E-Health Privacy Regulations Draw Congressional Fire

The U.S. Department of Health and Human Services issued an interim final rule to beef up penalties for violations of the Health Insurance Portability and Accounting Act (HIPAA), as several Congressmen criticize the agency for leaving dangerous loopholes in the law.The new rules significantly increase penalty amounts that the U.S. Department of Health and Human Services can impose for HIPAA violations of patient privacy, according to a statement from HHS. The new rules reflect requirements enacted in the Health Information Technology for Economic and Clinical Health (HITECH) sections of the American Recovery and Reinvestment Act (ARRA) of 2009.

Before HITECH, maximum penalties were $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan, or clearinghouse could be exempt from civil financial penalties if it demonstrated it did not know it violated the HIPAA rule.

The HITECH act increases civil financial penalties by establishing tiered ranges of increasing minimum penalties, with a maximum $1.5 million for all violations of identical provisions. And a "covered entity" can plead ignorance as a protection only if it fixes the violation within 30 days of discovery.

HHS published the rule with requests for comments Friday. It goes into effect Nov. 30 and HHS will consider all comments received by Dec. 29.

The HHS has come under fire for the way it's been interpreting ARRA rules. On Oct. 1, six powerful House leaders sent a critical letter to HHS Secretary Kathleen Sibelius. Signatories to the letter included Rep. Henry Waxman (D-Calif.) and ranking member Joe Barton (R-Texas):

The congressmen said HHS stretched the law when it defined a "breach" by improperly introducing the concept of "harm." The stimulus law passed by Congress in February doesn't use the word "harm," it defines a breach as "the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information"

But HHS says many commenters suggested there should be a harm threshold; information shouldn't be considered to have been breached unless there was harm to an individual. The "healthcare providers, researchers, data-miners and their business associates" who have possession of sensitive medical data perform a risk assessment, determine the extent to which individuals have been harmed by a brach, and only notify patients where there's been harm.

This is a tricky matter. On the surface, the Congressional criticism has merit. The law has no teeth if the healthcare companies responsible for safeguarding patient data get to decide when patients need to be notified of a privacy breech. It's like setting up speed limits on the road but letting drivers decide whether they should be issued tickets.

On the other hand, healthcare companies could be paralyzed if they're required to tell patients every time a nurse looks cross-eyed at a computer monitor. And patients, bombarded with too many notices of inconsequential privacy violations, will start ignoring those notices.

Lawmakers and regulators must walk a line between making sure patients are informed of privacy breaches without creating an unnecessary burden on healthcare companies and inundating patients with trivial notices.

Blue Cross of Northeast Pennsylvania, the University of Louisville School of Medicine, and a range of large and small healthcare providers are using mobile apps to improve care and help patients manage their health. Find out how. Download the report here (registration required).

Follow InformationWeek on Twitter, Facebook, and LinkedIn:

Twitter: @InformationWeek @IWpremium @MitchWagner

Facebook: InformationWeek Mitch Wagner

LinkedIn: InformationWeek Mitch Wagner