« National Rountable: Medical Banking & The Health Data Ecosystem - Engineering A Revolution in Revenue Cycle Management | Main | Next Steps for Moving the Industry Forward »
Deven McGraw on the Great Privacy Debate: Impact of ARRA 2009
Health Privacy Project at Center for Democracy and Technology
- Health IT and electronic health information exchange have tremendous potential to improve health care quality, reduce costs, and empower consumers
- The public wants health IT – but also has significant privacy concerns
- Failure to build foundation of trust is an obstacle to achieving greater health information exchange
Health Privacy Project at CDT
- For years there was no progress on resolving the privacy and security issues raised by e-health
- Project’s aim: Develop and promote workable privacy and security policy solutions for personal health information
Evolution of Federal Privacy Protections
-
1996 – Enactment of Health Insurance Portability and Accountability Act (HIPAA)
- Congress gives itself 3 years to enact privacy legislation
-
Rulemaking
- 1999 – Proposed rules
- 2000 – Final rule
- 2002 – Regulatory changes
- 2003 – Effective for most
Era of Health Information Technology
-
Health IT bills stalled in 108th &109th
- Privacy was framed as the obstacle – but it wasn’t the only issue
-
Legislation moved furthest in 110th – but economic woes stalled progress
ARRA (Title XIII- HITECH)
- Broke the privacy "logjam"
- Most significant change to the healthcare privacy and security environment since the original HIPAA privacy rule
- Not a change to everything about HIPAA – but some significant changes that will need to be addressed by many entities handling health care information
- Most provisions require further regulatory clarification
Privacy and Security Provisions – Overview
- Substantive changes to HIPAA statutory provisions and privacy and security regulations
- Enhanced enforcement of HIPAA
- Provisions to address health information held by some entities not covered by HIPAA
- Misc: Administration/Studies/Reports/Educational Initiatives
Substantive HIPAA Changes
-
Breach notification requirement
- Definition of breach
- Safe harbor for “protected” data
- Detailed requirements re: timing and content of notice; how provided to individual and HHS
- Business Associates must notify covered entities Strengthened individual right to restrict disclosures to health plans for payment and operations
- Secretary guidance on minimum necessary
- Use of limited data set where possible in interim
- Discloser determines minimum necessary Minimum necessary still does not apply to treatment
- Requirement applies after standard and regulations are developed
- Phased in over time
- Covers only 3 years Change with respect to how business associates comply
- Can direct record to another entity or individual (PHR) Changes to definition of marketing
- Limited right to use information for marketing if the communication is paid for by an outside entity
- Exceptions for treatment communications and communications about current drugs and biologics Opt-out for fundraising communications
- Public health
- Research
- Treatment of an individual
- Sale of a facility/business
- Payments to business associates
- Copies to individuals
- Designated by Secretary in regulations
Accounting for disclosure requirements for entities using electronic health records
Patient right of electronic access
BA contracts required for RHIOs – and PHRs in some instances
Prohibition on “sale” of health records or protected health information
Exceptions
HIPAA Enforcement
Business Associates accountable to authorities for compliance with some HIPAA privacy and security rules (+ new provisions)Application of HIPAA criminal provisions to individuals
Ability to civilly enforce where violation qualifies as criminal but no criminal penalties pursued
Requirement to impose civil penalties in cases of willful neglect
- Corrective action may still be pursued for lesser offenses
Distribution of % of civil penalties to individuals (penalties also go to OCR)
State AG civil enforcement
Secretary required to do periodic audits
Provisions for Entities not Covered by HIPAA
Temporary breach notification provisions for PHR vendors and internet applications- Breach definition
- Same safe harbor for protected information
- Enforced by FTC
- Which agency should regulate?
- Timeframe for regulations (no specific authority to regulate)
Misc. (Administration/Studies/Reports/Educational Initiatives)
- Strengthened authority for ONC
- New advisory committees on policy and standards
- OCR public education initiative on uses of PHI and individual rights under HIPAA
- Privacy Officers in each HHS region
- Chief Privacy Officer within ONC - Not charged with HIPAA enforcement/oversight
Misc. (Studies/Reports/Educational Initiatives)
- Studies/Reports by HHS Secretary
- Annual report on enforcement
- Study on implementation of the de-identification requirements
- Study of HIPAA definition of psychotherapy notes with respect to inclusion of test data and materials used for evaluative purposes
- GAO Studies:
- Methodology for providing individuals with a % of civil monetary penalties
- Report on best practices for disclosure of PHI for treatment purposes
- Report on Impact of ARRA provisions on health care costs and adoption of EHRs
March 12, 2009 in A Bank-Driven eHealth Ecosystem, Medical Banking Institute, Medical Consumerism | Permalink
TrackBack
TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a00d83451ce7b69e2011168f034e6970c
Listed below are links to weblogs that reference Deven McGraw on the Great Privacy Debate: Impact of ARRA 2009:
Comments
Great site this and I am really pleased to see you have what I am actually looking for here and this this post is exactly what I am interested in. I shall be pleased to become a regular visitor :)
Posted by: Estuabacups | Apr 4, 2009 5:05:48 AM
The comments to this entry are closed.