Witnesses at a House Oversight and Government Reform subcommittee hearing June 19 on the privacy of health information differed on almost every aspect of the issue, including whether existing privacy laws are adequate and whether the Health and Human Services Department is doing enough to enforce the law.
Representatives of the Government Accountability Office told the Information Policy, Census and National Archives Subcommittee that HHS lacks a strategy for managing its privacy policy initiatives and developing a comprehensive approach to the issue.
Valerie Melvin, director of human capital and management information systems issues at GAO, said Dr. Robert Kolodner, national coordinator for health information technology at HHS, told her at a meeting last week that he would develop such a strategy but offered no specifics about when or how he would do so.
Steven Engelhardt, a spokesman for Subcommittee Chairman Rep. William Lacy Clay (D-Mo.), said the lawmaker plans to introduce privacy legislation probably in the next month. Engelhardt said he could not predict the nature of the bill but that it would be influenced by what was said at the hearing.
Mary Grealy, president of the Healthcare Leadership Council, a coalition of chief executives from the health care industry, urged adoption of a national standard for protecting the privacy of health care information and said the Health Insurance Portability and Accountability Act of 1996 could serve that purpose. She acknowledged that HIPAA might need some tweaking but cautioned against a wholesale revision of the law.
Bryon Pickard, president of the American Health Information Management Association, said lawmakers should strengthen and expand HIPAA to protect personal health records and information maintained by other organizations not currently covered by the law.
“Health information privacy protections must follow personal health information, or PHI, no matter where it resides,” Pickard said. “Uniform, universal protections for PHI should apply across all jurisdictions in order to facilitate understanding and compliance.”
Although Grealy and Pickard would like to see state laws on the privacy of health information pre-empted by a federal law, “the wrong sort of pre-emption would repeal many existing privacy protections,” said Peter Swire, a law professor at Ohio State University who led the writing of the HIPAA rules during the Clinton administration. Swire also said he has “serious concerns about the lack of enforcement from HHS” of those rules.
HHS gives HIPAA violators an opportunity to change their ways before making an effort to impose penalties or criminal sanctions, Swire said. The department has referred 400 cases to the Justice Department for prosecution, and when it does so, it stops its own enforcement activity, he added. Meanwhile, Justice has prosecuted few, if any, of the cases.
However, Grealy said most HIPAA violations are simply misunderstandings of what is required under the law.
Swire said he was also critical of HHS for deciding not to make public the results of its nationwide review of health information privacy laws and rules, which vary from state to state.
Government Health IT presents Liesa Jo Jenkins, executive director of CareSpark, in this recent eSeminar, where she shared her experiences and insight into building a health information exchange that enhances community health, rewards regional collaboration and drives economic progress.
