Privacy rule exempts conduits: HHS lawyer
So-called “conduits” used to move electronic health records are not covered by the recently released federal privacy and security rule, according to an HHS privacy expert. And Google's and Microsoft Corp.'s personal health-record platforms may also be exempt, at least in terms of some of their current and future relationships with healthcare providers, according to the expert.
Adam Greene, a lawyer with HHS' Office for Civil Rights, gave an overview of the new rule July 9 at a meeting of the Privacy and Security Tiger Team of the Health IT Policy Committee.
The 234-page proposed rule, which fleshes out privacy and security provisions of the American Recovery and Reinvestment Act, was released by HHS on July 8. The Health IT Policy Committee, created under the stimulus law, was set up to provide advice to the Office of the National Coordinator for Health Information Technology at HHS.
Greene said organizations that act as “mere conduits” for the electronic transport of protected health information, or PHI—even if the data is not protected by encryption and even if the conduits have “random and infrequent access” to the contents of the medical records—would not be considered “business associates” of provider organizations, health plans or claims clearinghouses, which are so-called “covered entities.” Covered entities and, now, their business associates are subject to regulation under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
Greene did not specify which companies or organizations HHS deems to be conduits, but the new rule refers to an earlier Office for Civil Rights Web posting that defines them as “the U.S. Postal Service, certain private couriers and their electronic equivalents.” The government has previously sought to limit the liability of telecommunications companies by keeping them outside the scope of the HIPAA privacy rule.
Greene explained the new rule also addresses the stimulus law provision expanding HIPAA liability to all business associates, including those business associates of covered entities that contract with other business associates, which in turn contract with others in a chain of commercial relationships involving the possible exchange, use, retention and manipulation of medical records and data.
The duty to abide by HIPAA “continues to go down the chain as necessary,” Greene said.
Responsibility to patients, however, appears to be a weak link.
Tiger Team member Dixie Baker, a senior vice president and technical fellow at Science Applications International Corp., McLean, Va., a systems integrator and major defense and intelligence service IT contractor, asked what would be her recourse, as a patient, if “down three or four levels my PHI is sold and divulged to people inappropriately?”
“Do I go after the covered entity?” Baker asked. “Or business associate No. 1, or No. 2, 3 or 4?”
“Your recourse would be to file a complaint with” the Office for Civil Rights, which would investigate and determine whether the business associate involved violated the privacy rule, Greene said.
Potentially, he said, the noncompliant party could be fined $50,000 per violation or as much as $1.5 million for repeated violations. Also, under the new law, states' attorneys general can file HIPAA enforcement actions as well, Greene said.
However, since the privacy rule went into effect seven years ago, the Office for Civil Rights has received more than 53,000 privacy complaints. At last report, the Office for Civil Rights has yet to issue a single monetary penalty under the rule against a privacy violator.
The stimulus law also contains a provision seeking to extend HIPAA privacy-rule coverage to vendors of personal health-record systems as business associates of covered entities. But the language of the law says the covered entity must “offer a personal health record to patients as part of its electronic health record.”
Tiger Team member Micky Tripathi, president and CEO of the Massachusetts eHealth Collaborative, asked whether the rule applied to PHR platforms Google Health or HealthVault, developed by Microsoft.
“To the extent they're provided directly to individuals, they are neither covered entities nor business associates,” Greene said. But even if they have contracts with covered entities, they may be a business associate “in some respects, but not in others,” he said.
Greene was questioned further by Judith Faulkner, CEO of Epic Systems Corp., an EHR systems vendor based in Verona, Wis. Faulkner asked whether a covered entity with an EHR that works with one of the PHR vendors to develop interfaces for moving data between the two systems would thereby create a business-associate relationship.
“In a case like that,” Greene said, “we would need to see the facts of a particular situation” to determine to what extent they are acting on behalf of the covered entity. “We expect, especially as interoperability increases, the expectations would be your PHR is connected to your covered entity, but that would not mean that your PHR is acting on behalf of your covered entity.”