The heart of it is they don't ever define the term privacy," Peel said of the GAO, in a written response released Friday.
In its June 2006 report to Leavitt, Peel noted, the NCVHS defined health information privacy as "an individual's right to control the acquisition, uses, or disclosures of his or her identifiable health data."
In the original HIPAA privacy rule, she said, HHS defined the right of privacy as: "the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated."
Either definition of privacy works for her, Peel said, but by not settling on one, the GAO can accept at face value that HHS is working hard on defending privacy, which enables them to omit the cause of the privacy problem.
And that cause, according to Peel, is HHS itself.