HealthBlawg

David Harlow's Health Care Law Blog


Where does HIPAA go? Wherever it wants.

September 18, 2008

The GAO just issued another assessment of HHS's and ONCHIT's progress in identifying and addressing key HIPAA and other health IT related privacy issues, and in developing an overall approach to HIT privacy.  The federales — not known for nimbleness — have made significant progress, but have not yet fully addressed all of the issues on this front tagged by GAO in its February 2007 HIT report.  In GAO-speak:

We recommended that this overall approach include (1) identifying milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles in HIPAA are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of our recommendation, and it has taken important steps in addressing the two other parts. Nevertheless, these steps have fallen short of fully implementing our recommendation because they do not include a process for ensuring that all key privacy principles and challenges will be fully and adequately addressed. In the absence of such a process, HHS may not be effectively positioned to ensure that health IT initiatives achieve comprehensive privacy protection within a nationwide health information network.

This assessment may, in fact, be too kind.  The federales' June 2008 HIT strategic plan, though full of privacy and security objectives, strategies and compliance measures, has been critiqued by some observers as being somewhat out of touch with reality.  There's a lot further to go.

In related privacy news, HHS released some HIPAA FAQs this week — two information sheets, one directed at consumers and one at providers.  No new information there, but perhaps they will be useful in eliminating basic HIPAA confusion in some quarters.  HIPAA should no longer be the universal excuse for being unable to provide information to or about a patient, or to agree to a particular provision while negotiating a deal (though it's still proffered as an excuse sometimes, as are Stark and Sarbanes-Oxley, usually more because a party to a negotiation just doesn't want to agree to a particular contract term and is seeking to hang its hat on some external factor).

Moving from HIPAA privacy to HIPAA security: Another recent development is the release of a new health informatics information security management standard by the ISO.  Quoth the press release:

ISO 27799:2008 applies to health information in all its aspects – whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it. The standard specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their size and circumstances.

It remains for someone better-versed in the technical end of things than I am to assess whether ISO compliance and HIPAA compliance could dovetail neatly in a manner that may yield more reliable protections for health information security, or whether this ISO standard will be a wrench thrown in the works of evolving HIPAA security rule compliance.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


Filed Under: Ehealth, EHR, Health care policy, Health Law, HIPAA, HIT, Privacy


Copyright © 2006–2025
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.