[Med-privacy] legislation: privacy provisions

Marshall Peter pwm@comcast.net
Tue, 3 Feb 2009 12:36:44 -0800


Health Care Privacy Legislation Advancing Quickly—Companies Can Expect
Significant Changes to the Privacy Landscape
By Kirk J. Nahra
February 2009 | Privacy In Focus

The Obama Administration's broad-reaching economic stimulus legislation
includes an extensive series of new proposals to expand the reach of
electronic health records. As part of this package, the Administration
also has proposed sweeping changes to the overall health care privacy
structure. Many of these proposals have little or nothing to do
specifically with electronic records. Others appear to contradict (at
least in part) the idea of providing incentives to use electronic
health records, by creating new regulatory obligations for entities
that use them. Other provisions present the Department of Health and
Human Services (HHS) with a wide range of new rulemaking and guidance
obligations and challenges. Taken together, this package of proposals,
if enacted, would dramatically alter the overall health care privacy
landscape, for both health care companies and their business partners.

The Economic "Stimulus" Connection
The health care community has been moving on its own initiative towards
expanded use of electronic health care records, and a variety of new
businesses are entering the health care marketplace to provide
electronic health care services (including personal health records
provided directly to consumers). Simultaneously, Congress and various
regulatory agencies (along with numerous interest groups and other
advisory organizations) have been evaluating the need for new privacy
and security standards in this broader electronic environment. So far,
this debate has produced no consensus. Some groups believe strongly
that this electronic age is sufficiently new and different that
wide-ranging new privacy standards are needed. Some of these groups—as
well as other interest groups—are using this opportunity as an avenue
to revisit the Health Insurance Portability and Accountability Act
(HIPAA) Privacy and Security rules, independent of any impact from
electronic health records. Others are saying that this "new"
environment isn't really anything more than a broadening of current
operations that already are covered in full by the relevant rules.

The Obama Administration proposal tries to formalize and organize the
progress towards a broader range of electronic health records. The
Administration has made clear that an expanded use of electronic health
records is a key element both in stimulating the economy and improving
the overall health care system. For example, in a December 6, 2008
radio address, then President-elect Obama focused on the benefits to
the overall economy of electronic medical records and more efficient
health information technology. In this address, Obama said:

We must also ensure that our hospitals are connected to each other
through the Internet. That is why the economic recovery plan I'm
proposing will help modernize our health care system—and that won't
just save jobs; it will save lives. We will make sure that every
doctor's office and hospital in this country is using cutting-edge
technology and electronic medical records so that we can cut red tape,
prevent medical mistakes and help save billions of dollars each year.

(A transcript of this address is available at
http://change.gov/newsroom/entry/the_key_parts_of_the_jobs_plan/).

This idea was reiterated generally during the Inaugural Address, when
President Obama said, "We will restore science to its rightful place
and wield technology's wonders to raise health care's quality and lower
its costs."

With this idea taking a high priority in the early days of the new
Administration, the proposal focuses on four key elements:

     * Promotion of electronic health records through formalization of
the role of the Office of the National Coordinator for Health
Information Technology;
     * Creation of appropriate standards for health information
technology;
     * Grant and loan programs to encourage broader use of health
information technology; and
     * Medicare and Medicaid payment incentives for health care
providers to adopt electronic health records.

These four elements are designed, on both a short- and long-term basis,
to motivate health care providers to utilize electronic health records
and to ensure that the development and implementation of these records
proceeds in an efficient and organized fashion.

Privacy Provisions
While the goal of electronic records is to "cut red tape, prevent
medical mistakes and help save billions of dollars each year," there is
a substantial debate as to whether the privacy and security proposals
will benefit or impede achievement of these goals. In fact, The New
York Times reported that "President-elect Barack Obama's plan to link
up doctors and hospitals with new information technology, as part of an
ambitious job-creation program, is imperiled by a bitter, seemingly
intractable dispute over how to protect the privacy of electronic
medical records." See "Privacy Issue Complicates Push to Link Medical
Data," The New York Times (January 17, 2009), available at
www.nytimes.com/2009/01/18/us/politics/18health.html.

The Obama privacy proposals cover a wide range of topics. Several
proposals are linked to electronic health records, and impose specific
new or additional obligations if a business uses electronic records.
Many other proposals seemingly have nothing at all to do with
electronic health records, or no obvious connection to any specific
issue raised by these records. Still other proposals require HHS to
develop new rules or issue new studies about the impact of certain
activities on the overall health care privacy regime.

What Are the Key Proposals?

A Federal Breach Notification Proposal for the Health Care Industry
While Congress to date has been unable to agree on a general federal
standard for notification of security breaches, this health care
proposal creates a new notification standard for the health care
industry—whether the breach has anything to do with an electronic
health record or not. While there clearly are open questions, this
proposal is far broader than any relevant state notification law (by
applying to breaches involving any kind of personal information held by
health care companies), without including any "risk of harm" threshold.
Accordingly, this proposal (if enacted) will impose a more demanding
threshold for notification for health care companies than applies in
any other industry.

Expansion of Rules to Business Associates
Perhaps the broadest overall impact will flow from a series of
proposals that essentially extend full compliance responsibility for
the HIPAA Privacy and Security Rules to the business associate category
—all of the companies that provide services to the health care
industry. Today, these vendors must sign a contract with their health
care client that extends certain HIPAA provisions by contract to the
business associate. The new proposals will obligate these business
associates by law to follow all HIPAA provisions, rather than just the
handful that are required to be included within the business associate
contracts. Again, this provision seems to be unrelated (specifically)
to electronic health records. It clearly extends HIPAA coverage to all
business associates, whether they have anything to do with electronic
health records or not. While this proposal will create additional legal
obligations for these business associates, it also may create
significant inefficiencies by requiring that all current business
associate contracts (numbering in the tens of thousands across the
country) be renegotiated.

Restrictions on Sharing Health Care Information for Self-Pay Situations
One of the odder provisions permits individuals to request that their
health care provider not disclose information to an insurer for payment
or health care operations purposes if the patient has paid for the
service out of pocket. Again, this is not limited to any kind of
electronic health record. Moreover, this provision seems designed to
permit individuals to hide information from their insurer, which
appears to do little more than encourage or facilitate fraud or other
inappropriate activity by the patient.

"Limited Data Sets" and "Minimum Necessary"
A second peculiar provision involves a requirement for HIPAA-covered
entities to examine "to the extent practicable" whether a "limited data
set" can be used for the disclosure of health care information. A
limited data set is, essentially, health care information that has been
almost (but not quite) de-identified. The premise of the proposal—one
that is subject to substantial question—is that most disclosures of
health care information do not focus on any particular person or do not
have anything to do with treatment or payment of a particular
individual.

In addition, this provision reiterates that covered entities, if they
cannot use a "limited data set," must follow the "minimum necessary"
rule (which is already in place today). As a corollary, however, the
proposal requires HHS to develop minimum necessary guidance in the
future. The premise of this proposal seems to be that there is a "one
size fits all" "minimum necessary" standard that will be used for all
specific treatment or payment purposes, regardless of the situation or
the company involved. While it is very hard to see how this proposal
will work, HHS has 18 months from enactment of this proposal to
identify and create its guidance.

The Accounting Rule
One of the least-used provisions of the current HIPAA rule is the
individual right to an accounting—that is, to a listing of certain
identified disclosures of health care information. Across the country,
and across all sectors of the health care industry, few individuals
have taken advantage of this "individual right" created by the HIPAA
rule. The Obama proposal expands this right for individuals—and creates
new obligations for health care companies that use an electronic health
record. If a company uses an electronic health care record, it now will
have to track for accounting reasons all disclosures of information for
treatment, payment and health care operations purposes. This will be a
significant expansion of the overall burden on health care
companies—but only if they use an electronic health record. While the
proposal (in the standards section) seems to dictate that electronic
health records in the future have the technological capability to track
these disclosures, absent a clear match between these undeveloped and
future standards and this accounting obligation, this proposal could
create substantial new burdens for health care companies that adopt
electronic health records.

Access to Electronic Health Records Information
Like the accounting provision, the proposal also expands the individual
right of access, but again, only if the health care company uses an
electronic health record. While this access provision is more limited
and less burdensome than the accounting provision, it is another
example of imposing new obligations on companies that accept the
incentives to create and use electronic health records.

Health Care Operations
One of the key areas of concern for "privacy advocates" involves uses
and disclosures in the health care operations area. These
proposals—permitted under the HIPAA rule through implied
consent—typically involve the administrative operations of a health
care business. These operations cover a wide range of
activities—including quality control, licensing and credentialing,
underwriting, health care fraud investigations and others. There have
been a variety of provisions designed to restrict the health care
operations disclosures that can be made without consent. Some of the
previous proposals (from Congress in 2008) were much more severe than
the Administration's proposal. The current proposal permits a
rulemaking that could dramatically change the concept of health care
operations and require authorization (not consent, but the more formal
authorization process) for certain specified kinds of health care
operations. Again, this will be a significant challenge for HHS in the
rulemaking context, and is a proposal that could dramatically alter the
landscape for health care privacy. Moreover, again, this proposal has
nothing specifically to do with electronic health care records at all.

Marketing Provisions
The proposal also creates new restrictions on what are considered
"marketing" communications under the HIPAA Privacy Rule. For the most
part, this provision dictates that a health care company cannot make a
marketing communication where it receives "direct or indirect"
remuneration for the communication, absent specific authorization from
an individual. Because marketing communications are defined very
broadly (to include any communication that encourages a recipient to
purchase or use the product or service that is the subject of the
communication), there is a concern that the new restrictions will not
only affect true "marketing" communications, but also a variety of
other health-related communications that are designed to promote
wellness or other strong public policy goals.

Enforcement
There are significant changes to the overall enforcement environment
for the HIPAA Privacy and Security Rules. First, the provisions
increase substantially the penalties that are available to address
violations of the rules. Some of these new penalty amounts may be
provided as compensation to "harmed" individuals in the future. Second,
the proposal permits state Attorneys General (AGs) to enforce the
provisions of the HIPAA rules. While this enforcement is limited in
meaningful ways (mainly in terms of amounts that can be sought by the
state AGs), this approach creates realistic risks of differing
standards and inconsistent action across multiple states, under a
single set of federal rules. Third, the proposal permits new
enforcement against individuals employed by health care entities when
they violate the rules. This proposal "corrects" what many saw as an
oversight in the current process that made it difficult to prosecute
individuals.

Personal Health Records Issues
While there are various other provisions, the last important piece of
the proposal involves the one area where there are clear "gaps" in
today's structure—that is, in the rules related to certain entities
that provide personal health records to individuals, many of which are
not covered by specific health care privacy rules today. Unlike many of
the proposals discussed above, this "gap" is created (at least in part)
by developments in the industry related to certain kinds of electronic
records. However, while these entities are "more closely" linked to
electronic records than many of the other provisions, the Obama
proposal does not deal directly with these entities. Instead, it
essentially creates certain "temporary" standards for notifying
individuals in the event of a security breach affecting a personal
health record, and dictates a future rulemaking proceeding to define
the obligations that should be imposed on personal health records
vendors.

Conclusions
The Obama proposals create significant incentives for an expanded use
of electronic health records, as well as important new procedures that
will increase the likelihood that these records can be used to improve
health care and decrease costs. At the same time, however, many of the
privacy proposals are either counter-productive to achieving these
goals or impose new restrictions in areas having nothing to do with
electronic health records.

Because of the linkage between these privacy provisions and the
economic stimulus package, it is increasingly likely that there will be
a broad new set of health care privacy obligations in play in the near
future. Health care companies and their business partners will need to
begin evaluating the impact of these new proposals quickly. We can
expect that this evaluation will require an effort that, while not as
substantial as the full implementation of the HIPAA rules, still must
address significant new compliance obligations and operational changes
for most health care companies in the very near future, coupled with
the certainty of more aggressive enforcement.