The U.S. Department of Health and Human Services (HHS) recently posted a blog entry about the final data security principles and framework for the Obama administration’s precision medicine initiative (PMI).
HHS Secretary Sylvia Mathews Burwell and Lisa Monaco, the assistant to the president for homeland security and counterterrorism, bragged in the blog entry about how secure the program will be.
I think the only logical reaction is, “Don’t these folks ever watch ‘Star Trek’? Or at least ‘The Bionic Woman’?”
The precision medicine initiative is supposed to create a giant database of at least 1 million Americans’ health and genetic information. This is presumably so the FBI has an easier time figuring out who used which cup. But in theory, this is so doctors have an easier time tailoring medical treatment to fit each patient’s genetic profile.
The HHS Office for Civil Rights supported the effort in February. OCR decreed that patients must be able to get access to any medical records within 30 days, for a modest fee. Apparently the 30-day limit applies whether a family doctor has records from 2015 in a file cabinet in Chicago, or an insurer has records from 1950 in salt caves in Siberia.
HHS OCR also imposes painful “civil monetary penalties” (fines) on insurers, health care providers and other Health Insurance Portability and Accountability Act (HIPAA) covered entities that violate HIPAA data security rules. The entities may have to pay fines if they get hacked (as if we haven’t all been hacked) or if they keep paper records in some kind of insecure environment in which the records might actually be useful.
On the one hand, protecting the patients’ privacy seems like a worthy goal.