HIPAA privacy protections are being tested
Is the primary federal privacy law up to the task of protecting patient information in the 21st century?
It’s a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law.
The key federal privacy law, the Health Insurance Portability and Accountability Act, was passed in 1996, an era in which the public Internet still was in its infancy.
HIPAA identified providers, payers and clearinghouses as the primary claims-creating and -handling organizations and singled them out as “covered entities” under the law, meaning they are required to comply with the law’s mandates on data transaction standards and security. The HIPAA privacy protection scheme centered on them as well.
Thus, what we’ll call the HIPAA paradigm sought to protect patient privacy mainly by placing a regulatory fence around this special class of organizations and individuals. Businesses that handled some of the data-processing tasks for covered entities were exempt from direct liability for privacy violations, but were contractually roped into the scheme through business associate agreements with the covered entities.
This regulatory paradigm continues to this day, with some modifications Congress enacted last year as part of the stimulus law, such as making business associates liable under HIPAA for privacy violations. By extending direct liability to business associates, in effect, the stimulus law moved the HIPAA regulatory fence out a bit, but kept covered entities in the center of the enclosure.
Keeping it safe?
Federal officials have spoken often about the “foundational” importance of privacy and security. The argument goes like this: If patients don’t trust that their information will be kept safe, then they won’t agree to have their information stored or shared on IT systems, so the potential quality and safety and cost improvements afforded by those systems—and the government’s investments in them—will come to naught.
David Blumenthal, head of the Office of the National Coordinator for Health Information Technology at HHS, said as much when he addressed an Aug. 4 meeting in Washington hosted by the Substance Abuse and Mental Health Services Administration, part of HHS.
Of the many health IT activities undertaken by his office, Blumenthal said, “none is more important than the issue that we’re talking about today, generically, and that is privacy and security of healthcare information.”
“We work within the HIPAA framework, and
Lubran: Consent rule helps people to feel like they’re in control.