Recent progress toward developing electronic medical records and personal health records has generated an enormous amount of debate about whether new privacy and security rules are necessary for this new electronic environment. Aside from the almost constant release of "policy" perspectives on these issues (by groups including the Markle Foundation, the Center for Democracy and Technology and the Confidentiality, Privacy and Security Work Group that I chair), business developments in the personal health records marketplace (intensified by the recent release of the Google Health personal health record system) have focused attention on the critical balance between health care benefits promised by electronic records and related privacy and security concerns. This debate over privacy and security has focused on (1) new players in this environment that are not "covered entities" under the HIPAA rules and (2) whether the new environment inherently changes the dynamics of the health information marketplace so that the current rules (primarily HIPAA and a wide range of applicable state laws) are not sufficient.

Now, in the context of pending legislation designed to encourage the use of health information technology, we are starting to see the first concrete proposals for developing new privacy rules. While some of these ideas advance the ongoing debate, others suggest a disturbing trend toward ad hoc piecemeal revisions to the mainstream health care privacy rules. The debate about new privacy rules clearly needs to take place, but tampering with the HIPAA environment in a piecemeal manner is not the most effective way to solve whatever problems may exist within this new environment. Moreover, these amendments use the opportunity of legislation affecting electronic health records to propose changes that are essentially unrelated to the main issues targeted by the legislation. In addition, several proposals reflect virtually no understanding of the currently applicable HIPAA principles, and contemplate changes that are either unnecessary, entirely duplicative or virtually incomprehensible.

The Wired for Health Care Quality Act

The legislation at issue—the Wired for Health Care Quality Act, S. 1693, sponsored by Senator Edward Kennedy (D-MA)—seeks to "enhance the adoption of a nationwide interoperable health information technology system and to improve the quality and reduce the costs of health care in the United States." The bill was cleared by the Senate Health, Education, Labor and Pensions Committee almost a year ago, but has been held up by Senator Patrick Leahy (D-VT), Chair of the Judiciary Committee, due to his concerns about the appropriateness of the privacy protections in the bill. Now, recent reports indicate that new language, drafted by Senator Leahy, has been agreed to by the key Senators involved in this debate, allowing this legislation to move forward in the Senate. Moreover, additional public reports now suggest that these proposals will be subject to hearings in the near future, followed by consideration on the Senate floor. (Obviously, Senator Kennedy's recently diagnosed illness creates a wild card further clouding predictions about this legislation.)

HHS Secretary Responsibilities

The proposal includes a number of areas where the Health and Human Services (HHS) Secretary would be required to take specific actions or make recommendations to Congress about future changes.

First, the bill would require the Secretary of HHS to develop "recommendations for privacy and security protections for personal health records." Essentially, the proposal defines personal health care records (PHRs) to mean health care records "primarily intended to be used or managed by or for the benefit of the individual," which are offered by an entity that is not a covered entity under the HIPAA rules. This proposal—while challenging for the HHS Secretary—reflects the consistent concern that PHRs often are offered to consumers by entities that are not covered by HIPAA (such as Google, Microsoft, WebMD and Revolution Health), therefore raising the possibility that there are no privacy and security "rules" that must be followed by these companies in offering personal health records to individual consumers. (Presumably, the privacy promises made by these entities can be enforced by the Federal Trade Commission.) This proposal is consistent with recommendations made by the HHS Confidentiality, Privacy and Security Work Group and the National Committee on Vital and Health Statistics, both of which have recognized the "gaps" in the current regulatory structure for these entities.

Second, the proposal also would require the HHS Secretary to develop a "model summary notice of privacy practices" for all notices that are provided under the HIPAA Privacy Rule. Apparently, Senator Leahy's view is that the HIPAA Privacy Rule causes covered entities to produce notices that are difficult for consumers to understand, and that a mandated summary would be useful.

Third, perhaps as a means of strengthening the overall HIPAA enforcement approach, the HHS Secretary would be required to submit a report to Congress each year concerning the enforcement actions taken by HHS in connection with the HIPAA Privacy Rule, detailing specific steps taken in response to complaints. As a corollary to this report, the proposed legislation also requires the GAO to conduct a study on the effectiveness of HHS' efforts to enforce the HIPAA rules.

Broader HIPAA Changes

Beyond this set of HHS obligations, the legislation also would make several changes to the general HIPAA Privacy Rule. While perhaps none of these changes is by itself particularly significant, these proposals both have little to do with the control issues addressed by the Wired for Health Care Quality Act and reflect an unfortunate tendency to make ad hoc tweaks to the Privacy Rule, without consideration of the broader health care privacy context. They also reflect a disturbing lack of knowledge about the HIPAA Privacy Rule itself.

"Authorizations" and Marketing

The most publicized provision of the legislation has involved a modest proposed change to the marketing provisions of the HIPAA Privacy Rule. While "marketing" concerns drive a lot of the HIPAA commentary by "privacy advocates," marketing has not been a topic that has generated a significant number of complaints to the HHS Office of Civil Rights. Nonetheless, without much explanation, the proposal would modify the definitions under the marketing provisions to require HIPAA patient "authorizations" in certain situations where they are not required today. Specifically, the language requires an authorization in connection with "an arrangement whereby a covered entity, in exchange for direct or indirect remuneration, makes a communication to an individual to recommend or direct value-added health-related products or services not directly related to that individual's health." The Leahy press release on this topic stated that this provision was designed to "eliminate loopholes under the HIPAA Privacy Rule that currently allow certain healthcare providers to use or disclose patient health records for marketing purposes."

While the language of the legislation is somewhat ambiguous, it is clear that the actual wording is both unnecessary in some circumstances and confusing. For example, the Privacy Rule today permits the use of patient information to send marketing communications about certain "value-added" and "health-related" services, without the need for patient permission. If the communication is about a product or service that is not "health-related," the Privacy Rule today requires an authorization. So, the legislative language about "not directly related to that individual's health" is unnecessary, unless the language is somehow drawing a puzzling distinction between "health-related" and "directly related to an individual's health." For the remainder of the language, it is hard to tell how the change responds to the concern expressed by Senator Leahy. Today, a health care provider, for example, can send a communication to a patient offering a "value-added" health-related product or service. To qualify, the "value-added" must be something that is of specific value to an individual as a patient of the provider. Therefore, if doctors are giving medical advice on obesity, and have negotiated a special rate at a fitness center or diet clinic for their patients, the doctors are allowed to communicate that opportunity to the patients. A doctor is not permitted to hand a list of patients over to the fitness center so that the fitness center can do its own marketing. Here, under this proposal, if there is some "remuneration" to the provider (such as the fitness center paying for the doctor's mailing), the patient would have to give authorization before such a communication can be made. While it is clear that this language would restrict some communications that can be made today, it is hard to identify a strong public policy basis for restricting these particular communications.

Three other significant changes to the HIPAA Privacy Rule are being proposed. First, in connection with the HIPAA "access" right, where individuals can request copies of their health care records, the proposal requires that, for electronic records, HIPAA-covered entities must make this information available electronically and in an electronic form.

Vendor Contracts

Next, in connection with a section entitled "transparency," the bill requires HIPAA "covered entities," when contracting with a vendor that is not covered by the HIPAA Privacy Rule, whether "offshore" or not, to:

  • Take reasonable steps to select and retain third-party service providers capable of maintaining appropriate safeguards for the security, privacy and integrity of protected health information; and
  • Require by contract that such service providers implement and maintain appropriate measures designed to meet the requirements (imposed on covered entities).

While some legitimate questions have been raised about offshore service providers, it is hard to read this language and believe that the drafters have taken into account the existing HIPAA business associate provisions. Arguably, there is no "due diligence" obligation imposed by HIPAA. But how is it possible that new legislation would be needed to "require by contract" appropriate privacy protections for vendors, when the HIPAA Privacy Rule already imposes this exact obligation (with significantly more detail) on covered entities when vendors are hired today? Moreover, the legislation then requires the HHS Secretary to "ensure that there is an effective means for enforcing the obligation . . . on any overseas service providers or other providers" not covered by HIPAA, without giving the Secretary any tools whatsoever to do this. This language ignores (or forgets? or never understood?) that the HHS Secretary in fact has no enforcement jurisdiction whatsoever over any business associate, regardless of where the business associate is located, because of the limited jurisdictional reach of the HIPAA rules. Instead, the only option available to the Secretary is to impose enforcement risk on the covered entities if they fail to execute the appropriate contract.

Notification Standards

Last, the legislation requires the HHS Secretary to develop standards for notification of individuals in the event that their protected health information has been "lost, stolen, corrupted, used or otherwise transmitted for an unauthorized purpose." Essentially, this language seems to "punt" the notification issue to HHS, much as Congress did with the HIPAA rule itself, because Congress has been unable to agree on a federal security breach notification measure. Moreover, while there has been an ongoing debate in Congress about what kinds of "harms" require notice, this legislation gives no instructions to HHS about whether it should be evaluating only the "identity theft" harms that are the subject of most consumer notification laws today, or whether Congress envisions a broader set of potential harms where notice would be required.

Conclusions

On the whole, while the development and expansion of electronic health care records raises a variety of important privacy and security issues, this proposed legislation is a poorly-thought-out and largely misdirected effort. Apart from the fundamentally flawed nature of much of its language, this proposal starts a disturbing trend of dealing with these issues on an ad hoc basis, requiring covered entities and others to engage in a perhaps endless series of adjustments to their ongoing privacy practices. Congress and the patients of this country would be much better served by a well-thought-out set of reforms designed to respond to specific concerns raised by this new health care environment.

For further information on some of the key privacy and security issues raised by electronic health care records, please see Nahra, "How Health Information Exchange Is Driving a New Health Care Privacy Debate," published in BNA's Privacy & Security Law Report (May 26, 2008).