


38 government agencies to collect, share Americans’ electronic health records

Dec 10, 2014 | 6 mins
Data and Information Security, Healthcare Industry, Microsoft

Why does the Bureau of Prisons need access to the health records of non-felon Americans? It is just one of 38 agencies slated to collect, share and use Americans' health records under the new Federal Health IT Strategic Plan.

While I’m a big fan of NASA, why the heck does NASA need access to my health records? It is one of the agencies listed under “participating federal departments and agencies” that are slated to help collect, share, and use electronic health information, according to the recently released “Federal Health IT Strategic Plan 2015-2020” draft (pdf). A better question… why the heck does the Bureau of Prisons need to access the health records of non-felons?

When the new plan was released, National Coordinator Karen DeSalvo, MD, MPH, MSc said, “I am incredibly grateful for the participation of over thirty-five federal entities who worked in concert to develop this Plan, demonstrating the widespread interest across the government to digitize the health experience for every American.”

Although there are 37 bullet points listed under “participating federal departments and agencies,” one of those, Department of Justice (DOJ) and Bureau of Prisons (BOP), actually has two listings under the same bullet point. After separating them, there are 38 federal departments or agencies slated to share your health information.

  1. Administration for Children & Families (ACF)
  2. Administration for Community Living (ACL)
  3. Agency for Healthcare Research and Quality (AHRQ)
  4. Centers for Disease Control and Prevention (CDC)
  5. Centers for Medicare & Medicaid Services (CMS)
  6. Department of Agriculture (USDA)
  7. Department of Defense (DOD)
  8. Department of Education (DOE)
  9. Department of Justice (DOJ)
  10. Bureau of Prisons (BOP)
  11. Department of Labor (DOL)
  12. Department of Veterans Affairs (VA)
  13. Federal Communications Commission (FCC)
  14. Federal Health Architecture (FHA)
  15. Federal Trade Commission (FTC)
  16. Food and Drug Administration (FDA)
  17. Health Resources and Services Administration (HRSA)
  18. HHS Assistant Secretary for Financial Resources (ASFR)
  19. HHS Assistant Secretary for Health (OASH)
  20. HHS Assistant Secretary for Legislation (ASL)
  21. HHS Assistant Secretary for Planning and Evaluation (ASPE)
  22. HHS Assistant Secretary for Preparedness and Response (ASPR)
  23. HHS Office of the National Coordinator for Health Information Technology (ONC)
  24. HHS Office for Civil Rights (OCR)
  25. HHS Office of the Chief Information Officer (OCIO)
  26. HHS Office of the Chief Technology Officer (CTO)
  27. HHS Office of the General Counsel (OGC)
  28. HHS Office of Minority Health (OMH)
  29. HHS Office of the Secretary (OS)
  30. Indian Health Service (IHS)
  31. National Aeronautics and Space Administration (NASA)
  32. National Institutes of Health (NIH)
  33. National Institute of Standards and Technology (NIST)
  34. National Science Foundation (NSF)
  35. Networking and Information Technology Research and Development (NITRD)
  36. Office of Personnel Management (OPM)
  37. Social Security Administration (SSA)
  38. Substance Abuse and Mental Health Services Administration (SAMHSA)

At least the NSA, FBI and CIA are not on the list…

Federal agencies will collaborate with one another and with state, local, tribal, and private stakeholders to:

[Image: Federal agencies' collaboration for the Federal Health IT Strategic Plan (HealthIT)]

The plan lists a series of three-year and six-year goals, further broken down into objectives.

[Image: Federal health IT goals (HealthIT)]

According to DeSalvo, the goal of sharing health information “aligns with the Nationwide Interoperability Roadmap, a parallel activity led by ONC. The Roadmap is guiding interoperability solutions based on five key building blocks: core technical standards and functions; certification to support adoption and optimization of health IT products and services; privacy and security protections for health information; a supportive business, clinical, cultural, and regulatory environment; and rules of engagement and governance of health information exchange.”

HealthAnalytics explained, “To help strengthen healthcare delivery as a whole, the ONC and other agencies will work to improve clinical services centered around population health management and raise healthcare quality and delivery to provide safe, effective, patient-centered care.”

The new Federal Health IT Strategic Plan states, “The privacy and security of protected health information is a top priority of the federal government, and the government will continue to pursue efforts that ensure confidence and trust for individuals and their families, caregivers, providers, and others.” It might help boost confidence if federal agencies would stop being named in OIG reports as having poor security; it also doesn’t help that there are no guarantees that agencies, providers, or third parties won’t get hacked.

There have long been plans to move medical records to an electronic format for data sharing, but privacy issues are one of the legal barriers that have “hindered” the plan for sharing Electronic Health Records (EHR). BioMed Central broke down the barriers into the following categories: technical, motivation, economic, political, legal and ethical. Under legal barriers and protection of privacy, it states:

Public health agencies have the mandate and authority to collect private data from the population governed by the Health Insurance Portability and Accountability Act (HIPAA) in the US or similar legislation in other countries. A clear distinction between data containing personal identifiers and fully anonymous data may not always be possible, leading to restrictive policies on all types of data due to privacy concerns. Aggregated data without personal identifiers may not be sufficiently detailed for certain applications. Existing tools and standards for the de-identification of personal identifiers such as statistical data masking may not be known or available in many contexts.

But surely HIPAA implies that the agencies will collect, share and use our anonymized and fully de-identified health records? Back in 2009, the CDT explained how that is not necessarily the case. In “Privacy As An Enabler, Not An Impediment: Building Trust Into Health Information Exchange,” the CDT wrote:

HIPAA’s protections do not extend to “deidentified” health information. Thus, covered entities may provide deidentified data to third parties for uses such as research and business intelligence without regard to HIPAA. In turn, these entities may use these data as they wish, subject only to the terms of any applicable contractual provisions (or state laws that might apply). If a third party then reidentifies these data—for example, by using information in its possession or available in a public database—the reidentified personal health information would not be subject to HIPAA. It could be used for any purpose unless the entity holding the reidentified data was a covered entity.

Since “a number of researchers have documented how easy it is to reidentify deidentified data,” it seemed wise to search the Federal Health IT Strategic Plan for “opt” as in how to opt-out; but there were no results for that.

Public comments on the newly proposed Federal Health IT Strategic Plan (pdf) can be posted here until February 6, 2015. The plan states, “Based on this feedback, the federal government will release a final version of the updated Plan in 2015.”


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.