[Med-privacy] more re: Congress
peter marshall
pwm@comcast.net
Tue, 10 Feb 2009 15:07:48 -0800
Medical Privacy Moves Forward in Congress
=======================================================================
The House of Representatives recently adopted the American Recovery and
Reinvestment Act of 2009 which included strong privacy provisions for
the proposed medical health network under Subtitle D. The last
amended Senate version of the bill also included similar provisions. The
House Stimulus Bill amends the Public Health Service Act and the Social
Security Act by adding key definitions. Definitions of "breach,"
"personal health records" and "protected health information" were
clarified. Title 30 of the bill sets up the Office of the National
Coordinator for Health Information Technology with the Department of
Health and Human Services. The National Coordinator is to update the
existing Federal Health IT Strategic Plan to include specific objectives
and milestones.
These objectives include the incorporation of privacy and security
protections for the electronic exchange of an individual's identifiable
health information; implementation of security methods to ensure
appropriate authorization and electronic authentication of health
information; specifying technologies for rendering health information
unusable, unreadable, or indecipherable; and strategies to enhance the
use of health information technology in improving the quality of health
care.
The privacy protections also include timeliness and methods of breach
notifications; application of privacy provisions and penalties to
business associates of covered entities; and the restriction on the
sale of medical data. Periodic audits also ensure that covered entities
and business associates adhere to privacy requirements.
The bill mandates the National Coordinator to submit reports to the
legislature on various issues including additional funding or authority,
implementation and impact assessment. The bill also directs the
appointment of a Chief Privacy Officer of the Office of the National
Coordinator to advise on privacy, security, and data stewardship of
electronic health information and coordinate with other agencies and
their personnel.
The Health Information Technology Policy Committee is also established
by the bill to make policy recommendations to the National Coordinator
relating to the implementation of a nationwide health information
technology infrastructure permitting use and exchange of health
information. The Committee is charged with recommending where the
standards, specification and certifications are needed in the realm of
electronic exchange of health information. The areas the
Committee is required to consider include (1) technologies that
protect the medical privacy and promote security in electronic health
records; (2) a nationwide health information technology infrastructure
that allows accurate electronic exchange of medical information;
(3) the utilization of a certified electronic health record; and
(4) technologies that render medical information unusable, unreadable
or indecipherable to unauthorized individuals during network or
physical transmission.
The HIT Standards Committee, set up by the statute, is assigned the
task of recommending to the National Coordinator standards,
implementation specifications and certification criteria. The duties of
the Standards Committee include standards development, acting as a
forum, and provisions for public input. The HIT Standards Committee
recommendations will also have to be published. The bill also goes on
to apply the process of adoption of endorsed standards and specifically
exempts private entities.
Sections of the bill also mandate that agencies promoting quality and
efficient health care in Federal government or sponsored health care
programs agree that all health care providers and similar entities
utilize health information technology systems and meet the standards
and specifications adopted under the bill.
The American Recovery and Reinvestment Act of 2009 imposes the
condition that the funds can be appropriated only if the investments or
funds are for products permitting complete and accurate electronic
exchange and use of medical information including standards for
security, privacy, and quality improvement functions that have been
adopted by the Office of the National Coordinator. These provisions
have also been approved in the Senate. Patient Privacy Rights supported
the legislation.
The American Recovery and Reinvestment Act of 2009:
http://thomas.loc.gov/cgi-bin/bdquery/z?d111:h.r.00001:
Subtitle D - Privacy:
http://epic.org/privacy/pdf/subtitleDPrivacy.pdf
Encryption requirements under the statute:
http://epic.org/privacy/pdf/MarkeyAmendment.pdf
Patient Privacy Rights:
http://www.patientprivacyrights.org/
Senator Leahy's statement on medical privacy:
http://leahy.senate.gov/press/200901/012709a.html