
HOMELAND SECURITY OPERATIONS AND USE
OF PERSONALLY IDENTIFIABLE HEALTH INFORMATION
Approved by the
IEEE-USA
Board of Directors
17 June 2005
The IEEE-USA recognizes that a potentially significant conflict exists
between the mission areas of the Department of Homeland Security (DHS)
and the privacy, confidentiality and security protection of personally
identifiable health information.
Through Title II of the Homeland Security Act of 2002 (Public Law
104-113), the Department of Homeland Security's Directorate for
Information Analysis and Infrastructure Protection is given
broad authority to "access, receive and analyze" information from
federal, state and local government agencies and the private sector, to
integrate this information, and to disseminate it to other government
and private recipients. With this authority, DHS may request access to
medical databases and compile personally identifiable health
information. At the same time, under statutory exceptions to the privacy
requirements established in HIPAA (Public Law 104-191), doctors and
record archives may be asked to turn over personal medical records to
DHS without prior patient authorization. IEEE-USA is very concerned that
privacy breaches can occur if DHS accesses and absorbs personally
identifiable health information contained in public health information
databases. We believe DHS authority to access and disseminate personally
identifiable health data should be restricted unless adequate controls
are put in place to ensure the security and confidentiality of that
data.
Accordingly, IEEE-USA recommends that the Department of Homeland
Security:
- Establish clear policies for the collection and use of personally
  identifiable health information, whether it is protected under the
  final Health Insurance Portability and Accountability Act of 1996
  (HIPAA), or not
- Implement procedures so that personally identifiable health
  information within their purview is not inadvertently used to
  discriminate against individuals (e.g., in employment, insurance,
  etc.)
- Establish oversight mechanisms to carefully monitor use of personally
  identifiable health information
- Establish accountability for the use of personally identifiable health
  information by instituting significant penalties for misuse or abuse
  of that information
- Establish appropriate security processes to maintain data
  confidentiality, to assure integrity and documentation of access, and
  to oversee the use of personally identifiable health information.
This statement was developed by IEEE-USA's Medical Technology Policy
Committee and represents the considered judgment of a group of U.S. IEEE
members with expertise in the subject field. IEEE-USA is an
organizational unit of the IEEE. It was created in 1973 to advance the
public good and promote the careers and public-policy interests of the
more than 220,000 technology professionals who are U.S. members of the
IEEE. The IEEE is the world's largest technical professional society.
For more information, go to http://www.ieeeusa.org.
BACKGROUND
In November 1998, IEEE-USA issued a policy position statement, titled
"Principles for Privacy, Confidentiality, and Security of Personal
Health Information," that dealt with civil liberties and in using
personally identifiable health information. The final HIPAA
Privacy Act rules have defined and implemented many of these policies.
However, the final HIPAA Privacy Act is limited in scope to personally
identifiable health information held by health care providers, health
plans and health care clearinghouses. It does not protect health
information obtained from other sources.
Specifically, the final HIPAA Privacy Act rule, section 164.508, defines
disclosure of protected health information (PHI) with patient
authorization, and section 164.512
lists the circumstances under which PHI may be disclosed to a public
health official without authorization. It establishes the role of the
Department of Health and Human Services and other health agencies in not
only protecting privacy, but also controlling disclosure of PHI to law
enforcement agencies for security reasons. However, monitoring
accountability in this circumstance has not been established.
In response to the September 11 (2001) terrorist attack, Congress
established the Department of Homeland Security and charged it with the
mission of protecting America
from terrorists who may be planning and executing mass destruction
attacks in the United States and other security threats.
Also in the aftermath of 9/11, Congress passed the Patriot Act, which
expands the
investigatory and enforcement powers of several federal agencies. This
legislation has worried many observers, who point out that some
provisions of the Act may violate civil liberties, and permit use of
personally identifiable health information resulting in unintended
consequences for the person that information is about. The combination
of these two activities requires careful understanding of the need for
and nature of protection for personally identifiable health information.
IEEE-USA
2001 L Street, N.W., Suite 700
Washington, DC 20036-5104
Phone: 202-785-0017, Fax: 202-785-0835
Last Update: 22 June 2005
Staff Contact: Deborah Rudolph
Copyright © 2005 IEEE. Permission to copy granted for non-commercial
uses with appropriate attribution.