By Deven McGraw, Director, Health Privacy Project, Center for Democracy & Technology.
There have been some important developments this month related to the federal government’s efforts to encourage the adoption of electronic health records by providers (largely physicians and hospitals) and the use of those records to improve individual and population health. Our first take on these long-awaited rules is below.
Meaningful Use Criteria
On July 13, HHS released the final rules setting the requirements that providers must meet in order to be “meaningfully using” certified EHRs, which is the trigger for eligibility for federal Medicare and/or Medicaid subsidies beginning in 2011. One rule establishes the requirements for meaningful use; another sets the criteria EHR technology must meet in order to be certified.
To engage patients in their health care, the criteria require providers to provide patients with electronic copies of their health information, upon request, within three business days. Physicians also must provide patients with clinical summaries within three business days of an office visit. The meaningful use criteria do not yet address the inclusion of patient-generated data like observations of daily living into EHRs – but discussions are underway to possibly include this in later stages of meaningful use (2013 and 2015).
Proposed Privacy and Security Regulation Changes to HIPAA
On July 14, the Department of Health and Human Services (HHS) published proposed regulations to implement changes to the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). Members of the public can submit comments on the regulations from now through September 13, 2010. A summary of the proposed HIPAA modifications has been prepared by Manatt.
The proposed rule includes provisions that further bolster a patient’s right to receive copies of his or her health information. For example, it clarifies an individual’s right to request and receive a readable, electronic copy of his or her health information when the information is kept by the provider in electronic form. The proposed rule also provides some additional details on an individual’s right to have that electronic copy sent directly to another individual or entity, such as a personal health record (PHR). But, it does not require that the electronic copy be computable; it also does not require providers to have an interface with every PHR on the market (so it may not always be possible for patients to have their information sent directly to the PHR of their choice). However, this provision is viewed by many as an important first step to achieving more robust exchange of computable data between patients and their providers, and the hope (and expectation) is that the EHR and PHR marketplace will respond to this new opportunity.
But perhaps of more interest to users of PHRs is what was not in the proposed HIPAA rules: clarity on when PHRs are covered by HIPAA. HITECH and the proposed rule state that a PHR is only covered by HIPAA if it is offered to individuals “on behalf of a covered entity.” (In such a case, the PHR is a “business associate” of the covered entity.) The proposed rule unfortunately provides no guidance as to when a PHR is offered “on behalf of” a physician or hospital, and when it is offered independently. This distinction is critical, as those PHRs that are covered by HIPAA are potentially permitted by law to access, use and disclose an individual’s health information without necessarily getting the individual’s consent.
A representative from the HHS Office of Civil Rights (OCR), which wrote the proposed rule and is tasked with enforcing it, recently clarified in a public forum that mere existence of a contract or interface between the PHR and the covered entity does not mean that the PHR is being offered “on behalf of a covered entity.” Instead, OCR would look at the facts and circumstances of the arrangement between the PHR and the covered entity to determine whether or not the PHR was being offered to patients independently or on the covered entity’s behalf. This confirms the approach used by the consultancy team at Manatt when they were analyzing the use of PHRs in Project HealthDesign and concluded that the PHRs were not covered by HIPAA. CDT intends to submit comments to the proposed rule to urge OCR to issue more official guidance setting forth the factors it will use to analyze PHR/covered entity arrangements to provide more clarity to consumers, providers, and companies offering PHRs.