Confidentiality Coalition Congressional Hill Briefing Provides Overview of Health Information Privacy and Security
The Confidentiality Coalition hosted a briefing for Congressional staff that provided a basic education on the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA is a federal law created to improve the efficiency and effectiveness of the healthcare system by standardizing the electronic exchange of administrative and financial information. Two experts joined Tina Grande, senior vice president of policy at Healthcare Leadership Council and chair of the Confidentiality Coalition, to discuss what information is covered under HIPAA.
Faith Knight Myers, McKesson’s privacy officer and vice president of global privacy, explained HIPAA’s Privacy Rule. She stated that HIPAA is meant to create a balance between protecting privacy and allowing health data to flow where it is needed. HIPAA is actually considered a basic level of protection, and states are free to create privacy requirements more stringent than HIPAA. Myers also clarified that de-indentified data is not subject to HIPAA and can be used for research. She described the “minimum necessary rule” as limiting the use of protected health information (PHI) to the minimum amount necessary to accomplish a purpose. Her presentation went into great detail and her slides can be found here.
Jennings Aske, vice president and Chief Information Security Officer at NewYork-Presbyterian Hospital, spoke about the Security Rule. He pointed out that the medical workforce has become more mobile, thus increasing the risk for potential security threats. He also noted that healthcare data is disproportionately affected by data security incidents, as it is considered more valuable on the black market than credit cards. The HIPAA Security Rule protects electronic PHI while allowing adoption of technologies that improves quality and efficiency. There is tension between the integrity and availability of health data, for instance a patient being able to access their records versus the risk of hacking. Aske stated that administrative, physical, and technical safeguards are required to protect health data, and guidelines exist to help. His presentation is available here.