Tuesday, March 31, 2009

The Impact of the Privacy Provisions in ARRA

I was recently asked to comment about the resources needed to comply with the Privacy Provisions in the Stimulus Bill.

Here is a brief analysis from my Security Team:

ARRA has a provision that requires covered entities keep a list of all data disclosures to third parties and provide a comprehensive audit log to patients upon request. This tracking of third party data exchange is not currently part of HIPAA requirements and will require significant enhancement to our auditing systems, our patient services reporting tools, and our personal health records which give patient access to their own audit trails.

Based on at least one interpretation of ARRA, the covered entity must take responsibility for patient notification when third parties improperly disclose patient information. There does seem to be some variation in interpretation in this area.

ARRA specifies that disclosure of a record containing a name and medical information (John Smith, Hematocrit 37) is considered a breach. Massachusetts requires the name and at least one other identifiable piece of information (John Smith, 5/23/1962, Hematocrit 37). This could have significant implications since even simple audit logs could be considered restricted/confidential information.

ARRA provides some definition about the actual notification methods required. In breaches where the contact information of more then 10 individuals is not known the covered entity must post the breach on their web site. If the breach is of more the 500 records the covered entity must make a public disclosure to “prominent” media outlets. Prior to this the only obligation was to contact the individuals directly.

ARRA also includes some language that requires covered entities limit the amount and type of information shared with providers to be the minimum required for the business need. It also requires that if patients pay for services out of pocket that covered entities provide a way for the individual to request that no information relative to the treatment be transmitted to any provider.

Privacy is foundational and we certainly cannot argue with the need to keep information confidential per patient preferences. However, some of these provisions, such as the "out of pocket" clause will be extremely challenging to implement.

Over the next few months, HITSP is working on standards which will support these ARRA provisions, including web services using XACML, WS*, and TLS.

As HITSP moves to create a service oriented architecture, we will enhance our existing TN900 Technical Note to include services that could be used to document consent, apply privacy policies and consent to data flows, and transmit the minimum necessary data to authorized clinician via a workflow similar to that I described in a previous blog entry about patient privacy preferences.

The privacy provisions in ARRA will serve as a catalyst to improve the policies and technologies protecting confidentiality. This work, although expensive and time consuming, is required for patients to trust EHRs and Healthcare Information Exchanges.


Ahier said...

"You need to buy an umbrella"
As far as John's comments, I am concerned that privacy could take a back seat with the rush to EHR, particularly in smaller practices. Don't get me wrong, I am strongly in favor of increased adoption, but we do need to be careful especially in how the issue is framed. There are already many false assumptions and perceptions in the general public.

Anonymous said...

beth israel instead of using computers to help patients, believes they are a tool to obtain an advantage of control over patients they otherwise would not have and the man writing this article's main real job

prove me wrong

Tom Mariner said...


If John's committee succeeds in forming clear, unambiguous, national definitions, whether rational or not, we have a chance. If there is a scintilla of doubt about a meaning, the legal profession will do their jobs as officers of the court and pounce. The real-world examples of the differences in what data is included emphasizes the impossibility a software developer and medical provider would face.

This one issue could cost more than the entire Healthcare IT effort and therefore sink the amazing good that it can do before it gets started. But if one knows about an Achilles Heel, one can construct a proper shoe.