WASHINGTON, Feb. 13 (UPI) — The government Thursday issued standards health insurers and other entities must abide by to protect the privacy of electronically transmitted health data, but consumer advocates said the provisions would do little to ensure patient confidentiality.
“Overall, these national standards … will make it easier and less costly for the healthcare industry to process health claims and handle other transactions while assuring patients that their information will remain secure and confidential,” Health and Human Services Secretary Tommy Thompson said in a written statement. “The security standards in particular will help safeguard confidential health information as the industry increasingly relies on computers for processing healthcare transactions.”
The new standards, part of the Health Insurance Portability and Accountability Act of 1996, require health insurance companies, healthcare providers and clearinghouses that handle health data to establish procedures to protect the confidentiality and accessibility of health information maintained or transmitted electronically. This includes developing administrative, physical and technical safeguards to protect the data.
Companies not in compliance with the requirement are subject to a fine of $100 for each violation with a maximum of $25,000 per year, Donald McLeod, spokesman for the Centers for Medicare & Medicaid Services, the agency responsible for enforcing the security standards, told United Press International. Medicare providers that fail to comply also could be excluded from the Medicare program.
“I don’t really see that as enforcement,” Twila Brase, a nurse and president of the patient privacy advocacy group Citizens’ Council on Health Care, in St. Paul, Minn., told UPI. “The enforcement itself isn’t onerous enough to make anybody think twice about violating this.”
Brase said the fines are too small to be a deterrent to large multi-million-dollar insurance companies.
“All the standards that are created at the government level should ensure patients that their rights have been protected,” she said.
The concern is that inadequate safeguards on electronic data could result in the release of potentially damaging health information that can be linked to the specific individual, Brase said. There is no requirement for tracking where the data goes, so patients would have no way of knowing if their information has been released, she added.
“Not only can your health plan, your doctor and your clinic … share all this information without your consent and not necessarily tell you where it goes, but once it gets out there to other folks, they’re not even covered by the regulations,” she said.
Health insurers said they supported efforts to protect patients’ confidential information.
“We are strongly supportive of uniform and consistent regulations and enforcement of regulations that protect people’s privacy,” Larry Akey, spokesman for the Health Insurance Association of America, told UPI.
“We tend to think privacy advocates’ concerns are overstated” because “there is implied a level of maliciousness on the part of health insurers and healthcare practitioners that we don’t think exists,” Akey said. “People’s healthcare information is extremely personal and we want to do whatever we can to protect that as long as it’s not unnecessarily costly or overly burdensome.”
A source at HHS who spoke on condition of anonymity told UPI the enforcement of these new privacy regulations “is driven at getting (companies) compliant rather than punishing them.” The goal of the program is to make the processing of health insurance claims easier, not to fine companies that do not comply with the privacy regulations, the source said.
“A company can get kicked out of Medicare … but there’s no interest in doing this,” the source added. “We’re probably not going to fine them $25,000 if we can work it out.”
Failure to place significant fines on companies and prevent them from leaking health data to outside parties “will change the whole feel and use of the healthcare system in this country,” Brase said.
People will begin to realize they have no control over who has access to their confidential information and will be reluctant to share sensitive information, such as mental health problems, with physicians, she said.
Or patients may decide to pay in cash and not utilize their health insurance in order to protect their confidentiality, she said.
Brase also noted the regulations do not apply to the government, and if sensitive information reaches governmental agencies, they are not bound to protect a patient’s privacy.
“It’s sort of like the emperor’s new clothes,” Brase said. “The government … is trying to tell everyone the emperor has clothes in terms of privacy and protection, but really he has none.”