BreachExchange mailing list archives

Tech Firms Ask Congress to Redefine Medical Privacy Rules
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Sep 2014 19:51:02 -0600

http://www.rollcall.com/news/healthcaregov_hack_raises_medical_privacy_questions-236069-1.html?pos=oplyh

Tech firms, including Amazon.com Inc., are asking Congress to redefine the
rules on medical privacy, saying the potential risks of disclosure should
be weighed again against the potential benefits of wider sharing and easier
access to crucial health data.

Executives of tech companies and health organizations have told the House
Energy and Commerce Committee in recent months that what they consider an
excessively conservative stance on health data privacy is hindering
development of new medical technologies and approaches to treatment, and
also adding costs to already burdened state and federal budgets.

“We, in our effort to protect the patients, are constructing a health care
system that they and we cannot afford, and we’re putting the balance in the
wrong spot,” Joseph M. Smith, a former Johnson & Johnson medical technology
executive who has been involved with venture capital projects, told the
committee in June. “In Congress’ view of trying to protect everyone from
that information, we may be protecting them to death.”

Much of what health researchers and executives seek involves clearer
guidance on what are known as HIPAA privacy regulations. The name reflects
their genesis as an add-on provision to the Health Insurance Portability
and Accountability Act of 1996 (PL 104-191).

Yet, these calls for a new look at HIPAA are coming at a time of marked
concern about the sanctity of consumers’ online accounts — health and
otherwise. House Republicans responded with great concern when the
Department of Health and Human Services this month announced that common
malware had been detected on the website for the federal medical insurance
exchange. No personal information was compromised as a result of this
intrusion on a healthcare.gov test server, HHS has said.

June brought a furor over the revelation of an experiment seeking to alter
the emotional state of about 690,000 Facebook users. That’s likely to
heighten people’s concern about how data in general is shared online,
especially medical records, said Justin Brookman, director for consumer
privacy at the Center for Democracy & Technology.

“By and large, they don’t expect that they are going to be guinea pigs,” he
said. “When we are talking about health information, people feel even more
strongly about it.”

In May, HHS reported a record HIPAA settlement of $4.8 million in a case
involving New York Presbyterian Hospital and Columbia University and
medical records for about 6,800 people, including laboratory results. The
hospital and Columbia learned of the security lapse when the partner of a
deceased patient found that person’s health information on the Internet.
New York Presbyterian and the university notified HHS of the security
lapse, and there’s been no indication any of that information was ever
accessed or used inappropriately. Still, HHS found their “approach to
guarding data” lacking and levied the record fine.

The complexity of HIPAA regulations and the threat of inadvertently
triggering fines keep many small companies from venturing into projects
that would involve using medical data, Smith said at the Energy and
Commerce meeting in June.

“Once they understand the HIPAA penalties and the machinery involved and
the limitations that imposes on the value that they could create, they
demur,” said Smith, now the chief medical and science officer at the
nonprofit West Health Institute, noting this has an effect on the United
States health system at large. The “innovative spirit” falters when “it
encounters that immovable object that we currently call HIPAA,” he said.

Large companies also are looking for changes in HIPAA. Paul Misener,
Amazon’s vice president for global public policy, in July told Energy and
Commerce that current rules make it difficult to negotiate contracts for
cloud computing services. Congress should direct HHS to provide clearer
guidance on the HIPAA requirements for cloud computing when the host firm
has no way of accessing the encrypted data that would be stored, he said.

The current interpretation “impedes health-care delivery entities from
leveraging cloud services by causing the parties to negotiate a ‘business
associate agreement’ in which virtually all of the terms are inapplicable
because the cloud services provider does not have access to health
information,” Misener said.

These complaints about HIPAA have caught the attention of a powerful
lawmaker who is intent on putting forth broad bipartisan health legislation
in the next session of Congress.

“We have heard on numerous occasions that there is a wealth of health data
available, but there are barriers to using it,” House Energy and Commerce
Chairman Fred Upton, R-Mich., told CQ Roll Call in an email last week. “We
are exploring opportunities to break down those barriers, allowing for
greater innovation and advancement, all the while protecting the privacy of
our patients.”

A look at HIPAA has been part of what Upton calls his 21st Century Cures
Initiative, which has drawn federal officials, including top Food and Drug
Administration regulators, to sit and publicly hash out ideas with company
executives and patient advocates.

Upton’s lead partner in the project is Diana DeGette, D-Colo., and the
backers so far include two Democrats competing for their party’s top spot
on Energy and Commerce, Frank Pallone Jr. of New Jersey and Anna G. Eshoo
of California.

At the June roundtable, DeGette spoke of the potential need for a new look
at HIPAA. She is also among the lawmakers who have said HIPAA rules may
need to be spelled out more clearly for cases where parents want to help
children suffering from mental illness. Pressure from such communities,
tech firms and mental health advocates almost certainly will put HIPAA on
the agenda for the next Congress.

The challenge with HIPAA is weighing the desire for researchers and
patients to get easier access to medical data, while maintaining proper
safeguards, DeGette told the health officials and tech executives at the
June Energy and Commerce meeting.

“That’s the balance we’ve always been trying to achieve,” DeGette told the
officials of medical firms serving on the roundtable. “It’s sounding like
you all don’t think we really have done that.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
