Thursday, May 28, 2009

Privacy Advocates Release Guidelines for E-Records Data Breaches

One of the most important challenges for privacy advocates these days is making sure that our nation's transition to electronic medical records includes ironclad data safeguards.

"The ship has sailed" when it comes to whether we are moving forward with the transition to a completely digitized medical records system. The fact is it will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

Just one challenge that must be addressed once such a system is in place is how to deal with a data breach. The New York Times recently pointed out this concern: "with paper records the opportunities for breaches are limited to over-the-shoulder glimpses or the occasional lost or stolen files. But when records are kept and transferred electronically, the potential for abuse can become as vast as the Internet."

As such, the Center for American Progress, the Markle Foundation's Connecting for Health Initiative, the Center for Democracy and Technology, and other signatories have provided a series of guidelines for the Department of Health and Human Services in the event of a medical data breach.

Peter P. Swire, a Senior Fellow at American Progress, summed the challenge up thusly:

"The health IT initiative depends on the degree to which patients and consumers trust that health information will be protected from inappropriate use and disclosure. Large, unnecessary data breaches could undermine confidence in health care privacy and security. The new data breach guidelines, therefore, are a crucial way to reduce the number of breaches and build privacy and security effectively into the new health IT infrastructure."

Key report guidelines include:

Support the strong encryption and data destruction standards included in the current guidelines.

Recommend adding to the list of accepted technologies and methodologies a one-way hash function, a technical approach that is particularly useful for comparing population-level data sets without unnecessarily exposing patient data.

Urge HHS not to add the “limited data set” to the list of the technologies and methodologies because that approach does not employ the technical levels of protection achieved through encryption and one-way hashing.

Ask HHS to emphasize that the technologies and methodologies are in addition to the existing requirement to use the minimum amount of data necessary to accomplish a particular purpose.

Recommend that HHS carefully examine unintended and possibly negative consequences of creating an exclusion based on biometric approaches to safeguarding devices that contain personal health information.

Recommend careful study of the existing “de-identification” standard under the Health Insurance Portability and Accountability Act medical privacy rule, and consider whether data currently defined as “de-identified” should remain outside of HIPAA, including with respect to breach notification.

Urge HHS to expressly commit to annually reviewing the data breach guidance and set forth a process for doing so.

Recommend HHS use threat profiles as part of this annual review to evaluate the potential of policies, technologies, and methodologies to protect and secure personal health information.
