We posted an overview earlier this week of the recent O'Neill Institute Legal Solutions in Health Reform symposium. Now we want to talk about the legal framework around health information technology.
The good news is that personal health information is becoming more accessible to patients and providers via technology. That's also the bad news. Americans are comfortable with credit card and banking information traveling in cyberspace, but they are anxious about medical information hackery and thievery. This fear is reinforced when they read, for instance, about hackers demanding ransom after they claim to have deleted millions of patient records used by pharmacists on a Virginia web site. Indeed, the new Health Information Czar himself, David Blumenthal, recently acknowledged that privacy remains an impediment. (Also, the FTC published its proposed rule on notification of breaches of electronic health information,
Enter the lawyers who wrote and commented on privacy for the O'Neill Institute Legal Solutions in Health Reform. At least they seem convinced that privacy protections can be put in place to quell fears so we can move on with adoption of health information technology systems.
Deven McGraw, author of the O'Neill paper, has been at the forefront of this issue for quite some time. At the forum, McGraw maintained that the HIPAA privacy rule goes a long way to protect health information. Rather than amending HIPAA, she called for more education about the law and much more vigorous enforcement. She was so pro-HIPAA that she suggested that the federal statute should preempt state privacy laws to reduce the confusion (even though state laws may be stricter) and remove legal obstacles at the state level to exchanging health information across state lines.
She did note that we do need to protect the privacy of personal health records, which are owned by patients and offered by entities that aren't covered under HIPAA. Instead of expanding HIPAA, though, she suggested that an agency, like the FTC, which already regulates personal health record companies, should take this on.
Purvee Kempf, majority counsel on the House Energy and Commerce Committee, agreed that we shouldn't expand HIPAA to cover non-HIPAA entities; that would raise all sorts of problems about their authority to use and disclose personal health information. But existing law does require a few tweaks to make clear what is OK and not OK. The American Recovery and Reinvestment Act (aka the stimulus package) did clarify some of the rules. For example:
NOT OK: Selling personal health information is illegal, as is using it for certain types of marketing and fundraising.
OK: Making an audit trail so that people can know where their health information is, and who sees it.
Kempf emphasized that patients expect providers to take care of their health information for them, so privacy safeguards should be built in, rather than having consumers "trigger" them. Kempf did disagree with McGraw about the state preemption issue, arguing that while state law variation can be administratively complex, it can also be tougher and that states often respond to breaches more quickly than the federal government.
Marcy Wilder, an attorney at Hogan & Hartson who played a major role in developing the HIPAA privacy rule in the Clinton Administration, noted that stakeholders are far more sophisticated today but it's still easier to talk about Health IT than to do it. She also thinks the privacy issue, for all the attention it gets, may be less of a barrier to wider Health IT adoption than the lack of a business case for providers, and the fact that we still don't have an interoperable system that's easy to use. There is no "I-pod" for e-prescribing and no "Amazon" for electronic medical records.
Wilder's solutions: First, keep it simple. HIPAA's original privacy rule, for instance—the Notice of Privacy Practices—was a good idea, but it reads like a mortgage document and is used mostly as a liability protection device. People should be able to understand the language.
Second, don't let the privacy debate obscure the goals of HIT: to decrease costs and improve the quality of health. Explore the ways that privacy rules DO prohibit the exchange of information, explore what types of uses are being inhibited. We should use de-identified personal health data when possible, but people say that data is never truly de-identified. So, now what? A more granular conversation is necessary.
Coming soon: does Congress have the Constitutional authority to force Americans to purchase insurance?