Despite assurances from federal officials that the move to electronic health records and a nationwide health information network would be accompanied by stronger protections for patient information--that indeed, the great HIT experiment could not work without consumers being confident that their records would be safe--privacy and security simply have not topped the agenda.

Someone in the government likely will take issue with that assertion. I look forward to publishing a forthcoming reply. But I hope the reply addresses the sorry state of health I.T. security as the era of meaningful use becomes real, and the lost year that 2010 was in terms of increasing the protection of health information. Consider:

On July 8, 2010, the Department of Health and Human Services' Office for Civil Rights released a proposed rule to strengthen provisions of the HIPAA privacy, security and enforcement rules. On Dec. 20, 2010, HHS announced via its semi-annual regulatory agenda that a final rule would come this month. Then on Feb. 21, Adam Greene, senior health IT and privacy advisor in OCR, told a HIMSS11 audience that the privacy, security, enforcement and breach notification rules would arrive "in 2011."

On July 30, 2010, OCR "temporarily" pulled a final breach notification rule it had developed but not yet published because of industry pressure that the rule wasn't strong enough. That rule apparently is arriving in conjunction with tightened security and privacy rules, "in 2011."

On Feb. 9, 2011, a proposed rule to govern disclosures of health information was sent to the Office of Management and Budget for final review before publication. It's still sitting there.

On Dec. 10, 2010, National Health I.T. Coordinator David Blumenthal, M.D., detailed ONC's 2010 achievements in a posting on his "Coordinator's Corner" blog. He rightly touted establishment of the temporary EHR certification program, final rules for the meaningful use program and Stage 1 standards and certification criteria, and ONC's Certified Health I.T. Product List. He didn't highlight privacy and security achievements.

On Jan. 3, 2011, registration opened for the electronic health records meaningful use incentive payments program. On Jan. 5, 2011, the first Medicaid meaningful use incentive payments were made. On Jan. 13, 2011, in a blog titled "EHR Adoption Set to Soar," Blumenthal wrote, "Rest assured there are also regulations in place to make sure that information stored in an EHR is protected."

He actually said that...

Meanwhile, since September 2009, more than 220 breaches of unencrypted protected health information affecting 500 or more patients have been reported to OCR under the breach notification law, along with more than 14,000--yes, 14,000--smaller breaches.

And those numbers don't count breaches where no notification is given because an organization has determined that no harm has occurred or will occur from its breach, because the government actually lets the offending organization make that decision. Really, you can't make this stuff up.

In April 2011, attestation for the Medicare meaningful use program begins. Meaningful use will be in full swing, as real as real can be, and without the protections to patient information that were promised to accompany the government's $27 billion to lure providers to accelerate adoption of health I.T.

I don't want to suggest that privacy and security are being totally neglected as federal officials and stakeholder advisory committees figure out the road to a nationwide health information network.

ONC's Privacy & Security Tiger Team of industry stakeholders is looking into a range of issues. But the team's work originally was expected to be complete in the fall of 2010.

To start meaningful use without the promised enhanced privacy and security rules just seems inexcusable. No one had to wait on Tiger Team recommendations to push through the rules mandated under the HITECH Act. If the Tiger Team comes up with better solutions, the rules can be amended.

If anyone in the government would like to defend this, I'd love to hear it.

Joe Goedert is News Editor at Health Data Management. He can be reached at

