Overview
i Overview of the US healthcare system
The US healthcare industry remains at a crossroads. The healthcare reform legislation passed under President Barack Obama in 2010, officially called the Patient Protection and Affordable Care Act (ACA) but widely referred to in the United States as 'Obamacare', resulted in significant changes in the US healthcare system. These changes included a dramatic expansion in the number of insured patients, contributing to increased demand for services. Many of these newly insured are covered by the joint state-federal Medicaid programme, which generally covers low-income patients as an entitlement programme, and reimburses at the lowest rates in most markets. However, the ACA has created a number of challenges for the US healthcare system as well, owing to both increased demand driven by newly insured patients and a view by many providers that the rates paid by many payers for healthcare services are inadequate.
After four years of Donald J Trump as US President, the future of the US healthcare system remains uncertain. Trump, a Republican, campaigned on a promise to 'repeal and replace' the ACA legislation. Although his administration's efforts to completely repeal the law failed, his efforts significantly weakened the programme. Most significantly, the tax reform legislation passed at the end of 2017 repealed the 'individual mandate' to purchase health insurance, a cornerstone of the ACA (see Section II.iii). Most recently, in a US Supreme Court case (California v. Texas) the Trump administration argued that the ACA was only constitutional under the taxing power and that because the individual mandate was repealed, the entire legislation is invalid. However, the Court sidestepped the substance of this argument and instead held that the plaintiffs had no standing to bring the case because, as the tax was repealed, they lacked any type of injury.
Despite Trump and Republicans' attempt to weaken if not destroy the programme, the focus of US politics has shifted since the election of President Joe Biden in the 2020 presidential election. Biden was Vice President to Barack Obama, who signed the ACA into law, and has been a vocal supporter of the ACA since its inception. Biden's healthcare platform centres on protecting and expanding the ACA, particularly in furthering the ACA's goal of increasing access to health insurance and affordable healthcare. Biden's platform includes plans to create a public health insurance option like Medicare, provide families with premium tax credits to make coverage more affordable, and double down on high pharmaceutical prices. Within his first 100 days in office, Biden and his administration began rolling back certain Trump-era policies, such as Medicaid waivers granted to states intending to impose work requirements as a condition of Medicaid enrolment, the 'gag rule' restricting grantees of the Title X family planning programme from referring patients to abortion providers, and various restrictive methodologies and procedures of the insurance and exchange enrolment processes.
The debates over the US healthcare system have been further exacerbated by the 2020 coronavirus (covid-19) global pandemic, the greatest challenge the US healthcare system has faced in decades. The US quickly became the covid-19 capital of the world, with the most infected individuals and reported deaths of any country at the time of publication.2 In the US, the covid-19 pandemic took the largest toll on older Americans, resulting in a wave of infections and deaths in nursing homes and long-term care facilities across the country.3 While many dedicated healthcare providers, emergency service personnel, and essential workers quickly engaged in covid-19 relief efforts, the federal government failed to contain the pandemic, and left the 50 states to design their own strategies for containing the virus. State responses varied along political lines, with governors aligned with Trump following his lead of downplaying the virus, and those in 'blue states' adopting more restrictive policies of 'social distancing'.
The devastation from covid-19 is unmatched in the last century, and the federal government's failed response is easily comparable to the HIV/AIDS epidemic of the 1980s.4 At that time, President Ronald Reagan failed to take quick action to respond to the crisis, including failing to provide the Centers for Disease Control and Prevention (CDC), the federal agency charged with protecting the nation's health, with adequate funds to respond to the epidemic, and failing to publicly discuss the disease until four years after its emergence.5 Instead, President Reagan's Administration advanced a narrative of fear and divisiveness, laughing off AIDS as the 'gay plague' and causing Americans across the country to fear homosexual members of their communities.6
Trump's response to covid-19 is as disappointing as Reagan's treatment of the AIDS epidemic. Trump quickly branded covid-19 the 'China virus' and the more racist-termed 'Kung Flu', falsely claimed that the disease was under control in the US, refused to wear a protective facial covering, advocated for slowing testing down to reduce evidence of the prevalence of the virus, promoted public gatherings for his campaign and convention without social distancing, and failed to take a strong stance against states' decisions to reopen communities and businesses during the peak of the epidemic. The administrative agencies responding to the crisis under Trump's leadership failed to contain the virus. The CDC failed to take necessary measures to understand covid-19's spread by maintaining control of all diagnostic testing at a time when widespread testing was needed, and by developing faulty test kits.7 Moreover, Trump significantly restricted the CDC's capability to respond to a potential pandemic prior to the covid-19 outbreak by removing CDC officers who had been stationed in China, rendering the US response to covid-19 even more delayed.8
Since Biden has held the presidency, there has been a significant change in the response to the pandemic. In particular, the nationwide rollout of covid-19 vaccination programmes has resulted in decreases in the spread of covid-19 as well as its mortality rate, which has allowed most if not all states to relax restrictions and regain control of the outbreak. However, the full impact of the pandemic has yet to be determined.
Notwithstanding these challenges, prior to the covid-19 pandemic, the US healthcare system experienced a period of sustained growth of approximately 6 per cent per year over the past several years. The authors expect this pattern to resume once the pandemic is under control. This growth has been coupled with a trend towards consolidation in recent years, which has only intensified due to the increasing difficulty for independent hospitals and medical groups to survive. As a result of these trends, healthcare presents an attractive area for investment in the United States. This will further encourage consolidation, along with an increasing acceptance of for-profit buyers and investors by state regulators and local communities. Financial losses by hospitals in 2020 will accelerate this trend.
Another major trend in the US healthcare system is a drive towards value-based care and reducing costs in other ways. This has spurred the development of several alternative payment models, which intend to compensate providers based on the outcomes – or value – of the care they provide, rather than the volume of services. Government and private healthcare payers alike are increasingly turning towards these alternative payment models in an effort to reduce the overall costs associated with healthcare while improving the outcomes associated with such care. This trend has also resulted in increased scrutiny of certain aspects of the healthcare system that are some of the biggest cost drivers, such as drugs, and in novel ways of providing care, such as through telehealth services.
The following sections seek to put the larger healthcare services sector in the United States into context, focusing on these and other broad business and regulatory trends, while also understanding the organisational fundamentals.
ii Delivery of healthcare in the United States
Hospitals with inpatient, outpatient and diagnostic capacities are the 'work benches' for the delivery of healthcare in the United States, although the physicians and other professionals who treat patients there are critical parts of the care delivery system as well. Physicians are also sometimes referred to as the 'captains of the ship' in the hospital context, though other non-physician practitioners are gaining prominence in the institutional and community healthcare setting. Non-physician practitioners, sometimes called mid-level practitioners, include nurse practitioners, physician assistants, certified registered nurse anaesthetists, nurse midwives and others. These practitioners are licensed in their respective states by the state professional board, such as the medical board or the nursing board, or by the state department of health or another agency within the government.
To help ensure that patients are adequately protected from substandard care provided by deficient practitioners, hospitals and other healthcare facilities in the United States are required by law to perform 'peer review' and 'quality assurance' activities. Compliance with specific procedures required by these laws qualifies the organisation and its physicians who participate in peer review for immunity from liability under antitrust and certain other laws. Physicians and other practitioners who are disciplined and do not prevail in their hearings are listed on a nationwide databank that warns other institutions and prospective employers regarding a practitioner's professional shortcomings.
However, there is a growing trend towards services provided in other care settings, coupled with a drive towards lower costs. This has spurred on the presence and success of telehealth services, which may offer increased efficiency and also lower the total cost of care. These trends came into sharp relief in 2020 with the covid-19 pandemic pushing hospital capacities to care for infected patients, with some hospitals entirely full of covid-19 infected patients. Patients seeking care for other diagnoses turned quickly to alternative care models such as telehealth, or went without care entirely.
iii Payment for healthcare services
Healthcare services in the United States are paid for primarily by (1) government programmes such as Medicare and Medicaid and (2) private insurance organisations. These public and private organisations are collectively known as 'third-party payers' or simply 'payers'. Most third-party payer arrangements have some element of 'managed care', which means that care is provided subject to utilisation review, such as primary care physicians acting as gatekeepers to specialists. Managed care plans typically enter into contracts with providers to provide services at a discounted rate, sometimes in exchange for an expectation of increased volume from the payer. Government and private healthcare payers alike in the United States are increasingly focused on the value of services, which has contributed to the rapid expansion of alternative payment models that offer incentives to providers for better care outcomes, and in some cases penalise poor outcomes through reduced payments.
iv Regulation of healthcare
Because the government spends so much on Medicare, Medicaid and other programmes, it has taken aim at fraud and abuse and made concerted efforts to reduce provider misconduct and to recover funds inappropriately paid by these programmes. This regulation is carried out by a number of regulatory bodies. At the federal level, most laws affecting the structure and payment of healthcare are promulgated by the Centers for Medicare and Medicaid Services (CMS). The CMS is a division of the Department of Health and Human Services (HHS), which has a separate oversight arm – the Office of Inspector General (OIG). (Many state and federal agencies have inspectors general to oversee the operations and fight fraud within the agencies.)9 The OIG fights fraud, abuse and other forms of waste in government healthcare programmes and provides oversight by carrying out audits, investigations, and evaluations and develops resources for the healthcare industry.
At the state level, state government agencies oversee issues such as Medicaid rules and payment requirements along with provider licensing, and often also enforce state-level versions of some of the major federal compliance rules and regulations. This two-tiered structure creates a complicated patchwork of healthcare laws, often with significant variations among the 50 states and the District of Columbia.
The healthcare economy
i General
The US healthcare industry is one of the most closely watched and fastest growing sectors of the nation's economy. There are many stakeholders in the US healthcare system, many of which have dramatically differing interests. These include, but are not limited to:
- enterprises that operate hospitals and health systems;
- manufacturers and developers of medical devices, pharmaceuticals and other biotechnology products;
- academic institutions that provide care while training healthcare professionals;
- information technology firms, construction companies and other infrastructure providers;
- insurance companies, self-insured employers and other third-party payers;
- labour unions representing the employees of healthcare organisations;
- medical entrepreneurs and investors (including private equity and venture capital) who finance the healthcare system;
- healthcare trade associations;
- patient advocates and special interest healthcare advocacy organisations; and
- patients and their families.
In addition, there is substantial government involvement in healthcare in the United States, with the government serving as a major payer, as well as a provider and regulator in various parts of the market.
ii The role of health insurance
Most medically necessary healthcare services in the United States are paid for by government or private third-party payers, including insurance companies, self-insured employer plans, health maintenance organisations (HMOs), Medicare and Medicaid, Tri-Care, the Veterans Administration and workers' compensation programmes. Most third-party payer arrangements are either managed care indemnity arrangements or involve monthly pre-payments known as 'capitation'. Private third-party payers are heavily regulated by state insurance commissioners, or the United States Department of Labor with respect to employer-sponsored plans, known as ERISA plans (short for the Employee Retirement Income Security Act).
Medicare and Medicaid
The two major government healthcare payment programmes in the United States are Medicare and Medicaid. Medicare is a federal programme that primarily provides coverage for individuals who are age 65 and over, disabled or have end-stage renal disease. Medicare is currently the largest (in total dollars) federal healthcare programme, providing health insurance for the elderly and certain other individuals. Medicare offers a number of payment arrangements, including traditional indemnity fee-for-service coverage (Traditional Medicare) and Medicare HMOs, known as Medicare Advantage plans. Medicare beneficiaries may choose between the two types of plans.
Under Traditional Medicare, inpatient services for most hospitals (i.e., other than 'excluded hospitals' that have special status under the law because of their specific types of service, such as cancer care) are reimbursed under the Inpatient Prospective Payment System (IPPS). Under the IPPS, hospitals are paid a prospectively determined case rate based on the patient's diagnosis – a diagnosis-related group (DRG). There are certain add-on payments to the DRG, such as 'outlier' cases, where the patient requires medically necessary hospital services for a longer time than is normally the case. Provider-based hospital outpatient services under Traditional Medicare are reimbursed under the outpatient prospective payment system (OPPS), which is also based on a prospectively determined case rate. Outpatient services that are not 'provider-based' are reimbursed under the Medicare Physician Fee Schedule or the ambulatory surgical centre payment rules, which are less generous than the provider-based rules, discussed further below.
Some outpatient procedures can either be performed (1) outside and independent of a hospital (e.g., in a freestanding clinic or physician's office) and are reimbursed under the Medicare Physician Fee Schedule; or (2) in a hospital-affiliated and hospital-operated site included on the hospital's licence and generally referred to as 'provider-based'. Reimbursement for provider-based facilities under the OPPS methodology is generally higher than comparable rates for the same procedures if performed in a freestanding facility under the Physician Fee Schedule. However, to qualify for provider-based reimbursement, the outpatient site must meet a number of requirements, some of which are somewhat onerous.10 A hospital that operates a surgery centre also has the option of operating that facility as provider-based, thereby permitting use of the OPPS payment structure.
A significant change in Medicare policy affecting outpatient services was implemented through Section 603 of the Bipartisan Budget Act of 2015, capping the ability of hospitals to add new off-campus outpatient departments and have them reimbursed under the favourable OPPS rates. Unless grandfathered or meeting limited exceptions, these new off-campus facilities are reimbursed at lower, freestanding rates (site-neutral rates). CMS decreased the outpatient hospital rates subject to Section 603 to 40 per cent of the current OPPS rates, a major hardship for land-locked hospitals or those in communities with changing demographics and geographies, and further expanded 'site-neutrality' rate cuts for all off-campus hospital departments. Site neutrality has been embraced by private payers and state Medicaid programmes; however, site neutrality has faced significant opposition, particularly from the American Hospital Association (AHA), which has legally challenged these rules. Initially, the AHA was successful, as courts held that HHS exceeded its statutory authority, but in December 2019, the same judge from previous cases allowed site neutrality policy to move forward in CMS's 2020 payment structure, clarifying that the earlier decisions applied to 2019 payments only. In November 2019, CMS issued a Final Rule (that was reissued with a correction in January 2020) that included site-neutral payment policy, and the Supreme Court declined to take up the lawsuit – effectively ending the dispute.11
Medicaid is a joint state and federal programme traditionally for certain indigent or impoverished individuals who are aged, blind or disabled, or members of indigent families with dependent children that meet income and resource standards set by the state Medicaid agency. Medicaid today covers more individuals than Medicare, making it the largest single payment system in the United States, in terms of persons served.12 The federal government contributes roughly half of the reimbursement for the Medicaid programmes, though some US states with struggling economies receive higher reimbursement than others. Although the rates payable by Medicaid in most states are notoriously low (some falling short of the provider's costs), the rates will be increased for a number of years under the ACA, possibly making the programme more attractive for primary care physicians and others who are either in scarce supply or simply do not wish to treat these low-income patients.
Under the ACA, the rules governing Medicaid eligibility were substantially relaxed, thereby making it possible for millions of additional Americans to qualify for the programme even though they do not meet these traditional criteria. While the Trump administration attempted to roll back some of these protections by allowing states to pursue demonstration projects that impose work requirements as part of their Medicaid plan, the Biden administration has since sent letters to all states with work requirements to begin withdrawing the waivers that these states relied on.
Commercial and private insurance
HMOs and preferred provider organisations
Although there remain some 'pure indemnity' arrangements (wherein the beneficiary is reimbursed for all healthcare expenses he or she incurred regardless of the provider who rendered the care), most third-party payer arrangements involve some element of managed care, meaning that the healthcare services are provided subject to utilisation review procedures such as a primary care physician serving as a 'gatekeeper' for specialists, and typically create certain constraints on the beneficiary's choice of provider, usually as a result of network or panel arrangements established by the payer.
There are two primary types of managed care arrangements: HMOs and preferred provider organisations (PPOs). An HMO typically requires the beneficiaries or members to exclusively use providers that have signed a contract with the HMO to receive a discounted or capitated amount for its services. The HMO will not pay for services provided by a non-contracted provider except when the services were performed in an emergency or the HMO does not have a needed specialist in its contracted network.
PPOs are delivery systems wherein the plan assembles a contracted provider network from which the member can receive care on a discounted fee-for-service basis; however, the beneficiary also has the option of going outside the network if he or she is willing to shoulder a greater share of the cost of care, typically in the form of a higher co-payment. There are also 'point-of-service' (POS) plans, which are a hybrid of an HMO and a PPO. Under a POS plan, the member usually receives capitated care but has the option of receiving care from a non-contracted out-of-network provider if he or she is willing to pay a substantial portion of the provider's fee-for-service charges.
Consumer-driven health plans
An increasingly popular type of insurance arrangement combines a 'high deductible health plan' with a 'health savings account' (HSA). The HSA is similar to an individual retirement account in that it permits individuals to save, on a tax-sheltered basis, through the establishment of a special account. The member funds the HSA with up to the maximum permitted by law (US$3,600 for an individual and US$7,200 for a family in 2021; US$3,650 for an individual and US$7,300 for a family in 2022).13 Those funds can only be used to pay for healthcare items and services that would be deductible under federal tax rules if incurred by a taxpayer, as well as to pay down the deductible until the funds in the HSA are exhausted. The beneficiary must exhaust the high deductible in the health plan and spend down the HSA before receiving the full benefit of the health plan's coverage. Unused HSA funds are carried forward to the next year. These are sometimes called consumer-driven health plans because the beneficiary controls the expenditure of his or her healthcare dollars to a much greater extent than under a traditional plan. To the extent that those providers include domestic or overseas providers, these consumer-driven plans may be a catalyst for the growth of overseas medicine in the United States. Patient advocates are concerned that high deductible plans, coupled with insufficiently funded HSAs, have caused a spike in consumer bankruptcy filings. Indeed, many view medical debt as one of the leading causes of personal bankruptcy in the United States.
iii Funding and payment for specific services
Healthcare reform, including the ACA and any new healthcare legislation that may ultimately be passed under a Republican-controlled Senate, has had and will continue to have a major impact on healthcare delivery and expenditures. The ACA's overarching objective was to expand coverage to 31 million uninsured Americans, primarily through the individual mandate, employer mandate, expansion of Medicaid and establishment of subsidies (i.e., tax credits) to purchase plans in the health insurance marketplace established by each participating state, or by the federal government. The law establishes a minimum of 10 categories of 'essential health benefits' for plans: (1) ambulatory patient services; (2) emergency services; (3) hospitalisation; (4) maternity and newborn care; (5) mental health and substance use disorder services, including behavioural health treatment; (6) prescription drugs; (7) rehabilitative and habilitative services and devices; (8) laboratory services; (9) preventive and wellness services and chronic disease management; and (10) paediatric services, including oral and vision care. However, other types of healthcare services for adults, such as dental care and vision care, are typically paid for by individuals personally or through other types of private insurance plans that cover such services.
However, with the passage of the Tax Cuts and Jobs Act, which was signed into law by Trump on 22 December 2017, the individual mandate was repealed effective in 2019. The mandate, which subjects individuals without health insurance coverage to tax penalties (US$695 or 2.5 per cent of household income, whichever is greater), has long been seen as a cornerstone of the ACA, as the expanded coverage provisions of the programme are subsidised by requiring all individuals to pay into the system. Despite the perception that the mandate is essential to the functioning of ACA, health coverage held relatively steady in 2019 even after the mandate was repealed, suggesting it may not be as essential as originally thought.14
Another important development includes the introduction of alternative healthcare plans into the US healthcare market. As background, the ACA prohibits a health plan from establishing limits on the dollar value of these essential health benefits. It requires the plans to provide coverage for and to all individuals, and prohibits cost-sharing requirements for certain preventive services and immunisations. Further, it requires health plans that provide independent coverage of children to extend that coverage to adult children up to the age of 26. It establishes a minimum payment for primary care Medicaid services. The ACA further looks to novel healthcare delivery models to reimburse providers based on improved health outcomes, prevent preventable hospital readmissions, improve patient safety and reduce medical errors, as well as promote wellness. Health plans are prohibited from imposing pre-existing condition exclusions or discriminating on the basis of any health status-related factor, including genetic factors.15
The trend toward alternative payment models has strengthened in recent years, with recent data demonstrating that US healthcare payments associated with alternative payment models are steadily increasing.16 However, despite the appeal of certain alternative payment models (also known as value-based payment models), particularly those offering higher payments to providers who demonstrate a higher quality of care, providers have been reluctant to participate in programmes imposing full capitated risk. As a result, CMS has announced several new initiatives, including bundled payment models for certain clinical areas and a new direction for the Medicare Shared Savings Program, pushing accountable care organisations (the most popular type of alternative payment model, involving a group of providers that takes responsibility for the cost and quality of care in exchange for a portion of the savings) into a two-sided risk model more quickly than before. Other laws passed in recent years, including the Medicare Access and CHIP Reauthorisation Act of 2015 (MACRA), have established new ways of paying for care that focus on value instead of volume. Under MACRA, CMS has implemented a quality payment incentive program that rewards quality care and outcomes via two different methods: Merit-based Incentive Payment System (MIPS) and Advanced Alternative Payment Models (APMs).
Despite these requirements of the programme and other initiatives, changes to the ACA introduced under the Trump administration have cut away at other features of the ACA. For instance, in August 2018, HHS promulgated regulations allowing for alternative health plans in the form of short-term plans lasting just under one year (under the previous administration, the duration of short-term plans was limited to 90 days, making them exceptionally unattractive to consumers). Such short-term plans intend to create a competitive, lower-priced alternative to the plans available under Obamacare because they are not subject to the same requirements as full-scale health plans. However, because these short-term plans do not face the same requirements, short-term plans may exclude people with pre-existing conditions, undercutting one of the most popular protections of the ACA. Additionally, beneficiaries may experience gaps in coverage and catastrophic costs, and adverse selection may lead to higher premiums for the traditional healthcare coverage available on the marketplace. For these reasons, some states have elected not to offer short-term, limited-duration plans. Currently, 39 states and the District of Columbia offer these short-term insurance plans.
Another change introduced by the Trump administration in June 2018 was the option for 'association health plans', which allowed small businesses to band together based on common geography or industry and collectively purchase health insurance as a larger employer might. Although the association health plans are not able to discriminate based on an employee's health status or any 'health factor', they may be able to offer health insurance that does not include all the essential health benefits required by the ACA. In March 2019, a federal judge found major provisions of the rule to be unlawful and remanded the rule to the Department of Labor to determine how the rule's severability provision affects the remaining provisions. Following the decision, the Department of Labor released guidances describing resulting changes to its enforcement policy. At the time of this writing, association health plans are permitted within certain parameters.
After Biden's election, he directed the federal agencies to re-examine current policies that may undermine the ACA and health insurance exchanges, including short-term health plans and association health plans. However, even if Biden reverses Trump's policies, it will take time for any changes to be promulgated through the US rulemaking process.
iv Pricing transparency
At the end of the Trump administration, the US HHS issued a final rule called Transparency in Coverage as part of the federal government's initiative to increase transparency in healthcare pricing. Typically, healthcare prices are negotiated between insurers and providers and are not easily accessible, but these new rules require health insurance issuers and group health plans to disclose certain pricing and cost-sharing information and publicly disclose a variety of information about in-network, out-of-network and pharmaceutical prices. Some of these requirements specifically related to hospitals came into effect on 1 January 2021, and CMS has begun sending warning letters to hospitals not in compliance.
Primary/family medicine, hospitals and social care
i Hospitals and primary care
As noted above, hospitals are the work benches for the delivery of healthcare in the United States. Further, the Emergency Medical Treatment and Labor Act, a federal law mandating that anyone who arrives at a hospital emergency department must be medically screened and provided stabilising treatment, regardless of their insurance status, has contributed to the use of hospital emergency departments for all types of care. However, there has been an increased focus on primary care, particularly under the ACA. Not only has the ACA expanded the number of insured patients, thereby increasing the number of patients able to access primary care, but provisions of the law have also specifically addressed the types of primary care and other preventive services that must be covered by insurance and have set minimum payment rates for primary-care Medicaid services.
Further, under most types of third-party payment arrangements, there is an element of managed care, meaning that the healthcare services are provided subject to utilisation review procedures such as a primary care physician serving as a gatekeeper for specialists. Such care arrangements typically place restrictions on the beneficiary's choice of provider, usually as a result of network or panel arrangements established by the payer. Thus, although it is possible to have direct access to different healthcare providers, for many insureds, access to a specialist is only possible through a referral by that individual's primary care provider.
There have recently been further developments in this area, as innovators from other sectors of the economy become more involved in the delivery of healthcare. Capitalising on improvements in technology in this way can present opportunities to offer increased access to primary care services, particularly in areas where providers are scarce or patients are not easily able to travel to provider offices. For instance, there has been a growing movement towards telemedicine, whereby providers and patients interface virtually rather than through an in-person office visit. The covid-19 pandemic accelerated this movement, as telemedicine became necessary overnight. States facilitated the use of telemedicine by, for example, expanding scope of practice, relaxing in-person visit requirements and allowing controlled substances prescribing via telehealth.
ii Electronic health records and privacy
Although many healthcare facilities and providers in the United States are individually moving towards use of electronic medical records, there has not yet been a sustained effort to implement a universal electronic medical record.
Healthcare organisations are subject to a plethora of federal and state privacy and security laws pertaining to health information maintained by the organisation. The most comprehensive federal law that applies to healthcare organisations is the Health Information Portability and Accountability Act of 1996 (HIPAA), as modified by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These laws and their implementing regulations provide federal protections for the privacy of individually identifiable health information or protected health information (PHI) held by covered entities (e.g., health plans, healthcare clearinghouses and most healthcare providers) and give patients an array of rights with respect to such information. The HIPAA Security Rule specifies a series of administrative, physical and technical safeguards that covered entities must implement to ensure the confidentiality, integrity and availability of electronic PHI.
HIPAA, along with other federal and state privacy and security laws, imposes liability on healthcare organisations for technical violations of the required privacy protections and security safeguards, and for any unauthorised access, use or disclosure (i.e., breach) of confidential health or medical information. If a healthcare organisation violates HIPAA, the Secretary of Health and Human Services may impose civil monetary penalties or corrective action plans on a covered entity and the business associates with which it contracts. The secretary may also refer criminal violations to the Department of Justice (DOJ). State attorneys general also have a right to bring a cause of action on behalf of residents of their states under HIPAA. State laws vary considerably, but in some states, a healthcare organisation is also subject to state civil penalties and damages in any action brought by an individual whose privacy was compromised as the result of a violation of state privacy law. In addition to any potential liability for their own actions, healthcare organisations may also bear liability for the actions of their subcontractors for violations of state privacy laws. Notably, during the covid-19 pandemic, HHS issued a notice that it was exercising its enforcement discretion to permit some sharing of PHI that would otherwise constitute a HIPAA violation, as described in Section IX, below.17
In 2018, the European Union General Data Protection Regulation (GDPR) imposed various requirements applicable to companies that monitor or process the personal data of European citizens. Initially, most US healthcare providers (e.g., hospitals, physicians and skilled nursing facilities) determined that they are not subject to GDPR and did not at first voluntarily comply. However, since the passage of GDPR, some US states have passed similarly stringent privacy laws, leading to many healthcare providers adjusting their business practices in efforts to comply. One of the more comprehensive of these laws is the California Consumer Privacy Act of 2018, which provides California residents with similar rights to those that GDPR provides to EU citizens, including the right to access personal data an organisation has collected and the right to have that personal data deleted.