[Med-privacy] Improvements and Challenges in Health Privacy Law
peter marshall
pwm@comcast.net
Fri, 27 Mar 2009 11:50:05 -0700
A Briefing on Public Policy Issues Affecting Civil Liberties Online
from the Center for Democracy & Technology

This Policy Post is online: http://www.cdt.org/publications/policyposts/2009/2
Improvements and Challenges in Health Privacy Law

1) Recent Federal Legislation Makes Major Changes in Health Privacy Protection
2) New Law Expands Scope of Federal Health Privacy Protections, Adds New Rights
3) Enforcement Powers Strengthened
4) New Law Faces Implementation Challenges, and Gaps Remain in Health Privacy Protection
_______________________________________________
1) Recent Federal Legislation Makes Major Changes in Health Privacy Protection

The economic stimulus bill signed by President Obama on February 17 included provisions making significant improvements in federal health privacy law. The changes are complicated and incremental. They build on existing privacy and security rules issued under the Health Insurance Portability and Accountability Act (HIPAA). The new protections do not constitute the comprehensive framework that CDT has recommended, but they take positive steps in that direction. CDT will be working with policymakers and interested stakeholders to ensure that the changes are implemented in a way that helps break the privacy logjam that has impeded progress on health IT. We will also continue to work to fill the gaps in the health privacy framework.

The stimulus bill is officially known as the American Recovery and Reinvestment Act of 2009 (ARRA). Title 13 of that legislation, the Health Information Technology or HITECH section, includes $19 billion in funding to support adoption of electronic health records and development of the National Health Information Network begun under the previous administration.

Survey data shows that Americans are well aware of and eager to reap the benefits of information technology as applied to healthcare (HIT). A large majority of the public wants electronic access to their personal health information - both for themselves and for their health care providers - because they believe such access is likely to increase their quality of care.

At the same time, however, people have significant concerns about the privacy of their medical records, posing the risk that people will not trust, and therefore will not use, electronic health records systems if they do not protect privacy and security. These concerns are well founded. As the repeated reports of both small-scale browsing and large-scale breaches demonstrate, serious vulnerabilities exist now and could grow with the increasing flow of data.

The HIPAA privacy and security regulations that took effect in 2003 were a landmark, but they fell far short of providing adequate protection either in the traditional healthcare arena or for the rapidly evolving e-health environment. In the past year, CDT's Health Privacy Project has both outlined a comprehensive health privacy framework and recommended incremental legislative improvements that would move the nation closer to that framework. ARRA incorporates many of CDT's suggestions.

Govtrack.gov online access to privacy provisions in ARRA:
http://is.gd/pg9c

CDT has prepared a detailed memo analyzing ARRA's health privacy provisions:
http://www.cdt.org/healthprivacy/20090324_ARRAPrivacy.pdf

"Comprehensive Privacy and Security: Critical for Health Information Technology," CDT (May 2008):
http://www.cdt.org/healthprivacy/20080514Hpframe.pdf
______________________________________________________
2) New Law Expands Scope of Federal Health Privacy Protections, Adds New Rights

ARRA includes a number of provisions expanding or clarifying the scope of federal health privacy law.

One important set of changes concerns what are known as "business associates." Under HIPAA, "business associates" contract with HIPAA covered entities to perform particular services or functions on their behalf using protected health information. Before ARRA, business associates were not directly covered by HIPAA and instead were obligated to comply with privacy rules only to the extent required in their contracts with covered entities. Federal authorities could not hold business associates accountable for failure to comply with their contracts and could hold covered entities liable for the actions of their contractors only in limited circumstances.

ARRA makes a major change in the treatment of such "business associates." Under ARRA, business associates must abide by nearly all of the HIPAA regulations on data security (Section 13401); must directly comply with all of the new privacy provisions enacted in ARRA (Section 13404); and can be held directly accountable for failure to comply with any HIPAA Privacy Rule provisions made applicable through their contracts with covered entities (Section 13404).

ARRA also made it clear that HIPAA applies to new forms of organizations that facilitate exchange of personal health information among covered entities. Prior to ARRA, these state and regional health information organizations or health information exchanges (also known as RHIOs or HIEs) might not have been covered by HIPAA privacy and security regulations. ARRA made it clear that RHIOs and HIEs are to be treated as business associates under HIPAA (Section 13408). As a result, those entities are now required to directly comply with key HIPAA regulatory provisions.

ARRA also improved the rights of individuals to find out who has obtained copies of their records. The HIPAA Privacy Rule has always included the right to request an "accounting of disclosures" of one's identifiable health information going back for a period of six years prior to the date of the request. The right, however, was limited prior to the passage of ARRA, since it excluded disclosures for treatment, payment and health care operations. ARRA changed the federal rule on accounting for disclosures, requiring a covered entity that maintains electronic health records to account for disclosures for purposes of treatment, payment and business operations for three years prior to the date of the request (Section 13405). This provision will apply to both covered entities and business associates - which means it will apply to electronic health information networks like RHIOs and HIEs as well. Although this provision will not go into effect until a technical standard and regulations have been adopted to properly implement it, it represents a major change in the transparency of health data uses and flows.

ARRA also established, for the first time under federal law, very strong "breach notification" standards, requiring custodians of health data to notify individuals when their health records are lost or stolen. ARRA's national breach notification requirement applies to HIPAA-covered entities, vendors of personal health records services (PHRs) and the third-party applications that are offered to PHR account holders on vendors' web sites (Sections 13402 and 13407).
____________________________________________________
3) Enforcement Powers Strengthened

In the past, there was very little enforcement of HIPAA. The Office for Civil Rights within HHS, charged with enforcing the HIPAA privacy regulations, had not levied a single penalty against a HIPAA-covered entity in the nearly five years since the rules were implemented, even though that office found numerous violations of the rules. The Justice Department had levied some penalties under the criminal provisions of the statute, but a 2005 DOJ opinion said that the criminal provisions applied only to covered entities, not to individual employees who improperly accessed, used or disclosed a patient's protected health information.

In ARRA, Congress took a number of steps to strengthen HIPAA enforcement (Sections 13409-13411):

* ARRA expressly authorizes state attorneys general to enforce HIPAA through civil enforcement actions.

* Business associates are now directly responsible for complying with key HIPAA privacy and security provisions and can be held directly accountable for any failure to comply.

* Civil penalties for HIPAA violations were significantly increased. Under ARRA, fines of up to $50,000 per violation (with a maximum of $1.5 million annually for repeated violations of the same requirement) can now be imposed.

* HHS is required to impose civil monetary penalties in circumstances where it finds that a HIPAA violation was willful.

* The criminal provisions were expressly made applicable to individuals.

* The HHS Secretary is now required to conduct periodic audits for compliance with the HIPAA Privacy and Security Rules.
______________________________________________________________
4) New Law Faces Implementation Challenges, and Gaps Remain in Health Privacy Protection

Moving forward to ensure comprehensive protection of health privacy will require a new commitment to enforcement, which has been lacking for far too long, and carefully crafted regulations and other guidance to flesh out statutory requirements. Several of ARRA's key provisions require rulemaking by the Secretary of HHS to specify details. Successful implementation of the new federal rules will also require industry initiative, standards activity, and legislative oversight. The Act creates two advisory committees, one on policy and one on standards, to advise the Secretary on implementation issues. And, of course, allocating the $19 billion in HIT funding and spending it wisely will require careful attention.

In addition, further legislative improvements will be needed to keep pace with changes in technology and business models. There remain significant gaps in privacy protection. For example, while ARRA's extension of key protections to health information exchanges is important, federal law does not give patients the right to control whether or not their information is exchanged through networks like HIEs or RHIOs in the first place. CDT has concluded that, so long as the business model and future direction of most RHIOs and HIE networks remain uncertain, patients should have the protection of an opt-in standard for inclusion of their information in such networks.

In addition, ARRA does not establish privacy rules for personal health records (PHRs) and other Internet-based services that operate outside the traditional healthcare structure. In CDT's view, it is not sufficient to merely extend HIPAA to PHRs. Instead, rules need to be crafted that are tailored to the unique issues posed by patient-controlled records. ARRA requires HHS to work with the Federal Trade Commission (FTC) and report to Congress on privacy and security protections that should apply to PHRs. This report, which must be submitted no later than February 17, 2010, must also consider which agency is best equipped to enforce the recommended protections and a timetable for further regulation.

Also, as amended by ARRA, HIPAA still does not include a private right of action, leaving individuals dependent on government authorities to vindicate their rights under HIPAA.

Another issue that was not fully resolved in ARRA is the use of data for marketing, which is a major area of consumer concern. ARRA did attempt to close a "loophole" in the HIPAA Privacy Rule that allowed for personal information to be used without individual authorization to send health-related marketing communications paid for by outside entities like pharmaceutical companies and device manufacturers. Under ARRA, health-related communications sent by physicians, hospitals, health plans and pharmacies that are paid for by outside companies are considered to be marketing and require individual authorization. However, ARRA still allows payments for communications where the communication itself falls within HIPAA's broad definition of "treatment" or where the communication is about a prescription the individual is currently taking (as long as the amount paid for that communication is "reasonable"). There is considerable confusion about the scope of these exceptions, or what constitutes a "reasonable" level of external sponsorship. To ensure individuals are adequately protected against having their personal health information used for marketing purposes without their authorization, HHS will need to clarify these issues in regulation, and further action from Congress may be needed.
Policy Post 15.2 Copyright 2009 Center for Democracy and Technology