The U.S. Department of Health and Human Services (HHS) recently posted a blog entry about the final data security principles and framework for the Obama administration’s precision medicine initiative (PMI).
HHS Secretary Sylvia Mathews Burwell and Lisa Monaco, the assistant to the president for homeland security and counterterrorism, bragged in the blog entry about how secure the program will be.
I think the only logical reaction is, “Don’t these folks ever watch ‘Star Trek’? Or at least ‘The Bionic Woman’?”
The precision medicine initiative is supposed to create a giant database of at least 1 million Americans’ health and genetic information. This is presumably so the FBI has an easier time figuring out who used which cup. But in theory, this is so doctors have an easier time tailoring medical treatment to fit each patient’s genetic profile.
The HHS Office for Civil Rights supported the effort in February. OCR decreed that patients must be able to get access to any medical records within 30 days, for a modest fee. Apparently the 30-day limit applies whether a family doctor has records from 2015 in a file cabinet in Chicago, or an insurer has records from 1950 in salt caves in Siberia.
HHS OCR also imposes painful “civil monetary penalties” (fines) on insurers, health care providers and other Health Insurance Portability and Accountability Act (HIPAA) covered entities that violate HIPAA data security rules. The entities may have to pay fines if they get hacked (as if we haven’t all been hacked) or if they keep paper records in some kind of insecure environment in which the records might actually be useful.
On the one hand, protecting the patients’ privacy seems like a worthy goal.
On the other hand, advancing medical research seems like a worthy goal. Maybe helping the FBI expand its DNA profile library is also a worthy goal.
On the third hand, the idea of creating a giant PMI database and, at the same time, making patient health data security a top priority seems fanciful.
If we have to choose, it seems as if we ought to let medical researchers have the information they need, set data security standards strict enough to slow the hackers down a bit, and then plan for what we do when the information is hacked. Because, of course, it will be.