Evolving Privacy, Security Regulations Complicate Health IT - InformationWeek

As authorities go back and forth on health IT regulations, organizations developing health information exchanges need to keep a close eye on the process.

The evolving patchwork of privacy and security regulations is making the difficult job of creating health information exchanges (HIEs) even tougher, according to a panel of experts at the New Jersey and Delaware Healthcare Information and Management Systems Society (HIMSS) fall event held this week in Atlantic City.

"Privacy and security laws are right now being reinvented, reinterpreted, stretched, morphed, and developed," said attorney Helen Oscislawski. Those changes are happening at the federal level, where the Department of Health and Human Services (HHS) HIT Policy Committee's Privacy and Security Tiger team is crafting recommendations that may appear in Stages 2 and 3 of meaningful use, as well as on state levels. "We are in the thick of it right now," she added.

The Tiger team is also looking at patient consent and de-identification of data, and will continue that examination through February, according to Lisa Gallagher, senior director, privacy and security at HIMSS. But despite the Tiger team's work, she said, the industry doesn't know much about what upcoming meaningful use stages will require.

In addition to watching Health Information Technology for Economic and Clinical Health (HITECH) related developments, HIE organizers need to monitor what HHS does around the breach notification final rule. Earlier this year, it pulled that rule back when privacy advocates balked at a "harm clause" which would have let healthcare providers determine if any harm had been caused to the affected party before disclosing a breach. Many healthcare organizations, concerned about "notification fatigue," had been in favor of the clause.

With the final rule pulled back from the review process, the interim final rule -- which includes the harm clause -- remains in effect until a new final rule is proffered, something Gallagher doesn't expect will happen before the November mid-term elections.

"We anticipate that more regulations around the final rule on breach notification will cause a lot of work," said Gallagher. "There will be a significant impact on healthcare organizations and HIEs."

She also warned providers that Congress is looking to ramp up enforcement of HIPAA violations by letting loose state attorneys general on offenders. The Office of Civil Rights, Gallagher said, is looking at compliance monitoring as well.

When it comes to reconciling federal and state law, Oscislawski said the federal government is "sticking to the position" that it will not make federal law override state law in situations where the state law offers greater patient protection. But, as with many privacy and security-related laws, she said, the exceptions are as important as the rules.

One particular exception allows two physicians treating the same patient to transmit data about that patient between them without first gaining consent. The Tiger team, Oscislawski said, is moving to a more stringent standard that could require consent in cases where PHI is stored in a "central repository" managed by a HIO-HIPAA business-associate agreement for other providers to access in the course of treatment. In such cases, it's possible the HIO and its participating providers may not be permitted to rely on the HIPAA Treatment exception. (Federated provider-to-provider data-exchange models would continue to enjoy the exemption.) "This could force in a backdoor way of reinventing healthcare’s workflow for centralized HIE models," she said.

Gallagher said recommendations by the Privacy and Security Tiger team would also place a new, and perhaps untenable, burden on physicians to educate patients about protected health information (PHI). "This would put the physician in the position of governing the consent process, so we really need to monitor the Tiger team and give them feedback. There are ways we can talk to them, even in addition to the public comment functions."

Those developing HIEs must be cognizant of all developments in this area, lest the model they create fail to qualify for meaningful use dollars because of a privacy or security violation. Panelists suggested the Office of the National Coordinator for Health Information Technology, HIMSS, and Markle Foundation as good resources for guidance.

Anthony Guerra is the founder and editor of healthsystemCIO.com, a site dedicated to serving the strategic information needs of healthcare CIOs.
