HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info

August 6, 2009 by Jordan Cohen · 6 Comments
Filed under: EMR, Electronic Medical Records, IT

Photo by Jonathunder

Below I will explore what seems to be a gaping hole in the HITECH Act. However, as with any new legislation, it is often necessary to reexamine the laws that preceded it, which in this case is HIPAA. This is particularly true given that the HITECH Act does not replace HIPAA. Rather, it provides–amongst other things–additional security and privacy safeguards with respect to health information. To that extent, at least a cursory reexamination of HIPAA is required before understanding HITECH and the importance of comprehensive legislation.

HIPAA was a product of the 1990’s–an era triggering nostalgic memories of grunge music for some, and the (in)famous Macarena dance for others. For a large part of this period, the Internet was accessed by a handful of tech savvy individuals who dialed into services like CompuServ, Prodigy, and AOL. It was during this transition that Congress felt the need to make health insurance more portable, as well as standardize the variegated electronic systems that were conducting nonstandard healthcare-related transactions. There was a concomitant concern that health information needed better protection. Thus, in 1996 Congress adopted the Health Insurance Portability and Accountability Act (HIPAA), providing HHS with the responsibility to enforce it. However, the regulation enforcing privacy and security of health information would not be implemented until years later.

HIPAA’s Privacy Rule, which describes the appropriate use and disclosure of certain health information, came into force on April 14th, 2001, updated in 2002, with compliance required by April of 2003. The Security Rule, which establishes the policies and best practices for securing health information, came into force in 2003. Thus, the Privacy and Security Rules (referred to below as HIPAA) came to life in a period of technological transition. New technologies like residential broadband Internet access and Wi-Fi networks were becoming the norm. Electronic Health Record (EHR) systems had been developed, but had only marginal penetration within certain academic medical centers and government entities. Consequently, the threats to patient privacy from early EHRs was much smaller than it is today, since these systems were not widespread and did not often share data over disparate regions. Thus, access to the systems was not necessarily available outside of the intranets where the servers were located.

Acronyms of HIPAA & HITECH

Acronym	Phrase	General Definition (see 160.103 for regulatory language)
PHI	Protected Health Information	Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, provision of healthcare to the individual, or the payment for the healthcare of that individual.
CE	Covered Entity	A group of entities whose use, disclosure, and protection of PHI is regulated by HIPAA and HITECH. CEs are comprised of: 1) Health care provider (e.g. physicians) that submit transactions electronically. 2) Health care plans (e.g. HMOs) 3) Health care clearinghouses (which are public or private entities, including a billing service, repricing company, community health management information system, etc… that processes or facilitates the processing of health information received from another entity in nonstandard form into standard form, or from standard form to non-standard form.
BA	Business Associate	Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI.
EHR	Electronic Health Record	An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc.
PHR	Personal Health Record	An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault

d

Given the historical context of HIPAA’s passage, it is easy to appreciate HIPAA’s missteps in not specifically focusing on EHRs or PHRs. Rather, HIPAA regulates protected health information at a broader level, focusing primarily on the “use and disclosure” of PHI by CEs, and the best practices and policies for securing the PHI itself. To be fair, the Security Rule does focus on PHI that is stored and transmitted electronically. However, even the most stringent best practices and policies are useless if the corresponding privacy regulations are inadequate.

But the times they are a-changin’–sort of.

Buried on page 112 of the American Recovery and Reinvestment Act (ARRA)–also known as the Stimulus Bill–is Title VIII of the bill, known as the Health Information Technology for Economic and Clinical Health Act, or more commonly, the HITECH Act. One (of the many) purposes of the HITECH Act is to fill in the gaps that have emerged since the Privacy and Security rules came into force. But like before, we are in a transition period. Whereas HIPAA’s passage coincided with a period of generalized transition towards digital information, HITECH has coincided with its own transition: the implementation of personal health records (PHRs). Unfortunately, the current HITECH Bill and regulations have serious flaws in how they protect patient information stored in PHRs. However, before discussing the problems, it is only fair to discuss the benefits to privacy and security that HITECH’s passage has provided.

Specifically, HITECH introduces breach notification requirements. HITECH’s provisions govern the procedures which CEs and BAs must follow if health information has been compromised. HITECH also empowers the FTC to promulgate regulations pertaining to the notification procedures of PHR vendors (as well as those who offer services to PHR vendors). The FTC’s proposed breach notification requirements can be found here. Thus, CEs, BAs, and PHR vendors are, for the first time, required by law to notify individuals if their unsecured PHI has been accessed by unauthorized individuals. Surprisingly, this was not required under HIPAA. CEs were obligated to notify individuals only insofar as the CEs were required by HIPAA to mitigate damages. But now, with the passage of HITECH, breach notification is no longer amorphous, but is spelled out in detail in HITECH’s regulations.

Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements that CEs have had to abide by. Before HITECH, a BA, such as an attorney reviewing the PHI of a CE, was required to sign an agreement promising to protect the PHI that they were accessing, but were not themselves regulated by HIPAA. Thus, BAs had only contractual liability to the CE if the BA violated the rules of the agreement. On the other hand, if a CE violated HIPAA, it was subject to specific penalties and fines by the government.

Under HITECH, BAs must now comply with much of the Privacy and Security Rule, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.

HITECH also offers other benefits, such as increased enforcement of violations, a strengthening of the requirement that only the minimum necessary information is disclosed to other CEs or BAs, a more thorough framework of accounting for uses and disclosures, as well as a certain prohibitions on the sale of PHI.

The last benefit of HITECH–the prohibition on the sale of PHI–is a perfect springboard for discussing the potential pitfalls of HITECH. The benefits of HITECH may well be sufficient to shore up HIPAA’s gaps when it comes to regulating CEs and BAs. However, as HITECH’s regulatory language makes clear, there remains a gaping hole:

(d) Prohibition on Sale of Electronic Health Records or Protected Health Information-

(1) IN GENERAL- Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization

The emphasis is added to underscore that PHRs are not included in this provision. There is no corresponding provisions in the FTC’s proposed regulations which concern breach notification. The upshot of this is that, as of the date of this posting, PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition, nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rule. Therefore, PHR vendors can use, disclose–and possibly even sell–an individual’s health information outside of the HIPAA and HITECH regulations. This problem underscores a larger issue: PHRs are not regulated by HIPAA, and only regulated by HITECH insofar as the FTC’s interim rule requires certain breach notification procedures. Read more

Tags: Add new tag, Electronic Medical Records, EMR, FTC, Google, Health Care Reform, Health Reform, HIPAA, Personal Health Records, PHR, Privacy, Proposed Legislation, The HITECH Act

Kaiser
The Commowealth Fund
- 100 Percent of Primary Care Doctors in Denmark Use Electronic Medical Records
  All primary care doctors in Denmark use electronic medical records and 98 percent have the ability to electronically manage patient care—including ordering prescriptions, drafting notes about patient visits, and sending appointment reminders. In addition, almost all medical communication between primary care doctors, specialists, and hospitals is electroni […]
- Widespread Adoption of Information Technology in Primary Care Physician Offices in Denmark: A Case Study
  Denmark is one of the world's leading countries in the use of health care technology. Virtually all Danish primary care physicians have electronic medical records with full clinical functionality.
- Measurement Framework: Evaluating Efficiency Across Patient-Focused Episodes of Care
  This consensus report lays the groundwork for a measurement framework that evaluates efficiency, and ultimately value, across patient-focused episodes of care. This framework will help key stakeholders move toward a high-performing healthcare system that is patient-centered, focused on quality, mindful of costs, and vigilant against waste.
- The Massachusetts Child Psychiatry Access Project: Supporting Mental Health Treatment in Primary Care
  Massachusetts has successfully demonstrated the Massachusetts Child Psychiatry Access Project, a program that provides timely telephonic psychiatric and clinical guidance to primary care providers treating children with mental health problems. This study looks into the development and implementation of the project.
- Improving Asthma Outcomes in Minority Children: A Randomized, Controlled Trial of Parent Mentors
  This article looks an experimental program in Milwaukee that uses trained parent mentors to help other parents care for their young child's asthma.
RWJF Health Reform News
- Democrats Pare Differences Over Health Overhaul
  Top Democrats say they are resolving disputes over President Barack Obama's health overhaul plan, but they face decisions on subsidizing coverage and are still hunting votes to push the vast package through Congress.
- Democrats Move To Grouping Key Bills
  Democratic leaders said Thursday that they were increasingly inclined to release a final health-care bill that could accomplish two of President Obama's top domestic priorities: guaranteeing coverage to 30 million uninsured Americans and vastly expanding federal aid for college students.
- Democrats Struggle to Finish Health Bill
  House and Senate Democratic leaders struggled Thursday to stitch together pieces of a final health care bill as rank-and-file Democrats demanded more information about the contents of the bill and its cost.
- GOP Tactic in Ads: Scare Thy Rival
  With a final vote drawing near on President Barack Obama's health-care overhaul, Republicans' latest strategy can be neatly summarized: try to scare the daylights out of House Democrats.
- More Health Costs Could Shift to Workers
  Most big employers plan to shift a larger share of health-care costs to their workers next year, according to a survey released Thursday.
NY Times Health Policy
- Dysport Takes On Botox With Aggressive Rebates
  Medicis has started a new marketing campaign that pits its wrinkle-smoother, Dysport, directly against Botox. It makes bioethicists squirm.
- Democrats Struggle to Finish Health Bill
  Rank-and-file House Democrats were frustrated, saying they had received few details about what would be in the legislation.
- Obama Gets Tough on Health Care Fraud
  The president said he would unleash auditors in a crackdown on Medicare and Medicaid waste and fraud, a move to please both liberals and conservatives.
- National Briefing | South: Virginia: Opting to Refuse Health Overhaul
  The state legislature approved a measure that bucks any effort by President Obama and Congress to carry out a national health care overhaul in individual states.
- Parliamentary Hurdle Could Thwart Latest Health Care Overhaul Strategy
  As Democrats considered potential maneuvers, business groups announced plans for a campaign to stop the legislation.
WaPo Health
- A few setbacks and changes in routine to lose 10 pounds
  Me Minus 10 got off to a rocky start two weeks ago: No sooner had I pledged to lose 10 pounds than I got, first, a GI-tract malady and then a wicked head cold (both now resolved). Neither helped me mentally or physically. Nor did learning, upon purchase of a new scale, that I have 12, not 10 poun...
- On health-care reform, Republicans target Democrats' division over reconciliation
  As Republicans work to prevent a health-care bill from reaching President Obama, they are scrambling to exploit divisions between Democrats in the House and the Senate.
- Book review: 'We've Got Issues: Children and Parents in the Age of Medication,' by Judith Warner
  Instead of an epidemic of over-treatment, Warner describes an epidemic of under-treatment of children with mental illness.
- A patient's death prompts a doctor to assess 'Do Not Resuscitate' orders
  The emergency department is always noisy, but sudden screams from a staffer still get attention. The triage nurse is yelling, "Not breathing, had vitals at triage and just croaked," as she runs toward us pushing a wheelchair. In it, a pale, thin man is slumped over and looking gray. I'm the atten...
- Despite what you may have heard, there's no boom in deafness
  When I was growing up, one of my mother's favorite admonitions -- along with "If you keep making that face, it's going to freeze that way" and "Don't sit too close to the television or you're going to need glasses" -- was the classic "Turn that music down, or you'll go deaf."
Boston Globe Health Blog
- Today's Globe
  President Obama?s demand to delete "special deals" in the health care package would eliminate $500 million in extra Medicaid cash for Massachusetts, but Bay State lawmakers say they are confident the state would recoup that and probably more once negotiations...
- State regulators to consider revamp of health insurance rule
  State regulators today said that they will likely overhaul the complex formula they use to determine how many Massachusetts residents face a tax penalty for not having health insurance because spiraling costs are making coverage unaffordable for too many people.The...
- Today's Globe
  In just two years, spending on MRIs, mammograms, and other imaging tests climbed by at least $214 million in Massachusetts, helping to fuel a dramatic rise in the cost of outpatient hospital care.A bill that would ban the sale of...
- Broad Institute director shares prestigious medicine prize
  By Carolyn Y. Johnson, Globe Staff Eric S. Lander, founding director of the Broad Institute of MIT and Harvard, is one of three winners of the Albany Medical Center Prize in Biomedical Research, a $500,000 prize awarded this year for...
- Today's Globe
  A group of Massachusetts mayors, fed up with what they say is legislative inaction on skyrocketing municipal health care costs, has launched a ballot initiative for 2012 aimed at giving cities and towns more flexibility in reducing expensive benefits for...
LA Times Health Blog
- The FDA requires a black-box warning on anti-clotting drug Plavix
  The Food and Drug Administration said Friday that it will require a new black-box warning on the label of the popular anti-clotting drug Plavix to indicate that some patients do not metabolize the drug properly and may receive little benefit...
- ABC News' '20/20' reports on Jani Schofield
  The June 29 L.A. Times story "Jani is at the mercy of her mind," touched off a long-running discussion among Times readers about the need for services for young children with severe mental illness and support for their families. Friday...
- Rodent of the Week: A new understanding of how prostate cancer treatment may backfire
  The very therapy used to treat prostate cancer patients in the early stage of the disease actually promotes the second, more deadly wave of the disease, according to a new study. Men with prostate cancer often take drugs to shut...
Health Affairs Blog
- Rising Individual Market Premiums: Two Competing Narratives
  Anthem Blue Cross of California, the largest health insurance company in California, recently announced plans to increase insurance premiums by as much as 39 percent for people insured in their non-group health insurance plans. This dramatic and unprecedented premium increase has received substantial media attention as well as scrutiny and ire from policymak […]
- Gregg: Use Medicare Cuts To Plug Budget Gap
  Democratic proposals to cut Medicare spending are good policy, said New Hampshire Senator Judd Gregg, the senior Republican on the Senate Budget Committee, at a Health Affairs Media Breakfast this morning. The problem, according to Gregg, is that Democrats want to use the money saved to fund new benefits under health reform legislation, rather than [...]
- Radiation Hazards Illustrate Need For Industry-Wide Safety Response
  Editor’s Note: In addition to Peter Pronovost (photo and biography above), authors of this post include Julius Pham, Assistant Professor, Emergency Medicine, Johns Hopkins University School of Medicine; Sara Singer, Assistant Professor, Harvard School of Public Health, Department of Health Policy and Management, Massachusetts General Hospital; Jerod Loeb […]
- Shock Me, Tube Me, Line Me: An ER Doc Reassesses DNRs
  In “Shock Me, Tube Me, Line Me,” a Narrative Matters essay in the February 2010 issue of Health Affairs, emergency physician Boris Veysman sets forth his own version of an advance directive and challenges common perceptions about care at the end of life. An excerpted version of Veysman’s essay appears in today’s Washington Post Health [...]
- Death Of A Sales Job (A Three Act Ploy)
  With apologies to Arthur Miller … President Obama went back before the cameras again Wednesday, providing yet another recycling of fading rationales for his health reform product that more voters would rather leave on the Capitol Hill store shelves than purchase. But “attention must be paid” whenever the president speaks. He tried to claim t […]
Tags
CEO Compensation Chronic Conditions CMS Cost Control Drug & Device Drug and Device Elderly Electronic Medical Records EMR FDA Fraud and Abuse Government Agencies Governmental Reports Health Care Health Care Reform Health IT Health Law Health Policy Community Health Reform HHS Hospital Finances Industry Sources Lobbyist Max Baucus Medicaid Medical Device Medical Journals Medicare National Newspapers & Media Obama Obama Administration Pharma Physician Compensation Prescription Drugs preventive care Private Insurance Proposed Legislation Public Option Public Plan Quality Improvement Seton Hall Law State Initiatives Think Tanks Tim Greaney Uninsured
Meta

Acronym

Phrase

General Definition (see 160.103 for regulatory language)

PHI

Protected Health Information

Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, provision of healthcare to the individual, or the payment for the healthcare of that individual.

CE

Covered Entity

BA

Business Associate

Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI.

EHR

Electronic Health Record

An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc.

PHR

Personal Health Record

An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault

d

Recent Posts

Best of Blogosphere

Best of Journals

Best of Magazines

Best of Newspapers

Blogs of Note

Health Reform Plans

News Sources

Resources

Scholarship

Wordpress

Categories

Tags

Meta

General Definition
(see 160.103 for regulatory language)