HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info

Photo by Jonathunder
Below I will explore what seems to be a gaping hole in the HITECH Act. However, as with any new legislation, it is often necessary to reexamine the laws that preceded it, which in this case is HIPAA. This is particularly true given that the HITECH Act does not replace HIPAA. Rather, it provides–amongst other things–additional security and privacy safeguards with respect to health information. To that end, at least a cursory reexamination of HIPAA is required before understanding HITECH and the importance of comprehensive legislation.
HIPAA was a product of the 1990s–an era triggering nostalgic memories of grunge music for some, and the (in)famous Macarena dance for others. For a large part of this period, the Internet was accessed by a handful of tech-savvy individuals who dialed into services like CompuServe, Prodigy, and AOL. It was during this transition that Congress felt the need to make health insurance more portable, as well as to standardize the variegated electronic systems that were conducting nonstandard healthcare-related transactions. There was a concomitant concern that health information needed better protection. Thus, in 1996 Congress adopted the Health Insurance Portability and Accountability Act (HIPAA), giving HHS the responsibility to enforce it. However, the regulations enforcing the privacy and security of health information would not be implemented until years later.
HIPAA’s Privacy Rule, which describes the appropriate use and disclosure of certain health information, came into force on April 14th, 2001, was updated in 2002, and required compliance by April of 2003. The Security Rule, which establishes the policies and best practices for securing health information, came into force in 2003. Thus, the Privacy and Security Rules (referred to below as HIPAA) came to life in a period of technological transition. New technologies like residential broadband Internet access and Wi-Fi networks were becoming the norm. Electronic Health Record (EHR) systems had been developed, but had only marginal penetration within certain academic medical centers and government entities. Consequently, the threats to patient privacy from early EHRs were much smaller than they are today, since these systems were not widespread and rarely shared data across geographically dispersed sites. Access to these systems was therefore generally confined to the intranets where the servers were located.
Acronyms of HIPAA & HITECH

| Acronym | Phrase | General Definition |
| --- | --- | --- |
| PHI | Protected Health Information | Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, the provision of healthcare to the individual, or the payment for the healthcare of that individual. |
| CE | Covered Entity | A group of entities whose use, disclosure, and protection of PHI is regulated by HIPAA and HITECH. CEs are comprised of: |
| BA | Business Associate | Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI. |
| EHR | Electronic Health Record | An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc. |
| PHR | Personal Health Record | An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault. |
Given the historical context of HIPAA’s passage, it is easy to appreciate HIPAA’s missteps in not specifically focusing on EHRs or PHRs. Rather, HIPAA regulates protected health information at a broader level, focusing primarily on the “use and disclosure” of PHI by CEs, and the best practices and policies for securing the PHI itself. To be fair, the Security Rule does focus on PHI that is stored and transmitted electronically. However, even the most stringent best practices and policies are useless if the corresponding privacy regulations are inadequate.
But the times they are a-changin’–sort of.
Buried on page 112 of the American Recovery and Reinvestment Act (ARRA)–also known as the Stimulus Bill–is Title XIII of Division A of the bill, known as the Health Information Technology for Economic and Clinical Health Act, or more commonly, the HITECH Act. One (of the many) purposes of the HITECH Act is to fill in the gaps that have emerged since the Privacy and Security Rules came into force. But like before, we are in a transition period. Whereas HIPAA’s passage coincided with a period of generalized transition towards digital information, HITECH has coincided with its own transition: the implementation of personal health records (PHRs). Unfortunately, the current HITECH Bill and regulations have serious flaws in how they protect patient information stored in PHRs. However, before discussing the problems, it is only fair to discuss the benefits to privacy and security that HITECH’s passage has provided.
Specifically, HITECH introduces breach notification requirements. HITECH’s provisions govern the procedures which CEs and BAs must follow if health information has been compromised. HITECH also empowers the FTC to promulgate regulations pertaining to the notification procedures of PHR vendors (as well as those who offer services to PHR vendors). The FTC’s proposed breach notification requirements can be found here. Thus, CEs, BAs, and PHR vendors are, for the first time, required by law to notify individuals if their unsecured PHI has been accessed by unauthorized individuals. Surprisingly, this was not required under HIPAA. CEs were obligated to notify individuals only insofar as the CEs were required by HIPAA to mitigate damages. But now, with the passage of HITECH, breach notification is no longer amorphous, but is spelled out in detail in HITECH’s regulations.
Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements that CEs have had to abide by. Before HITECH, a BA, such as an attorney reviewing the PHI of a CE, was required to sign an agreement promising to protect the PHI that it was accessing, but was not itself regulated by HIPAA. Thus, a BA had only contractual liability to the CE if it violated the terms of the agreement. On the other hand, if a CE violated HIPAA, it was subject to specific penalties and fines by the government.
Under HITECH, BAs must now comply with much of the Privacy and Security Rules, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.
HITECH also offers other benefits, such as increased enforcement of violations, a strengthening of the requirement that only the minimum necessary information is disclosed to other CEs or BAs, a more thorough framework of accounting for uses and disclosures, as well as certain prohibitions on the sale of PHI.
The last benefit of HITECH–the prohibition on the sale of PHI–is a perfect springboard for discussing the potential pitfalls of HITECH. The benefits of HITECH may well be sufficient to shore up HIPAA’s gaps when it comes to regulating CEs and BAs. However, as HITECH’s regulatory language makes clear, there remains a gaping hole:
(d) Prohibition on Sale of Electronic Health Records or Protected Health Information-(1) IN GENERAL- Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization
The emphasis is added to underscore that PHRs are not included in this provision. There is no corresponding provision in the FTC’s proposed regulations, which concern only breach notification. The upshot of this is that, as of the date of this posting, PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition, nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rules. Therefore, PHR vendors can use, disclose–and possibly even sell–an individual’s health information outside of the HIPAA and HITECH regulations. This problem underscores a larger issue: PHRs are not regulated by HIPAA, and are regulated by HITECH only insofar as the FTC’s interim rule requires certain breach notification procedures.
Dr. David Blumenthal: National Health Care Information Technology Coordinator
Filed under: EMR, Electronic Medical Records, HHS, IT
President Obama has appointed Dr. David Blumenthal as the National Health Care Information Technology Coordinator. Dr. Blumenthal is a former Harvard Medical School Professor who, as reported by Kaiser.org, “has conducted a number of studies related to health care IT” and has “served as director of the Institute for Health Policy at the Massachusetts General Hospital/Partners HealthCare System and as a senior adviser to President Obama during his campaign.”
As National Health Care IT Coordinator, Dr. Blumenthal can be expected to play a large role in directing how the $19 billion apportioned for Health IT in the recently enacted stimulus package will be spent.
Dana Blankenhorn over at ZDNet Healthcare has written a short and interesting post on Dr. Blumenthal. Among other things worth noting in the post, Blankenhorn writes that Blumenthal has been quoted as “saying IT grants should go to inner-city and rural hospitals, as well as small practices, while most health IT money should go to incentives for improving the quality of care.”
As for the choice of Dr. Blumenthal, Blankenhorn writes
The good news is he’s a policy expert and not a vendor. The bad news is he’s a policy expert and not a technologist. He is a renowned health IT advocate who knows his way around bureaucracies but he is not a geek.
This means Blumenthal has not expressed a view on open source vs. proprietary software. He also hasn’t gotten his hands dirty in the health IT trenches.
Having said that, one might hope that Dr. Blumenthal is familiar with the work of Professors Sharona Hoffman & Andy Podgurski.
Electronic Medical Records: How to Prevent the Creation of a Costly High-Tech Tower of Babel
Steve Lohr of The New York Times has written an article, “How to Make Electronic Medical Records a Reality” (a follow-up to “Health Care That Puts a Computer on the Team,” 12/26/08), that is well worth the few minutes required to read it.
Professors Sharona Hoffman & Andy Podgurski have published an article in the Harvard Journal of Law & Technology that should be on Obama’s nightstand. “Finding a Cure: The Case for Regulation and Oversight of Electronic Health Records” will take more than a few minutes to read, but for those charged with the responsibility of making the prospect of Electronic Medical Records a reality, it should be required reading–because, as the authors point out, we simply cannot afford to get this wrong:
The benefits of EHR systems will outweigh their risks only if these systems are developed and maintained with rigorous adherence to the best software engineering and medical informatics practices and if the various EHR systems can easily share information with each other. Regulatory intervention is needed to ensure that these goals are achieved. Once EHR systems are fully implemented, they become essential to proper patient care, and their failure is likely to endanger patient welfare.
The Journal article is essentially a map, designed to point out hazardous terrain and harness the resources at hand to effectuate a comprehensive Electronic Health Record system– and, through interoperability and regulated standards, to prevent the creation of a costly high-tech Tower of Babel. As the authors remind us, in this territory, malfunction and miscommunication can be deadly–and the concerns of the market are not necessarily coextensive with the common weal.
For those of us who have an interest in the subject, and are convinced that it is essential to have a comprehensive guide (if not a blueprint) for “how to get this right” — take heart–it’s here, and I highly recommend you take the time to read it–and then pass it on and up until it reaches that nightstand, if it’s not already there.
How to Make Electronic Medical Records a Reality
The NY Times article depicts the paucity of EMR use at present (17%) in terms of “market failure,” and points out that U.S. Government guidance and investment in growing (“jump-starting”) industry and technology is not novel. Lohr writes:
…computer technology and the industry really flowered in the United States. That happened in no small part because the federal government nurtured the market with heavy investment, mainly by the Defense Department, and by choosing standards, like the Cobol programming language.
Today, Washington is about to embark on another ambitious government-guided effort to jump-start a market — in electronic health records. The program provides a textbook look at the economic and engineering challenges of technology adoption.
Lohr correctly points to the chasm which exists in EMR usage between large practices and small, and the failure of the market to incentivize further usage by doctors in these smaller practices. Lohr states:
These larger groups have the scale to invest in information technology, and they are often insurers as well as providers, so they benefit directly from the cost savings. Yet these large groups are the exceptions in American health care. Three-fourths of the nation’s doctors practice in small offices, with 10 doctors or fewer. For most of them, an investment in digital health records looks like a cost for which they are not reimbursed.
It is that “market failure,” says Lohr that the Obama plan seeks to address. To that end, the legislation which has devoted $19 Billion towards this “jumpstart,” “calls for incentive payments of more than $40,000 spread over a few years for a physician who buys and uses electronic health records.”
The legislation also requires that this payment to doctors be in exchange for “meaningful use,” but thus far the term has been left undefined.
We addressed both of these concerns on this blog in mid-January in response to a post on Health Affairs by Dr. David Brailer, Chairman of Health Evolution Partners, a health care investment fund.
LoJacking Grandma and “Reality Mining,” or “Daddy, What was Anonymity?”
Mark Heftler, a geriatric care manager who is slated to begin study at Seton Hall Law in the Fall, has written an interesting article on RFID (Radio Frequency Identification) and its potential usage as a means of early diagnosis of dementia among the elderly. Researchers at the University of South Florida have developed and tested an RFID technology which assesses the walking patterns of those whom it monitors.
By monitoring the movements of the elderly within geriatric facilities, “the researchers hope to be able to diagnose the onset of Alzheimer’s in their patients. Sudden veers, long pauses, and a tendency to wander are all indicators of dementia.”
As MIT’s Technology Review notes, “Drugs that are currently available can only slow the progression of related diseases, so the earlier dementia is caught, the better a patient’s treatment will be.”
Technology Review also notes, “In particular, dementia increases the risk of injury caused by a fall… ‘That’s a huge problem for assisted-living facilities,’” said William Kearns, an assistant professor who researches aging and mental health at USF.
Not Just Grandma
Although one can readily see the positive cost/benefit and quality of life implications of warding off the falls of the elderly, as Frank Pasquale recently noted on both this blog and Concurring Opinions, the proliferation of “personal” electronic data is not without its danger.
The Technology Review article provides a link to another article which points out that RFID technology is also being harnessed to gather social networking information through what is referred to as “reality mining,”
“…a field that Tanzeem Choudhury pioneered as a PhD student at the MIT Media Lab. Working at Intel after graduation, she created a pager-size sensor pack–loaded with software plus microphones, accelerometers, and other data-gathering devices–to collect and analyze data about human interactions and activity. For instance, by processing verbal utterances, she can identify the most influential people in a social network.
Now an assistant professor of computer science at Dartmouth, Choudhury is conducting experiments with the sensor-laden iPhone. Within a few years, she says, simple versions of her software could be available for cell phones.”
Prolegomena to Prononymity: What’s the Worst that Can Happen?
Filed under: Electronic Medical Records, IT, Prescription Drugs

Atlas, Prometheus, & Typhoeus, photo by quapan
America needs electronic medical records (EMR). There are plenty of reasons why we are so far behind other nations in consolidating medical data: lack of strong central leadership on the issue, unwarranted faith in markets to produce solutions, and overwhelmed medical professionals who have little if any slack time to put a new system into place. Even as President Obama pushes for investment in EMR, privacy concerns are also slowing down progress:
Lawmakers, caught in a crossfire of lobbying by the health care industry and consumer groups, have been unable to agree on privacy safeguards that would allow patients to control the use of their medical records. . . . The data in medical records has great potential commercial value. Several companies, for example, buy and sell huge amounts of data on the prescribing habits of doctors, and the information has proved invaluable to pharmaceutical sales representatives.
“Health I.T. without privacy is an excellent way for companies to establish a gold mine of information that can be used to increase profits, promote expensive drugs, cherry-pick patients who are cheaper to insure and market directly to consumers,” said Dr. Deborah C. Peel, coordinator of the Coalition for Patient Privacy, which includes the American Civil Liberties Union among its members.
Health IT turns out to be one of many areas where a drive for prononymity–that is, the de-anonymizing of records of on- and off-line life–is running up against a wall of wary citizens and consumers. In the health field, I think that resistance is only going to end if we have a robust “backstop” of health care in place so that citizens don’t have to worry about losing all coverage if a digital dossier presents them as a bad risk. (Medicaid as presently constituted does not count.) Far from overwhelming the health care system with pent-up demand, universal health coverage may be a prerequisite for generating support for the type of EMR that will provide us all with far better care.
A trend to prononymity in general should be matched with greater commitment to assuring that it won’t result in particularly harsh results. For example, people should not be denied a job for being identifiable as a Democrat in a blog post, whatever Monica Goodling thinks. Nor should doctors’ notes about a patient’s dark thoughts come back to haunt the patient when she or he applies for medical insurance. And if they do, there should be a genuine insurer of last resort available–not the patchwork of Medicaid and charity care that presently leaves so many uninsured people falling through the cracks.
That’s one reason why I advocate the development of a Fair Reputation Reporting Act, which would allow individuals to know the documentary basis of certain key adverse decisions. I summarize the proposal here:
Reputation regulation has become essential because traditional restrictions on data flows inadequately constrain decisionmakers and important intermediaries (including search engines and bulletin boards). . . . Persistent and searchable databases now feed unprecedented amounts of poorly vetted information into vital decisions about employment, credit, and insurance. Rumors about a person’s sexual orientation (or experiences), health status, incompetence, or nastiness can percolate in blogs and message boards.
Even if the First Amendment and anonymity protect the authors of such rumors, affected individuals deserve to know whether certain important decisionmakers rely on them. In limited cases, the intermediary source of the information should also provide the target of a derogatory posting with the opportunity to annotate it. A Fair Reputation Reporting Act would empower individuals to know the basis of adverse employment, credit, and insurance decisions-and to go to their source (and the source of their salience) to demand some relief from digital scarlet letters.
In summary, privacy concerns are only likely to die down if individuals know either 1) that the consequences of a privacy breach are not likely to be severe or 2) that they can find out instances of the improper use of data. In the health care context in the US, neither qualifier holds: the individual insurance market routinely denies care to individuals on the basis of pre-existing conditions, and individuals have little sense of exactly how such determinations are made. Prononymity needs to work both ways: if our health conditions are to be the subject of increasing availability, so too must the decision-making processes that could use that data to our detriment become more transparent.
PS: Market mavens may promote a “Google Health Search” as the optimal solution here. If this 800 pound gorilla can get all the publishers in line to settle their copyright claims, perhaps it has some chance at bringing the medical industry to heel; however, the political power of doctors and insurers dwarfs that of publishers. The concentration of that much data in one company should also provoke some worries.
Dr. David Brailer and Electronic Medical Records: Perhaps the Chairman Doth Protest Too Much
Dr. David J. Brailer, appointed by President Bush in 2004 as the first National Coordinator for Health Information Technology, has written an article for Health Affairs worth reading. Dr. Brailer notes that President-elect Obama “has pledged $50 billion to bring health information tools into widespread use (which is $49,950,000 more than President Bush gave me to spend).” (Note: as the present budget for the office of National Coordinator is a little more than $66 million, I believe Dr. Brailer meant to say that the budget during his tenure was roughly $50 million, which would make Obama’s $50 billion $49,950,000,000 more. Apparently, I’m not the only one confused by billions).
Having said that, Dr. Brailer has some suggestions worth noting, not the least of which is that ensuring structural compatibility and integration of data systems are paramount necessities which will require more than just “hiring the geek squad.” He states
Setting up an electronic health record is a complex task, requiring data integration, clinical algorithms and complex software customization. Likewise, helping physicians and other health care workers learn to work with electronic tools is more than point-and-click training. Electronic health records change the very nature of health care work - clinical decision-making, communications, documentation and learning. Our national transition to digital medicine requires a large supply of specialists - upwards of 50,000 people, including physicians, nurses and pharmacists - who understand both clinical medicine and information technology. It takes years to train these people, and they are already in short supply, so now is the time to start.
I have no contention with the assertion that “setting up an electronic health record is a complex task,” and surely, at the end of a $50 billion investment no one wants to look up to see a Med e-record Tower of Babel. But Dr. Brailer’s assertion that “helping physicians and other health care workers learn to work with electronic tools is more than point-and-click training” is somewhat at odds with recent articles in The NY Times, one of which shows what an electronic medical record looks like and explains how pertinent and potentially life saving information “is just a few clicks away.”
Dr. Brailer also states that we need to address what he characterizes as
…the growing chasm between the physicians and hospitals that have electronic records and those that do not. Most large and urban hospitals as well as larger physician practices are far along in using electronic health records. Rural hospitals, nursing homes and small physician practices lag far behind. They face many barriers, but foremost among them is the lack of capital to purchase and implement information tools.
Dr. Brailer states that “Sales pipelines and hospital and physician budgets show that electronic health record purchases have slowed, indicating that the market wave has gone as far as it can. Now is the time for government incentives to help along those who do not have these systems.”
But Brailer wants to incentivize the “use” of electronic medical records much in the way that Congress has done so regarding “electronic prescribing.” He states: “Medicare pays physicians a 2% bonus for using eprescribing on appropriate patients starting in 2009, and this incentive converts to a 3% penalty for those who do not eprescribe in 2013.”
Of course, Brailer is right to make the distinction between “purchase” and “use.” No one wants to subsidize a high tech, dust gathering coat rack. He makes the point that “We should not incent physicians and hospitals simply to purchase electronic records. We get no benefit when a physician or hospital buys an electronic record. What we should do is reward the use of these tools as part of a patient’s care.”
What he fails to address, however, in this incremental ROI “pay for use” approach is what he characterizes as the “foremost barrier” to those “Rural hospitals, nursing homes and small physician practices” on the other side of e-med record chasm: initial capital outlay.
Considering the financial difficulties of many hospitals–and the chilled credit markets–it is somewhat difficult to envision how the gradual return on investment through “pay for use” will have great effect for those medical service providers who, at present, have a “lack of capital to purchase and implement information tools.” It is not, however, hard to envision how such a continuous “pay for use” incentive would benefit those larger providers who have already implemented electronic medical record systems.
Additional payments each time they used what they have already invested in would, no doubt, provide an additional dividend which these typically larger providers would greatly appreciate. It is not at all clear, however, that such a program, requiring significant investments of capital-which may well not be available at this time-will lessen the “chasm” by any great measure.
The New York Times has reported that
For most doctors, who work in small practices, an investment in electronic health records looks simply like a cost for which they will not be reimbursed. That is why policy experts say any government financial incentives to use electronic records - matching grants or other subsidies - should be focused on practices with 10 or fewer doctors, which still account for three-fourths of all doctors in this country. Only about 17 percent of the nation’s physicians are using computerized patient records, according to a government-sponsored survey published in The New England Journal Of Medicine.
The Times also reports that those who are presently using electronic medical records tend to be part of larger health care organizations.
No longer the National Coordinator for Health Information Technology, Dr. Brailer is now the Chairman of Health Evolution Partners; it is a health care investment fund:
“Health Evolution Partners invests in the world’s leading health care companies. We seek out companies that are driving critical shifts in how health care is financed, organized and delivered.”
….We use these assets to help our portfolio companies:
- Build strategies with unusually high potential
- Navigate and mitigate business, policy and regulatory risks
- Develop and shape the market for their products and services
- Enhance the growth and returns for their shareholders
Electronic Medical Records: What They Look Like, What They Can Do
Filed under: Electronic Medical Records, IT
The Obama administration has stated that the institution of electronic medical records will play a role in its forthcoming efforts to reform health care in the United States. According to the NY Times, “During the campaign, Mr. Obama vowed to spend $50 billion over five years to spur the adoption of electronic health records and said recently that a program to accelerate their use would be part of his stimulus package.” Max Baucus, Senate Finance Committee Chairman, has stated that the stimulus package will likely include grants and tax breaks for doctors and hospitals to invest in health IT. The Washington Post has reported that its sources “cited $10 billion as a potential figure for health IT in the stimulus package.” In addition, CMS has modified its Medicaid and Medicare reimbursement payments to include a 2% incentive to encourage hospitals to upgrade their records systems with health IT and a 2% penalty within two years for hospitals that do not adopt health IT.
The NY Times has run an article featuring the use, efficacy, and potential of electronic medical records. The article also features an example of what an electronic medical record looks like.
For a number of reasons, the article is well worth a read. Find it here.
e-Prescriptions Increase as Medicare Incentive is About to Take Effect
Filed under: Drugs & Medical Devices, Electronic Medical Records, IT, Pharma
The AP reports that in “December 2007, 35,000 doctors were writing at least some paperless prescriptions, according to SureScripts-RxHub, which tracks the drugstore network.
The 2008 count isn’t finished yet, but SureScripts estimates that number has doubled to more than 70,000. Moreover, the volume of prescriptions filled electronically grew about 15 percent a month since August, faster than the 5 percent to 8 percent monthly increase seen earlier in the year - presumably as doctors geared up for the Medicare incentive.”