The Government Accountability Office (GAO) last week released a report accusing the U.S. Department of Health & Human Services (HHS) of not properly safeguarding the security of protected health information (PHI) derived from electronic prescribing (e-Rx) data. The same report criticizes the HHS Office for Civil Rights (OCR) for not fully enforcing privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS was required to issue guidance to covered entities on how to de-identify e-Rx data when that data is used for purposes other than direct patient care, no later than Feb. 2010. Citing "competing priorities," however, HHS has yet to offer such guidance.
The GAO report argued, "Until the guidance is issued, increased risk exists that covered entities are not properly implementing the standards set forth by federal regulations for de-identifying protected health information."
HHS and the OCR responded that existing regulations provide adequate safeguards for patient PHI: “Covered entities have been operating under these existing de-identification standards for almost 10 years, and it has not been OCR's experience in administering the Privacy Rule that the standards have been the subject of significant or frequent compliance issues by covered entities.”
The GAO nevertheless recommended that HHS issue de-identification guidance and establish a plan for a sustained audit capability.
Tags: Health IT