Privacy and security issues are priorities for the administration when it comes to electronic health records, said government officials and members of a health information technology panel this week.

"Fundamentally, we recognize that meaningful use [of health IT] unquestionably brings in the privacy and security risks to the provider and to the consumers and that effectively addressing these risks is critical to the ultimate objective of furthering the adoption and proliferation" of electronic health records and information exchanges, said Dixie Baker, who leads the privacy and security work group of a health IT standards advisory committee to the Health and Human Services Department.

The Recovery Act provides nearly $20 billion to ensure every American has an e-health record by 2014. Eligible health care providers will be reimbursed for using health IT in a manner outlined in forthcoming federal criteria, including security specifications. Baker's work group, which is tasked with recommending such specifications, on Thursday called for keeping disclosures of electronic health information to a minimum, providing an account of all disclosures and allowing consumers to obtain copies of their electronic health records.

"When the HIPAA rules came into being, no health organizations had used wireless let alone cellular phones with a camera built-in," said Baker, an official with technical services firm SAIC. The 1996 Health Insurance Portability and Accountability Act requires patient confidentiality. But health IT vendors such as Google, Microsoft and data aggregators are exempt from the law.

Members of the work group also recommended periodic reviews of information system configurations to ensure access to patients' e-health records is granted only to relevant personnel. In addition, all personal health information transmitted internally should be encrypted, if there is a chance the data will travel over unsecured wireless or cellular networks.

Baker noted that some of the group's most extensive discussions have centered on encryption, or coding data to render it unintelligible.

All transmissions that leave a health care facility and cross over shared networks also should be encrypted, the members recommended.

Meanwhile on Wednesday, David Blumenthal, national coordinator for health IT, sent the first in a series of e-mail updates to the public on the rollout of initiatives mandated by the Recovery Act.

A footer on the message encouraged readers "to share this information as we work together to enhance the quality, safety and value of care and the health of all Americans through the use of electronic health records and health information technology."

Blumenthal's message acknowledged that widely available e-records will not be beneficial to people unless "we can assure all Americans that their personal health information will remain private and secure when this system exists" and called the establishment of safeguards for privacy "an ongoing priority that influences and guides all of our efforts."

Also on Wednesday, the Obama administration announced privacy safeguards aimed at regulating the entire health IT sector, including entities that HIPAA does not cover.

As part of that announcement, HHS issued new rules that require providers and insurers to notify patients when their electronic health information is breached. They also must alert the media when a breach affects more than 500 people.

In addition, the Federal Trade Commission released companion notification guidelines for personal health records that are handled by groups not covered under HIPAA.

The HHS rules include updated guidance on techniques for encrypting and destroying health information to render it unreadable to unauthorized users. Industries that follow these procedures do not have to notify patients when information is breached.

Under the guidance, which applies to the HHS and FTC rules, if a breach involves information that has been "deidentified" -- or stripped of names, birth dates, ZIP codes and other distinguishing data -- the leak would not be subject to notification requirements. The Center for Democracy and Technology, a civil rights organization, has criticized this exception because of the risk of re-identification. Part of the population can be re-identified when scrubbed information is combined with other data, such as voter registration lists, the group's officials said.
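The re-identification risk the Center for Democracy and Technology describes can be measured before a data set is released. The following is an added example, not code from the article or from HHS, FTC or CDT, showing the standard check a privacy engineer would run: k-anonymity, the smallest number of records that share the same combination of quasi-identifiers (here ZIP code, birth date and sex, the same columns a voter registration list carries). A combination held by a single record (k = 1) is a unique fingerprint that a join against such a list can resolve to one person. The patient records are constructed sample data, and the generalization policy (three-digit ZIP, birth year only) is an assumption chosen to illustrate how coarsening raises k.

```python
"""
Added example (not from the article): measure how re-identifiable a
"de-identified" record set is before release, using k-anonymity.

Stripping names is not enough when quasi-identifiers survive: the article's
point is that ZIP code, birth date and sex can be joined to public lists such
as voter registration that carry the same columns plus a name. The check below
counts, for every combination of quasi-identifier values, how many released
records share it. All records are constructed sample data, not real patients.
"""
from collections import Counter

# Constructed "de-identified" release: direct identifiers (names) removed,
# quasi-identifiers kept at full precision.
RELEASED_RECORDS = [
    {"zip": "02138", "dob": "1961-07-22", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1961-02-09", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1975-03-04", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1975-11-30", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "dob": "1988-01-15", "sex": "M", "diagnosis": "fracture"},
    {"zip": "02141", "dob": "1988-09-02", "sex": "M", "diagnosis": "flu"},
]


def quasi_key(record, generalize=False):
    """Return the tuple of quasi-identifier values used to group records.

    With generalize=True the values are coarsened the way an assumed
    de-identification policy would: ZIP truncated to its first three digits
    and birth date reduced to the birth year. Coarser values make more records
    share a key, which raises k.
    """
    zip_code = record["zip"][:3] if generalize else record["zip"]
    dob = record["dob"][:4] if generalize else record["dob"]
    return (zip_code, dob, record["sex"])


def group_sizes(records, generalize=False):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(quasi_key(r, generalize) for r in records)


def k_anonymity(records, generalize=False):
    """Return the k-anonymity of the record set: the smallest group size among
    all quasi-identifier combinations. k == 1 means at least one record is
    unique on its quasi-identifiers and can be singled out by a linkage join."""
    counts = group_sizes(records, generalize)
    return min(counts.values()) if counts else 0


def unique_records(records, generalize=False):
    """Return the records whose quasi-identifier combination is unique in the
    set, i.e. the ones a join against a public list could resolve outright."""
    counts = group_sizes(records, generalize)
    return [r for r in records if counts[quasi_key(r, generalize)] == 1]


def meets_k(records, k_required, generalize=False):
    """True if every quasi-identifier combination is shared by at least
    k_required records, the usual release gate for a chosen k."""
    return k_anonymity(records, generalize) >= k_required


def generalize_records(records):
    """Return coarsened copies of the records (the data a release would
    actually contain under the assumed policy), keeping the sensitive column."""
    return [
        {"zip": r["zip"][:3], "dob": r["dob"][:4], "sex": r["sex"],
         "diagnosis": r["diagnosis"]}
        for r in records
    ]


if __name__ == "__main__":
    # Names removed but ZIP and birth date kept: every record is unique (k = 1).
    print("k with full-precision quasi-identifiers:", k_anonymity(RELEASED_RECORDS))
    print("uniquely identifiable records:", len(unique_records(RELEASED_RECORDS)))
    # Coarsened values: each combination is shared by two records (k = 2).
    print("k after generalization:", k_anonymity(RELEASED_RECORDS, generalize=True))
    print("release meets k=2:", meets_k(RELEASED_RECORDS, 2, generalize=True))
    print("release meets k=3:", meets_k(RELEASED_RECORDS, 3, generalize=True))
```

Run against the constructed set, the full-precision release has k = 1 with all six records unique, which is the situation the group's officials describe: removing names alone does not prevent linkage. Generalizing ZIP and birth date raises k to 2, so no record is unique, but the set still fails a k = 3 gate, showing why the required k has to be chosen deliberately rather than assumed from the fact that direct identifiers were stripped.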
