HIPAA pri­vacy pro­tec­tions are be­ing tested

Modern Healthcare - - Front Page -

Is the pri­mary fed­eral pri­vacy law up to the task of pro­tect­ing pa­tient in­for­ma­tion in the 21st cen­tury?

It’s a ques­tion we put to opin­ion lead­ers in the le­gal, re­search, pol­icy, ethics, provider and technology fields within the health­care pri­vacy com­mu­nity. It comes as hos­pi­tals and of­fice-based physi­cians ramp up adop­tion of elec­tronic health-record sys­tems and join in­for­ma­tion ex­changes to qual­ify for their share of the $27 bil­lion in fed­eral in­for­ma­tion technology sub­sidy pay­ments avail­able un­der the Amer­i­can Re­cov­ery and Rein­vest­ment Act of 2009, also known as the stim­u­lus law.

The key fed­eral pri­vacy law, the Health In­sur- ance Porta­bil­ity and Ac­count­abil­ity Act, was passed in 1996, an era in which the pub­lic In­ter­net still was in its in­fancy.

HIPAA iden­ti­fied providers, pay­ers and clear­ing­houses as the pri­mary claims-cre­at­ing and -han­dling or­ga­ni­za­tions and sin­gled them out as “cov­ered en­ti­ties” un­der the law, mean­ing they are re­quired to com­ply with the law’s man­dates on data trans­ac­tion stan­dards and se­cu­rity. The HIPAA pri­vacy pro­tec­tion scheme cen­tered on them as well.

Thus, what we’ll call the HIPAA par­a­digm sought to pro­tect pa­tient pri­vacy mainly by plac­ing a reg­u­la­tory fence around this spe­cial class of or­ga­ni­za­tions and in­di­vid­u­als. Busi­nesses that han­dled some of the data-pro­cess­ing tasks for cov­ered en­ti­ties were ex­empt from di­rect li­a­bil­ity for pri­vacy vi­o­la­tions, but were con­trac­tu­ally roped into the scheme through busi­ness as­so­ci­ate agree­ments with the cov­ered en­ti­ties.

This reg­u­la­tory par­a­digm con­tin­ues to this day, with some mod­i­fi­ca­tions Congress en­acted last year as part of the stim­u­lus law, such as mak­ing busi­ness as­so­ci­ates li­able un­der HIPAA for pri­vacy vi­o­la­tions. By ex­tend­ing di­rect li­a­bil­ity to busi­ness as­so­ci­ates, in ef­fect, the stim­u­lus law moved the HIPAA reg­u­la­tory fence out a bit, but kept cov­ered en­ti­ties in the cen­ter of the en­clo­sure.

Keep­ing it safe?

Fed­eral of­fi­cials have spo­ken of­ten about the “foun­da­tional” im­por­tance of pri­vacy and se­cu­rity. The ar­gu­ment goes like this: If pa­tients don’t trust that their in­for­ma­tion will be kept safe, then they won’t agree to have their in­for­ma­tion stored or shared on IT sys­tems, so the po­ten­tial qual­ity and safety and cost im­prove­ments af­forded by those sys­tems—and the govern­ment’s in­vest­ments in them—will come to naught.

David Blu­men­thal, head of the Of­fice of the Na­tional Co­or­di­na­tor for Health In­for­ma­tion Technology at HHS, said as much when he ad­dressed an Aug. 4 meet­ing in Washington hosted by the Sub­stance Abuse and Mental Health Ser­vices Ad­min­is­tra­tion, part of HHS.

Of the many health IT ac­tiv­i­ties un­der­taken by his of­fice, Blu­men­thal said, “none is more im­por­tant than the is­sue that we’re talk­ing about to­day, gener­i­cally, and that is pri­vacy and se­cu­rity of health­care in­for­ma­tion.”

“We work within the HIPAA frame­work, and

Lubran: Con­sent rule helps peo­ple to feel like they’re in con­trol.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.