There was pushback on privacy and patient consent at Friday's Health IT Policy Committee meeting—specifically on the work still under way by the committee's privacy and security work group, or tiger team.
Don't go further than HIPAA: FAH exec
"The federation has concerns with some of the discussions that are taking place in the tiger team that may be outside of the scope of HIPAA," Samantha Burch, director
healthcare policy and research for the Federation of American Hospitals, said during the public-comment portion of the meeting.
The Health Insurance Portability and Accountability Act of 1996 is the primary federal law regulating the privacy and security of personally identifiable patient information. Burch reminded committee members that patient consent was not required for treatment, payment and other healthcare operations—terms defined under HIPAA.
The federation's concern, Burch said, was whether the tiger team was seeking to use the meaningful-use criteria and the incentive and eventual penalty provisions of the health IT incentive program created under the American Recovery and Reinvestment Act of 2009 to reopen and re-litigate settled consent policy.
"We're saying you shouldn't go further in the incentive program than what is required in the federal rule," Burch said.
Patient consent was required for treatment, payment and other healthcare operations in the initial privacy rule released by HHS in 2000, but consent was replaced in a 2002 HHS rewrite of the rule with "regulatory permission" for disclosure of patient information without consent.
The 2002 revision has remained controversial between privacy advocates and proponents of the secondary use of patient information, with some questioning whether HIPAA remains adequate for privacy protection in the Internet age.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.