As of Aug. 3, it has been 1,264 days since the HITECH Act, which broadly expanded the use of EHRs. The act touted enhanced protections for health information, but contained no mandate for data encryption. Stage 1 of meaningful use didn’t require encryption. The final Stage 2 meaningful use rule has been written and should soon be issued; the proposed rule’s language on encryption can charitably be called timid.
There’s still no final rule for the promised HIPAA breach notification, privacy and security enhancements which HITECH proposed. A final rule was sent to the Office of Management and Budget for review in March, with an “extended review” tag affixed to it a couple months later. OMB is within the Executive Office of the President.
It has been 1,046 days since the interim breach notification rule, which did not mandate data encryption, became effective. Under the rule, we know that protected health information for 21 million Americans has been compromised in more than 500 major breaches--and that doesn’t count the 30,000+ smaller breaches. Electronic PHI in the breaches was compromised because data wasn’t encrypted, plain and simple.
Many of the breaches involved Social Security numbers. It has been five years since the Office of Management and Budget, under President George Bush, ordered agencies to reduce unnecessary use of SSNs and six years since the Centers for Medicare and Medicaid Services first explored options. CMS again explored options in 2011, using methodologies the Government Accountability Office recently criticized. But aside from “exploring,” CMS hasn’t done a thing to reduce use of SSNs in the past six years--nearly four of them during President Obama’s watch.
In the Information Age, how can an administration, especially one with a populist bent and a President with a gift for persuasion, not embrace personal privacy as good for the nation, as well as good politics? It comes back to timidity. This administration does not believe it can win a national debate with business interests and some GOP members of Congress who are seeking to weaken privacy laws on protecting individual and business information. And it doesn’t want to raise any issues that could give the opposition any type of ammunition in an election year. But it wasn’t an election year until seven months ago.
Heck, this administration isn’t confident it can win a national debate on just about anything. Time and again, on banking regulation, health care reform, job creation, immigration, civil rights and environmental protection, the administration has fought with one hand behind its back and the other hand giving concessions to an opposition that from day one made clear it wasn’t going to support any legislation generated by the President.
And the administration still lost most of the debates. Maybe the timid bit isn’t working.