The Obama Administration's broad-reaching economic stimulus legislation includes an extensive series of new proposals to expand the reach of electronic health records. As part of this package, the Administration also has proposed sweeping changes to the overall health care privacy structure. Many of these proposals have little or nothing to do specifically with electronic records. Others appear to contradict (at least in part) the idea of providing incentives to use electronic health records, by creating new regulatory obligations for entities that use them. Other provisions present the Department of Health and Human Services (HHS) with a wide range of new rulemaking and guidance obligations and challenges. Taken together, this package of proposals, if enacted, would dramatically alter the overall health care privacy landscape, for both health care companies and their business partners.
The Economic "Stimulus" Connection
The health care community has been moving on its own initiative towards expanded use of electronic health care records, and a variety of new businesses are entering the health care marketplace to provide electronic health care services (including personal health records provided directly to consumers). Simultaneously, Congress and various regulatory agencies (along with numerous interest groups and other advisory organizations) have been evaluating the need for new privacy and security standards in this broader electronic environment. So far, this debate has produced no consensus. Some groups believe strongly that this electronic age is sufficiently new and different that wide-ranging new privacy standards are needed. Some of these groups—as well as other interest groups—are using this opportunity as an avenue to revisit the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules, independent of any impact from electronic health records. Others are saying that this "new" environment isn't really anything more than a broadening of current operations that already are covered in full by the relevant rules.
The Obama Administration proposal tries to formalize and organize the progress towards a broader range of electronic health records. The Administration has made clear that an expanded use of electronic health records is a key element both in stimulating the economy and improving the overall health care system. For example, in a December 6, 2008 radio address, then President-elect Obama focused on the benefits to the overall economy of electronic medical records and more efficient health information technology. In this address, Obama said:
We must also ensure that our hospitals are connected to each other through the Internet. That is why the economic recovery plan I'm proposing will help modernize our health care system—and that won't just save jobs; it will save lives. We will make sure that every doctor's office and hospital in this country is using cutting-edge technology and electronic medical records so that we can cut red tape, prevent medical mistakes and help save billions of dollars each year.
(A transcript of this address is available at http://change.gov/newsroom/entry/the_key_parts_of_the_jobs_plan/).
This idea was reiterated generally during the Inaugural Address, when President Obama said, "We will restore science to its rightful place and wield technology's wonders to raise health care's quality and lower its costs."
With this idea taking a high priority in the early days of the new Administration, the proposal focuses on four key elements:
- Promotion of electronic health records through formalization of the role of the Office of the National Coordinator for Health Information Technology;
- Creation of appropriate standards for health information technology;
- Grant and loan programs to encourage broader use of health information technology; and
- Medicare and Medicaid payment incentives for health care providers to adopt electronic health records.
These four elements are designed, on both a short-and long-term basis, to motivate health care providers to utilize electronic health records and to ensure that the development and implementation of these records proceeds in an efficient and organized fashion.
While the goal of electronic records is to "cut red tape, prevent medical mistakes and help save billions of dollars each year," there is a substantial debate as to whether the privacy and security proposals will benefit or impede achievement of these goals. In fact, The New York Times reported that "President-elect Barack Obama's plan to link up doctors and hospitals with new information technology, as part of an ambitious job-creation program, is imperiled by a bitter, seemingly intractable dispute over how to protect the privacy of electronic medical records." See "Privacy Issue Complicates Push to Link Medical Data," The New York Times (January 17, 2009), available at www.nytimes.com/2009/01/18/us/politics/18health.html.
The Obama privacy proposals cover a wide range of topics. Several proposals are linked to electronic health records, and impose specific new or additional obligations if a business uses electronic records. Many other proposals seemingly have nothing at all to do with electronic health records, or no obvious connection to any specific issue raised by these records. Still other proposals require HHS to develop new rules or issue new studies about the impact of certain activities on the overall health care privacy regime.
What Are the Key Proposals?
A Federal Breach Notification Proposal for the Health CareIndustry
While Congress to date has been unable to agree on a general federal standard for notification of security breaches, this health care proposal creates a new notification standard for the health care industry—whether the breach has anything to do with an electronic health record or not. While there clearly are open questions, this proposal is far broader than any relevant state notification law (by applying to breaches involving any kind of personal information held by health care companies), without including any "risk of harm" threshold. Accordingly, this proposal (if enacted) will impose a more demanding threshold for notification for health care companies than applies in any other industry.
Expansion of Rules to Business Associates
Perhaps the broadest overall impact will flow from a series of proposals that essentially extend full compliance responsibility for the HIPAA Privacy and Security Rules to the business associate category -- all of the companies that provide services to the health care industry. Today, these vendors must sign a contract with their health care client that extends certain HIPAA provisions by contract to the business associate. The new proposals will obligate these business associates by law to follow all HIPAA provisions, rather than just the handful that are required to be included within the business associate contracts. Again, this provision seems to be unrelated (specifically) to electronic health records. It clearly extends HIPAA coverage to all business associates, whether they have anything to do with electronic health records or not. While this proposal will create additional legal obligations for these business associates, it also may create significant inefficiencies by requiring that all current business associate contracts (numbering in the tens of thousands across the country) be renegotiated.
Restrictions on Sharing Health Care Information for Self-Pay Situations
One of the odder provisions permits individuals to request that their health care provider not disclose information to an insurer for payment or health care operations purposes if the patient has paid for the service out of pocket. Again, this is not limited to any kind of electronic health record. Moreover, this provision seems designed to permit individuals to hide information from their insurer, which appears to do little more than encourage or facilitate fraud or other inappropriate activity by the patient.
"Limited Data Sets" and "Minimum Necessary"
A second peculiar provision involves a requirement for HIPAA-covered entities to examine "to the extent practicable" whether a "limited data set" can be used for the disclosure of health care information. A limited data set is, essentially, health care information that has been almost (but not quite) de-identified. The premise of the proposal—one that is subject to substantial question—is that most disclosures of health care information do not focus on any particular person or do not have anything to do with treatment or payment of a particular individual.
In addition, this provision reiterates that covered entities, if they cannot use a "limited data set," must follow the "minimum necessary" rule (which is already in place today). As a corollary, however, the proposal requires HHS to develop minimum necessary guidance in the future. The premise of this proposal seems to be that there is a "one size fits all" "minimum necessary" standard that will be used for all specific treatment or payment purposes, regardless of the situation or the company involved. While it is very hard to see how this proposal will work, HHS has 18 months from enactment of this proposal to identify and create its guidance.
The Accounting Rule
One of the least-used provisions of the current HIPAA rule is the individual right to an accounting—that is, to a listing of certain identified disclosures of health care information. Across the country, and across all sectors of the health care industry, few individuals have taken advantage of this "individual right" created by the HIPAA rule. The Obama proposal expands this right for individuals—and creates new obligations for health care companies that use an electronic health record. If a company uses an electronic health care record, it now will have to track for accounting reasons all disclosures of information for treatment, payment and health care operations purposes. This will be a significant expansion of the overall burden on health care companies—but only if they use an electronic health record. While the proposal (in the standards section) seems to dictate that electronic health records in the future have the technological capability to track these disclosures, absent a clear match between these undeveloped and future standards and this accounting obligation, this proposal could create substantial new burdens for health care companies that adopt electronic health records.
Access to Electronic Health Records Information
Like the accounting provision, the proposal also expands the individual right of access, but again, only if the health care company uses an electronic health record. While this access provision is more limited and less burdensome than the accounting provision, it is another example of imposing new obligations on companies that accept the incentives to create and use electronic health records.
Health Care Operations
One of the key areas of concern for "privacy advocates" involves uses and disclosures in the health care operations area. These proposals—permitted under the HIPAA rule through implied consent—typically involve the administrative operations of a health care business. These operations cover a wide range of activities—including quality control, licensing and credentialing, underwriting, health care fraud investigations and others. There have been a variety of provisions designed to restrict the health care operations disclosures that can be made without consent. Some of the previous proposals (from Congress in 2008) were much more severe than the Administration's proposal. The current proposal permits a rulemaking that could dramatically change the concept of health care operations and require authorization (not consent, but the more formal authorization process) for certain specified kinds of health care operations. Again, this will be a significant challenge for HHS in the rulemaking context, and is a proposal that could dramatically alter the landscape for health care privacy. Moreover, again, this proposal has nothing specifically to do with electronic health care records at all.
The proposal also creates new restrictions on what are considered "marketing" communications under the HIPAA Privacy Rule. For the most part, this provision dictates that a health care company cannot make a marketing communication where it receives "direct or indirect" remuneration for the communication, absent specific authorization from an individual. Because marketing communications are defined very broadly (to include any communication that encourages a recipient to purchase or use the product or service that is the subject of the communication), there is a concern that the new restrictions will not only affect true "marketing" communications, but also a variety of other health-related communications that are designed to promote wellness or other strong public policy goals.
There are significant changes to the overall enforcement environment for the HIPAA Privacy and Security Rules. First, the provisions increase substantially the penalties that are available to address violations of the rules. Some of these new penalty amounts may be provided as compensation to "harmed" individuals in the future. Second, the proposal permits state Attorneys General (AGs) to enforce the provisions of the HIPAA rules. While this enforcement is limited in meaningful ways (mainly in terms of amounts that can be sought by the state AGs), this approach creates realistic risks of differing standards and inconsistent action across multiple states, under a single set of federal rules. Third, the proposal permits new enforcement against individuals employed by health care entities when they violate the rules. This proposal "corrects" what many saw as an oversight in the current process that made it difficult to prosecute individuals.
Personal Health Records Issues
While there are various other provisions, the last important piece of the proposal involves the one area where there are clear "gaps" in today's structure—that is, in the rules related to certain entities that provide personal health records to individuals, many of which are not covered by specific health care privacy rules today. Unlike many of the proposals discussed above, this "gap" is created (at least in part) by developments in the industry related to certain kinds of electronic records. However, while these entities are "more closely" linked to electronic records than many of the other provisions, the Obama proposal does not deal directly with these entities. Instead, it essentially creates certain "temporary" standards for notifying individuals in the event of a security breach affecting a personal health record, and dictates a future rulemaking proceeding to define the obligations that should be imposed on personal health records vendors.
The Obama proposals create significant incentives for an expanded use of electronic health records, as well as important new procedures that will increase the likelihood that these records can be used to improve health care and decrease costs. At the same time, however, many of the privacy proposals are either counter-productive to achieving these goals or impose new restrictions in areas having nothing to do with electronic health records.
Because of the linkage between these privacy provisions and the economic stimulus package, it is increasingly likely that there will be a broad new set of health care privacy obligations in play in the near future. Health care companies and their business partners will need to begin evaluating the impact of these new proposals quickly. We can expect that this evaluation will require an effort that, while not as substantial as the full implementation of the HIPAA rules, still must address significant new compliance obligations and operational changes for most health care companies in the very near future, coupled with the certainty of more aggressive enforcement.