A new Congress and a new president could mark a return to healthcare privacy protections rolled back by the Bush administration, with maybe a few new, more stringent federal protections added for good measure.
The economic stimulus legislation released last week by the House Ways and Means Committee is one harbinger of change. Another is the appointment by President Barack Obama of an Indiana University law professor, who is an outspoken critic of legal opinions by Bush administration lawyers, to a key position of legal adviser within the Justice Department.
According to news reports, Obama spent part of his first morning on the job huddled with economic and political advisers, going over plans to revive the flagging economy. Key elements of those plans will require federal legislation, with the 328-page Ways and Means draft of the American Recovery and Reinvestment Act of 2009, which includes provisions for revenue measures, unemployment and health, likely to serve as one of the foundational bills from which the final stimulus package will emerge.
The bill contains sections on federal support for the use of healthcare information technology as well as 51 pages on health information privacy.
To date, at least 43 states have followed the lead set by California in requiring that individuals be notified in the event their personally identifiable information (such as combinations of their name and date of birth, address and Social Security number) is released either by error or by a willful breach of record system security, according to a recent report funded by HHS on medical identity theft.
The Ways and Means bill would create a federal law requiring notification to occur within 60 days of discovery of a breach specifically related to health information. If a breach involves more than 500 residents of a state or jurisdiction, the local news media serving that area must be notified, and notice of the breach must be sent to the HHS secretary immediately. Breaches affecting fewer than 500 individuals must be logged by covered entities and reported to the secretary annually. Posting shall be delayed if a law enforcement official determines that notification would undermine a criminal investigation or might cause damage to national security.
Another section of the proposed law would create regional privacy education officers under HHS. It mandates that the Civil Rights Office at HHS must come up with a national privacy education program within one year of passage of the law. It also requires HHS to come up with guidance to healthcare data handlers on what forms of data encryption are most effective.
When the privacy rule to the Health Insurance Portability and Accountability Act was released by HHS in the waning days of the Clinton administration in late 2000, it contained the requirement that patient consent be obtained for the sharing of patient information for treatment, payment and other healthcare operations. But by 2002, HHS under then-Secretary Tommy Thompson issued a revision to the rule that privacy advocates say turned HIPAA on its head, granting the Bush administration's authorization for the sharing of protected health information for treatment, payment and even the broadly defined "other healthcare operations" without patient consent.
A section of the legislation apparently proposes to restore a form of the patient-consent requirement. A covered group must comply with a request not to disclose its PHI if the disclosure is to a health plan for purposes of carrying out payment or healthcare operations (and is not for purposes of carrying out treatment), or if the patient asks to restrict disclosure for a healthcare item or service and the provider has been paid out of pocket in full.
The proposed law also says an individual shall have the right to receive an accounting of disclosures of their protected healthcare information, or PHI, going back three years from the date of the request. The disclosure requirement, however, is limited to the covered organization or a business associate of a covered group, which, presumably, leaves the covered organization not liable to account for disclosures of a business associate of a business associate, for example.
The proposed law also attempts to address the confusion as to the scope of the HIPAA minimum necessary disclosure limit on the exchange of protected healthcare information by requiring HHS to issue an official guidance within 18 months of passage.
In addition, the proposed law also would prohibit the sale or receipt, directly or indirectly, of remuneration by a covered entity or the business associate of one, in exchange for electronic health records or PHI of an individual without that individual's authorization. Such authorization would specify whether the person's information could be resold. The provision appears to take dead aim at the shadowy practice of certain EHR system vendors of paying or otherwise compensating providers for the data obtained from their patients and reselling it to data-miners or other buyers.
Former Indiana University law professor Dawn Johnsen, who headed the Legal Counsel Office at the Justice Department for a portion of the Clinton years in the White House, is awaiting confirmation by the Senate for her appointment as deputy attorney general and the head of the legal office for Obama. Johnsen has been a strident critic of the office's operation under the Bush regime, and has specifically criticized the legal work of Steven Bradbury, acting head of the Legal Counsel Office during Bush's final years in office.
In the summer of 2005, Bradbury wrote in a legal opinion that criminal penalties under HIPAA applied only to covered entities. It came at a time when federal prosecutors already had obtained the convictions of two HIPAA violators, according to Justice Department sources, including the conviction and sentencing, with Justice Department fanfare, of Richard Gibson, a phlebotomist employed by a Seattle cancer hospital who purloined personal identifying information of a hospitalized cancer patient and used it to go on a shopping spree with fraudulently obtained credit cards in that patient's name. The Bradbury opinion may have let data-miners and other users, holders or transmitters of healthcare information, including, potentially, national intelligence services, off the legal hook.
Privacy advocate Pam Dixon said the pending legislation represents a step in the right direction and said she was specifically pleased with a section that could render at least a part of the Bradbury opinion moot without any need for revision by Johnsen.
"I think there is some good stuff in there," Dixon said. "That particular piece that nullifies that ridiculous Legal Counsel Office opinion, that part is good."
Well, it appears to do so at least in part. The pertinent language clarifies that the civil and criminal penalty provisions in the HIPAA statute, which call for prison sentences of up to five years for the most egregious violators, shall apply to the business associate of a covered organization in the same manner as to covered groups themselves. The legislation leaves intact the definition of a business associate, however, which doesn't solve the problem that, like covered organizations, most business associates are corporations, and a prosecutor can't put a corporation behind bars.
Whether any or all of the privacy provisions survive the sausage-making of the legislative process also remains to be seen.
Robert Tennant, senior policy adviser for the Medical Group Management Association, says the organization has submitted letters to key legislators opposing some of the proposed privacy changes that he says would represent onerous disincentives to health IT adoption.
One was the requirement to provide patients with an accounting of all disclosures of their protected health information.
"If you had an EHR, you would have to account for all disclosures for all payment, treatment and other healthcare operations," Tennant said. "Even in very sophisticated medical practices, they house the administrative and clinical data in different systems. It would be extremely costly to compile all this information, and there is the question of what value will this be to the patient. It would just cause a lot of burden."
The restoration of the patient-consent requirement is also problematic, Tennant said.
"The benchmarking, pay-for-performance, all those things would be put in jeopardy because you'd have to go back and get authorization from the patient. You can't just have a blanket disclosure; you'd have to go back and get the signature every single time. That can't be good for the patient."
"Obviously, we're strong proponents of privacy," Tennant said. "What we don't want is the regulations to be so onerous that it actually impedes the provision of patient care."