Giving Patients Easy Access to Health Info: A Balancing Act
David Holtzman of HITprivacy on Regulatory, Industry Challenges Facing Healthcare
As regulators push healthcare entities and technology vendors to provide patients with easier access to their electronic health information, organizations face a delicate balance between compliance and the prevention of potential security breaches, says attorney David Holtzman, founder and principal of consulting firm HITprivacy LLC.
A top priority for the Department of Health and Human Services - through its HIPAA patient "right of access" initiative and provisions contained within the 21st Century Cures Act - is to ensure that individuals have access to their health information. And that's not just HIPAA-protected information, says Holtzman, "but all of the health information that's maintained by a healthcare organization." Individuals have "the right of access to that information using the least disruptive consumer based technology that's available to them," he says.
But at the same time, that patient access objective to some extent affects HHS' Office for Civil Rights' regulators and the healthcare sector's compliance mindset, according to Holtzman.
"They have to be careful to not impinge on that priority of allowing individuals access, using third-party technology to health information," he says. "They have to make sure that they are adopting appropriate technologies that allow consumers access to all of this health information … but at the same time that they are not creating vulnerabilities that will impact or weaken their information security that protects that same health information from unauthorized disclosure."
In this video interview with Information Security Media Group, Holtzman also discusses:
- The latest HIPAA enforcement trends;
- Top healthcare cybersecurity challenges;
- Government efforts to help improve healthcare sector cybersecurity.
Holtzman previously served on the health information privacy team at the Department of Health and Human Services, Office for Civil Rights and as a consultant at security and privacy consultancy CynergisTek. He has two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations and is a member of the HHS 405(d) Task Group and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council.