For The Record Q & A With John Klimek, RPh
FTR: What are the effects of the new HIPAA laws contained in the HITECH Act?
Klimek: HITECH makes significant changes to HIPAA by defining “business associate” more broadly, making business associates directly accountable under the statute, augmenting enforcement provisions, and increasing limitations on the use of personal health information (PHI). HITECH also imposes new disclosure accounting obligations for electronic health records and new breach notification requirements for unauthorized disclosures.
FTR: Do you have any concerns about the new requirements?
Klimek: Compliance is a problem partly due to the number of organizational stakeholders involved: legal, management, healthcare professionals, information technology, etc. It is people and process intensive and does not lend itself readily to a technology-based solution, despite the fact that technology will play a key role in addressing the challenge.
FTR: Do the requirements fail to address anything?
Klimek: The key issue that is not addressed is that PHRs are not included in this provision. PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rule. Therefore, PHR vendors can use, disclose, and possibly even sell an individual’s health information outside of the HIPAA and HITECH regulations.
This problem underscores a larger issue: PHRs are not regulated by HIPAA and only regulated by HITECH insofar as the Federal Trade Commission’s (FTC) interim rule requires certain breach notification procedures. However, the interim rule does not define the appropriate use or disclosure of health information by PHR vendors. The only exception to this is when the PHR vendor offers PHR services to patients through the patient’s relationship with a covered entity, as is the case in Google Health’s partnership with the Cleveland Clinic.
However, Google Health and Microsoft HealthVault have been courting individuals—outside of their relationship with providers or health plans—to sign up and upload information to their servers. Therefore, it presently appears that most individuals desiring the advantages of PHRs must take Google and Microsoft at their word when they promise to protect an individual’s health information.
FTR: Where are healthcare organizations most vulnerable to HIPAA violations?
Klimek: Group health plans (and the employers and administrators operating them) need to be aware of these new rules and how they impact the administration of the plans. The following are just a few of the key areas in which health organizations need to start taking action immediately in order to prevent violation:
• Reviewing how PHI in their possession is secured. Although the regulations do not require the encryption or destruction of PHI, many covered entities are voluntarily choosing to secure their PHI by such methods to the extent feasible in order to limit or avoid application of the notice rules.
• Updating written HIPAA procedures to include procedures for complying with the new notice requirements (and other changes in the HIPAA rules imposed by HITECH), including sample notices, procedures to maintain current contact information for plan participants (which may avoid the need for a public notice of a breach), obtaining participant consent to e-mail notification, and maintaining a breach log for annual submission to Health & Human Services (HHS).
• Revising training materials to include the new notice requirements (and other changes in the HIPAA rules imposed by HITECH) and improving “refresher” training for individuals who handle PHI.
• Reviewing business associate relationships to determine whether the business associate is the agent of the covered entity or an independent contractor, which may impact the time in which the covered entity has to distribute a required notice.
• Revising business associate agreements as necessary to determine how the notice obligations will be implemented (e.g., to whom at the covered entity the business associate will give notice of a breach).
FTR: Do you foresee additional changes being made to HIPAA privacy and security rules at some point?
Klimek: We should expect to see additional changes. The FTC and HHS are required by HITECH (Section 13424(b)) to develop more specific recommendations and report their findings to members of Congress by February 17, 2010. One of the issues that the FTC and HHS are required to address is the security and privacy requirements applied to PHR vendors. If Congress fails to enact legislation to regulate the use and disclosure of PHI by PHR vendors or HHS fails to do the same through regulation, it could spell disaster for the adoption of PHRs.
If such a scenario were to occur, the Obama administration’s multibillion-dollar health IT vision would be forced to either ignore the privacy issues of a Wild West-style PHR marketplace, abandon the patient-centered approach to care offered by PHRs, or rectify the mistakes of HITECH in much the same way that HITECH rectified the shortsightedness of HIPAA—by waiting years to pass additional legislation that is, at least in its protection of privacy, more hi-tech.
FTR: Should all healthcare organizations have a HIPAA security officer?
Klimek: Health organizations often assign privacy responsibilities to their CIO (chief information officer). The risk of doing this is that privacy may be perceived as a technology-only issue. Addressing privacy is truly a business issue and must be integrated into and addressed by all areas of the organization, including each business practice, and within all processing systems. Ideally, the privacy office should be a single entity, reporting directly to the chief executive officer, with communication and integration into all areas of the company.