The Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Act era began on February 17, 2010, with a whisper rather than a scream. For most in the health care industry, the date passed without any significant events or any particular consequence. Does this mean that this new era will be no different than the old? Presumably not, although the era is not off to a quick start. What should the health care industry and its business partners be watching in the months ahead?
Breach Notification Issues
One reason that the February date was not especially noticeable is that the biggest single element of the HITECH law, the breach notification provision, kicked in earlier, in September 2009. As of September, companies were obligated to provide notification to individuals in situations where there was a "significant risk of harm" as a result of a breach of unsecured information. The "enforcement" date for this regulation has now passed, and companies face enforcement if they fail to meet the obligations of the Rule. Companies have been struggling with these concepts since the issuance of the Interim Final Rule, and notifications and risk assessments have been taking place across the country. Moreover, the looming uncertainty over the fate of the Rule has created additional confusion as companies struggle to develop appropriate compliance policies.
The Department of Health and Human Services (HHS), which receives notifications in the event of large breaches involving more than 500 people, has posted on its website limited information about reported breaches. This list includes only the following information:
- The name of the Covered Entity involved in the breach;
- The relevant state(s) for that Covered Entity;
- The approximate number of individuals affected by the breach;
- The date of the breach;
- The "type" of breach (e.g., theft, unauthorized access, loss, other); and
- The "location" of the breached information (e.g., paper records, laptop, portable device).
The posted list includes 13 breaches that occurred in December, six breaches that occurred in January and six in February. HHS presumably will continue to update this information on a regular basis. While health care entities should review this list to evaluate whether it suggests risks that they can address in their overall security program, the limited information provided makes this listing an exceedingly limited resource, useful mostly as an educational tool.
Breaches will continue to be a source of significant confusion and concern for the health care industry. Companies are examining an enormous number of potential breaches, large and small, on a very regular basis. Companies will want to continue to improve their overall security practices, learn lessons from the mistakes and experiences of their peers and revise their ongoing risk assessment process to focus attention on those situations where there is a significant risk of harm to affected individuals.
The Lack of a New Rule
Another significant reason why the formal effective date was not especially important is the fact that HHS has (as of the date of this article) not yet issued the primary rule implementing the HITECH provisions. While HHS has issued "interim" rules on breach notification and enforcement, it has not issued a rule, or even a proposed rule, addressing the primary elements of the HITECH law.
In fact, HHS recently issued an "update" about its regulatory efforts, through a posting on its website, stating that:
- It will implement important privacy and security provisions of the HITECH Act through notice and comment rulemaking;
- It has identified the following topics as components of the Rule: business associate liability; new limitations on the sale of protected health information, marketing and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information;
- It has not provided any specifics as to when this Rule would be issued;
- It has indicated that the next step will be a proposed rule, with a notice and comment period, rather than an "interim final rule"; and
- It has hinted that the provisions addressed in this rule will not be effective or subject to mandatory compliance until a future date following the publication of the proposed rule (and presumably following the implementation of a final rule).
The effect of this pronouncement is to significantly delay the timeframe where the new details of the HITECH law will create enforceable obligations for the health care industry. This is obviously a "good news, bad news" situation. The good news is that enforcement by the Office of Civil Rights (OCR) of these new provisions likely is delayed for a significant period of time. However, this does not mean that OCR will not enforce other provisions that are already in effect, using the new enhanced penalties.
The bad news is more complicated. First, while the OCR has primary enforcement authority for HIPAA, it no longer has "exclusive" authority. Instead, the state attorneys general (AGs) now have clear and explicit authority to enforce HIPAA. Moreover, there is no obvious means by which these OCR delays can be imposed on state AGs, meaning that the AGs can act as they choose, based on their views of the provisions of the HITECH law. While the absence of regulations and delayed effective dates may be effective legal defenses, they may not be sufficient to stop a state AG from acting in the first place.
The second piece of "bad news" is that this ongoing uncertainty complicates the business environment for the health care industry (which obviously is facing more than its share of uncertainty these days). Because HHS has not issued a regulation on business associate contracts, companies are forced to enter into these contracts without guidance, meaning that negotiations can be quite complicated and companies cannot have confidence that they will not be forced or encouraged to revise these agreements again after the new rule is issued. On a broader basis, companies also face real challenges in meeting the obligations of the HITECH law, and in designing business processes to meet its requirements. The HITECH law clearly creates some new and significant obligations. It is quite risky for companies to simply "do nothing," awaiting future HHS guidance. Therefore, this extended delay creates a business risk for companies on many significant issues. Companies should be evaluating both what the law requires and where the regulations are likely to go, so that they can make wise business decisions in the months and years ahead.
Other Ongoing Developments
While these regulatory issues percolate, there is a parallel set of initiatives that likely will have a substantial impact on the overall field of health care privacy:
First, HHS recently held a two-day workshop related to the HIPAA "de-identification" standard. This meeting focused on the current standard, and on how developments in technology have affected the sufficiency of the rule. As a general matter, while some of the relevant "experts" believe that there are specific possibilities to "loosen" the standard to achieve important policy goals, many of the relevant witnesses focused on the perceived need to tighten this standard, given the technological changes that make it easier for information to be re-identified. The health care industry today uses and discloses de-identified information for a wide variety of purposes. Companies involved in this area will need to pay close attention to how this portion of the rule is modified (if at all) in the future.
Second, the movement towards "meaningful use" of electronic health records continues. Doctors and hospitals will be receiving billions of dollars over the next few years to implement systems of electronic health records. While many important questions remain unanswered, including whether these systems will "work" in any realistic way, the industry and regulators are focused on (a) developing appropriate standards that can be applied across the health care industry; (b) developing a process to evaluate and issue demands for payment; and (c) developing an ongoing plan to implement electronic health records across the country.
Third, and related in part to the expansion of electronic health records, the Office of the National Coordinator for Health Information Technology (ONC) continues to work on an overall plan for electronic health records across the country. ONC's work, beyond the basic incentive payments, is much more complicated. Its challenge is to capitalize on the opportunities presented by the implementation of electronic health records, by developing appropriate rules and policies for a national system to exchange these records. While there are certain benefits to simply having electronic health records, the primary potential benefits stem from the ability to exchange these records in ways that will meet the goals of this program. The challenge for ONC is whether it can develop rules, particularly rules related to privacy and security, that will maximize achievement of these goals, or ensure that these goals are met at all. ONC has promised to issue a report and recommendation on perhaps the most challenging component of this issue: the question of patient consent for participation in these records. If the goals of these exchanges are to reduce administrative costs, reduce medical errors, increase overall efficiency and permit increased reliance on these records, there is a significant concern that "expanded" patient consent rights will impede or prevent these goals from being achieved (e.g., if patients can pick and choose what goes into their records, will providers be able to rely on these records to make medical judgments?). While this technology presents great possibilities, even the possibility of better care at a cheaper cost, the entire health care industry and the population at large should be considering whether patient consent rules will reduce or eliminate many of these potential benefits.
Last, HHS also announced recently that it will host a conference on May 11-12, 2010, called "Safeguarding Health Information: Building Assurance through HIPAA Security." According to the press release, this conference "will provide a forum to discuss the current HIT security landscape, as well as practical strategies, tips, and techniques for implementing the requirements of the HIPAA Security Rule." Plenary sessions at the conference will include:
- Updates on OCR's administration and enforcement of the HIPAA Security Rule;
- Risk assessments and contingency planning;
- Logging and auditing in a health care context;
- Security of health devices, and security considerations for mobile/wireless technologies and new media in health care;
- Industry panels discussing breach notification rules; and
- The state of compliance with the Security Rule.
So, while we have not yet seen the full effects of the new HIPAA/HITECH era, this certainly is a complicated time for the health care industry, with significant ongoing challenges concerning privacy and security arising at the same time that the industry needs to meet the challenges of broader health care reform.
