Where does HIPAA go? Wherever it wants.

The GAO just issued another assessment of HHS's and ONCHIT's progress in identifying and addressing key HIPAA and other health IT related privacy issues, and developing an overall approach to HIT privacy. The federales — not known for nimbleness — have made significant progress, but have not yet fully addressed all of the issues on this front tagged by GAO in its Febuary 2007 HIT report. In GAO-speak:

We recommended that this overall approach include (1) identifying milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles in HIPAA are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of our recommendation, and it has taken important steps in addressing the two other parts. Nevertheless, these steps have fallen short of fully implementing our recommendation because they do not include a process for ensuring that all key privacy principles and challenges will be fully and adequately addressed. In the absence of such a process, HHS may not be effectively positioned to ensure that health IT initiatives achieve comprehensive privacy protection within a nationwide health information network.

This assessment may, in fact, be too kind. The federales' June 2008 HIT strategic plan, though full of privacy and security objectives, strategies and compliance, has been critiqued by some observers as being somewhat out of touch with reality. There's a lot further to go.

In related privacy news, HHS released some HIPAA FAQs this week — two information sheets, one directed at consumers and one at providers. No new information there, but perhaps they will be useful in eliminating basic HIPAA confusion in some quarters. HIPAA should no longer the universal excuse for being unable to provide information to or about a patient, or to agree to a particular provision while negotiating a deal (though it's still proffered as an excuse sometimes, as is Stark and Sarbanes-Oxley, usually more because a party to a negotiation just doesn't want to agree to a particular contract term and is seeking to hang their hat on some external factor).

Moving from HIPAA privacy to HIPAA security: Another recent development is the release of a new health informatics information security management standard by the ISO. Quoth the press release:

ISO 27799:2008 applies to health information in all its aspects – whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it. The standard specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their size and circumstances.

It remains for someone better-versed in the technical end of things than I am to assess whether ISO compliance and HIPAA compliance could dovetail neatly in a manner that may yield more reliable protections for health information security, or whether this ISO standard will be a wrench thrown in the works of evolving HIPAA security rule compliance.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting