Public-private sector debate on health IT turns to whose security is weakest

Security concerns remain a major sticking point on electronic health records, health IT in general, and greater levels of health information exchange and interoperability among potential public and private sector participants in those exchanges. An article in the Wall Street Journal two weeks ago by Deborah Peel, privacy advocate and founder of the non-profit Patient Privacy Rights, argued that due to the lack of comprehensive privacy, individual consent, and information disclosure controls, medical records simply aren’t secure. The opinion piece, which restates key themes that Peel has been expressing publicly for at least five years, served as fodder for a Fox News commentary that suggested Americans will be reluctant to put their medical data online not just due to the lack of consent and personal control over its disclosure, but because the government will have access to electronic health records. It’s not entirely clear that this is a fair characterization of Peel and other privacy advocates’ position, and it’s certainly a more partisan take that what many insist is an issue that persists regardless of which party is in power.

The tone of the current debate raises another point of contention about whose security is really the most problematic when it comes to protecting health information online. The privacy debate is focused as much on maintaining confidentiality as it is about consent for disclosure or control of data dissemination, so the simple fact that the government’s vision for electronic health records includes widespread interoperability and data exchange among health information systems logically produces an outcome where a given record is potentially accessible to many more parties, be they from government or industry. For all the conservative hand-wringing on this issue, there appear to be just a strong a concern among government agencies about data confidentiality and security measures, but the government’s concerns are about private sector security practices.

Speaking at an AFCEA event on Health IT in Maryland this week, Centers for Medicare and Medicaid Services (CMS) CIO Julie Boughn said that the security measures in place among some of the private sector organizations that seek to exchange data with CMS are so lacking in some cases as to be “almost embarrassing.” CMS is in a position to notice such deficiencies going forward as well, as it will serve as the agency administering the measures for meaningful use under which eligible health providers and professionals will seek to qualify for incentive funding to buy, implement, and use electronic health record technology. Boughn has long maintained that, due to the requirements they must follow under FISMA, federal agencies’ information security is stronger than the equivalent security provisions under the HIPAA Security Rule or other security control standards applicable to private sector health care organizations. She echoed that position again this week, suggesting that organizations seeking to use in nationwide health IT infrastructure and participate in health information exchange initiatives with government agencies will have to follow FISMA just as the agencies do.

It’s hard to reconcile the idea of imposing FISMA on non-government agencies with the complete absence of any references to or incorporation of standards or processes from FISMA in either the Health Information Technology for Clinical and Economic Health (HITECH) Act or in the meaningful use measures, EHR certification criteria, and technical standards proposed to date. Instead, the focus for security and privacy in health IT has been strengthening and otherwise revising provisions in the Health Insurance Portability and Accountability Act (HIPAA), the federal regulations codified under which serve as the basis for the single meaningful use measure for security. It seems the government leaders on health IT and the health care industry are pretty closely aligned on using the provisions of both the HIPAA Security and Privacy Rules, so it will be interesting to see if more of the FISMA framework makes its way into the overall health IT picture.