Is HIPAA enough?

The federally chartered Health IT Policy Committee met Friday, and a recording of the entire meeting is posted on HHS' website, so even if you missed the meeting, just click and you'll have it.

Samantha Burch, director of healthcare policy and research at the Federation of American Hospitals, spoke during the public comment period at the tail end of the meeting about the work of the committee's privacy and security tiger team. The tiger team is hustling to get its recommendations to the full Health IT Policy Committee, which advises the Office of the National Coordinator for Health Information Technology.

ONC, in turn, will no doubt advise HHS' Office for Civil Rights on changes to the privacy rule under the Health Insurance Portability and Accountability Act of 1996. The HIPAA amendments are in the Health Information Technology for Economic and Clinical Health (HITECH) section of the American Recovery and Reinvestment Act of 2009.

Burch said the federation was concerned about "discussions that are taking place in the tiger team about potential areas for recommendations that may be outside of the scope of the authority that was given to HHS by Congress in the HITECH law."

She cited an example: tiger team deliberations on "informed consent for treatment, payment and operations and other exchanges outside of HIPAA that seem to be on the table for potential recommendations."

"Consent was not required under HITECH, and it's not required for treatment, payments and other operations under HIPAA, so this is a concern," Burch said. "As you know, HIPAA was strengthened under HITECH, and rulemaking is under way by the Office for Civil Rights to implement those modifications, and we do not believe that meaningful use is the appropriate vehicle for rewriting HIPAA, which is already a stringent federal law that providers go to great lengths" to comply with, she added.

While I'm sure many providers are working to comply with HIPAA, its inherent stringency is in dispute.

Our story "Holes in the fence?" addresses privacy, consent and whether HIPAA is still up to the task of protecting the privacy and security of patient information in the Internet age. There were mixed opinions about the efficacy of HIPAA, particularly since the patient consent requirement for treatment, payment and operations (TPO) was stripped out by HHS rule makers in 2002.

Deven McGraw, chairwoman of the tiger team and a member of the Health IT Policy Committee, gets Burch's point—but only up to a point.

"I actually understand that healthcare organizations would prefer to have one set of privacy and security rules they have to abide with," McGraw said in a telephone interview. McGraw, a lawyer, is the director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank.

"They certainly have HIPAA already, but I think she was off base suggesting we were out of the bounds of our authority by looking to the levers of meaningful use to encourage providers" to improve their privacy and security efforts, McGraw said.