Evolving Privacy, Security Regulations Complicate Health IT

As authorities go back and forth on health IT regulations, organizations developing health information exchanges need to keep a close eye on the process.

Anthony Guerra, Contributor

September 24, 2010

The evolving patchwork of privacy and security regulations is making the difficult job of creating health information exchanges (HIEs) even tougher, according to a panel of experts at the New Jersey and Delaware Healthcare Information and Management Systems Society (HIMSS) fall event held this week in Atlantic City.

"Privacy and security laws are right now being reinvented, reinterpreted, stretched, morphed, and developed," said attorney Helen Oscislawski. Those changes are happening at the federal level, where the Department of Health and Human Services (HHS) HIT Policy Committee's Privacy and Security Tiger team is crafting recommendations that may appear in Stages 2 and 3 of meaningful use, as well as on state levels. "We are in the thick of it right now," she added.

The Tiger team is also looking at patient consent and de-identification of data, and will continue that examination through February, according to Lisa Gallagher, senior director, privacy and security at HIMSS. But despite the Tiger team's work, she said, the industry doesn't know much about what upcoming meaningful use stages will require.

In addition to watching Health Information Technology for Economic and Clinical Health (HITECH) related developments, HIE organizers need to monitor what HHS does around the breach notification final rule. Earlier this year, it pulled that rule back when privacy advocates balked at a "harm clause" which would have let healthcare providers determine if any harm had been caused to the affected party before disclosing a breach. Many healthcare organizations, concerned about "notification fatigue," had been in favor of the clause.

With the final rule pulled back from the review process, the interim final rule -- which includes the harm clause -- remains in effect until a new final rule is proffered, something Gallagher doesn't expect will happen before the November mid-term elections.

"We anticipate that more regulations around the final rule on breach notification will cause a lot of work," said Gallagher. "There will be a significant impact on healthcare organizations and HIEs."

She also warned providers that Congress is looking to ramp up enforcement of HIPAA violations by letting loose state attorneys general on offenders. The Office of Civil Rights, Gallagher said, is looking at compliance monitoring as well.

When it comes to reconciling federal and state law, Oscislawski said the federal government is "sticking to the position" that it will not make federal law override state law in situations where the state law offers greater patient protection. But, as with many privacy and security-related laws, she said, the exceptions are as important as the rules.

One particular exception allows two physicians treating the same patient to transmit data about that patient between them without first gaining consent. The Tiger team, Oscislawski said, is moving to a more stringent standard that could require consent in cases where PHI is stored in a "central repository" managed by a HIO-HIPAA business-associate agreement for other providers to access in the course of treatment. In such cases, it's possible the HIO and its participating providers may not be permitted to rely on the HIPAA Treatment exception. (Federated provider-to-provider data-exchange models would continue to enjoy the exemption.) "This could force in a backdoor way of reinventing healthcare’s workflow for centralized HIE models," she said.

Gallagher said recommendations by the Privacy and Security Tiger team would also place a new, and perhaps untenable, burden on physicians to educate patients about protected health information (PHI). "This would put the physician in the position of governing the consent process, so we really need to monitor the Tiger team and give them feedback. There are ways we can talk to them, even in addition to the public comment functions."

Those developing HIEs must be cognizant of all developments in this area, lest the model they create fail to qualify for meaningful use dollars because of a privacy or security violation. Panelists suggested the Office of the National Coordinator for Health Information Technology, HIMSS, and Markle Foundation as good resources for guidance.

Anthony Guerra is the founder and editor of healthsystemCIO.com, a site dedicated to serving the strategic information needs of healthcare CIOs.
