[Med-privacy] debate
peter marshall
pwm@comcast.net
Thu, 6 Sep 2007 14:43:20 -0700
The Health Care Privacy Debate Heats Up
By Kirk J. Nahra
September 2007 | Privacy in Focus
While Congress and many others continue to discuss whether the current enforcement approach to health care privacy is appropriate, a broader debate is emerging about the suitability of the existing privacy rules in today's evolving health care information environment. Several key recent developments make this debate more interesting and more active—leading to the realistic possibility that new privacy rules for the health care industry (and for many others who use health care information) will be imposed in the near future. Key questions will be whether any new rules target unregulated participants in emerging health information exchange systems or whether changes will seek to further regulate the entire health care industry.
Electronic Health Information Exchanges Drive the Debate
Much of the current debate is being driven by the development of local, state, regional and perhaps national health information exchanges. The Bush administration's push to develop a fully interoperable health information exchange by the year 2014 is focusing attention on whether this new integrated environment requires a new set of health care privacy rules—at least for this setting. While many groups and entities are examining the privacy and security issues presented by health information exchanges, two groups stand out—each having issued important recommendations.
The AHIC Confidentiality, Privacy and Security Workgroup
The Confidentiality, Privacy and Security Workgroup of the American Health Information Community (AHIC) is one of the potentially influential groups dealing with health information exchange privacy and security issues. AHIC is a federal advisory body chartered in 2005 to make recommendations to the Secretary of Health and Human Services on how to accelerate the development and adoption of health information technology. The workgroup was formed in May 2006; its members include representatives of both public and private entities. I chair this workgroup. We are tasked with making recommendations for privacy and security rules in this integrated environment. Recently, the CPS Workgroup issued two key recommendations that relate to how these rules should move forward.
The first recommendation, adopted by AHIC in its June 12, 2007 meeting, provides that:
All persons and entities, excluding consumers, that participate directly in, or comprise, an electronic health information exchange network, through which individually identifiable health information is stored, compiled, transmitted, modified, or accessed should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements.
This recommendation focuses on one of the key differences between this health information exchange environment and the original HIPAA environment, a recognition that significant participants in health information exchanges are not covered, either not at all or not appropriately, by the current HIPAA rules. Primarily, this recommendation would have an impact on:
• Health care providers who are not covered entities because they do not bill electronically for their services;
• Personal health records providers who provide services directly to patients, and therefore typically are not covered by the HIPAA rules at all; and
• Regional Health Information Organizations (RHIOs) and other "networks" that play a central role in these efforts, and typically are, at most, considered "business associates" under the HIPAA rules.
Our workgroup was concerned that these players are central to the operation of health information exchanges, and are important elements of emerging health information technologies, but, due to the odd quirks in how the HIPAA rules were adopted (focusing on health care portability and electronic transactions), are not subject to the existing privacy and security rules. This recommendation is designed to bring within the regulated community such participants in the exchange of health care information.
Our second recent recommendation was designed to create a "level playing field" for all participants in these exchanges. The recommendation is as follows:
Furthermore, any person or entity that functions as a Business Associate (as described in 45 CFR §160.103) and participates directly in, or comprises, an electronic health information exchange network should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements, independent of those established by contractual arrangements (such as a Business Associate Agreement as provided for in HIPAA).
This recommendation would convert all of these participants into directly regulated "covered entities." Our workgroup believed that different enforcement standards (e.g., potential civil and criminal fines vs. breach of contract) were not appropriate, and that all participants in these exchanges should face the same rules and enforcement possibilities. This suggestion is clearly not an attack on the HIPAA requirements themselves (although some workgroup members believe HIPAA doesn't work appropriately). Instead, this recommendation recognizes that neither "industry standards" nor "best practices" nor voluntary compliance are sufficient. This is not a recommendation to turn all HIPAA business associates into covered entities—our recommendation relates only to entities that participate directly in health information exchange networks, and would not affect the multitudes of entities that provide services to health care companies without participating in these networks.
This approved CPS Workgroup recommendation also is only a first step—next we will be tackling two additional issues. First, we will be looking at what constitutes a "relevant" HIPAA requirement for particular "direct participants" in a health information exchange network. Clearly, some persons or entities may have an appropriate reason for not needing to meet a particular requirement. The most obvious example involves the information exchange networks themselves, which typically have no relationship with an individual patient and therefore (such as health care clearinghouses under the current HIPAA rules) have little reason to provide a privacy notice directly to individuals.
Second, we will be looking at what, if any, additional confidentiality, privacy or security protections may be needed beyond those already contained in the HIPAA Privacy and Security Rules. Simply translated, our question will be, "Is the HIPAA standard 'good enough' in this context?" We will be focusing our attention on whether today's environment for these information exchanges is materially different from the "HIPAA environment" (recognizing the difficulties posed by determining exactly what the HIPAA environment is) to justify new rules for these health information exchanges.
National Committee on Vital and Health Statistics
Following closely on the heels of the CPS Workgroup recommendations, the National Committee on Vital and Health Statistics issued its own set of recommendations, on a generally similar topic. The NCVHS recommendations focused on both the HIPAA standards and the scope of coverage under the HIPAA rules.
NCVHS raised "a significant concern . . . that many of the new entities essential to the operation of the Nationwide Health Information Network (NHIN) fall outside HIPAA's statutory definition of 'covered entity.'" These include a wide variety of entities that may or may not be business associates (along with a wide range of non-covered health care providers). NCVHS concluded that "business associate arrangements are not sufficiently robust to protect the privacy and security of all individually identifiable health information." Accordingly, the NCVHS made the following recommendation (which is entirely consistent with the CPS Workgroup recommendation):
HHS and the Congress should move expeditiously to establish laws and regulations that will ensure that all entities that create, compile, store, transmit or use personally identifiable health information are covered by a federal privacy law. This is necessary to assure the public that the NHIN, and all of its components, are deserving of their trust.
Accordingly, the workgroup and NCVHS recommendations, taken together, raise the need for the integrated health information exchange community to develop new privacy and security laws that ensure that the full range of entities participating in these networks all face the same rules concerning their use and disclosure of health information. These recommendations recognize certain changes in the health care landscape arising from these integrated networks, and the necessity of ensuring that health care information is protected by a uniform standard, without some of the artificial lines drawn by the current HIPAA rules.
Potential New Legislation
The next key development, however, takes the concepts embodied in these recommendations to a far broader level. Specifically, Senators Kennedy (D-MA) and Leahy (D-VT) have introduced new legislation (S. 1814) designed to revamp, almost from scratch, the entire landscape of health care privacy laws. The bill responds to the premise that "fear of a loss of privacy cannot be allowed to deter Americans from seeking medical treatment." Without any particular focus on health information exchanges, this proposal virtually tosses out the HIPAA rules, in favor of a far more restrictive regulatory structure with significantly enhanced risks and penalties for health care companies.
Among the most substantial components of the Kennedy-Leahy bill are:
• Elimination of the Office of Civil Rights as an enforcement agency, in favor of a new Office of Health Information Privacy;
• Creation of an extensive new notice requirement, including a new variety of "opt-out" rights;
• Requirement that companies publicly identify their agents and subcontractors;
• Creation of new "informed consent" procedures, even for treatment and payment uses and disclosures;
• Requirement for authorizations for a wide variety of other disclosures (where none is required today), particularly health care operations;
• Expansion of civil and criminal penalties;
• Authorization for enforcement by State attorneys general; and
• Creation of a private right of action for individuals.
This legislative proposal faces a significant uphill battle. While questions persist about the current enforcement approach to the health care privacy rules, no actual events have indicated a need for new regulatory requirements governing the wide range of practices covered by health care privacy rules today. In fact, particularly in the private sector, the health care privacy rules seem to be working remarkably well. While security breaches are a daily occurrence in many industries, the health care industry has faced only modest problems, almost all of them related to "security" rather than privacy, and most on a relatively small scale (other than the prominent breach concerning the federal Department of Veterans Affairs). Accordingly, the new proposed legislation presents the certainty of disrupting existing operations and creating enormous new costs for the health care industry, without any demonstrated problem that justifies forcing such change.
Conclusion
The renewed debate over health care privacy is just beginning. Clearly, a consensus is emerging that some new rules for the health information exchange environment are needed, mainly to ensure that all participants are subject to a consistent set of legal requirements. There is no consensus on whether these new rules should be tougher than HIPAA; moreover, no consensus whatsoever exists that the HIPAA rules are not "good enough" for the rest of the health care industry. No set of facts to date clearly demonstrates that companies currently covered by HIPAA are ignoring their responsibilities or that personal privacy in the health care environment is not appropriately protected. Accordingly, while the Kennedy-Leahy bill clearly signals the start of an important debate, it seems to be a significant overreaction that would create disruption and expense, without any clearly demonstrated need.