Wednesday, January 23, 2013

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules


On January 17, HHS released the Final Rule entitled: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.

It's 563 pages long and contains 7 themes:

Covered entities must ensure that they obtain the satisfactory assurances required by the rules from their business associates, and business associates must do the same with regard to their subcontractors, no matter how far 'down the chain' the information flows.

Increases penalties to $1.5 million per year.

Tightens limitations on the use of patient records for marketing.

Prohibits the sale of patient information without a patient's consent.

Provides patients with a right to insist that a provider not share their patient-care records with their insurance company if that care is paid for by the patient out-of-pocket in full.

Requires entities with patient record breaches to assess the likelihood that the information could be accessed in determining whether they must notify individuals of the breach.

Adds patient-safety organizations, health information exchange organizations and e-prescribing gateways to a specific list of HIPAA business associates liable under the rule. It also includes as business associates certain vendors of personal health records, those that provide a PHR to patients “on behalf of a covered entity,” but excludes other PHR providers, such as those working on behalf of consumers.

Much of the final rule is a restatement of requirements in ARRA/HITECH and GINA. Generally the recommendations are very reasonable. One challenging aspect of the final rule is the provision that provides patients with a right to insist that a provider not share their patient-care records with their insurance company if that care is paid for by the patient out-of-pocket in full. At present this will be technically challenging to implement. For example, if a patient pays for their outpatient treatment in cash and an e-prescription is generated, how do we flag the prescription to ensure it does not flow into a Pharmacy Benefit Management database? If an inpatient hospitalization is paid in cash, how do we prevent a nurse case manager working for a payer from seeing any data related to that care episode? Such data segmentation needs metadata around each data element so that data flows can be selectively restricted. A great goal, but definitely a work in progress for which no products or standards yet exist.
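As an added illustration (not code from this post, nor from any product or HIT Standards Committee work), here is a minimal model of the per-element metadata the paragraph calls for: each data element carries a restriction label derived from its encounter, and disclosure to payment-side recipients (a PBM, a payer's nurse case manager) is filtered on that label while treatment-side flows are unaffected. The element kinds, recipient roles, label names and sample records are all assumptions constructed for the example.

```python
# Added example: per-element metadata for data segmentation for privacy.
# Element kinds, roles, label names and sample data are hypothetical.
from dataclasses import dataclass, field

# Payment-side recipients that must not see self-pay-restricted elements.
PAYMENT_RECIPIENTS = {"health_plan", "pbm", "payer_case_manager"}

@dataclass
class DataElement:
    kind: str              # e.g. "e_prescription", "progress_note"
    content: str
    encounter_id: str
    restrictions: set = field(default_factory=set)  # e.g. {"self_pay_restriction"}

@dataclass
class Encounter:
    encounter_id: str
    self_pay_in_full: bool
    restricted: bool = False   # patient invoked the out-of-pocket restriction

def tag_elements(encounters, elements):
    """Label every element of a restricted, self-pay-in-full encounter."""
    by_id = {e.encounter_id: e for e in encounters}
    for el in elements:
        enc = by_id.get(el.encounter_id)
        if enc and enc.self_pay_in_full and enc.restricted:
            el.restrictions.add("self_pay_restriction")
    return elements

def disclose(elements, recipient_role):
    """Split elements into (released, withheld) for one recipient role."""
    released, withheld = [], []
    for el in elements:
        if "self_pay_restriction" in el.restrictions and recipient_role in PAYMENT_RECIPIENTS:
            withheld.append(el)
        else:
            released.append(el)
    return released, withheld

def demo():
    # Constructed sample: one cash-paid restricted visit, one insured visit.
    encounters = [Encounter("enc-1", self_pay_in_full=True, restricted=True),
                  Encounter("enc-2", self_pay_in_full=False)]
    elements = tag_elements(encounters, [
        DataElement("e_prescription", "drug X 10mg", "enc-1"),
        DataElement("progress_note", "outpatient visit", "enc-1"),
        DataElement("e_prescription", "drug Y 5mg", "enc-2"),
    ])
    to_pbm, withheld = disclose(elements, "pbm")          # PBM sees only enc-2
    to_pharmacy, _ = disclose(elements, "pharmacy")       # treatment flow unfiltered
    return len(to_pbm), len(withheld), len(to_pharmacy)   # returns (1, 2, 3)
```

The point of the model is that the restriction travels with each element rather than living only on the encounter, so a downstream system that receives only the prescription can still honour it.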

In the workplan for FY13 that I presented at the January HIT Standards Committee meeting, I highlighted the need for our workgroups to study standards supporting data segmentation for privacy, so hopefully we'll close this gap in the next year and have products in the marketplace which support such controls by 2014.

I know that many groups are hard at work analyzing the new rule, so I look forward to their wisdom. The rule's 563 pages are rich with detail.

1 comment:

Nicholas Orlowski said...

[Regulations]...exclude transmissions when the information exchanged did not exist in electronic form immediately before transmission.

In our case, this is true.

We are using an Internet faxing service which accepts documents over HTTPS. Would we need to contact our provider to sign a HIPAA contractor agreement in this case? Furthermore, would we need to contact the phone company which that service uses in the same way?

How far does the 'chain' go?