
Privacy and Security of Electronic Health Records: New Challenges, New Protections

Author: Joy Pritts


July 26, 2012

Health Care System Is Broken
- Focus on treatment
- Sporadic, fragmented, uncoordinated care
- Inconsistent delivery of evidence-based care
- Misaligned reimbursement system

Improving the Health System


- Health Information Technology
- Provider Payment
- Health Insurance Market
- Quality Improvement



Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

- Creates financial incentives for eligible providers and hospitals to meaningfully use electronic health records (EHRs), including exchanging health information electronically
- Promotes development of a nationwide health information network to permit the secure exchange of electronic health information among providers

Electronic Health Records (EHRs)
- Onsite server and network
- Cloud-based solution: third party, off-site server
  - Promoted as less expensive and simpler

8/15/2012

Office of the National Coordinator for Health Information Technology

Models for Electronic Health Information Exchange
- Directly between providers (e.g., a referral from one doctor directly to another)
- Decentralized, with a record locator service
- Centralized databases
- Different models raise different privacy concerns

HIPAA Privacy Rule: Federal Baseline
- Scope: applies to most health care providers, as well as to health plans and health care clearinghouses (covered entities)
- Detailed provisions on the use and disclosure of protected health information (PHI)
- Treats all health information the same (except separately maintained psychotherapy notes)

HIPAA Security Rule
- Applies to electronic protected health information (ePHI)
- Establishes administrative, physical and technical standards for securing ePHI to ensure access only by authorized persons and entities
- Scalable and flexible to meet the requirements of organizations of different sizes


Meaningful Use Incentives
- Eligible provider must conduct a security risk assessment per the HIPAA Security Rule
- Certified EHR technology must be capable of encrypting ePHI


HITECH Improvements

- Extends HIPAA to directly cover business associates (entities that perform services on behalf of covered entities and need access to PHI on a regular basis)
- HITECH expressly clarifies that health information exchange organizations are business associates
- Cloud-based EHR vendors are business associates


Business Associates Under HITECH

- Subject to the use and disclosure limits of the HIPAA Privacy Rule
- Must comply with the substantive provisions of the HIPAA Security Rule:
  - Access limitations
  - Authentication
  - Encryption


Patient Protection and Affordable Care Act (ACA)

Improve patient access to quality care through:
- Broader health insurance coverage
- Health benefit exchanges for individuals and small groups
- No denial of coverage for pre-existing conditions
- Coordination of care



Accountable Care Organizations


- Network of doctors and hospitals that shares responsibility for providing care to patients
- Manages all of the health care needs of a minimum of 5,000 Medicare beneficiaries for at least three years
- Receives bonuses when providers keep costs down and meet specific quality benchmarks, focusing on prevention and carefully managing patients with chronic diseases


Accountable Care Organizations Final Rule

Federal Register, vol. 76, page 67802 (11/02/11)

- ACOs may be business associates
- Providers in an ACO are eligible to receive Medicare claims data generated by other providers
- Individuals may opt out of having certain identifiable information shared

ACA Performance Measurement
- The ACA requires CMS to make Medicare data available to third parties (Qualified Entities), to be combined with other claims data for provider performance measurement



ACA Performance Measurement: Final Rule on Availability of Medicare Data for Performance Measurement

Federal Register, vol. 76, page 76542 (12/07/11)

Qualified entities (conduct data analytics):
- Are not considered business associates of CMS
- Must have a rigorous data privacy and security program to qualify to receive Medicare data
- Must sign a stringent data use agreement


Health Insurance Exchange Rule: Privacy and Security

Establishment of Exchanges and Qualified Health Plans Final Rule, Federal Register, vol. 77, page 18310 (03/27/12)

- State health insurance exchanges must establish and implement privacy and security standards that are consistent with the Fair Information Practice Principles (45 CFR 155.260)

Electronic Health Information: A Balancing Act

- Accessible for care
- Protecting privacy
