With Integrated Services Facilitated By HIE, Is HIPAA Enough?
By Sarah C. Threnhause Executive Vice President, OPEN MINDS July 1, 2013
The fundamental assumption underlying both integrated care coordination models and integrated service delivery models is that disparate health information about individual consumers is going to land in one place - either at the disposal of the care coordinator and/or the primary are professional (see ONC's New HIE Guidelines Hit The Street all members and Recipe For HIE Success: Consumer Trust Through Security). This new era of shared data is going to be made possible by widespread health information exchange capabilities - the subject of many discussions by our team (see Recipe For HIE Success: Consumer Trust Through Security all members, ONC's New HIE Guidelines Hit The Street all members, and Practical Steps to Building a Sustainable HIE premium members).
But in this new world, what are the consumer protections? The first answer to this is the Health Insurance Portability and Accountability Act (HIPAA). The newest updates to HIPAA, the Privacy, Security, Enforcement, and Breach Notification Rules, govern the use/disclosure of protected health information (PHI) (see HIPAA: The Final Act all members and Feds Release HIPAA ‘Omnibus Rule' all members). Under the new rules, which went live on March 26, patients have the right to a notice of privacy practices, can request restrictions on PHI use, request confidential communications of PHI, request and receive electronic access to PHI, request an amendment to their PHI, and receive a full disclosure of who has had access to their PHI.
When it comes to sharing behavioral health information, organizations must be particularly careful.
The HIPAA privacy rule grants organizations the ability to develop specific consent or restriction policies on sensitive information - such as "HIV/AIDS, mental health, genetic, and/or substance abuse information." The U.S. Department of Health & Human Services' Privacy and Security Toolkit also notes that "the Privacy Rule requires a covered entity to obtain individual authorization prior to a disclosure of psychotherapy notes, even for a disclosure to a health care provider other than the originator of the notes, for treatment purposes" (see Privacy and Security Toolkit: Individual Choice premium members).
While HIPAA provides a great deal of privacy and security protections for individuals, some may still ask - is HIPAA enough? One strength of this updated HIPAA legislation is that it allows patients to see, copy, and correct their personal medical information - writing in iHealthBeat, Deven McGraw, , director of the health privacy project at the Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee, notes that HIPAA's final rules are "a major step forward in creating the comprehensive framework of privacy and security protections necessary to build and maintain public trust in a robust, digital health data ecosystem" (see Final HIPAA Rules a Major Step Forward, but There's More Work To Be Done).
Adding to the chorus of praise for the new rules, Leon Rodriguez, Department of Health and Human Services Office (HHS) for Civil Rights Director, notes that the final rule will allow OCR to "vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates" (see New rule protects patient privacy, secures health information).
But like so much legislation there are dissenting voices. One big critique isn't directed at HIPAA itself, but at the Centers for Medicare & Medicaid Services' (CMS) enforcement of the rules. In 2011, the HHS Office of Inspector General (OIG) Nationwide Rollup Review found that oversight is insufficient to effectively implemented the HIPAA Security Rule (see Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight premium members), stating "CMS had limited assurance that controls were in place and operating as intended to protect ePHI [electronic protected health information], thereby leaving ePHI vulnerable to attack and compromise."
On the other end of the spectrum, an April memo from the Subcommittee on Oversight and Investigations says, "Studies show that some health care providers apply HIPAA regulations overzealously, leaving family members, caregivers, public health and law enforcement hindered in their efforts to get information" (see Does HIPAA Help or Hinder Patient Care and Public Safety? premium members).
The whole issue of individual information privacy (not just in health and human services) is red hot - and likely not to be resolved to anyone's satisfaction. But stay tuned, and we'll keep you updated.