Also included in providers' meaningful-use criteria under the program is a requirement that providers must attest that they have conducted a data security risk assessment. It was already a requirement under the Health Insurance Portability and Accountability Act that providers conduct risk assessments, but it wasn't getting done, Pritts noted.
“We could tell by looking at the breach reports, it was one of the areas that really needed to be addressed,” she said.
Providers must inform the Office for Civil Rights at HHS of health data breaches, one of numerous privacy and security requirements of the HITECH provisions of the American Recovery and Reinvestment Act of 2009, which also created the chief privacy officer position.
By adding a risk assessment attestation requirement to the meaningful-use criteria, the feds reinforced, and highlighted, that it needed to be done.
“If you draft a reg, you've done part of your job,” Pritts said. “It's also part of the government's job to communicate that out to the stakeholders.”
Pritts was a privacy lawyer and associate professor at the Georgetown University Health Policy Institute on Feb. 18, 2010, when she was named ONC's first chief privacy officer.
For many privacy advocates, patient consent—that is, the ability of a patient to control the exchange or use of his or her medical records—is the sine qua non of privacy.
Consent is one of the five totemic Fair Information Practice Principles of 1973 on which many privacy rules around the world are based. Consent is the definition of privacy according to a report by the National Committee on Vital and Health Statistics that studied healthcare information privacy in the digital age and made recommendations about it to HHS. Patient consent would have been required for disclosure of patient information for treatment, payment and other healthcare operations had the initial final privacy rule under HIPAA gone into effect. HHS amended that rule in 2002, replacing the consent requirement with permission to use and disclose patient information without consent for those purposes.
Since then, the restoration of patient consent has been a key objective in a trench war fought by privacy advocates. The latest battleground over consent is the federal rule governing the records of many drug and alcohol abuse patients, 42 CFR Part 2. More stringent than HIPAA, it requires a patient's prior consent before their treatment records are disclosed, even for treatment or payment.
ONC—with Pritts' involvement—oversaw multiple pilot programs to test various policies and technologies for consent management of these treatment records, as well as of other sensitive information similarly affected by state privacy laws.